
PRIVACY: Be prepared for breaches or else, warns Telus chief data officer


TORONTO – 'Be prepared' is an old Boy Scout motto. But Telus' vice-president and chief data officer told a privacy conference Wednesday that being prepared can also make the difference between a data breach being big headlines for days or dealt with quickly and quietly.

"It really very often can be how you respond that makes the difference between a major incident that you manage and get through and live to survive," Pamela Snively told the Toronto conference.

Before taking her present post at Telus, Snively was a consultant who advised companies on how to respond after a breach. "Often," she recalled, "the underlying cause of a (publicized) breach was not significantly different than breaches that other organizations suffered on a daily basis that never make the front page of the Globe."

In an interview she recalled one unnamed client's breach that did make headlines after the exposure of tens of thousands of personal records. That incident was "the perfect storm," she said: it took the organization some time to identify the nature of the incident, to determine that personal information was involved, and to discover that the exposed data was old and should have been deleted long before. In fact, they did not even know that the breach itself had occurred quite some time earlier.

The big problem, she said, is that the organization didn't have a data breach protocol: a document that defines what a breach is, who will be responsible for handling the various problems that arise when one is suspected, and how it will be handled.

In fact, she said in the interview, few Canadian organizations have a breach protocol as detailed as she believes they should have.

"Some organizations have some plan in place, but I think until we had seen the greater volume of incidents we've seen over the past few years I'm not sure that organizations knew what being prepared should look like… There's always a little bit of 'It won’t happen to us' mentality, and it’s a lot of work to be prepared. You have to have that sense of 'It's a matter of when, not if', in order to apply the resources and thorough planning to be properly prepared."

However, she added, "I think a lot of organizations are embarking on that journey now."

Snively (pictured) was the chairman of the two-day conference for privacy and legal officers run by the Canadian Institute. She led a session on how organizations should create a privacy breach protocol, a document she said could be 30 pages long.

The list of questions the C-suite needs to answer is lengthy, starting with who will lead the incident team and whether all of management, including the board, agrees on that person. "Very often what happens in organizations – especially those that have a more junior privacy officer who handles a breach – is suddenly it looks like a big deal, it looks a little scary and the media might get involved and all of a sudden you have a whole bunch of people who are senior to the privacy officer who come in and take over."

In other words "the big wheels who've never handled a breach in their lives" come in when it matters most.

Other personnel questions: Who leads internal communications with staff? Who communicates with the media and partners? And are they willing to stand up to pressure over whether the data involves personal information?

There are practical questions: Who needs to be advised? Only IT, all staff, the executive team, the board? And, of course, how big a breach does it have to be before the C-suite is notified?

If, due to law or internal policy, the organization has to notify affected individuals, who makes the call (the privacy officer? Legal?), and how will it be done (who writes and approves the email or letter)? If customers are entitled to credit monitoring, who pays (the privacy officer, or the affected business unit)? Is it covered by insurance? Does the insurer have a say?

Is the incident response team trained to preserve evidence? Are they trained to testify if necessary in a lawsuit? Are there procedures – and a person assigned – for keeping records of how the incident is dealt with? Such records will be needed not only for regulators and possible lawsuits, but also for lessons learned.

Answers to these and other questions will lead to the drafting of the privacy breach protocol, Snively said. This protocol should also detail how it intersects with the organization's business continuity plan – and privacy officers might be able to use some of that document – as well as how it integrates with the IT and incident response team.
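As an added illustration, not part of the article and not anything Telus or Snively published, the following Python models two of the protocol elements described in the questions above: an escalation rule that decides who is notified and what follow-up actions apply for a given incident (the "how big before the C-suite hears about it" and "who must be told" questions), and a hash-chained incident record so that the history of how an incident was handled can later be shown to regulators or a court without having been quietly edited. The thresholds, role names and sample incidents are constructed placeholders; a real protocol would define its own.

```python
"""Added example: a runnable sketch of a breach protocol's escalation rules and
a tamper-evident incident record. Nothing here is the article's or Telus' own."""
import hashlib
import json
from dataclasses import dataclass

# Hypothetical protocol values. Every threshold and role name below is a
# constructed placeholder, not taken from any real organization's protocol.
PROTOCOL = {
    "incident_lead": "privacy_officer",
    "escalate_to_executive_at_records": 1_000,
    "escalate_to_board_at_records": 10_000,
    "notify_individuals_if_pii": True,
    "credit_monitoring_if_financial": True,
}


@dataclass
class Incident:
    description: str
    records_exposed: int
    contains_pii: bool
    financial_data: bool


def escalation_plan(incident: Incident, protocol: dict = PROTOCOL) -> dict:
    """Return who is told and which protocol actions apply for this incident."""
    notify = ["it_security", protocol["incident_lead"]]
    if incident.records_exposed >= protocol["escalate_to_executive_at_records"]:
        notify.append("executive_team")
    if incident.records_exposed >= protocol["escalate_to_board_at_records"]:
        notify.append("board")
    actions = []
    if incident.contains_pii and protocol["notify_individuals_if_pii"]:
        actions.append("notify_affected_individuals")
        actions.append("assess_regulator_notification")
    if incident.financial_data and protocol["credit_monitoring_if_financial"]:
        actions.append("offer_credit_monitoring")
    return {"lead": protocol["incident_lead"], "notify": notify, "actions": actions}


class IncidentRecord:
    """Append-only log of how an incident was handled. Each entry commits to the
    previous entry's hash, so editing, reordering or deleting an entry after the
    fact changes the chain and is detected by verify(). Timestamps are omitted
    to keep the example deterministic; a real record would include them."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor: str, event: str, detail: str = "") -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "actor": actor, "event": event,
                "detail": detail, "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self) -> bool:
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev:
                return False
            if self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    # Constructed sample incident, loosely modelled on the "old data that should
    # have been deleted" scenario the article describes.
    stale = Incident("stale customer export found exposed", 25_000, True, False)
    print(json.dumps(escalation_plan(stale), indent=2))
    record = IncidentRecord()
    record.append("privacy_officer", "incident_declared", "protocol invoked")
    record.append("it_security", "evidence_preserved", "affected host imaged")
    print("record intact:", record.verify())
```

The escalation function is deliberately a pure function of the incident and the protocol table, so the protocol can be reviewed and tested independently of any live incident, which is the point of testing the protocol before it is needed.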

Finally, the protocol has to be tested regularly to see whether all the pieces work. Snively said it's a good idea to hire an outside firm for that.

As for the unnamed organization that had "the perfect storm" of woes, it got lucky. While there was some press coverage, "It didn't turn out as bad as I thought it might be," she said, considering "they had done just about everything wrong."

Because the data was old there were few complaints, no investigation from regulatory authorities, and no litigation.

For more on creating a breach protocol, Ontario's Information Privacy Commissioner has this document for government institutions, which can be adopted for the private sector.