Experiencing the loss or theft of protected personal data and then having to notify breach victims in the manner prescribed by law can be a costly and stressful experience for any organization. Fortunately, there are steps that can be taken to reduce the cost and contribute to the mitigation of the risks resulting from this type of cyber-attack.
If you store data that is valuable to you and your customers, you are a potential candidate for a data breach. It is almost impossible to be in business these days and not collect or hold Personally Identifiable Information (PII) that belongs to customers, employees, business partners, students or patients. PII includes (but is not limited to):
- Social Security Number
- Date of Birth
- Account Numbers (checking, credit card, etc.)
- Email Address
Corporations now face increasingly sophisticated cyber events that outstrip traditional perimeter defense systems, such as firewalls or intrusion detection systems.
Data breaches can sometimes result from negligence, human error or carelessness. More likely, a data breach is the result of malicious attacks from hackers or criminal insiders (employees, contractors, or other third parties using their trusted and verified access).
Organizations are at risk from the loss of proprietary information, processes and methods, IP and trading algorithms, destroyed or altered data, declining public confidence, harm to reputation and brand, disruption to critical infrastructure, and new legal and regulatory sanctions.
Each of these risks can adversely affect competitive positioning, stock price, and shareholder value (National Association of Corporate Directors (NACD), Cyber-Risk Oversight, Director’s Handbook Series, 2014 Edition).
According to the 2015 Cost of Data Breach Study, sponsored by IBM and independently conducted by Ponemon Institute LLC, data breach and lost business costs are likely to be substantial and are increasing annually.
Fortunately, certain factors are viewed as reducing the costs of a data breach, including:
1. An effective incident response plan and team
The incident response plan should include written emergency contact lists, a clear understanding of which law enforcement agencies must be contacted, and a time frame for notification; internal Service Level Agreements should be established for each of these. Additionally, vendor contracts should be in place with a mail house for notification letters and with a call center that specializes in breach response and consumer identity protection. Finally, rates for fraud protection, in the event your company needs to notify those affected, should be negotiated in advance of a data loss incident.
2. Extensive use of encryption and/or cryptographic data protection methods
Some states do not require notification of affected parties if the compromised data is encrypted. State laws are very specific on this subject; for example, the specific encryption strength required (such as 128-bit) can affect whether the exemption applies. It is unclear whether these current exemption requirements will remain in place or whether increasing risks will push states to require organizations to notify even if the information is encrypted.
3. Business Continuity Management involvement
The organization’s business continuity management team can provide substantial support in containing the negative impact of a data breach incident.
4. Chief Information Security Officer or Chief Privacy Officer leadership
One of the most profitable investments an organization can make is the appointment of a Chief Information Security Officer or Chief Privacy Officer with enterprise-wide responsibility to lead the data breach incident response team.
5. Employee training and awareness programs
Cybersecurity training and awareness programs should be directed at ensuring that employees practice proactive, security-conscious behavior, and should include an understanding of such things as information protection, social networking, virus protection, password security, web browser security, email security, and mobile device security.
6. Board-level involvement
- Directors need to approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue, and they should understand the legal implications of cyber risks as they relate to their company’s specific circumstances,
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda,
- Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget, and
- Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
7. Cyber-liability insurance protection
Insurance coverage should address:
- First-party claims, including forensic examination expenses; PCI/PFI audit costs; privacy notification costs; privacy counsel fees; mailing notification costs; credit monitoring and call center services; business interruption (loss of income); intellectual property loss; public relations; and extortion.
- Third-party claims, including claims by private litigants, consumers, or other businesses; claims by State Attorneys General; claims by the FTC; regulatory fines and penalties; PCI fines and penalties; loss of business; and damage to reputation.
The complexity of cyber threats has grown dramatically, and a cyber breach can be both financially and operationally catastrophic to any organization. Understanding the potential costs of a data breach, whether by self-education or by seeking counsel from financial services and technology practitioners, can help your organization better allocate limited resources to the prevention, detection and resolution of a data breach.
Sources used for this article include:
• Cyber-Risk Oversight https://www.nacdonline.org/Resources/Article.cfm?ItemNumber=10688
• Cyber Security: The Stark Reality http://premierriskmgt.com/cyber-security-the-stark-reality/