Privacy Operational Lifecycle - Section III.E. - Respond: Privacy Incidents

Question 1

True or False: The average cost associated with responding to a data breach has risen significantly in the past two decades.

Answer 1

True

Question 2

What is a privacy incident?

Answer 2

An adverse event or action that is unplanned, unusual, and unwanted that happened as a result of non-compliance with the privacy policies and procedures of an organization.

Question 3

What aspects of a data breach response plan should be reviewed as part of incident follow-up?

Answer 3

(1) Staffing and resources;
(2) Containment, including timing and processes;
(3) Commitment of executive leadership;
(4) The roles of response team members and other stakeholders; and
(5) The notification process.

Question 4

What steps does the FTC recommend in providing notice to affected data subjects that a data breach has occurred?

Answer 4

(1) Consult with a law enforcement so as not to impede any investigation;
(2) Designate a point person for external contacts; and
(3) Consider offering a year of free credit monitoring and other support to affected individuals.

Question 5

What is required of organizations that hire third-party call centers for customers to contact as part of its data breach response plan?

Answer 5

Draft the scripts for call center workers to utilize,
provide training to the call center’s quality assurance team,
analyze reports prepared by the call center, and
maintain adequate staffing.

Question 6

What is the most common term used to describe the amount of time an organization has to provide notice to affected data subjects once it is determined that a data breach has occurred?

Answer 6

At the most expeditious time possible and without unreasonable delay.

Question 7

Who typically leads an organization’s response to a data breach?

Answer 7

Legal counsel.

Question 8

What types of expenses are typically covered by cyber insurance?

Answer 8

Legal expenses;
Forensic analysis;
Negotiation or payment of ransomware;
Data restoration expenses;
Breach notification expenses;
Public relations consultations; Identity restoration;
Fines or penalties;
Security and system failures; and
Contract expenses.

Question 9

What are some of the benefits associated with training employees how to respond to a data breach?

Answer 9

It helps expose gaps in procedures before an incident occurs,
Increases security (i.e., lower the risk of a breach),
Lessens long-term costs, and
Better maintains an organization’s reputation in the event of a breach.

Question 10

What are the four steps the FTC recommends after confirming that a data breach occurred?

Answer 10

(1) Secure operations;
(2) Analyze and fix vulnerabilities;
(3) Notify affected parties; and
(4) Take proactive steps to limit future breaches.

Question 11

Does developing a data classification schema increase or decrease the cost of responding to a data breach?

Answer 11

Decrease.

Question 12

What steps should be taken in preparation for responding to a privacy or security incident?

Answer 12

(1) Develop an incident response plan;
(2) Implement appropriate training;
(3) Understand key roles and responsibilities;
(4) Obtain insurance coverage, if appropriate; and
(5) Effectively manage third-party data vendors.

Question 13

Does business continuity management increase or decrease the cost of responding to a data breach?

Answer 13

Decrease.

Question 14

True or False: The average cost associated with responding to a data breach is pretty consistent across jurisdictions globally.

Answer 14

False. The cost of responding to a data breach varies significantly across jurisdictions, with the United States being the country with the highest average response costs.

Question 15

Other than lowering the cost of responding to a data breach, employee training can also lower [blank].

Answer 15

The frequency with which privacy incidents occur.

Question 16

What is an incident register?

Answer 16

A document or record of every incident that has taken place within an organization, on a select project, or at a specific location, such as a privacy incident register.

Question 17

What are some things commonly included in a privacy incident register?

Answer 17

(1) A classification of the incident;
(2) A description of the events;
(3) A description of the source or location of the incident;
(4) A description of why the incident happened; and
(5) An outline of the corrective actions taken.

Question 18

Does the rush to notify stakeholders increase or decrease the cost of responding to a data breach?

Answer 18

Increase.

Question 19

What is the primary cause of data breaches?

Answer 19

Malicious activity, which accounts for roughly half (50%) of all data breaches.

Question 20

Does the extensive use of data loss protection increase or decrease the cost of responding to a data breach?

Answer 20

Decrease.

Question 21

Does the appointment of a Chief Privacy Officer increase or decrease the cost of responding to a data breach?

Answer 21

Decrease.

Question 22

Other than malicious activity, what are the other two primary causes of a data breach?

Answer 22

System glitches and human error.

Question 23

Do compliance failures increase or decrease the cost of responding to a data breach?

Answer 23

Increase.

Question 24

What are some of the responsibilities of the persons leading a data breach response?

Answer 24

(1) Coordinate with team leaders;
(2) Maintain a budget;
(3) Engage and manage outside legal counsel and vendors;
(4) Prepare a final report or analysis; and
(5) Lead post-incident activities to reduce future risk.

Question 25

What is a legal “privilege”?

Answer 25

An evidentiary rule that allows a witness (including an organization) the option to not disclose information, documents, or testimony that would normally otherwise be required to be produced as part of litigation or regulatory enforcement.

Question 26

Does extensive cloud migration increase or decrease the cost of responding to a data breach?

Answer 26

Increase.

Question 27

What principles should guide notification to internal employees that a data breach has occurred?

Answer 27

Transparency and forthrightness.

Question 28

What typically guides an organization’s response to a privacy incident?

Answer 28

Applicable laws, and especially data breach notification laws.

Question 29

Plans on how to address a data breach or privacy incident are more frequently being incorporated into what other type of business planning?

Answer 29

Business continuity planning.

Question 30

What are some of the key areas that a privacy incident response plan should focus on?

Answer 30

How to protect privilege,
The roles and responsibilities of team members,
How to escalate possible issues and report suspicious activities,
Severity rankings,
Interactions with external parties, and
Integration with business continuity plans.

Question 31

How is privacy incident response training funded in most organizations?

Answer 31

There is no universal approach, and each organization is different; but funding will often come from a cross-section of departments, including IT, legal, and HR.

Question 32

What are some tasks that the FTC recommends in analyzing and fixing vulnerabilities following a data breach?

Answer 32

Re-evaluating third party service providers and data segmentation practices.

Question 33

What is one way organizations may manage the multiple departments that are involved in responding to a privacy incident?

Answer 33

Appointing an oversight team that will provide high-level leadership.

Question 34

What are some examples of the ways in which an organization may be made aware of a potential data breach?

Answer 34

Internal screening mechanisms, customers, news reports, or even the person conducting the cyberattack.

Question 35

What are two privileges that are particularly important to preserve when responding to a data breach?

Answer 35

(1) Attorney-client privilege; and
(2) Attorney work product privilege.

Question 36

Most organizations experiencing a data breach estimate that the percentage likelihood that they will experience another in the next two years is roughly how high?

Answer 36

25-30%.

Question 37

What are two reasons why organizations might offer remediation services to customers affected by a data breach?

Answer 37

(1) It is mandated by law; and
(2) To maintain good will with customers.

Question 38

Does the engagement of consultants increase or decrease the cost of responding to a data breach?

Answer 38

Increase.

Question 39

True or False: Responding to a privacy incident involves running through an ordered list of response steps.

Answer 39

False. There is no simple checklist organizations can follow in responding to a privacy incident.

Question 40

What are some best practices when working with an industrial-scale printer to provide data breach notifications?

Answer 40

(1) Establish a secure data transfer channel;
(2) Create a letter copy in a preferred format (e.g., Microsoft Word);
(3) Obtain content approvals from the legal team; and
(4) Supply a return address for undeliverable mail.

Question 41

During the process of containment and remediation, organizations must be sure to avoid what?

Answer 41

Destroying or failing to preserve evidence that is needed to investigate the incident or ensure that other aspects of a response plan are completed appropriately.

Question 42

When should organizations enter into contracts with data breach vendors, such as call and mailing centers?

Answer 42

Before a breach occurs.