Data breach — those two words stir fear in most people. According to Privacyrights.org, over 864 million personal records have been breached in the U.S. since 2005. With approximately 40% of the people in the world online, the number of breaches will only increase. So it's not a matter of if your company is breached, but when. While it's important to take the steps necessary to prevent a breach, preparing for an actual breach is also critical.
Every company should have an incident response plan. This is a written plan of the steps to take when a data breach occurs. It lists the resources the company has available, the resources it needs in order to respond to the breach, who should be told, and what actions should be taken and when.
Katherine Keefe, global focus leader for Beazley Breach Response Services, says that the company needs to be able to deploy the resources needed to respond to the breach. "These may include privacy counsel, forensic assistance to identify whether or not there has been an intrusion in the computer system, notification vendors and identity monitoring companies."
Organizations like Beazley work with clients to develop a range of breach scenarios and test their responses to make sure they will address all of the issues inherent in a data breach. "When a breach occurs, whether it is a lost laptop with company information or a system intrusion, senior leadership in the organization should be told," explains Keefe.
She recommends contacting a competent privacy and security attorney. "It needs to be someone who specializes in this type of breach who has had experience with hundreds or thousands of cases, not a general practice attorney. You want the expert who has done this hundreds of times." She compares the selection of an attorney to someone undergoing a hip replacement: you want the physician who has thousands of hours of experience with that type of procedure. There are attorneys and forensic firms that specialize in this area.
An attorney and the forensics company can help evaluate the scale of the breach and the legal issues involved. The attorney and a crisis public relations firm can help with crafting the message: what is said, how it is said, who the spokesperson is, and making sure that the message is consistent and accurate.
There is significant and varied liability when there is a breach because it depends on the organization involved. Healthcare organizations are governed by

There may also be regulatory liability, as well as liability from third-party claims, so the company suffering the breach should notify their insurer as soon
Keefe says there are insurance programs that can provide these services, which are pre-arranged. She said it is important to vet a vendor ahead of time rather than waiting until after the breach, when the company is in crisis mode. Vendors will know the company is vulnerable and can charge exorbitant rates to address the issue.
Vetting a vendor ahead of time also enables the company to step through the first crisis management steps more quickly. Role-playing scenarios ahead of time helps staff to understand what will happen, what steps will be taken, and where they need to address any holes or issues with the plan.
After the data breach: Now what?
By Patricia L. Harman, PropertyCasualty360.com