Privacy in a connected world: how to obtain best-in-class data breach practices.
According to a recent report by the Identity Theft Resource Center (ITRC) in San Diego, 656 data breaches were reported in 2008, a significant increase over the 446 disclosed in 2007. The increase came despite a growing body of federal and state laws, the investment in information technology (IT) security measures, and heightened awareness of the rising incidence of data breaches.
For companies in the risk management business, setting a good example for their policyholders to control claims is just one reason for implementing "Best-in-Class" data breach practices. The others range from retaining customer loyalty and brand equity to avoiding the significant and rising costs associated with data breaches.
A study by the Ponemon Institute, a privacy management think tank, found that data breaches now cost organizations an average of $197 per breached customer record and an average of $6.3 million per breach incident. The study also found that organizations experiencing a breach incurred an average of $4.1 million in costs attributable to business lost because of the breach. Neither figure includes the cost of potential lawsuits.
Concerned by these losses and the disturbing data breach trend, some insurance carriers have taken action. Many, including AIG, Beazley/Lloyd's, CNA, Chubb, Hartford and Travelers, have developed cyber-breach policies. While they vary from carrier to carrier, the coverage generally includes Internet media liability, security and privacy liability, customer notification programs, regulatory investigations, credit monitoring, and crisis management. The coverage is often categorized as first-party coverage, for direct losses such as data theft and revenue lost from a system outage caused by an external breach, and third-party coverage, for lawsuits stemming from a first-party loss and for certain regulatory fines. Other carriers have elected to cover certain breach-related costs under their general liability, D&O, and E&O policies.
Preparedness Is Key
Beyond emphasizing adequate coverage, however, pro-active carriers and brokers, along with insurance defense attorneys, have begun advocating aggressively for data breach preparedness. They recognize that insurance is only one component of a sound risk management strategy for data breaches. Equally essential is a preparedness program that applies best practices across compliance and training, IT security, and readiness to manage a breach once it occurs. Insurance carriers and brokers alike would be well served to implement such a program themselves.
To adequately prepare for a data breach, an incident response team should be assembled. Internally, the team should include corporate counsel, the IT security officer, the network systems architect, the information privacy officer, the risk/compliance manager, the chief financial officer, the chief marketing officer and, importantly, an individual designated as the incident response manager to coordinate and liaise with all members of the team. External team members should include representatives from a data breach communications firm and an investigative/fraud protection firm. Other individuals who might serve under members of the response team include the company's general counsel, third-party IT vendors, and the insurance broker.
Each member of the team should be given specific responsibilities, aligned with specific timelines, that reflect their roles in meeting company and industry-specific requirements, federal and state law requirements, and other insurance and risk transfer-related strategies. All of this information should be documented in a "Data Breach Response Planning Workbook." The workbook also should include the following:
* Incident response forms and templates enabling the company to record information relating to a data breach in a thorough, timely manner.
* Federal and state privacy laws.
* Industry-related data breach standards and precautions.
* Helpful Web site links as determined by the data breach communications firm.
* Key contact information for all members of the response team.
Keep It Legal
With respect to privacy legislation, it is critical that companies stay abreast of changes in this fast-growing area. Federal laws that have been on the books for several years include the Fair Credit Reporting Act (1970); the Privacy Act of 1974; the Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley Act); the Health Insurance Portability and Accountability Act (HIPAA); and the Fair and Accurate Credit Transactions (FACT) Act of 2003. At this writing, the federal government is considering nationwide data breach notification legislation to create consistency in breach reporting across the states.
There are now some 40 state breach notification laws, and new, stricter data security laws are introduced regularly. For example, in October 2008 Nevada legislation took effect requiring businesses to encrypt customers' personal information, such as a name combined with a credit card number, whenever it is transmitted electronically outside the business's secure system. Massachusetts has adopted regulations, originally scheduled to take effect in January 2009, requiring businesses that collect personal information from state residents and store it on laptop computers or other portable devices to encrypt that data.
Other states, including Michigan and Washington, are considering similar legislation. In addition to adhering to state laws, companies that operate globally need to consider laws in other countries.
Once the team has been formed and the workbook prepared, incident response training can begin. Led by the data breach communications firm, the training program mirrors the steps that should be taken if a data breach occurs. They include:
Step 1--Data Breach Assessment: Data breaches stem from a variety of causes: internal security failures; viruses, Trojan horses and other malware; malicious acts by a disgruntled employee or an outside attacker; theft or loss of laptops and other electronic devices; and poor business practices, such as printing sensitive information on direct mail pieces. (The ITRC reports that 80.7 percent of data breaches are electronic and 19.3 percent are paper-based.) Every breach should be treated as a potentially criminal act. Just as the police protect a crime scene so that evidence is not compromised, a company should preserve the evidence of a breach: affected systems, logs and devices should be secured and, where possible, left intact or forensically imaged before they are cleaned, rebuilt or returned to service, since wiping a compromised machine destroys the record of what happened and how. As with other crimes, the first 48 hours are critical to the assessment.
Step 2--Team Members' Actions: Acting as if a breach had occurred, each member of the response team would follow through according to their assignment as outlined in the workbook.
Step 3--Implementation: Continuing the exercise, team members are briefed on how the data breach communications firm would act in the event of a breach. Specifically, the firm would:
* Notify individuals whose data had been breached in accordance with federal and state laws.
* Launch the call center support to handle inquiries from individuals whose data was breached.
* Create a breach Web site landing page providing answers to "Frequently Asked Questions."
* Control potential "cyber-spin" by activating search engine de-optimization actions.
* Implement a crisis management plan and public relations strategy encompassing a prepared press statement, communications to employees on company policy relating to questions pertaining to the breach, and communications to company vendors, associates, board members, and the like, advising them of the breach and how it is being managed.
* Provide bundled fraud protection and/or credit monitoring to individuals whose data has been breached.
Step 4--Assessment: A Question & Answer session would be held to evaluate and discuss all of the aspects of the plan and the roles of the team members.
To supplement this incident response practice drill, it is important to conduct annual reviews of the training. These reviews serve as a refresher course for existing response team members and provide the necessary foundation for new members. They also offer the opportunity to update the workbook for changes in legislation, market trends and major developments in privacy law and data breach response.
Jeff Jurick is president and CEO of The Jurick Group, a data breach communications, training and management firm. He may be reached at 516-692-8282 or www.jurickgroup.com.
Feature story. Date: Apr 1, 2009.