How to Create a Data Breach Policy

Topics: Cyber Liability

When a large company experiences a data breach, it’s likely to be all over the news almost instantaneously, and the consequences almost always lead to a damaged reputation. However, small and medium-sized businesses are also at risk for these cybersecurity attacks, and no matter the size, recovering from the aftermath presents similar challenges.

A data breach occurs when sensitive information is accessed by cybercriminals who find the means to bypass network security from a remote location. They may steal personal information like user names, addresses and phone numbers or even more sensitive data like credit card records and social security numbers. A data breach can also occur due to simple mistakes by employees. Regardless of what information was taken and how the breach occurred, according to the Identity Theft Resource Center, over 878 million records have been compromised due to data breaches since 2005.

The Importance of Creating a Data Breach Response Plan

One of the most important steps with regard to a data breach is helping ensure your clients are prepared for a cybersecurity attack by creating a comprehensive data breach response plan. A data breach response plan, also known as a security breach response plan or a cyber incident response plan, helps businesses properly respond to a cybersecurity attack by providing the necessary steps to respond in a straightforward, documented manner. And, according to the Ponemon Institute, having a data breach response plan can reduce the cost of a data breach by an average of nearly $400,000.

There are a variety of data breach response plan templates to utilize, and depending on the size of the business, they can be a few pages to several hundred pages long. While the details can and should be customized to the organization, there are certain things every security breach response plan generally includes.

What to Include in a Data Breach Policy

Establish a baseline with existing security policies

Review the company’s current privacy and security policies and use them as a framework for the data breach response plan. There’s usually no need to create an entirely new security policy. Instead, save time and avoid duplicate effort by expanding the current policy to include cybersecurity attacks and data breaches.

Identification of what defines a data breach

Businesses should clearly state what type of data breach requires a response plan, and this will vary by industry. Perhaps the company stores personally identifiable information (PII), such as social security numbers, date of birth, mother’s maiden name and so on. This type of information is typically legally protected data, and many state laws require businesses to notify the victims after such a data breach.

Another common cybersecurity attack involves incidents that could lead to a material loss in the company, for instance, when confidential information or trade secrets become compromised.

The designated data breach response team

Although there’s no way to determine what departments of the company could be impacted by a data breach, one employee from several key groups, such as IT, HR, Legal, Communications, Compliance, the C-Suite, etc. should be assigned specific roles in the event of a security incident. This team should be immediately notified and understand the responses required for both internal and external inquiries that will undoubtedly arise.

The messaging and communication deployment schedule

A data breach policy should also include the messaging deployment schedule and escalation process for the key team members mentioned above. This process is a vital step that sets the timeline and alerts the victims about the specific data that was compromised. Make sure to seek counsel from the legal team who can review the particular state laws and compliance regulations that apply, as well as what possible compensation might be provided to the victims of the data breach.

Information about what cyber liability insurance covers

Data breaches have become a fact of life in today’s online world. Cyber liability insurance grew from the errors and omissions insurance policies developed by tech companies 20 years ago, which were created as a means to cover events like software crashing another company’s network. Today, cyber liability insurance helps protect companies against the financial loss and damage that go hand in hand with cybersecurity attacks.

Sharing the Responsibility during National Cybersecurity Awareness Month

October is National Cybersecurity Awareness Month (NCSAM), which was launched back in October 2004 by the NCSA and the U.S. Department of Homeland Security to ensure every American has the resources they need to stay safer and more secure online. The theme of NCSAM 2018 is “Our Shared Responsibility,” reminding everyone that protecting the internet is a collaborative effort. A strong, cyber secure workforce helps ensure businesses, families, communities and the country’s infrastructure are better protected. As an official NCSAM champion, AmTrust recognizes our commitment to cybersecurity, online safety and privacy.

Cyber Liability Insurance Can Protect Your Client’s Organization

Learn more about Cyber Liability Insurance policies from AmTrust, which can protect small businesses from some of the costs associated with cybersecurity attacks. Your clients will feel confident knowing they have coverage for losses incurred following a data breach.

This material is for informational purposes only and is not legal or business advice. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors.