Organizations have a renewed focus on privacy and security incident assessment and response but continue to struggle with consistent processes. The importance of a consistent incident risk assessment cannot be overstated. The article excerpted below explains why consistency is so important and why it is so hard to achieve.
Why it is so important:
“If you undernotify, you expose your organization to regulatory risks and penalties. If you overnotify, you have to tell your customers (mistakenly) that you weren’t able to protect the security and privacy of their sensitive information. It’s not great PR, to say the least.
Notification errors also put you in the crosshairs of regulators. If you get investigated or audited, your processes must be defensible, which means in part that they must be consistent and reproducible. It may seem odd, but if your processes were inconsistent, that’s far worse than if you made different judgment calls or weighed factors differently than the regulators—but did so consistently.”
Why it is hard:
“Okay, so consistency is really important. So why aren’t more organizations taking care of business with a consistent incident assessment process? The problem is that consistency is extremely difficult to achieve, for at least five distinct reasons:
- The rules require judgment calls. Data breach notification rules are subject to interpretation. For instance, how do you measure the level of compromise or the level of harm for a given incident? You have to consider and apply the same factors and weigh them consistently hundreds or thousands of times. It’s not easy.
- The rules keep changing. As alluded to earlier, breach notification laws change all the time, so the process you follow one month may need to change the next.
- There are a lot of rules. Organizations have to follow a patchwork of state, federal and international laws. And, as mentioned, those laws can and do change.
- Structure and size multiply risks. The more physical locations, the greater the volume of data and the more privacy and security officials there are—and each may use a different workflow or process. Even if you use the same homegrown software across locations, it’s only going to provide workflow support, not specific guidance. The process applied may still differ from one site to the next, resulting in inconsistent outcomes.
- People make mistakes. Even well-trained privacy and security experts will inevitably make mistakes when using manual, paper-based processes, especially in matters requiring interpretation and judgment.”
Read the whole article here: The Challenges of Consistent Incident Risk Assessment