Prepare for the worst: Interdepartmental crisis training improves data breach response efforts

By Sascha Matuszak

Table of Contents

For compliance professionals, especially those working with the many vendors and other third parties that make up modern global value chains, building bridges between departments is a major task, because it is common for departments within an organization to operate as silos; for example, the accounting, marketing and information technology (IT) departments may have very little horizontal interaction. Those bridges are necessary in order to train employees, explain policies and procedures, and acquire the data necessary to understand where risks are and how to mitigate them.

With data and operations increasingly being relegated to automated and digital (i.e., cloud) software solutions, IT, in particular, plays a critical role in any organization’s daily affairs. All the major compliance challenges — bribery, trade and labor issues, regulatory burdens, third-party vetting and management — increasingly require IT and compliance to work together.

But unfortunately, it is often the case that the two departments will only interact when a problem arises. In the worst-case scenario, IT and compliance will find themselves across the table from each other in a crisis, such as a data breach.

“A crisis is the worst time for them to get together,” said Jonathan Armstrong. “They sort of mistrust each other, they have a deadline, the IT guys are blaming compliance and vice versa. … Everyone is worried about being sacked and so compliance and IT meet like two opposing armies to try and agree on a common direction. That doesn’t always work.”

Armstrong has hosted data breach academies that bring together several parties (e.g., management, IT and compliance) for a test run at managing a breach. It turns out that much of the interaction is dysfunctional. Emotions are high, the stakes are huge, and both sides have to learn a common language. The simple step of “de-jargoning” their conversations can make a big difference.

“I’ve sat in on a data breach response meeting in which the two top individuals from IT and compliance waited for me to introduce them,” Armstrong said. “With GDPR, you have 72 hours to report a breach. You don’t have 30 seconds to play with introductions and protocol.”

The academies produced some interesting findings, and Armstrong recommended a few steps that organizations can take to build the bridges necessary for an effective response to crisis.

Steps to take

  • Do a rehearsal. For most organizations, its suboptimal for them to learn to work together in a crisis.

  • Prepare common briefing notes. Have everybody working from the same set of facts, so individuals have a common understanding and common terminology.

  • Distribute hard copy readings. There is a real difference between reading hard copy versus reading a projection on a screen.

  • Have a war room where people can sit and do their reading together.

  • Don't underestimate the stress involved. Making sure there is enough water, enough candies; that sort of basic stress relief stuff makes a difference. Any minor friction will be magnified.

  • Decide who is going to lead the breach team. In the worst-case scenario, people are too polite and nobody makes a decision (everyone canvasses everyone else). In a real life situation, no one will decide. Armstrong described a situation in which the head of IT, the head of legal, and the head of compliance all told him, “You should make the decision.” Armstrong said, “I am outside counsel. Organizations need a more sustainable way of doing this in the future; someone needs to make a decision. You don’t coach in a crisis; you need a commander.”

  • Make sure the data breach plan is fit for the purpose. There will be a language difference if the compliance team writes a plan, IT writes a plan, and each plan is very different and addresses different problems. “You need a plan that is like a fire evacuation notice on the back of hotel door,” Armstrong said. “Raise the alarm and await instructions.”

Data breach by a third party

Most major corporations do not process the majority of their data, and a vendor’s payments may be outsourced to a payroll company. When traveling, a company may use a third party to book the travel; when a person gets sick, the healthcare arrangements are often handled by a third party. Nevertheless, most organizations still behave as if everything that is relevant to employees is “in the building,” whereas none of the data relevant to the employee is in the building anymore.

The same is true for customers. Online payments are processed through a payment engine, and another third party collects the cash, while a logistics firm ships the product. A lot of organizations are still thinking their risks exist in the bricks-and-mortar world, but the risks aren’t there anymore.

Third parties often do not take data breaches as seriously as the primary organization and, even if they do, the policies and procedures differ. Creating bridges between departments within an organization is difficult, but creating those same bridges across the many vendors and third parties that make up the supply chain is much more complicated — and much more critical than it has ever been.

Look for a discussion on protecting data across the supply chain — including vendors and other third parties — coming soon in RSCC.

Takeaways

  • Getting departments to work together effectively is a key component of a compliance program. A case-in-point is the cooperation necessary for IT and compliance to handle data security.

  • Third parties and the dominant role of software and digital solutions in today’s business environment make compliance in those areas (i.e., supply chains, accounting and services) that much more complex and critical to business continuity.

This publication is only available to subscribers. To view all documents, please log in or purchase access.
Purchase Login

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings