Given your many locations around the globe you had early signs that something was going to be happening in the world. How did that help you make decisions about your U.S. workforce?
It really helped us prepare a lot. I was tasked to lead our global incident response. So the chief privacy officer became the leader of our incident response team. Mainly I just knew the company and the operations, and it was easy to help people make the right decisions and empower people.
I think we stood up our incident response team in about mid-February. For U.S. companies, we were at least two or three weeks ahead of a lot of other people in the U.S., and just started to gather information about what was working and what wasn’t working in our offices in Hong Kong and Singapore. Then, as it overtook Europe, we have a very large operation in Milan, as an example, and learned a lot from the experience that they were having in Lombardy. It was basically being able to ingest that information and then put it out to everybody in a way that they could use it and say, “OK, this is what we learned. This is what’s worked.”
I think it also helped us to get the protocols in place, which was, “OK, there’s going to be minimum requirements for equipment to leave our offices.” We want documentation of proper encryption and safety. Do they have the power cords? Do they have the right setups and configurations?
Did you find new vendors during this time and onboard them through your procurement process?
We did, we were able to keep that going. We have a third-party risk management process that we put everybody through. I’d like to think we were pretty rigorous in that we said, “We’re not going to take any shortcuts. I know that everyone is screaming that they want this, and they need it now, but let’s make sure we cross the Ts, dot our Is and make sure that we’re entering into this eyes wide open.”
Is there a plan for any sort of retrospective audit of any new vendors onboarded over the past few months?
Now that we’ve got a little bit more breathing room, as we’re trying to look at reopening, we’ll go back through. To see so much digital transformation happen in such a compressed timeframe, it was pretty impressive. But I do think you have a duty to go back now and say, “OK, we moved quickly. We were successful. It looks like it’s working, but let’s make sure that everything we put in place was right and everything is as it should be.”
Looking around corners, or seeing over the horizon, after experiencing Covid-19, what are things organizations should have on their lists to weather future issues?
One of the biggest preps that we had done was we had rewritten our incident response plan in the summer of 2019, and we had tested it, and we had done a walk-through with senior management in December of our incident response plan. So I had the luxury of having people that I had already locked in a room for six hours and gone through incident response with.
I truly think you should engage with your senior management to say, “We need to understand what our business continuity plan is. Have you seen it?” No one’s going to read a 64-page incident response plan. I gave them a three-pager with highlights. They will read that. The idea was, here are the basics you need to know about our incident response plan. If someone tells you, “We’re activating the incident response plan,” pull that three-pager out; that’s going to give you the information you’re going to need on day one.
The same thing with your business continuity plan. I think everyone’s probably going to be smart enough to have a pandemic section in their business continuity plan now, but what’s next? What if the next massive delay and slowdown of the global supply chain is due to something else? Can you write a section that has to do with that, that doesn’t distinguish the cause right now?
And then the other big thing, I think you’re going to see the interconnectivity between your business continuity and your incident response. Because if we saw anything, they are absolutely correlated.
Comments have been edited for clarity. The full conversation is available as a video from Bloomberg Law.