Skip to Main Content

It Takes More Than an Insurance Policy to Be Prepared for a Data Breach

The news seems to report data breaches almost daily. In the past several weeks, there were two major stories of interest to me. The first was news that Target’s cost to respond to its well-publicized 2013 data breach exceeded $148 million dollars and that its cyber insurance coverage for the year had been exhausted. The second story was about a Russian gang of hackers reportedly having stolen 1.2 billion (BILLION!) user names and passwords affecting 420,000 websites.

As technology continues to evolve and become more fully integrated into everyday life and as more and more customer data is collected, businesses of all sizes must constantly evaluate and reevaluate their exposure to loss from cyber-related events or run the risk of being put out of business.

This may be especially true for smaller businesses. According to an article in PCWorld, 20 percent of small businesses fall victim to cyber crime each year, and of those, some 60 percent go out of business within six months following an attack. How might they protect themselves?

As any reader of my blog knows, an obvious option is the purchase of cyber insurance. This is an excellent first step — though, as evidenced by Target, it may not be enough. And efforts shouldn’t stop there.

A firm’s cyber preparedness needs to begin before a data breach incident ever occurs. Some considerations in addition to cyber insurance include:

Employee education — Has the company developed a comprehensive cyber emergency response plan for all employees to follow? If so, make sure to hold tabletop drills so employees can become familiar with the plan before a data breach incident occurs.

Data breach response — Businesses need to have their ducks in a row and be prepared to respond to a data breach incident. A company experiencing a data breach may need to provide notification to its customers. According to the National Council of State Legislatures, 47 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands currently have enacted laws requiring companies to notify potentially affected individuals of a data breach.

Data breach investigation — Once a data breach is suspected, a company may need to determine whether the breach has actually occurred, if any personally identifiable information (PII) or protected health information (PHI) was accessed, and how the system was breached? A forensic analysis may need to be performed.

Those are just some of the many tasks necessary to prepare for a potential breach and steps to be taken following a suspected breach. But it’s not an exhaustive list.

Companies experiencing a data breach don’t have to go it alone. Help may be at their disposal.

Many insurers have partnered with cyber-related service firms that provide education and pre-security-breach services designed to prepare for and reduce the likelihood of a breach and post-security-breach services designed to respond to and reduce the impact of an incident.

One such firm is IDentity Theft 911 (IDT911®),with whom ISO recently announced a strategic collaboration. As part of the strategic collaboration, IDT911 will be the ISO Businessowners Program vendor of choice for data breach avoidance and remediation services, and ISO businessowners customers who use IDT911 will receive discounts on a comprehensive suite of services available to them.

Shawn Dougherty

Shawn Dougherty is the assistant vice president of ISO's Specialty Commercial Lines Division. He is responsible for providing the overall direction, leadership, and client service for ISO's cyber liability (e-commerce), D&O (management protection), businessowners, crime and fidelity, financial institutions, employment-related practices liability, and professional liability (other than medical) insurance programs. He is also the ISO product manager for the Lloyd's Wordings Repository, an electronic database of policy wordings and clauses regularly used within the London market. Mr. Dougherty has worked at ISO since 1988.

You will soon be redirected to the 3E website. If the page has not redirected, please visit the 3E site here. Please visit our newsroom to learn more about this agreement: Verisk Announces Sale of 3E Business to New Mountain Capital.