How Organizations Can Respond to a Data Breach
When a hack is discovered, an organization must first assess the possible damages.
This post was originally published by Parker, Smith & Feek.
By Gregor Hodgson
Every week we hear of a new virus, data breach, or ransomware that threatens our business operations or employee or client information. Many business owners have been hearing about, and are now considering, cyber insurance. But, what exactly is cyber insurance? What does it cover, and is it a good fit for my business?
In order to understand what cyber insurance covers, we first must understand what constitutes a cyber incident. A good definition of a cyber incident is, “The failure to prevent the theft, loss, or disclosure of personally identifiable, non-public information (or corporate information, which you have a written obligation to protect) that is in the care, custody, or control of your organization or a third party, for whom you are legally liable.” This could include the loss of a laptop, a hack of a point-of-sale (POS) system, a phishing scheme that tricks you or an employee into divulging personal information to others, or a hacker who steals data and then extorts your organization by threatening to release the data, or by encrypting the data and offering to sell you the decryption key. Cyber insurance can help you assess the damage, respond to the initial threats, and manage the fallout of such an event.
When a hack is discovered, an organization must first identify what has happened and assess the possible damages. An information technology forensic firm is often engaged to discover what happened, what information was accessed, how the organization’s servers may have been compromised, and what patches or configuration changes are required to correct the problems. Once the forensic firm can identify what information was accessed, legal counsel is engaged to identify regulatory and other reporting requirements. These could include notifying state attorneys general, federal agencies, bank card issuers, as well as business partners. These investigations should be conducted at the direction of legal counsel, with the forensic firm engaged through counsel, so that the findings have the best chance of remaining privileged; courts have not always upheld privilege for forensic reports, particularly where the same firm already worked for the organization under an ordinary IT contract, so the engagement should be set up with counsel from the start rather than after the fact.
Once damages have been assessed, the initial response to the breach can begin. Depending on the size and scope of the breach, state and federal agencies may need to be notified. Organizations that handle payment cards may be required to demonstrate Payment Card Industry Data Security Standard (PCI DSS) compliance to their acquiring bank and the card brands. Other companies need to begin informing individuals affected by the breach and, depending on the jurisdictions, offer credit-monitoring services to those individuals. If the breach included extortion demands, then the organization must decide whether it will negotiate with the extortionists or whether it can restore the needed data from backup systems. Note that restoring from backups addresses encrypted data but does nothing about data that has already been stolen, so an attacker who both encrypted and exfiltrated data may still threaten to release it. If news of the breach has reached the public, then public relations or crisis-management services may be needed in order to communicate with customers and the general public.
Once the initial response is complete, the organization can turn to managing the fallout of the attack. This may include class action lawsuits, regulatory or PCI fines, data restoration, income loss, as well as rebuilding a damaged brand.
A well-structured cyber insurance policy can help an organization address all of the challenges outlined above. In addition to the financial protection, most insurance carriers now offer “data breach coaches” who help the organization manage the entire response. The coaches have managed hundreds, if not thousands, of breaches. Their experience can be invaluable as you attempt to navigate the regulatory and business challenges of a breach. In addition, most insurance carriers can also offer pre-breach services that may include sample data breach response plans, policy limit analysis, discounted antivirus software and employee training, tabletop exercises, and more. Consult with your insurance broker and discover the full value of these evolving insurance policies.
Gregor Hodgson serves as a vice president and account executive for Parker, Smith & Feek.