By Angelique Carson, CIPP/US
At a May 16 IAPP KnowledgeNet on Pre-Breach Preparedness, Joe Burgoyne, corporate manager of security at Osram Sylvania, opened the “privacy panel” with a somewhat startling prompt: Raise your hand if you know where all of your company’s data is. Of the 100-plus attendees, maybe two hands went up—hesitantly.
The response didn’t shock Burgoyne. It served as a pretty strong segue to his first point when it comes to preparing for a breach: Be proactive. It’s essential to identify risk areas, he said. What risks is your company exposed to that could put protected data in jeopardy? Understanding those, he said, will help to avoid breaches.
Before a breach occurs—when the climate is relaxed and the hourglass isn’t rapidly losing sand—is the best time to assemble a breach-crisis team. These folks should represent a cross-section of specialties, perhaps representatives from IT, compliance and outside counsel.
“Identify (the team) upfront. It’s not a really difficult thing to do now, but it is difficult when you have a breach and everybody is panicking,” Burgoyne said. “Talk these things out now, while you have time to do it.”
The key steps to avoiding a breach, according to Burgoyne, are to know your environment; understand your business; know the key business players; be a part of the decision-making process; educate your C-level executives on the importance of data privacy, and communicate the risk and costs of noncompliance.
Pointing to a recent healthcare study by the Ponemon Institute, Burgoyne noted that insider negligence continues to be the most common root of data breaches, whether they be due to lost or stolen devices, employee mistakes or third-party errors.
If or when a breach does occur, he said, the most important steps to take are:
- Secure the scene.
- Take compromised or infected machines offline.
- Preserve evidence and/or logs.
- Document everything.
- Notify and activate the breach-crisis team.
“Make sure the people who have to be called are called early,” he said. “Try not to change anything radically that might help you understand the extent of the loss.”
Nancy Kelly from Governo Law discussed the importance of cyber insurance coverage, saying breaches are “virtually inevitable,” and “a single breach can cost millions of dollars.” That’s often because of regulatory compliance costs; 46 states now have breach-notification requirements, an increasing trend given the rate at which laptop and other portable device theft occurs.
Consumer notification costs include establishing customer call centers, offering credit monitoring and facing regulatory fines and private litigation, as well as intangible costs such as damage done to a brand’s reputation.
Echoing Burgoyne, Kelly said preparedness is going to mean cost savings in the end. “It’s much easier to frontload these things and do them from the beginning rather than have them arrived at in an enforcement negotiation with a regulatory agency,” Kelly said. “And generally speaking, it’s more expensive when doing that after the fact. If you’re planning it on a budget sheet, you have the resources you need and the processes and procedures.”
Standalone cyber insurance is still a growing market, but it’s something many companies are now pursuing. However, Kelly said, coverage can vary widely, and it’s a matter of semantics. It tends to cover both first-party and third-party damages. Typically, first-party coverage includes notification and crisis management expenses; cyber extortion and terrorism; digital asset loss, and business-interruption loss. Third-party coverage tends to include lawsuit defense and judgments and settlements.
All of this is negotiable, Kelly said, adding it’s important to ensure your company’s sublimits are high enough.
“One advantage of standalone cyber insurance is you will have dedicated limits. And you may need all of what you’ve got for one incident. The factors you must consider with your carrier and your risk management team are what your limit should be.”
It’s important to remember that many states don’t permit insurability of punitive damages, she said. It’s also important to do due diligence when it comes to obtaining coverage.
“Consider, if you are a large company, do you have a risk management team? Or are you a smaller, lean company who outsources functions? That will drive what policy you want.”
Larissa Crum, executive vice president at Immersion, moderated the panel. She added that many policies will cover voluntary breach notification, noting Reputation.com’s recent decision to notify customers of a hack by e-mail not out of a legal requirement but out of an abundance of caution.
“Many policies will cover that,” Crum said.
The role of a cyber-insurance carrier in a breach is to coordinate the response, including legal considerations, forensics and notification, Kelly said, and the carrier prefers to be immediately involved.
In negotiating with carriers, it’s important to establish a broad definition of “loss” so it includes the costs associated with regulatory enforcement and a broad definition of “claim,” one that covers demands for payment and complaints filed privately or by a regulatory agency.
“Anecdotally, the more money spent ahead of time on preparing for breach notices, the less the carrier spends after the breach,” Kelly said. “Some carriers provide the handling of all aspects of a data breach from start to finish, which means better and faster compliance. But it also means cost and privilege issues, and the interests of the insured and carrier are not always aligned.”
Crum emphasized that when vetting vendors, it’s essential to ask carriers whether they are experienced in cyber insurance and in actually handling claims. Experience is key.