By Angelique Carson, CIPP/US

At a May 16 IAPP KnowledgeNet on Pre-Breach Preparedness, Joe Burgoyne, corporate manager of security at Osram Sylvania, opened the “privacy panel” with a somewhat startling prompt: Raise your hand if you know where all of your company’s data is. Of the 100-plus attendees, maybe two hands went up—hesitantly.

The response didn’t shock Burgoyne. It served as a pretty strong segue to his first point when it comes to preparing for a breach: Be proactive. It’s essential to identify risk areas, he said. What risks is your company exposed to that could put protected data in jeopardy? Understanding those, he said, will help to avoid breaches.

Before a breach occurs—when the climate is relaxed and the hourglass isn’t rapidly losing sand—is the best time to assemble a breach-crisis team. These folks should represent a cross-section of specialties, perhaps representatives from IT, compliance and outside counsel.

Joe Burgoyne from Osram Sylvania, Larissa Crum from Immersion, and Nancy Kelly from Governo Law pose with KnowledgeNet Chair Joe Nugent at yesterday’s KnowledgeNet on breach preparedness and cyberinsurance.

“Identify (the team) upfront. It’s not a really difficult thing to do now, but it is difficult when you have a breach and everybody is panicking,” Burgoyne said. “Talk these things out now, while you have time to do it.”

The key steps to avoiding a breach, according to Burgoyne, are to know your environment; understand your business; know the key business players; be a part of the decision-making process; educate your C-level executives on the importance of data privacy, and communicate the risk and costs of noncompliance.

Pointing to a recent healthcare study by the Ponemon Institute, Burgoyne noted that insider negligence continues to be the most common root of data breaches, whether they be due to lost or stolen devices, employee mistakes or third-party errors. 

If or when a breach does occur, he said, the most important steps to take are:

  • Secure the scene.
  • Take compromised or infected machines offline.
  • Preserve evidence and/or logs.
  • Document everything.
  • Notify and activate the breach-crisis team.

“Make sure the people who have to be called are called early,” he said. “Try not to change anything radically that might help you understand the extent of the loss.”

Nancy Kelly from Governo Law discussed the importance of cyber insurance coverage, saying breaches are “virtually inevitable,” and “a single breach can cost millions of dollars.” That’s often because of regulatory compliance costs; 46 states now have breach-notification requirements, an increasing trend given the rate at which laptop and other portable device theft occurs.

Consumer notification costs include establishing customer call centers, offering credit monitoring and facing regulatory fines and private litigation, as well as intangible costs such as damage done to a brand’s reputation.

Attendees of this Dedham KNet were treated to a movie-theater style showing.

Echoing Burgoyne, Kelly said preparedness is going to mean cost savings in the end. “It’s much easier to frontload these things and do them from the beginning rather than have them arrived at in an enforcement negotiation with a regulatory agency,” Kelly said. “And generally speaking, it’s more expensive when doing that after the fact. If you’re planning it on a budget sheet, you have the resources you need and the processes and procedures.”

Standalone cyber insurance is still a growing market, but it’s something many companies are now pursuing. However, Kelly said, coverage can vary widely, and it’s a matter of semantics. It tends to cover both first-party and third-party damages. Typically, first-party coverage includes notification and crisis management expenses; cyber extortion and terrorism; digital asset loss, and business-interruption loss. Third-party coverage tends to include lawsuit defense and judgments and settlements.

All of this is negotiable, Kelly said, adding it’s important to ensure your company’s sublimits are high enough.

“One advantage of standalone cyber insurance is you will have dedicated limits. And you may need all of what you’ve got for one incident. The factors you must consider with your carrier and your risk management team is what your limit should be.”

It’s important to remember that many states don’t permit insurability of punitive damages, she said. It’s also important to do due diligence when it comes to obtaining coverage. 

“Consider, if you are a large company, do you have a risk management team? Or are you a smaller, lean company who outsources functions? That will drive what policy you want.”

Larissa Crum, executive vice president at Immersion, moderated the panel. She added that many policies will cover voluntary breach notification, noting Reputation.com’s recent decision to e-mail customers about a hack not because of a legal requirement but out of an abundance of caution.

“Many policies will cover that,” Crum said.

The role of a cyber-insurance carrier in a breach is to coordinate the response, including legal considerations, forensics and notification, Kelly said, and the carrier prefers to be immediately involved.

In negotiating with carriers, it’s important to establish a broad definition of “loss” so it includes the costs associated with regulatory enforcement and a broad definition of “claim,” one that covers demands for payment and complaints filed privately or by a regulatory agency.

“Anecdotally, the more money spent ahead of time on preparing for breach notices, the less the carrier spends after the breach,” Kelly said. “Some carriers provide the handling of all aspects of a data breach from start to finish, which means better and faster compliance. But it also means cost and privilege issues, and the interests of the insured and carrier are not always aligned.”

Crum emphasized that when vetting vendors, it’s essential to ask carriers whether they are experienced in cyber insurance and in actually handling claims. Experience is key.
