Businesses have all kinds of plans; marketing plans, strategic plans, safety plans, sales plans, production plans, staffing plans, and even cash management plans. But do you have a data breach plan? If we’ve learned anything over the past 7 months, data breaches do occur, and they seem to be occurring at a faster rate than ever before.
Data breaches can happen to anyone. Some of more notable companies that have had the distinction of being in the news over the past 7 months include Target, Neiman-Marcus, Michael’s Stores, eBay, PF Chang’s, and AOL. It’s not just the huge companies that this is happening to though. Take a stroll down the list of reported data breaches since 2005 on the Privacy Rights Clearinghouse website and you’ll find physician groups, car dealerships, community colleges, hospitals, government agencies, communications firms, credit unions, and more.
How bad and widespread is this problem? There have been 4,308 data breaches that have been made public since 2005 with 867,647,607 records breached. The number of reported data breaches for 2013 and so far in 2014 is 745 with 260,355, 675 records compromised. What is more disturbing than these numbers is the fact the vast majority of data breaches are never made public.
Businesses of all sizes should have a data breach response plan outlining what actions will be taken, who’s responsible for them, and how information is to be communicated to those affected such as employees, customers, vendors, credit bureaus, etc. While there is no federal notification law in place, state legislation exists for 47 of the 50 U.S. states. Texas law outlines the following:
- Who should report
- What constitutes sensitive personal information
- When notification should be made
- Consumer reporting requirements
- How notices are to be made
- When substitute notices can be made
- Coordinating communication with law enforcement
At the very least, state guidelines should provide the rough structure for any organization’s response plan.
After the steps are outlined, it’s then important to assign who will be responsible for each step and how coordination will take place. A data breach is not just the responsibility of the information technology person or department. It’s the company’s problem and should be coordinated across departmental lines including executive, IT, legal, public relations, marketing and sales, and even human resources if it impacts employees. For solopreneurs and small businesses, this will require coordination with outside expertise such as an attorney, PR specialist, mail house, etc.
These steps are time consuming and potentially expensive. Having a cyber liability insurance policy, in addition to your general and / or professional liability policy, can help defray some of these costs including:
- The cost to defend suits brought by affected parties
- Failure to maintain reasonable security procedures
- Response expense arising from notifying affected individuals of the breach, providing them with a suite of services to deal with the breach, as well as legal and forensic technology reviews
- Identity recovery
For more information on cyber liability insurance, see our earlier blog post, Cyber Liability Insurance for Small Business at http://126.96.36.199/~wiseinsu/cyber-liability-insurance-small-businesses/.
Creating a data breach response plan is important and should be approached with the same care and attention an organization takes with all of their strategic planning. The likelihood of it happening is too great to ignore. If you have a question, comment, or suggestion on creating a data breach response plan, please share them with us in the comments section of our blog or on our Google + and Facebook pages. I’d love to hear from you!