Eight Costs and Coverages to Consider Before a Breach

By Nate Spurrier

Data breaches are reported so frequently that consumers and businesses alike have grown weary of all the bad news. For victims, having their information stolen can lead to months and even years of stress and difficulties as they work to repair and protect their financial lives. Businesses face the challenge of investigating and remediating what is often a complex situation affecting technology components and privacy practices, while also navigating a range of regulatory mandates and a potential landslide of financial liabilities.

In light of the recent Canadian National Research Council (NRC) breach, we wanted to provide a look into the nature of the current data breach environment and outline what a business may face when dealing with these situations.

Understanding the Causes

Details are still emerging about the NRC breach, and few concrete facts have been confirmed. Chinese hackers have been named the most likely culprits, with commercial secrets and other intellectual property among the data stolen.

Breaches spring from a variety of scenarios. Many data exposures occur as a result of simple negligence, such as the loss of a mobile device containing sensitive information, or when employers give vendors or former employees access to secure network portals for longer than necessary. Other breaches are caused by hackers using instruments such as brute force attacks, viruses and malware; they may target a particular organization or simply look for networks that are unsecured or whose defenses are easy to defeat.

Two Priorities Afterwards

There are two primary areas of concern after a breach: the individuals who are affected by the breach because their information is now exposed, and the problems with the company’s systems, network, website, technology or security practices and protocols, which must be fixed so the company can get back up and running and return to a state where it can conduct business as usual.

If the NRC breach involved a regular corporate entity and not a governmental organization, several initial steps would have been crucial to addressing these two key issues. First, if a company suspects its data has been exposed, it should immediately notify its insurance company. In the case of cyber or privacy breach insurance policies, the coverage will often pay for the expenses incurred in verifying whether or not a breach has occurred. By contacting the insurance broker or carrier first, the company can begin receiving assistance on investigating and resolving the potential breach very quickly.

Companies should then turn their attention to the matter of those individuals or other stakeholders whose data may have been exposed. If information on Canadian citizens was breached, the Office of the Privacy Commissioner of Canada (OPC) must be notified. The details relayed to the OPC should include what happened, as well as what the company plans to do in response to this event to ensure that customers and employees are protected now that their information has been exposed.

Response: Next Steps

As mentioned earlier, notifying the insurance company is a wise first step, as it often leads to the involvement of some kind of crisis management firm and/or legal support to help guide what should happen next. This ensures the organization is following any relevant regulatory mandates or other legal requirements. And because the crisis management or legal firm will occasionally need to bring a forensic expert onto the team as a critical-path measure, it also enables the company to very quickly gain better insight into what happened and how, what information was exposed and who is affected by the breach.

Once the scope and nature of the exposure have been determined, the organization will hopefully already have an incident response plan in place to guide how it responds to this event and how it adjusts its security practices to prevent future breaches.

Help is Available

Breaches can be tremendously expensive. Fortunately, many insurance policies today provide assistance in handling exposures and coverage to address some of the costs that may be incurred as a result of a data breach. A number of specific coverages are commonly available that relate to data breaches. Hacking, for example, is typically covered under most insurance policies. If a business experiences an exposure as a result of hacking, insurance coverage would likely be available.

The monetary obligations springing from a data breach add up quickly and can be overwhelming for many businesses. Privacy breach expenses that may be involved in a particular exposure vary, but a handful appear in the vast majority of exposure scenarios.

Legal support. Specialized legal expertise is often necessary to guide a company’s breach response compliance efforts after an exposure.

Forensic investigation. Instrumental in identifying what data was exposed, which victims the data belongs to and when the breach occurred.

Notification. Notification letters must be prepared, printed and mailed out to affected individuals. Depending on the size of the breach, these costs alone could be sizable.

Call handling. In some breach events, it’s necessary to outsource the answering of phone calls and questions related to the exposure. This is especially true for high-visibility and very large breaches (where the number of inquiries is likely to be significant), as well as for those companies that don’t have sufficient technology and in-house resources to manage what may be a very high call volume.

Victim remediation. Many organizations go beyond what is required and decide to offer services to the individuals affected by the breach. These services could include credit and fraud monitoring solutions or access to an identity fraud remediation service to address any fraud that has occurred.

Public relations. The guidance of an experienced public relations firm is useful in helping to determine proper brand positioning and messaging, as well as managing interactions with media groups in a way that preserves the company’s reputation and minimizes harm.

Cyber-related expenses may also become burdensome. As part of their financial management and due diligence efforts, businesses should consider whether their coverage is appropriate or whether additional solutions are needed. Common cyber costs include:

System failure. After the compromise of a system or network due to a virus, malware or other attack, a forensic provider would likely be needed to get the system or website back up and running.

Business interruption. This coverage pays for losses in income as a result of not being able to conduct business because the company’s website or other network assets were down. It may also potentially cover the loss of income if customers leave as a result of a breach.

Defense and settlement. Whenever private information is exposed, there’s always the possibility of a lawsuit. One or more victims may pursue litigation, and assistance in mounting an appropriate legal defense and/or settling the case is often crucial. Small and midsized businesses in particular, which may have fewer financial resources to survive the heavy monetary tolls of litigation, should determine what coverage their policies provide.

Many cyber and privacy breach insurance policies also provide access to a risk management website for business policyholders. Most of these websites offer a free incident response plan template that businesses can print out and begin to use within their organization. Having an incident response plan in place prior to experiencing a breach will not only make the breach easier to handle but will also reduce unnecessary costs in responding to it.

Nate Spurrier is a director of business development at IDT911.