Be Prepared for Even the Smallest Data Breaches

Whenever there’s a news headline about the latest data breach incident, it usually means that a hacker has stolen the private records of thousands of people. More often than not, hundreds of thousands.

But many more data breach incidents, involving far fewer victims, never make the news.  Maybe a couple of files were left behind on an airplane.  Maybe a cell phone with a half-dozen sensitive downloads was stolen at a restaurant.  Maybe a tax form was emailed to the wrong person by mistake.

It doesn’t matter whether the breach involves thousands or dozens: companies face the same requirements and costs, just on a smaller scale. The obligation to notify the victims within a certain deadline, usually 45 days but sometimes fewer, does not go away. Legal advice, computer forensic experts, public relations, mailing notifications, and offering credit monitoring are all expenses companies face no matter how small the breach may be. And, perhaps more importantly, companies also suffer the same reputational damage if they appear to be careless in their handling of sensitive information.

Sometimes the actual expenses do not amount to much. A recent survey conducted by the Society of Corporate Compliance and Ethics and Health Care Compliance Association found that while 62% of companies had suffered at least one breach, and 22% of companies had suffered 4 or more breaches, the vast majority were not particularly costly. 49% responded that the costs were under $50,000, and another 35% reported that their particular breach did not require any material costs to resolve.

On the flip side, this same survey reports that about 9% of the time, the costs exceed $100,000.  The Ponemon Institute, which conducts a regular survey of breaches, found that the average cost of a large breach exceeds $4,000,000.

One of the ways to keep the costs of a breach low is to be prepared.  It is important simply to accept the reality that some kind of breach is probably inevitable. Taking active steps to prepare is a critical element of basic corporate risk management. There are three key elements to this effort:

  1. Have a Plan – All organizations should have a basic Incident Response Plan outlining the various steps.
  2. Assign Responsibilities – It is very helpful to know, in advance, who in the organization is going to be taking responsibility for investigating the facts and making sure that all the obligations that follow a breach are properly met.
  3. Survey the Operations – Give some basic thought to the kinds of information your company stores, for what purpose, where it is stored, and how it is stored.

More and more companies are also including Cyber Liability Insurance as a way to bolster their preparation. Insurance companies partner with experienced Cyber consultants and attorneys who come to the rescue of companies that have suffered breaches and make sure that all the regulatory i’s are dotted and t’s are crossed. They help with public relations and the costs of notification. They know that if the response is comprehensive and all the rules are followed, a company is much less likely to find itself in court over a breach. Perhaps best of all, the fees for these consultants are negotiated up front, absent the stress of dealing with an actual data breach.

No matter the size of the breach, it pays to be prepared.  Cyber Insurance can be an important part of that preparation.  Propel can help.

Propel Insurance