It’s been a week, folks. Not even a week. And we’ve already got a looming hot war, an active cyberwar, three major data breaches, and the promise of a major fight over GDPR on the very near horizon. Apparently, 2020 is going to be like 2019, just more so.
Normally, this is the time of year when we’d give our list of predictions for the year, and explain what we think are going to be the major trends. We still plan to do that. But, in context, we think it’s more important to talk about how you should approach managing a crisis, both from a regulatory and a commercial perspective.
Step One – Have a Plan to Begin With
One of the fundamental mistakes we see businesses make is assuming that they will be able to handle a crisis by tackling the problems as they arise. “As long as we keep calm, we should be able to weather the storm.” But that completely misses the critical point that it’s having a plan that allows you to keep calm in a crisis. I had a law professor who used to talk about “cold facts” and “hot facts.” Cold facts were the things that you knew, that you could plan for, that you understood about yourself, your business, your customers, and any other information that was on-hand. The known-knowns, and even some of the known-unknowns. These are the things you can account for. Hot facts were the complete unknowns, the unk-unks, the wildcards that emerged and for which no amount of planning could prepare you.
Good business sense, no less than good legal acumen, is about understanding that every problem presents the cold facts and hot facts together. If you’re spending 80% of your time on the cold facts, you’re spending 80% of your talent and energy on them too. That’s a waste: you need that energy and attention to handle the unexpected. Spending the time, in advance, to set out how you’re going to address crises is a central component of mitigating their costs and consequences. That’s why insurance companies look for foresight and planning when they work through cyberinsurance rates, and why regulators look at how well you’ve planned for an emergency when they come in to conduct a post-crisis audit.
Taking the time (while you have it) to create a plan, then, is really about adequate resource and time management. You’re essentially buying time in the future by spending time on it now, which is an investment that experience tells me is absolutely worth it. I’ve been involved in internal responses to breaches or external investigations in both scenarios, and the sense of sheer panic when there wasn’t a plan to begin with is palpable. So spend the time, this month, to create a plan.
Step Two – Execute on the Plan
It shouldn’t be necessary to make this an actual step in the process, but you might be surprised to learn how many times a crisis strikes, someone asks “what do we do,” and — despite the existence of a well-reasoned, thoughtful response protocol — everybody just kind of shrugs their shoulders and gives the “I dunno” look.”
The problem typically lies in the fact that, after the drafting of a response plan, it is never used as a component in training or brought out to discuss as time goes by. Often, a breach or incident response protocol will reflect business practices or software platforms long since abandoned, which means the protocol itself is worse than useless: it is a reminder of a failure to follow through or continue to treat data security or privacy protection as an integral part of what you do. Think of it this way: if, at your business, every fire extinguisher was empty and the sprinkler system was never connected, would the a post-fire investigation commend you for having both? Or would it make things a whole lot worse?
It takes more than the mere existence of a plan to make the plan valuable, then. Implementation requires practice, of course, but it also requires a sense of urgency. We recommend a rapid-response timeline that allows for gathering and deployment of resources in a very short period. At the same time, not every crisis requires the same degree of response: if an intern left their locked company phone at grandma’s house, it can be resolved with minimal fuss; if the accountant’s unlocked laptop was stolen, it’s time to call the CEO and your lawyer.
Why else does execution matter? Because time counts. It’s true that a fast response means that you’re focused on the problem and that, if personal data is involved, you’re trying to mitigate risk to your customers. But there is another, serious component to this, which is the very short deadlines that laws like GDPR impose when it comes to reporting an incident. Under GDPR, a company has 72 hours to report a personal data breach to the supervisory authorities. The guidance from data protection authorities is essentially that, if you’re not capable of reporting a breach in that time, you probably weren’t following GDPR anyway, which means the inevitable investigation will start out with you already on the back foot. If you want to avoid that, and ensure that you have at least a semblance of strategy to your response, it’s crucial that you know, and use, your response plan.
Step Three – Conduct a Post-Hoc Review
If you’ve drafted a strong response protocol and given yourself as much of a chance for success as possible by actually following it, two things are certain. First, you’ll have saved time that you were able to devote to the crisis. Second, your plan absolutely did not cover all contingencies, and you’ve had to improvise, modify, or redirect resources as a consequence. That’s good, though. If you have been forced to rethink aspects of your response, it means that you didn’t mechanistically apply the plan and simply exclude any facts or considerations that were outside of it — something that really does happen all the time.
The important thing to do in the post-crisis period is review, reflection, and revision. What exactly were the modifications you had to make in response to unknown facts? Did you have to bring in an outside vendor? What were the costs, and would you use them again? How much longer did it take to identify the source of the problem than you anticipated, particularly because (as with any problem) it didn’t come up until 4:40 on a Friday afternoon?
When conducting a post hoc (or even a post-training) review, we typically use a three part assessment test. Each part interrelates to the others, but they give a general idea of what worked and what needs to be changed.
1. Did Our Initial Response Work?
It’s fine to have a plan, but if the first response doesn’t actually produce desired or intended results, you have to ask yourself why. One of the most valuable lessons we’ve learned over the years is that, while plans typically focus on technological or regulatory issues as a solution to whatever prompted the crisis, it is almost always a human issue that lies at the root of a problem. Whether it’s poor training, use of shortcut tools, or simple unawareness of risk, people tend to be at the root of problems much more frequently than pesky laws or finicky technology.
2. Where Did We Waste Time?
This is an important question, because time is typically the most valuable resource during a crisis response. But it is crucial not to mistake time spent trying to identify causes or solutions as wasted time: that will always be baked into any response. The real time waste comes with things like taking too long to get a first email, meetings where the necessary team members didn’t attend, calls to vendors who couldn’t follow through, etc. These are the lessons you learn just as much in practice as in the real thing, and so the more you practice, the more you’re able to hone your response and do better the next time.
Think of it this way: squirrels don’t actually remember where they bury acorns, they remember their method for finding places to bury certain kinds of acorns, and then follow it. It’s brilliant: they don’t have the capacity to remember absolutely everything, but they recognize how they came to whatever conclusions they did and follow through on it. You should be finding ways to make your solution-finding algorithm faster and more efficient. Basically, be more of a squirrel.
3. What Worked (and What Didn’t?)
It may seem obvious, but ask which proposed solutions worked best, and why? Was it really just a question of changing a few passwords, or was a forensic analysis necessary? As with analyzing time spent, this process is far less about identifying particular solutions (because past performance is no guarantee of future utility) than about identifying how you found the useful solution. That’s exactly what you should be doing: figuring out how you figured out what the solution was or, conversely, what proposed fixes wouldn’t work. To put it in internet terms:
The final aspect to all of this is making a record of what you’re doing and what you’ve learned. Not only will it help solidify the lessons and clarify the confusing aspects of what took place, it will give you an audit trail demonstrating how you’ve responded, adapted, and improved your response mechanism. That comes in particularly handy in the event of litigation or a regulator review. As Elizabeth Denham, head of the Information Commissioner’s Office put it, you need to be be able to “show us and prove to us that this data breach wasn’t just a one off, but you actually have the rigor of good sound data governance in place.” A record of steady improvement and training does just that.
There’s no way to predict and prevent every data crisis you may face, and promises of tech panaceas are little more than pitches for snake oil. But you can predict with some confidence that, eventually, you’ll face some kind of crisis about data, privacy, or both. Planning, training, carry-through, and review are the only ways to ensure that you minimize the potential harms and demonstrate your commitment to doing better. In an uncertain time, reliable attention to detail and process is often the most valuable trait, which means the time to start being consistent is now.