How to Create a Data Breach Policy
When a large company experiences a data breach, it’s likely to be all over the news almost instantaneously, and the consequences almost always lead to a damaged reputation. However, small and medium-sized businesses are also at risk for these cybersecurity attacks, and no matter the size, recovering from the aftermath presents similar challenges.
A data breach occurs when sensitive information is accessed by cybercriminals who find the means to bypass network security from a remote location. They may steal personal information like user names, addresses and phone numbers or even more sensitive data like credit card records and social security numbers. A data breach can also occur due to simple mistakes by employees. Regardless of what information was taken and how the breach occurred, according to the Identity Theft Resource Center, since 2005, over 878 million records have been compromised due to a data breach.
The Importance of Creating a Data Breach Response Plan
One of the most important steps with regard to a data breach is to help ensure your clients are prepared for a cybersecurity attack by creating a comprehensive data breach response plan. A data breach response plan, also known as a security breach response plan or a cyber incident response plan, helps businesses properly respond to a cybersecurity attack by providing the necessary steps to respond in a straightforward, documented manner. And, according to the Ponemon Institute, having a data breach response plan can reduce the cost of a data breach by an average of nearly $400,000.
There are a variety of data breach response plan templates to utilize, and depending on the size of the business, they can be a few pages to several hundred pages long. While the details can and should be customized to the organization, there are certain things every security breach response plan generally includes.
What to Include in a Data Breach Policy
Establish a baseline with existing security policies
Take a look at the company’s current privacy and security policies and use them as a framework for the data breach response plan. There’s usually no need to create an entirely new security policy. Instead, save some time and avoid duplicate efforts by expanding the current policy to include cybersecurity attacks and data breaches.
Identification of what defines a data breach
Businesses should clearly state what type of data breach requires a response plan, and this will vary by industry. Perhaps the company stores personally identifiable information (PII), such as social security numbers, date of birth, mother’s maiden name and so on. This type of information is typically legally protected data, and many state laws require businesses to notify the victims after such a data breach.
Another common cybersecurity attack involves incidents that could lead to a material loss for the company, for instance, when confidential information or trade secrets become compromised.
The designated data breach response team
Although there’s no way to determine what departments of the company could be impacted by a data breach, one employee from each of several key groups, such as IT, HR, Legal, Communications, Compliance, the C-Suite, etc., should be assigned specific roles in the event of a security incident. This team should be immediately notified and understand the responses required for both internal and external inquiries that will undoubtedly arise.
The messaging and communication deployment schedule
A data breach policy should also include the messaging deployment schedule and escalation process for the key team members mentioned above. This process is a vital step that sets the timeline and alerts the victims about the specific data that was compromised. Make sure to seek counsel from the legal team who can review the particular state laws and compliance regulations that apply, as well as what possible compensation might be provided to the victims of the data breach.
Information about what cyber liability insurance covers
Data breaches have become a fact of life in today’s online world. Cyber liability insurance grew from the errors and omissions insurance policies developed by tech companies 20 years ago, which were created as a means to cover events like software crashing another company’s network. Today, cyber liability insurance helps protect companies against financial loss and damage that go hand in hand with cybersecurity attacks.
Sharing the Responsibility during National Cybersecurity Awareness Month
National Cybersecurity Awareness Month (NCSAM) was launched back in October 2004 by the NCSA and the U.S. Department of Homeland Security to ensure every American has the resources they need to stay safer and more secure online. The theme of NCSAM 2018 is “Our Shared Responsibility,” reminding everyone that protecting the internet is a collaborative effort. A strong, cyber secure workforce helps ensure businesses, families, communities and the country’s infrastructure are better protected. As an official NCSAM champion, AmTrust recognizes our commitment to cybersecurity, online safety and privacy.
Cyber Liability Insurance Can Protect Your Client’s Organization
Learn more about Cyber Liability Insurance policies from AmTrust, which can protect small businesses from some of the costs associated with cybersecurity attacks. Your clients will feel confident knowing they have coverage for losses incurred following a data breach.
This material is for informational purposes only and is not legal or business advice. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors.