Cyber security and privacy starts with good planning
March 11, 2014
It’s not so much a question of if it will happen, but when it will happen.
Data breaches have escalated to one trillion dollars worldwide. In 2013, more than 740 million records were hacked, putting the year on record as the worst data breach year in history. We are a culture that increasingly relies on technology and devices. Whether it’s to entertain, do business or connect with people — we are all users of technology and we are all at risk.
Recently, I took part in a discussion with the Atlantic Council’s Jason Healey, director of the Council’s Cyber Statecraft Initiative, which focuses on international cooperation, competition, and conflict in cyberspace. The event was hosted by the New Yorker and the topic, of course, was cyber security.
Information security and privacy liability has been discussed at great length in several forums, but the same core principles of risk management still apply — have a plan for when a breach happens, because any data in the care of your business is at risk. This is why it is important to build a culture of awareness within your organization to ensure effective escalation and timely response. A few quick planning steps to consider:
- Preparation is key: Have a plan and practice that plan.
- Know what data is managed or accessible by third-party vendors and understand the controls they have in place.
- Have third-party vendors for notification and credit monitoring lined up.
- Be sure you have a strong communications plan set up, either through your own public relations firm or a third party, and develop a statement addressing the situation and how it is being handled.
- Have a FAQ website ready to launch where victims can get answers.
- Be sure to consult with peers on how they are preparing or how they have handled a breach situation. Find out what consultants they used, and if they’re good you may want to consider placing them on retainer to go into action if a breach occurs.
- Perhaps the most important step is to communicate in-house. Make sure the members of your team, which includes general counsel, the risk manager, supply chain manager, public relations, operations and IT, are all talking to one another to ensure no efforts are being forgotten or wasted.
Taking preventative measures is critical to reducing the risk of a data breach; however, there is no guarantee that those measures will prevent the threat. Being vigilant in testing and protecting your data is the best form of risk management.
This is especially true if you have a third-party vendor retaining data for you. You need to make sure that they have processes in place to secure that data. If they have a breach, your company will not be absolved of its responsibility because they were the ones managing the data. You may still be held liable for the vendor’s negligence, and you’re responsible for compliance with notification requirements.
So how can insurance help? Insurance can help with pre-breach planning and post-breach response services such as notification, forensics, credit monitoring, and public relations costs. The coverage is evolving as new scenarios and attack vectors emerge, so partnering with an insurer and broker who specialize in this space is essential to determining your exposures and coverage needs.
Is your business being proactive in the war on data? What steps are you taking to make sure your information is protected?