Security and Privacy Mate During Incident Response

I recently got off the road from two weeks of travel. The first week I was in sunny San Francisco for the annual RSA Security conference, a massive gathering of security wonks and sales people in a maelstrom of light and sound. The second week I was in rainy Washington DC for the far more manageable summit of the International Association of Privacy Professionals (IAPP). The scale of these two conferences is vastly different, but the content is edging closer each year. RSA is a security conference with a privacy track, and IAPP is a privacy conference with a security track. But my biggest takeaway from the RSA conference was the shift from prevention and detection to response.

Don’t get me wrong. Good defenses and robust detection are still critical. No reason to drain the moat, unlock the gates and fire the lookouts. But the horde making it over the wall every now and then is inevitable. That’s what folks I spoke with at RSA were saying. Breaches happen. Then the question becomes what you do about it. And that’s where incident response comes in.

Security and Privacy in Incident Response

Incident response comes after that “oh shoot” moment when you realize something is missing, your family jewels are up on some random website, or you get a call from a chap willing to trade your million dollars for your own information. Sophisticated companies have incident response teams that are incident-type specific. Some of these sophisticated companies even have incident response plans that are specific to each incident type. But truth be told, most companies aren’t that sophisticated. For many, an incident response plan is contained within a binder that mostly serves to gather dust on the shelf. Inside may be a list of team members, or the name of someone who owns the Chief Privacy Officer title along with their day job at the company. Perhaps this plan will undergo a yearly review before once again being shelved.

Also, typically, management of incidents is done on spreadsheets, email, conference calls, and maybe a support ticketing system. This may have worked in simpler times. However, folks are learning that there are tools that organize incident response better. Breaches are becoming increasingly common and severe, and the regulatory atmosphere is becoming increasingly restrictive. Firms need to develop and practice a more consistent, repeatable approach or face suffocation by regulations.

Privacy is baked into more sophisticated tools and processes for incident response. If it weren’t, privacy breaches would often go undetected, because many privacy incidents start as security incidents. That’s why any security incident response plan needs to include a privacy track. Ideally, this plan should be practiced quarterly, running different scenarios to confirm that all parts of the plan work well together.

Mating privacy and security during an incident shouldn’t be as hard as it seems to be for many people. Your written or electronic process needs a stage at which you ask whether personal information or personal health information is involved in the incident. If it is: what is the nature of that information, was it encrypted, and what harm could result from its disclosure? If the answers to these questions trigger state or federal breach notification laws, then a privacy incident can be run in parallel with the security incident. However, while the question of what data is at risk is a simple one, the answer is like opening a wall in an old house. What you tend to find is a new set of problems and a host of components that, while operational, no longer comply with the current code, or in this case business policies, be they internal or regulatory. This requires new team members to hop onto what is already a speeding locomotive.

Back to my travel schedule. Being a seasoned business traveler, I am prepared with schedules, contact information, plans and backup plans – and am well versed in the mechanics of the roads and airports I will traverse. Even with a heavy schedule and two snowstorms snarling a couple of legs of my trip, in total I have had two relatively smooth and incredibly productive weeks. What's my point? Think of your incident response like a business trip. Sometimes you can see it coming, sometimes it's a spot trip, but regardless you travel the roads and airways and navigate meetings all the time. And for those you don't, you make an extra effort to understand them in advance – be it by use of tools like GPS or the Internet to research a meeting contact.

Just like travel, incident response is a business responsibility. You need to understand in advance, and practice, your plans, your responsibilities, your points of engagement and the tools you have at your disposal, to meet your ultimate goals in the most effective way.

Gant Redmon, Esq., is General Counsel & Vice President of Business Development at Co3 Systems. Gant has practiced law for nineteen years, fifteen of those years as in-house counsel for security software companies. Prior to Co3, Gant was General Counsel of Arbor Networks. In 1997, he was appointed to President Clinton’s Export Council Subcommittee on Encryption. He holds a Juris Doctor degree from Wake Forest University School of Law and a BA from the University of Virginia, and is admitted to practice law in Virginia and Massachusetts. Gant also holds the CIPP/US certification.