If you have a website, accept credit cards or take orders from an 800 number, have employees accessing your systems and sharing information, or simply have possession of client information, you have about a 3 in 10 chance of becoming the victim of a data breach. In 2011 the average cost of a breach was over $500,000 in lost revenue, downtime, response expense and loss of brand confidence. The cost of any resulting litigation and statutory compliance is still being determined for those breaches but will certainly add significantly to the total.
There are four general stages of coping with a breach:
- Discovery – You experience the actual or suspected theft or unauthorized disclosure of personally identifiable non-public information or third party corporate information. It may have been information that was in your care or the care of a third party you have entrusted it to. The statutory clock begins running the moment you become aware.
- Evaluation – Forensic investigation is needed to determine whether a breach actually took place and what, if any, information was illegally obtained. If a breach and theft are confirmed, legal review is in order to determine what statutory notifications are required, if any, and what specific form they need to take. In most jurisdictions you have about 60 days to get through this process and begin stage three.
- Short-Term Management – Notifications have to be sent to the individuals or entities that have been affected, in a specific form mandated by each of the 50 states or the federal government depending on the nature of the information lost. In many cases credit monitoring services have to be offered. It is generally a good idea to set up a call center to handle the incoming calls generated by the notification letters. During this process it is also generally a good idea to obtain the services of a public relations firm to manage reputational issues.
- Long-Term Consequences – There can be class action lawsuits, regulatory fines or penalties, consumer redress and reputational damage, all of which need to be dealt with before you even begin to understand what your income loss will amount to.
It’s bad enough that you’ve suffered a breach and face liability for data loss. The last thing you want to do is create additional liability through how you respond to the incident. It is always best to get out in front of the issue and make sure you are kept in the best defensible position during the course of your breach response. Methodology should be your #1 priority. How well you respond and manage the four stages often determines whether your business survives. It has been estimated that nearly 60% of uninsured small businesses that suffer a breach go out of business within 9 months.
A good data breach policy would necessarily have three coverage areas:
- Breach Response Cost Coverage
- Third Party Liability
- First Party Damage and Loss of Income
If you are currently uninsured for data security or just not sure of what your current policy actually covers, please contact us for a consultation.