Cyber Liability: Managing A Data Breach Incident
This blog was originally published on February 3, 2015. It has been updated as of February 9, 2018.
If a data breach were to occur—putting at risk the potential for sensitive, protected or confidential data (such as personal health information, personally identifiable information, trade secrets or intellectual property) to be viewed, stolen or used by an unauthorized individual—how prepared would your insureds be? With cyber crime costs estimated to hit $6 trillion annually by 2021, an all-encompassing incident response management process should be in place to address the increasingly emerging risk of cyber attacks, data breaches, and scams.
As outlined by Id Experts in their white paper, there are three phases to an effective incident response management plan.
The First Phase: Discovery
The first phase begins once the breach has been discovered, either inside or outside of the organization. The information security team must immediately determine the facts of the incident, including:
- The root cause of the breach
- The level and risk of exposure
- The nature of the personal data potential exposed
- Whether any protections were in place
- The number of potentially impacted individuals.
Also included during this phase are the remediation steps needed to contain the incident and limit the risk of further exposure. It’s important to determine whether the event is ongoing or static, malicious or non-malicious. Throughout this process, everything should be thoroughly documented, as this will aid in the recovery process and will be of use for future incidents.
The Second Phase: Assessment
The second phase involves incident assessment. If the assessment determines that an incident is in fact a breach, an organization must take critical steps such as client/patient notification. An improper response, such as lack of notification, opens up an organization and its customers to legal, financial, reputation and even health risks. If an organization fails to notify its customers or patients, it could be accused of hiding the breach to avoid costs and exposure. It’s important that it’s clear who is responsible for making this decision and executing it.
In the United States, forty-eight states as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted security breach notification laws that require private and governmental agencies to notify individuals of security breaches that involve personally identifiable information (PII). The laws vary by state (so every organization should be aware of its state laws), and they encompass who must comply, what “personally identifiable information” entails, the legal definition of a breach, requirements to who must be notified as well as when and how, and exceptions to any of the above regulations.
The Third Phase: Response
Phase three involves having a successful response that addresses not only the needs of the organization but also of the affected individuals whose data was breached. This includes notifications and crisis communication and identity monitoring and protection. The requirements regarding notification timing, content and delivery to affected individuals, regulators, and in some cases, the media are very specific and necessitate outside counsel to protect attorney-client privilege. Crisis communication involves website notifications, call centers to contact clients/patients, and media relations to stem reputational damage. In terms of monitoring and protection, these should be tailored to meet individual needs, such as, for example, medical identity monitoring for patients.
Organizations must take a hard look at how they manage incident response. In doing so, it’s critical that all those involved are educated and informed as to how laws and rules define a data breach. In addition, an organization should look at the potential costs involved if a breach occurs, including the expense to pinpoint the cause of the breach, notify clients/patients, manage the crisis, and prevent a future incident. Cyber Liability insurance is designed to provide coverage for these and other expenses when a breach occurs and should be an integral component of an insured’s plan. We can provide you with Cyber Liability policy options to go over with your insureds, including for medical facilities.
About Caitlin Morgan
Caitlin Morgan specializes in providing insurance solutions to healthcare facilities, including nursing homes and assisted living facilities, addressing liability, property, cyber and privacy, workers’ comp, risk management, and many other exposures. To find out more about our programs, give us a call at 317.575.4440.