After the data breach: Now what? by Patricia Harman

Data breach – those two words stir fear in most people. According to Privacy Rights Clearinghouse, more than 864 million personal records have been breached in the U.S. since 2005. With approximately 40% of the people in the world online, the number of breaches will only increase.

So it’s not a matter of if your company is breached, but when. While it’s important to take the steps necessary to prevent a breach, preparing for an actual breach is also critical.

Every company should have an incident response plan. This is a written plan of the steps to take when a data breach occurs. It lists the resources the company has available, the resources they need in order to respond to the breach, who should be told, and what actions should be taken and when.

Katherine Keefe, global focus leader for Beazley Breach Response Services, says that the company needs to be able to deploy the resources needed to respond to the breach. “These may include privacy counsel, forensic assistance to identify whether or not there has been an intrusion in the computer system, notification vendors and identity monitoring companies.”

Organizations like Beazley work with clients to develop a range of breach scenarios and test their responses to make sure they will address all of the issues inherent in a data breach. “When a breach occurs, whether it is a lost laptop with company information or a system intrusion, senior leadership in the organization should be told,” explains Keefe.

She recommends contacting a competent privacy and security attorney. “It needs to be someone who specializes in this type of breach who has had experience with hundreds or thousands of cases, not a general practice attorney. You want the expert who has done this hundreds of times.” She compares the selection of an attorney to someone undergoing a hip replacement, you want the physician who has thousands of hours of experience with that type of procedure. There are attorneys and forensic firms that specialize in this area.

An attorney and the forensics company can help evaluate the scale of the breach and the legal issues involved. The attorney and a crisis public relations firm can help with crafting the message: what is said, how it is said, who the spokesperson is, and make sure that the message is consistent and accurate.

There is significant and varied liability when there is a breach because it depends on the organization involved. Healthcare organizations are governed by HIPPA and patients must be notified when protected healthcare information is breached. If they fail to protect or notify patients, they can face liability.

There may also be regulatory liability, as well as liability from third-party claims, so the company suffering the breach should notify their insurer as soon as possible.

Keefe says there are insurance programs that can provide these services, which are pre-arranged. She said it is important to vet a vendor ahead of time rather than waiting until after the breach when the company is in crisis mode. Vendors will know the company is vulnerable and that they can charge exorbitant rates to address the issue.

Vetting a vendor ahead of time also enables the company to step through the first crisis management steps more quickly. Role playing scenarios ahead of time helps staff to understand what will happen, what steps will be taken and where they need to address any holes or issues with the plan.

When do you go public?

After a breach occurs, one of the important questions is when does the company go public with the information. Keefe says a company should not go public if they cannot answer the following questions:

1.   What happened?

2.   Why did it happen?

3.   What is your company doing to prevent it from occurring again?

4.   What does this breach mean to my customer?

She also offers several steps that a company should take after the breach:

1.   Make good on any promises such as providing credit monitoring for a specific period after the breach.

2.   Reinforce your security practices and retrain employees on proper procedures.

3.   Demonstrate to the public and your constituents that the company has taken affirmative actions and has learned from the experience.

4.   Take necessary steps to prevent it from occurring again.

Coverage issues with a data breach

There are several coverage issues to consider with a data breach. This is new territory for many insurers and knowing which questions to ask will help identify what triggers the coverage. “Start with the fact that many insurance companies offering cyber insurance had never faced a claim until 2014,” says Kevin Kalinich, global practice leader, network risk/cyber insurance for Aon Risk Solutions. “A number of key definitions are being scrutinized for interpretation such as, ‘When was the wrongful act or incident that triggered notice?’ and “What if the insured requires multiple IT security experts and different specialist attorneys to investigate and remediate the claim?’ All [of these are] issues that are unique to cyber incidents.”

Other questions to ask include whether or not internal costs are covered if they are less expensive and provide a better option than hiring an outside expert. Another issue involves whether or not authorities request that the insured notdisclose the incident.

For publicly held companies, other issues must be considered. “When a cyber incident results in the loss of business, such as a large customer contract or consumers, then it is material to the financial statements,” adds Kalinich. “If there is a shareholder derivative action, then it impacts the D’s and O’s. The SEC Guidelines for public companies and the NIST Cybersecurity Framework have established new thresholds for plaintiff’s attorneys to allege as the minimum bars must be met. If not, then entities may not only be liable for the network privacy and security incident costs, but the D’s and O’s may be alleged to have not met their fiduciary duties.”

5 ways to avoid a data breach

There are now over-the-counter malware programs available to help hackers infect computers and grab personal identifiable information. Beazely offers 5 steps to help avoid a data breach:

1.       Encrypt your devices

More than 73% of the breaches Beazely consulted on in 2013 could have been prevented if the devices involved had been encrypted. Currently, encryption is a safe harbor under breach notification laws.

2.       Keep patches up to date

Automating your patch management programs can protect devices against malware and hacking.

3.       Use complex passwords

Algorithms can deduce passwords and systematically cycle through different variations of words. Use a combination of letters and symbols.

4.       Watch for phishing

Since most breaches occur because of human error, employees should be aware of the various phishing scams and be trained on how to spot the indicators in a phishing emails. 

5.       Before you hit send…

So far this year, 30% of the breaches Beazley has serviced were due to unintended disclosure. Before sending an email check the contents and the email address to make sure you’re sending information to the right person.