Results of a study on corporate confidence in responding to a data breach are in, and of the 604 executives who responded, just 34 percent feel their company’s data breach response plans are effective. Though data breaches ranked second only to poor customer service, the third annual study, released by Experian Data Breach Resolution and the Ponemon Institute, reveals the gap between how prepared companies are for a data breach and the impact one could have on the business.
The effect of a data breach on a business can be fatal in some cases, said Joe Salpietro, cyber insurance claims manager for CyberClaims911.
“Loss of reputation is something that is very difficult to bounce back from,” Salpietro said, especially if the business serves a niche industry, like Ashley Madison.
As data breaches evolve from information obtained via stolen devices, by rogue employees or through inadvertent transmission of email or electronic protected information to more sophisticated forms of hacking, cyber criminals are becoming savvier in how they infiltrate computer networks, said Sian Schafle, an attorney at Lewis Brisbois Bisgaard & Smith specializing in data breaches.
As awareness of protected information increases, there is more incident reporting because people are more knowledgeable that certain types of data constitute protected information under state and federal laws or regulations, said Schafle.
“You’re seeing a lot more awareness and therefore a lot more reported incidents than you did, let’s say, several years ago,” she said.
Before a breach occurs, she said it’s always a good idea to have incident response plans in place – policies and procedures that protect data privacy – as well as annual employee training.
While employee negligence has been noted to be a leading cause of data breaches, employee security training remains lacking, according to the Experian/Ponemon survey.
Half of the company executives that responded said they do not receive data protection training as part of new employee onboarding.
“It’s also a great idea to know what you’re going to do when you do experience the breach, so having an incident response plan in a very concise, executable fashion is something that they can do,” she said.
Although some businesses reported having a plan, 30 percent of organizations never practice their response plan, with difficulty scheduling cited as the top reason why, according to the Experian/Ponemon survey.
In addition, she recommended businesses conduct risk and security assessments of their system to understand what information they have stored, where it’s contained and how it can best be protected.
“That usually involves bringing in a third party, forensic vendor or somebody that can come in and help them understand that, and help them conduct those tests,” Schafle said. “It could mean bringing in somebody like a breach coach to look at their policies and procedures, to help them develop them based upon what is required of them, either through regulation or law.”
Once a business discovers a breach they should report the claim to their cyber carrier, Schafle said.
“Through that they’ll be able to gain access to different resources that will help them navigate and respond through the breach,” Schafle said.
Forensics will help businesses identify what happened, how it happened, when it occurred and the type of data compromised.
The next step is to make sure there is compliance with applicable laws relating to data breach reporting, she said. A breach coach will help businesses report to regulators and identify whether there is a statutory requirement to do so.
“That would fall into the notification aspect of the breach response, wherein they would bring in…a third party provider to help them notify the affected individuals and maybe provide them credit monitoring or some sort of identity monitoring,” said Schafle. “That is a statutory requirement in only two states, California and Connecticut, but has become more of an industry standard and expectation.”
A public relations company may be hired to help businesses preserve their brand and protect against any reputational harm that could occur, she said.
Lastly, companies will likely need to work with their IT personnel to ensure evidence is maintained and preserved, Schafle said. This includes documenting what has been done in response to an incident and preserving any logs or forensic evidence that could later be requested, either through litigation or regulatory action.