By Angelique Carson, CIPP/US

At a May 16 IAPP KnowledgeNet on Pre-Breach Preparedness, Joe Burgoyne, corporate manager of security at Osram Sylvania, opened the “privacy panel” with a somewhat startling prompt: Raise your hand if you know where all of your company’s data is. Of the 100-plus attendees, maybe two hands went up—hesitantly.

The response didn’t shock Burgoyne. It served as a pretty strong segue to his first point when it comes to preparing for a breach: Be proactive. It’s essential to identify risk areas, he said. What risks is your company exposed to that could put protected data in jeopardy? Understanding those, he said, will help to avoid breaches.

Before a breach occurs—when the climate is relaxed and the hourglass isn’t rapidly losing sand—is the best time to assemble a breach-crisis team. These folks should represent a cross-section of specialties, perhaps representatives from IT, compliance and outside counsel.

Joe Burgoyne from Osram Sylvania, Larissa Crum from Immersion, and Nancy Kelly from Governo Law pose with KnowledgeNet Chair Joe Nugent at yesterday’s KnowledgeNet on breach preparedness and cyberinsurance.

“Identify (the team) upfront. It’s not a really difficult thing to do now, but it is difficult when you have a breach and everybody is panicking,” Burgoyne said. “Talk these things out now, while you have time to do it.”

The key steps to avoiding a breach, according to Burgoyne, are to know your environment; understand your business; know the key business players; be a part of the decision-making process; educate your C-level executives on the importance of data privacy, and communicate the risk and costs of noncompliance.

Pointing to a recent healthcare study by the Ponemon Institute, Burgoyne noted that insider negligence continues to be the most common root of data breaches, whether they be due to lost or stolen devices, employee mistakes or third-party errors. 

If or when a breach does occur, he said, the most important steps to take are:

  • Secure the scene.
  • Take compromised or infected machines offline.
  • Preserve evidence and/or logs.
  • Document everything.
  • Notify and activate the breach-crisis team.

“Make sure the people who have to be called are called early,” he said. “Try not to change anything radically that might help you understand the extent of the loss.”

Nancy Kelly from Governo Law discussed the importance of cyber insurance coverage, saying breaches are “virtually inevitable,” and “a single breach can cost millions of dollars.” That’s often because of regulatory compliance costs; 46 states now have breach-notification requirements, an increasing trend given the rate at which laptop and other portable device theft occurs.

Consumer notification costs include establishing customer call centers, offering credit monitoring and facing regulatory fines and private litigation, as well as intangible costs such as damage done to a brand’s reputation.

KnowledgeNet in Boston

Attendees of this Dedham KNet were treated to a movie-theater style showing.

Echoing Burgoyne, Kelly said preparedness is going to mean cost savings in the end. “It’s much easier to frontload these things and do them from the beginning rather than have them arrived at in an enforcement negotiation with a regulatory agency,” Kelly said. “And generally speaking, it’s more expensive when doing that after the fact. If you’re planning it on a budget sheet, you have the resources you need and the processes and procedures.”

Standalone cyber insurance is still a growing market, but it’s something many companies are now pursuing. However, Kelly said, coverage can vary widely, and it’s a matter of semantics. It tends to cover both first-party and third-party damages. Typically, first-party coverage includes notification and crisis management expenses; cyber extortion and terrorism; digital asset loss, and business-interruption loss. Third-party coverage tends to include lawsuit defense and judgments and settlements.

All of this is negotiable, Kelly said, adding it’s important to ensure your company’s sublimits are high enough.

“One advantage of standalone cyber insurance is you will have dedicated limits. And you may need all of what you’ve got for one incident. The factors you must consider with your carrier and your risk management team are what your limit should be.”

It’s important to remember that many states don’t permit insurability of punitive damages, she said. It’s also important to do due diligence when it comes to obtaining coverage. 

“Consider, if you are a large company, do you have a risk management team? Or are you a smaller, lean company who outsources functions? That will drive what policy you want.”

Larissa Crum, executive vice president at Immersion, moderated the panel. She added that many policies will cover voluntary breach notification, noting Reputation.com’s recent decision to send an e-mail to customers about a hack not out of a legal requirement but out of an abundance of caution.

“Many policies will cover that,” Crum said.

The role of a cyber-insurance carrier in a breach is to coordinate the response, including legal considerations, forensics and notification, Kelly said, and the carrier prefers to be immediately involved.

In negotiating with carriers, it’s important to establish a broad definition of “loss” so it includes the costs associated with regulatory enforcement and a broad definition of “claim,” one that covers demands for payment and complaints filed privately or by a regulatory agency.

“Anecdotally, the more money spent ahead of time on preparing for breach notices, the less the carrier spends after the breach,” Kelly said. “Some carriers provide the handling of all aspects of a data breach from start to finish, which means better and faster compliance. But it also means cost and privilege issues, and the interests of the insured and carrier are not always aligned.”

Crum emphasized that when vetting vendors, it’s essential to ask carriers if they are experienced in cyber insurance and actually handling claims. Experience is key.


