One of the most talked-about risks today is a data breach, which can and will cause havoc in any organization. Most mid-size companies have not taken this risk seriously despite almost daily news about the effects of cyber risk. The recent article in the February 2012 issue of CFO magazine notes it is happening more frequently, especially to mid-size companies, and should serve as a clear warning to a company’s senior leadership – Get your “Cyber” House in Order!
With the cost of a compromised electronic record now pegged at $214 each, coupled with obligations under state notification laws and the damage an organization can suffer in productivity and reputation, data breach and cyber security are not exposures to be taken lightly.
While, as the article suggests, insurance is available for these types of exposures, the insurance industry rarely underwrites “a house on fire”. It is therefore critical that a company take a thoughtful approach to risk control and security measures so that it can get its technology house in order before seeking insurance for further risk mitigation.
The Risk & Insurance Management Society (RIMS) recently interviewed a cyber liability insurance executive[1] to discuss notification challenges following a data breach. The following is an excerpt from the interview:
“Think about a situation where someone breaks into my car and steals a laptop out of the back seat and there was some sensitive information on the hard drive. Whether or not we have evidence that the person was aware of the data, [these] regulations require that I notify those individuals.
Now, you have to incur the cost for notifying individuals, the forensic analysis, the call centers. Those are costs that companies in the past didn’t have to incur and now they do — for an event where you don’t even know if the [thief] knew the information was on the computer.”
Data breaches are not limited to electronic exposures, although the vast majority emanate from some form of electronic means. Careful disposal and management of paper records and client source data must be incorporated into a company’s “Data Security Best Practices”.
What should an organization do if, despite all the measures taken, a data breach occurs? Just like when we were in grade school, go through a “Data Breach Fire Drill”. Ask yourself questions such as: What is the public relations impact? Do you have legal advisors who are aware of the implications? Will your technology partner be able to get you back up and running in an acceptable time frame?
If you would like to discuss a data breach risk mitigation plan or how to deal with the type of claims or liabilities that present themselves from a data breach, please do not hesitate to contact me.