Organizing a Breach Notification Team
It's Not Enough to Have a Team; You Also Must Test It
Having a breach response team in place at your organization is a necessity in today's threat environment. But how - before a breach occurs - do you know if your team is truly effective?
Brian Dean, a former privacy executive for KeyBank, says the key component for determining the effectiveness of a breach response team and program is to test them. "You can test the program before it's needed, or you can wait until you experience a material breach and then test the plan," Dean says. "Clearly, testing in advance gives you reaction time," he says in an interview with Information Security Media Group's Tom Field [transcript below].
Outside of testing, collaborating with peers is a crucial step in ensuring all the right mechanisms and personnel are in place for a breach response program. "I collaborate a lot with my peers," he says. "I ... see what they're doing to figure out if my program is in a good space."
Speaking with industry groups is also an effective way to learn new techniques and benchmark a breach team's effectiveness.
"But at the end of the day, you leverage all those materials, put together your program and then go ahead and execute a test," Dean says.
In an exclusive interview about putting together a breach notification team, Dean discusses:
- The most critical roles on a breach response team;
- How to know if your breach response team is effective;
- How to address the most important aspects of assembling the team.
Dean, who formerly served as senior vice president of privacy at KeyBank, part of Cleveland-based KeyCorp, one of the nation's largest financial-services companies with $89 billion in assets, now works as a senior HIPAA and privacy consultant at SecureState. He is an adjunct professor at Bryant and Stratton College. Dean graduated with a master's degree from Baldwin Wallace in 2000 and received his bachelor's degree from Bowling Green State University in 1987.
TOM FIELD: Why don't you tell us a little bit about your current work please?
BRIAN DEAN: I've invested the last 15 years as senior vice president for a large financial institution, and during that time I spent about 11 years putting together a privacy program including a breach response unit. But I recently switched jobs. I left the corporate world to join a company, SecureState, where I'm a consultant for HIPAA privacy, safe harbor and breach responses.
Response Team: Critical Roles
FIELD: This year, we've seen more breach response I think than any other recent year that I can think of. When you look at putting together a breach response team, what do you see as the most critical roles?
DEAN: First is really the program leader, and that's going to be a person, or persons, who provides the vision and the direction for the program. These architects put together a program. They have to adjust the program to meet the changing laws and regulatory expectations. Given that there are 46 state breach laws and I think two more that will be implemented soon - not to mention the federal laws such as HIPAA and GLBA - it's imperative you get these programs done right. That starts with the planning, and you need a leader to establish the planning and meet those objectives.
Second is frontline support. You put together a great program, but you need a funnel to learn about breaches as they occur in real time, so some type of reporting mechanism. I put together the use of a help desk. They were available 24/7 to funnel those in.
Then, lastly, is the response team. You put the program together, you learn of an incident, and now you need to really triage the event and quickly manage it, and that really requires a lot of planning to put together a solid response team to react to an event as it occurs.
Assembling a Breach Response Team
FIELD: It sounds like a diverse set of skills. How do you go about assembling the necessary people with these skills?
DEAN: That's a loaded question because it kind of depends on organizational structure, but if you look at the basic functions of a response program, you can really get it to be org-chart-agnostic. For example, if you start with the planning phase of the program, you need a call center somewhere to initiate the channel for reporting breaches. Who's going to be in that chain? Is it legal? Is it your business unit's IT, risk management and the leadership that I had mentioned earlier?