Data breach fallout gives risk managers reason to prepare

By Erin Ayers on September 22, 2014

Demonstrating the effect of a data breach on an organization’s senior executives provides a helpful tool for risk managers to convince their companies of the need to prepare for cyber attacks in the same way they would for any disaster, according to a recent paper from Experian.

In “The Impact of Mega Breaches on Consumers and Corporate America,” Experian analyzes the lessons learned from the many high-profile data breaches that have occurred in the past year.

“With the rapid increase in the threat landscape and number of data breaches, concerns over how to manage them have moved beyond corporate IT teams to other major departments of organizations,” stated Experian. “The reputational and financial damage caused by a breach is difficult for C-suite or board members to ignore. And, as we’ve seen with larger breaches, the role of today’s chief executives has expanded to now be held responsible for lapses in computer security.”

Experian noted that frequently when it is called in to aid an organization, a breach has already occurred and the company must quickly react. According to the report, many organizations aren’t prepared, or haven’t properly tested their breach response plans. A formal process for preventing and dealing with data breaches is key, Experian emphasized, with not only the C-suite involved, but with one main leader driving the preparation.

The report noted that every business should assume that a breach will happen, regardless of the precautions taken, and have a plan for remediation.

“Companies need to assume that a data breach will happen to them. It’s not a matter of if but when and how large the incident will be. Companies that succeed have some sort of crisis management system already in place that will help them more efficiently manage the legal, operational, IT and communication needs that a breach brings,” said Liisa M. Thomas, partner and chair of the privacy and data security practice at Winston & Strawn LLP, in the report. “They should also train the different key functions in their organization on how the company plans to handle a security incident and the role they will need to play.”

While businesses are wising up to the risk and taking action, consumers are raising their expectations and becoming increasingly mistrustful of companies that appear not to have tight security controls – but not taking much action on their own.

“Consumers are also sending mixed signals to organizations – with many becoming more apathetic in a phenomenon coined by Experian as ‘data breach fatigue’ and taking less action to personally protect themselves – whilst expressing heightened concern for identity theft,” said the firm in its report. “And although the cost for data breach victims is actually decreasing, there remains much to be done for organizations to ensure they meet consumer needs and protect their brand.”

Quick, effective communication could smooth over some of the fallout after a breach, Experian suggested, for consumers and lawmakers and regulators.

“Communication to media, regulators, customers and partners is at center stage during a breach response. In addition to legal considerations that are critical for timing and method of your communications, keep in mind that communicating effectively doesn’t necessarily mean sharing information as quickly as possible. Make sure to have the facts and forensics investigation underway, if not completed, before issuing statements,” stated Experian. “Further, be sure to understand and comply with the number of legal requirements to provide notification of the incident. Currently there are 47 different state notification laws with unique requirements for how long a company has to notify affected customers, what details need to be provided and when notification is needed. Given the complexity of the patchwork of laws and regulatory action, it’s essential to hire outside counsel that has a strong understanding of the issue and landscape.”

Experian advised “debriefing” after a data breach event and response, warning organizations that the process rarely consists of a quick fix. Throughout an incident, businesses can be collecting data, determining consumer sentiment, and planning mitigation for the future, the firm recommended.'

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].