Company Data Breach Policy

Topics: Cyber Liability

Summary: Data breaches can damage a business's productivity, reputation and customer satisfaction. Learn the critical elements of a data breach policy and why it is essential to have a plan in place to mitigate the risk of a cyber attack, and why cyber liability insurance is an essential coverage you need. 

It's not uncommon to hear stories about large corporations such as Citrix and Starwood Marriott falling victim to data breaches. However, small and medium-sized businesses are also at risk for these cybersecurity attacks. No matter the size of the company, recovering from the breach presents similar challenges.

What is a data breach?

A data breach occurs when sensitive information is accessed by cybercriminals who find the means to bypass network security from a remote location. They may steal personal and sensitive information like:
  • User names
  • Addresses
  • Phone numbers
  • Credit card records
  • Social security numbers

While all businesses are at risk, there are data breach prevention tips that can help lower exposure.

How much does a data breach cost?

A data breach can also occur due to simple mistakes by employees. The Identity Theft Resource Center found that in 2019, 705 million non-sensitive records were compromised due to a data breach, while cyber attacks exposed over 164 million sensitive records. Non-sensitive records such as usernames or passwords could lead to additional exposure. The Ponemon Institute found that the global cost of a data breach in 2020 was $3.86 million.

The Importance of Creating a Data Breach Response Plan


Businesses should prepare for a cybersecurity attack by creating a comprehensive data breach response plan. A data breach response plan, also known as a security breach response plan or a cyber incident response plan, helps businesses appropriately respond to a cybersecurity attack by providing the necessary steps to respond in a straightforward, documented manner. There are various data breach response plan templates to utilize, and depending on the size of the business, they can be a few pages to several hundred pages long. While the details can and should be customized to the organization, there are certain things every security breach response plan generally includes.

What to Include in a Data Breach Response Plan

Having a data breach plan in place will give your business procedures to follow if you are a victim of a data breach. Certain essential elements to the data breach response plan will need to be considered to pull the procedures together.

Establish a baseline with existing security policies

Take a look at the company's current privacy and security policies to use them as a framework for the data breach response plan. There's usually no need to duplicate efforts and create an entirely new security policy. Instead, save some time and avoid duplicate efforts by expanding the current policy to include cybersecurity attacks and data breaches.

Identify what defines a data breach

Businesses should clearly state what type of data breach requires a response plan, which will vary by industry. Perhaps the company stores personally identifiable information (PII), such as social security numbers, date of birth, mother's maiden name and so on. This type of information is typically legally protected data, and many state laws require businesses to notify the victims after such a data breach. Another common cybersecurity attack involves incidents that could lead to a material loss in the company, for instance, when confidential information or trade secrets become compromised.

Designate a data breach response team

Although there's no way to determine what departments of the company could be impacted by a data breach, one employee from several key groups, such as IT, Human Resources, Legal, Communications, Compliance, the C-Suite, etc. should be assigned specific roles in the event of a security incident. This team should be immediately notified and understand the responses required for both internal and external inquiries that will undoubtedly arise.

Messaging and communication

A data breach policy should also include a messaging deployment schedule and an escalation process for the key team members mentioned above. A communication plan should follow all legal notification requirements for notifying all parties affected by the breach, such as customers, employees, vendors and more. This process is a vital step that sets the timeline and alerts the victims about the specific data that was compromised. Make sure to seek counsel from the legal team who can review the particular state laws and compliance regulations that apply and what possible compensation might be provided to the victims of the data breach.

Information about what data breach insurance covers

Data breaches have become a fact of life in today's online world. Cyber liability insurance grew from the errors and omissions insurance policies developed by tech companies 20 years ago, which were created as a means to cover events like software crashing another company's network. Along with creating a data breach response policy, today, many companies also utilize cyber liability insurance, sometimes called data breach insurance, to stay protected against financial loss and damage from a cybersecurity attack.

What are Data Breach Protection Laws?

Data breach notification laws vary by state, but today, all 50 states have breach notification laws. Most states have implemented legislation that requires businesses to notify customers of the security breach when it involves personal information. For example, in Ohio, protected information includes a combination of social security numbers, drivers' license numbers and credit/debit card account numbers. In 2020, California enacted the California Consumer Privacy Act, giving consumers more control over how their data is shared and more protection should a data breach occur.

Additionally, depending on the type of information compromised, each state will have its own specific data breach notification requirements. A business's legal counsel should be one of the first departments alerted following a cybersecurity attack, as they will research the state's law on whom to notify in the event of a data breach, and find out if the breach the business experienced fits the type covered by the law.

Some of the parties you may need to notify include:
Local law enforcement

As soon as you realize your business has been the target of a cybersecurity attack, the legal team should notify local law enforcement to report the situation. Time is of the essence, as the sooner the authorities are made aware of the incident, the more effective they can be in stopping it from escalating further. The FBI's state office can also be of assistance if the local police aren't familiar with cyber theft investigations. Law enforcement can also help with the timing of the data breach notification you will send to your customers to ensure it's not obstructing the investigation.
Vendors

If any of your company's vendors or business partners were affected by the data breach – for example, if your business stores or collects customers' personal information like social security or credit card numbers via a third party vendor – legal counsel needs to notify them as soon as possible. This helps ensure they'll monitor their accounts accordingly to watch for any potential fraudulent activity.
Customers

Companies should send valued customers a formal notification of the data breach in the form of an email or letter. In general, the notification should include the following information:
  • How and when the breach occurred
  • What information was stolen and how it may have been misused
  • The steps being taken to address and remedy the situation
  • Actions the customer can take to protect their information
  • Contact number, email or website customers can visit to learn more

Remember, the potential damage to your company's reputation is one of the most significant issues a data breach can cause. Properly communicating with customers helps protect your relationships and rebuilds the confidence they have in your organization.

Cyber Liability Insurance From AmTrust Financial

Cyber Liability Insurance policies from AmTrust can help protect small businesses from some of the costs associated with various cybersecurity attacks. Some of the standard components of cyber liability insurance include:
  • First-party coverage that responds immediately after a suspected incident. This coverage includes forensics, legal analysis, notification, credit monitoring and public relations.
  • Third-party coverage that provides a defense in the event of litigation against your client.

AmTrust appointed agents focus on providing small and mid-sized businesses with affordable, effective Cyber Liability insurance policies tailored to their clients' specific needs. Contact us today for more information.
This material is for informational purposes only and is not legal or business advice. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors. Coverages may vary by location. Contact your local RSM for more information.