Organizing a Breach Notification TeamIt's Not Enough to Have a Team; You Also Must Test it
Brian Dean, a former privacy executive for KeyBank, says the key component for determining the effectiveness of a breach response team and program is to test them. "You can test the program before it's needed, or you can wait until you experience a material breach and then test the plan," Dean says. "Clearly, testing in advance gives you reaction time," he says in an interview with Information Security Media Group's Tom Field [transcript below].
Dean, who now works as a senior HIPAA and privacy consultant at SecureState, says it's wise to test the program and team annually and update appropriately.
Outside of testing, collaborating with peers is a crucial step in ensuring all the right mechanisms and personnel are in place for a breach response program. "I collaborate a lot with my peers," he says. "I ... see what they're doing to figure out if my program is in a good space."
Speaking with industry groups is also an effective way to learn new techniques and benchmark a breach team's effectiveness.
"But at the end of the day, you leverage all those materials, put together your program and then go ahead and execute a test," Dean says.
In an exclusive interview about putting together a breach notification team, Dean discusses:
- The most critical roles on a breach response team;
- How to know if your breach response team is effective;
- How to address the most important aspects of assembling the team.
Dean, who formerly served as senior vice president of privacy at KeyBank, part of Cleveland-based KeyCorp, one of the nation's largest financial-services companies with $89 billion in assets, now works as a senior HIPAA and privacy consultant at SecureState. He is an adjunct professor at Bryant and Stratton College. Dean graduated with a master's degree from Baldwin Wallace in 2000 and received his bachelor's degree from Bowling Green State University in 1987.
TOM FIELD: Why don't you tell us a little bit about your current work please?
BRIAN DEAN: I've invested the last 15 years as senior vice president for a large financial institution, and during that time I spent about 11 years putting together a privacy program including a breach response unit. But I recently switched jobs. I left the corporate world to join a company, SecureState, where I'm a consultant for HIPAA privacy, safe harbor and breach responses.
Response Team: Critical Roles
FIELD: This year, we've seen more breach response I think than any other recent year that I can think of. When you look at putting together a breach response team, what do you see as the most critical roles?
DEAN: First is really the program leader, and that's going to be a person, or persons, who provides the vision and the direction for the program. These architects put together a program. They have to adjust the program to meet the changing laws and regulatory expectations. Given that there are 46 state breach laws and I think two that will be implementing soon - not to mention the federal laws such as HIPAA and GLBA - it's imperative you get these programs done right. That starts with the planning and you need a leader to establish the planning and meet those objectives.
Secondly is a frontline support. You put together a great program but you need a funnel to learn about breaches as they occur real-time, so some type of reporting mechanism. I put together the use of a help desk. They were available 24-7 to funnel those in.
Then lastly is a response team. You put the program together, you learn of an incident and now you need to really triage the event and quickly manage that, and that really requires a lot of planning to put together a solid response team to react to an event as it occurs.
Assembling a Breach Response Team
FIELD: It sounds like a diverse set of skills. How do you go about assembling the necessary people with these skills?
DEAN: That's a loaded question because it kind of depends on organizational structure, but if you look at the basic functions of a response program, you can really get it to be org-chart agnostic. For example, if you start with the planning phase of the program, you need a call center somewhere to initiate the channel for reporting breaches. Who's going to be in that chain? Is it legal? Is it your business unit's IT, risk management and the leadership that I had mentioned earlier?
The second phase is the incident response itself and who will identify to be at the table when a problem occurs.
Thirdly is the escalation in communications. An event happens. You learn about it and you implement your program - who needs to be involved in how you escalate that? For example, the senior management needs to be notified immediately. It's a real problem if your CEO is asking questions about a large breach by one of your large clients and he or she knows nothing of the event. Same for if a client were to walk into one of the offices - my former life, walk into a branch - have questions and the customer service representatives not be able to respond to those quickly.
FIELD: You've had an opportunity to see a number of breach notification teams. Where do you typically find skills gaps within those teams?
DEAN: Organizational savvy is often lacking, and what I mean by that is having people at the table who understand the organizational structure and are savvy enough to know who needs to be at the table in the event of a breach. All breaches come in different shapes and sizes and having the right people at the table to triage that is imperative.
Also, technical savvy - not so much the technology itself but how data flows; knowing which systems could be implicated is very helpful in triaging an event.
Thirdly and often overlooked is vendor management in data flow. Often when there's a breach it involves a third party. Knowing who to bring in and how to triage those events is also extremely important.
Lastly are solid project management skills. You need to be able to provide the management to resolve the issue and also the leadership to help guide it through the crisis.
FIELD: Ideally, you never have to deploy your breach response team because you haven't had a breach. How do you know if your breach notification team is effective if you've not had the opportunity to put them into action?
DEAN: The key component for determining the effectiveness of your breach program is to test the program. You can test the program before it's needed or you can wait until you experience a material breach and then test the plan. Clearly, testing in advance gives you reaction time. I would advocate actually testing it annually and then updating your program appropriately.
Testing Your Team
FIELD: What are some ways you can test your team, test your skills and refine the team skills if necessary? What have you found to be effective?
DEAN: I collaborate a lot with my peers. I talk to see what they're doing to figure out if my program is in a good space. I do a lot with industry groups and try to use that to benchmark the effectiveness and learn new techniques and things that I might also want to employ. There's also a lot of best practice material you can grab off the web. But at the end of the day, you leverage all those materials, put together your program and then go ahead and execute a test. When I say test, it really hones the skills. [It] would be maybe a desk walk-through for example.
You have a program, you pick the right people in the room and you walk through that, and that will help you determine who should have been at the table that wasn't there, what resources weren't available and allow you to account for that in subsequent tests.
FIELD: When you're testing these teams and their skills, what are some red flags that might pop up that tell you you've got something you have to address?
DEAN: One of the key things that I found is not having the right people or the right resources available. For example, we experienced a major breach that included the outage of the building. I couldn't get back into that building and there were materials in there that I needed to get a hold of some vendors that were implicated in the breach. Not having that off-site in another storage location was a huge disadvantage to quickly triage the event. Having a good program, having multiple safe locations and having it tested so you know it works is very, very important.
Organizing Team: Top Aspects
FIELD: If you're going to advise organizations putting together their team - which is what I presume you do now - what would you say is the most important aspect of assembling your breach notification team?
DEAN: There are a couple of pieces to that actually, but the most important aspect is clearly the planning. You put together a solid program and a solid plan, but in order to do that effectively you have to establish a program leader, somebody who's going to provide the vision, direction and ongoing support to manage that program. If you do the planning, you have somebody in charge of it. You craft a comprehensive program and then you put together a strong team.
And this is the biggest piece and that's team continuity. Too often I see the players on the triage team change, so you need to minimize the turnover. You need to train all the new employees as they come on and you need to test that program. Proper planning will help garner the support needed to build a strong team, and if you position that correctly the program will be seen as a corporate asset. I think this is important because if management understands the team's important, they can help minimize the turnover thus providing continuity in fostering an effective, sustainable breach-response program.