

When technology goes wrong: the Data Breach Contingency Plan
What would happen if you lost your customer database? What would you do if you realized your network had been hacked and sensitive data had been accessed? Do you know what kind of data you hold and what your obligations are if that data were released to unauthorized persons?
Your company’s data is a vital asset. It’s also a giant liability. Databases full of credit card information, customer data, inventory systems, and intellectual property (“how we do what we do”) are examples of the sensitive data you count on and protect every day. As a business owner, the realization that you can’t access your data, or that your data has been (or even might have been) exposed to outsiders, can be a gut-wrenching experience.
In our super-mobile and phenomenally digital world, there are numerous new tools that make daily tasks easier and faster for employees and customers alike. Smartphones, social media sites, cloud computing, thumb drives, eCommerce tools, and tablet-style computers are just a few examples. But with these sleek devices, software, and online resources come great risks. Business owners need a plan for responding when one of these great solutions has opened the door to an information catastrophe. Following are a few guidelines for creating a Data Breach Contingency Plan.
1) Create a Response Team. Do you know who will huddle around the table when an executive’s laptop computer is stolen from their vehicle? This team might consist of a representative from the IT team, legal counsel, your public relations professional, the compliance officer, the CFO, and someone from each of the company’s business units. This team should be able to answer questions like: “What was on the laptop?” “Was the drive encrypted?” “What can it access?” “Can we shut it down or wipe it remotely?” “What are our legal obligations based on the type of data lost?” “Whom do we need to notify: customers, shareholders, news media, our insurance company?”
2) Create solid documentation. If there were a data breach, would you know exactly who had access to your system before the event? Did each user have a distinct account and password, or was there a shared one for a group of people? (With a shared login you cannot tell which person did what, which makes the investigation far harder.) If your IT professional is conspicuously absent during the crisis, do you have a roadmap you can give to another IT professional stepping in to solve the situation? Create a log of users, what they have access to, and at what level. Also prepare a map of your network and the configurations for all the devices (routers, switches, printers, laptops, mobile devices, etc.) on the system.
3) Know what information is where. If a sales rep lost her phone, would you know what sensitive data was in her e-mail, contact lists, or bookmarked web pages (pages that saved her username and password)? What can someone access through that phone? When there’s an incident, you need to know what data has been compromised. If it is personally identifiable (such as SSNs, driver’s license numbers, birth dates, credit card numbers, health information, etc.), then you have specific obligations under the law. If, in contrast, the data was a list of your vendors and your purchasing history with them, then your concerns would be entirely different.
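Knowing what was on a lost device usually means scanning its exports (mailbox, contacts, backups) for the regulated data types listed above. The following script is an added example, not part of the original article or any product it mentions: it classifies a small, constructed mailbox export by PII type, uses a Luhn check so that random 16-digit numbers are not reported as card numbers, and masks values in the report so the incident record does not become a second copy of the sensitive data. The sample text and the category names are assumptions for illustration.

```python
import re

# Constructed sample: a few lines standing in for a mailbox export from a lost phone.
SAMPLE_EXPORT = """\
From: sales@example.com
Subject: Q3 order - ACME Corp
Ship to 123 Main St. Contact card on file: 4111 1111 1111 1111 exp 09/27
Applicant SSN 123-45-6789, DOB 1984-07-14
Vendor list: Bolt Supply Co, Fastener World, purchase history attached
Invalid card number for testing: 4111 1111 1111 1112
"""

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# ISO-style birth dates (YYYY-MM-DD) in the 1900s/2000s.
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Find regulated PII in text. Returns a dict of category -> list of raw matches."""
    findings = {"ssn": [], "card": [], "dob": []}
    for m in SSN_RE.finditer(text):
        findings["ssn"].append(m.group())
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # The regex only finds candidates; Luhn filters out non-card digit runs.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings["card"].append(digits)
    for m in DOB_RE.finditer(text):
        findings["dob"].append(m.group())
    return findings


def mask(value: str) -> str:
    """Keep only the last four digits so the incident report does not re-expose the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def summarize(text: str) -> dict:
    """Counts per category plus a flag telling the response team whether regulated PII was present."""
    findings = classify(text)
    summary = {k: len(v) for k, v in findings.items()}
    summary["regulated_pii_present"] = any(findings.values())
    return summary


if __name__ == "__main__":
    for category, values in classify(SAMPLE_EXPORT).items():
        for v in values:
            print(f"{category}: {mask(v)}")
    print(summarize(SAMPLE_EXPORT))
```

Run against a real export, the categories that come back non-empty are the ones that drive the notification obligations discussed above; a vendor list or purchase history produces no findings and is handled as a business matter rather than a regulatory one.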
4) Policies. Policies. Policies. Put solid policies in place to help thwart the potential for problems. Are employees allowed to stream music or news reports on company computers? Are employees allowed to use thumb drives? If a company cell phone is lost, who should be notified first? Do you perform extensive background investigations on your IT people before employing them? Do you thoroughly vet third-party vendors such as website designers, data destruction companies, or data storage providers? These policies should provide best practices, good documentation, and the ability to discipline when needed.
5) Know what you’re insured for. Traditional policies may not cover incidents and costs associated with today’s new technologies. Following is a list of items that new cyber liability policies cover, but many traditional policies do not:
For more information about data breach contingency planning, contact our Tech Secure™ Division.