Into the Breach

Another data breach – this one affecting the National Research Council (NRC) – has made the news. It is a scenario that’s becoming far too commonplace, as evidenced by a recent study that estimated 36% of Canadian businesses know they have been hit by a cyber attack.

Considering the multitude of repercussions organizations face if they experience a breach – from steep financial outlays to potential regulatory mandates – the odds look even more grim. With this mind, it is time to look at the current data breach landscape and evaluate what business policyholders are likely to encounter if an exposure occurs.

ROOTS OF A DATA BREACH

At the time of writing, very little information about the NRC exposure had been released. It appears as if commercial data, including intellectual property and possibly trade secrets, was among the information stolen. Initial reports point to the involvement of state-sponsored hackers from China, though the Chinese government has issued a denial. While early indications are that this particular breach was the result of hack, exposures can occur in a number of different ways.

Deliberate acts, such as the introduction of viruses into a system by a hacker or accessing a corporate network by cracking a password, account for a portion of breaches. Other exposures are caused by human error and oversights. Lost smartphones, weak passwords, unsecured network portals and simple mis-mailings, where one customer receives another’s information, all account for a significant percentage of breaches. Policyholders must be vigilant on both fronts, to thwart attackers and to prevent internal errors.

THE BREACH RESPONSE

Businesses that experience a data exposure must quickly work on several fronts. One priority is to implement an initial solution to the breach so data does not continue to be lost. In order to accomplish this objective, it is vital that a policyholder contact its broker or insurance carrier. Many privacy breach and cyber insurance policies provide financial assistance for investigating the situation and making a determination as to whether a breach actually occurred. Resolution of support-repairing problems that were found and returning systems to a functional state-may also be included in these policies.

The firm’s next priority must be to help those who have been impacted by the breach – the individuals or other businesses whose information was exposed – whether they are customers, patients, employees or business partners. In addition, organizations are strongly advised in some provinces, and even required in others, to notify the Office of the Privacy Commissioner of Canada if Canadian citizens’ information is among the data exposed. Information about the breach – including the cause and the remediation steps the organization will undertake to ensure affected individuals are protected moving forward – must also be reported.

By notifying the insurance company early in the process, the business is able to leverage many of the services available under its policies. Crisis management specialists, legal counsel and qualified forensic experts will help ensure the policyholder meets its compliance obligations. They will also work to quickly determine the nature and scope of the breach. These knowledgeable resources are often instrumental in shutting down exposures and launching effective remediating actions.

To provide the best basis for recovery from a breach, policyholders should be encouraged to draft an incident response plan (IRP) that can be implemented once the initial discovery phase is complete. The IRP will pull together all the steps and resources necessary to fully respond to a breach and to review and revise privacy protection protocols to ensure the security gaps that led to the breach are eliminated.

WHAT BREACH VICTIMS CAN DO

Businesses or individuals who suspect their information may have been exposed should first contact the organization that held the data they fear was stolen. The breached entity is likely to offer assistance with answering questions about what information was lost, how and when the exposure occurred, and what the organization is doing to ensure additional data is not also lost.

In many cases, the breached entity is also likely to offer some level of support to victims. This assistance may include a credit or fraud monitoring solution, which is typically free to victims, and also perhaps access to an identity fraud remediation service if a victim actually experiences some form of identity fraud as a result of the breach.

Identity theft victims do not always know how or where their information was lost, and not every breached organization offers post-breach assistance. In those instances, individual victims will want to check their homeowners insurance policies as many policies offer reimbursement expense coverage for handling identity fraud. Some even provide an identity fraud remediation service as an added benefit to the baseline homeowners coverage.

BUSINESS INSURANCE SOLUTIONS THAT PROVIDE ASSISTANCE

Many firms rely on technology – their websites, internal systems and overall networks – to conduct business. The cyber threats to corporate infrastructure are very real, ranging from hackers to malware. Expenses related to resolving cyber issues can be enormous, but these technology services are often necessary to maintain business continuity.

Though cyber costs will be specific to each breach, many insurance policies provide coverage for common expenses.

• Virus removal and system repair. If the policyholder’s website, network or critical-path system was brought down by a virus or malware, this coverage would pay for a forensic specialist to remove the threat. It would also provide for services related to getting affected systems back to working order.

• Data restoration. It is often necessary to contract with an expert to restore a clean or sanitized data set from a back up source if the original data was deleted, destroyed or corrupted during the breach event.

Privacy breach costs, which revolve around the data exposure facet of a breach rather than the technology side of things, can also be significant. The monetary implications even have the potential to threaten the financial viability of small businesses. Coverage is available to manage many of the typical costs involved in the exposure of information.

• Crisis management. When a breach occurs, many critical decisions must be made very quickly. An experienced crisis management firm can help

provide guidance on what kind of forensic expert to bring in, what to say in the notification letters that will be sent to affected parties and what services should be offered to victims.

• Remediation services. The cost to offer breach victims credit and fraud- monitoring solutions, along with identity remediation services, can quickly mount. This is especially true if it is discovered that the exposure has been going on for some time or if the data lost pertains to a large number of victims.

• Communication services. It may be prudent to establish a call center – perhaps contracted through an outside firm-to answer questions about the breach and to provide victims with contacts for any support services they have been offered. In some cases it is also necessary to partner with an outside agency to manage inquiries from the media or other groups.

Risk management resources are also provided via web portal to businesses holding many privacy breach and cyber coverage policies. Incident response plan templates are often available for download through these sites, allowing businesses to draft IRPs that suit their particular needs. This piece of proactive planning enables policyholders to more quickly and effectively deal with potential breach events while also minimizing their financial liabilities.