bile carrier had their information stolen
by hackers who accessed a database run
by credit monitoring firm, Experian Plc.
Hackers accessed names, addresses and
social security numbers.
Commenting on the breach, Francis
said, “Cyber threats are increasing, but
businesses can take action. Hackers have
evolved and are now more sophisticated
He said that the industry is seeing
more state-affiliated hackers coming out
of countries like China, North Korea and
Russia. Some hackers attack companies
because they don’t agree with their ideology
or what their business does, as in the
case with Ashley Madison. “An industry
or outspoken CEO can cause a company
to become a target,” Francis explained.
Data breaches still cause the largest losses for companies, and frequently
the breach is due to vulnerabilities from
within the company such as an employee
who works from home and has his or her
computer hacked, or somehow loses a
computer with unencrypted information.
Small businesses are particularly vulnerable because they may not have the
resources to prevent an attack or they
may believe they would never be a target.
Chris Hauser, second vice president with
Travelers Investigative Services, said that
small businesses also may not vet their
new employees as carefully as larger companies with more resources and may hire
the wrong person, such as an employee
who skims credit cards.
Hauser said, “Sometimes employees
don’t act maliciously, but they may do
something wrong unknowingly.” He gave
an example involving social engineering,
a sophisticated attack where the hacker
poses as a company executive who sends
an employee what looks like a legitimate
email instructing the employee to transfer money from one account to another.
The reality is that the wire transfer goes
into the hacker’s offshore account and the
money will never be recovered.
In another scenario, an employee may
click on a link that puts a Trojan program
on the server that allows hackers to gain
access to the company’s database. Other
hacks may allow someone to access a
company’s social media credentials so
they can take over the firm’s social media
sites and post information that will harm
the business in some manner.
John Mullen, an attorney with Lewis,
Brisbois, Bisgaard and Smith LLP, said
that many companies post the wrong
information on social media or they outsource
data to a vendor who doesn’t protect
the information being shared. It’s still
an issue for the company that outsourced
the data management because they are
responsible for the information.
When companies reach out to his firm,
Mullen said the priority is to get a sense
of what transpired. He asks questions
• Was customer information hacked?
• Were employee records impacted?
• When was the last time the company
purged the data?
• Did they get into your payment processes and access credit cards?
• How far back do the records go?
He doesn’t expect the company to
have all of the answers, but since there
are deadlines for federal regulators, understanding what kind of information is
in play is critical. “We need to deal with
provable facts, bring in a forensic company, develop a scope of work and come
up with a plan of attack,” he explained.
“We need to know how many records
were touched, what burned and what
Managing the message
Once the scope of the breach has been
identified, the company must develop a
plan to share that information with customers, regulators if they are publicly held,
the media and the public in general. How
the details of the breach are explained and
the information conveyed to all of these
constituents is vital in repairing the damage to the company’s reputation.
Melanie Dougherty, CEO and managing
director at public relations firm
Inform, said, “The natural response is to
shut the door to the media, but many
times you are obliged to respond for legal
or regulatory reasons.”
Since many breaches stem from human
error, companies need to be prepared for
this eventuality and work on messages
that will help them recapture their customers
and their reputations. “It’s not the
breach, it’s the perception of a cover-up
that can cost a company,” she added.
“For a small company, a data breach
can force them to shut their doors forever,” said Francis. He shared that one Travelers customer spent around $300,000 to
find out they didn’t have a breach, but it
was still important information for the
company to have and it allowed them to
see how their processes would work in
the event of an actual breach.
Francis identified four common weak
spots for companies:
• Intrusion detection software — this
raises a red flag when a system has been
breached. Francis said it’s important to
have someone in the company monitor
this and respond immediately when a
breach is detected.
• Encryption of private data — encrypting
data can turn a lost laptop into a
paperweight, although a sticky note
with the password on the computer can
undo an expensive encryption program
• Patch management — companies have
to apply patches to fix vulnerabilities in
programs and keep software up to date
• Vendor mismanagement — vendors
have to be trustworthy and protect the
information they are entrusted with for
All companies are vulnerable, regardless
of their size, and insurers are now
tailoring policies to meet the needs of
all businesses. “Less than 20 percent of
companies have cyber insurance now,”
With the reality becoming more of a
“when” scenario as opposed to an “if”
possibility, companies will need to be
proactive in managing this emerging risk.
“Once a data breach happens, the biggest problem is that no one knows who
to call,” added Francis. “It’s important for
businesses to create clear action plans to
help manage the data breach.”