By Kristin Casler, featuring Simon Barker of Blue Moon Consulting Group, Ozzie Fonseca of Experian Data Breach Resolution, Adam Cottini of Arthur J. Gallagher & Co., Kelli Artin of Liberty International Underwriters and Jeremy Barnett of NAS Insurance
Most companies talk about preventing a data breach. Many even have a plan for how to respond to one. If your company isn’t among those prepared, your name could be mud—for quite a long time. The stocks of companies that respond appropriately to a breach are valued 30 percent higher than those that don’t, experts say. How will you protect your reputation, get back to work and handle any potential victims? There’s a lot to account for. It likely won’t be cheap. And you’re definitely going to need more than a press release.
What is reputational risk? Simon Barker, managing partner of Blue Moon Consulting Group, describes it as a significant disconnect between what you do and what your stakeholders expect. The farther apart those two components are, the greater the reputational harm, Barker said.
“We find that the majority of the impact of a breach is the degree to which the organization is prepared in advance, and it’s the response, rather than the underlying event, that has the biggest impact on the reputational damage to the institution,” Barker said.
Three-quarters of the risk is in indirect costs due to customer churn, a loss of trust, management distraction and reputational damage, Barker said. The usual corporate instinct is to control for these risks using the media. There is a “we-need-a-press-release” mentality. But Barker suggests leaving the media largely on the sidelines in the initial response.
Data breaches are becoming fairly routine, and they get lost in the Internet/media noise. Only the really big breaches are picked up by actual reporters. Instead, companies should concentrate on alerting and taking care of their stakeholders. This is particularly important if data protection is close to your core business, such as with a financial or healthcare institution. Barker said it is obviously less critical if you make pizzas or widgets.
“If you understand who the key stakeholder is, you’re going to be in a much better position to respond to meet their needs. It could be our employees, if we’ve lost employee data, or it could be our patients’ healthcare data or our customers, if we’re in financial services. What are they expecting us to do?”
Your senior-level management process must allow you to make fast, coordinated decisions and take actions that withstand the external credibility test.
This obviously depends on the organization, Barker said. You don’t need your CEO being alerted every time a customer record is at risk. Data at risk is different from a data crisis. Know who monitors the data and how and when threats or breaches should be escalated up the chain.
Barker stressed the importance of a timeline in this component. A gap of months between discovery and reporting up the chain of command or notification is unacceptable.
“I understand there are complications in the forensics, but slowness is a killer from a reputation perspective, because it looks like you guys were asleep at the wheel, that you guys don’t even know what you’re dealing with in terms of your own system.”
This is a key question. How are you going to solve the underlying problem? How are you going to close this? What are you going to demonstrate? That you are taking it seriously and have learned from the event?
When you think you’re ready to send a notification, check again, said Ozzie Fonseca, senior director at Experian Data Breach Resolution. He has seen companies not think through their actions before sending a notification letter. Or what was thought to be a breach turned out to only be an event, but at that point it is too late to take back a notification.
You need to have consistent messaging across stakeholders, Barker said. Organizations are killed when they tell their sales team one thing and external audiences another, or their employees one thing and the media another.
If you haven’t told your phone line operators about the breach or what to say, and callers use those lines rather than the number given in the notification, the lines will be flooded and callers will get bad information. And they’ll get angry.
“Only 24 percent of companies ever tell their employees about a breach and actually train them on what to say,” Fonseca said. “Now you have potentially millions of people, thousands of people definitely, plus the media, calling various numbers, staffed with people who have no idea that a breach has even happened.”
You also need to be compassionate about stakeholders’ situations. It is imperative that your response plan anticipates the hard questions and you think through how you will provide clear answers. Make sure your CEO doesn’t torpedo your response plan by commenting at an inappropriate time. Talk to and train your CEO or spokesperson in advance. Maybe someone else needs to manage it.
“If they haven’t been media trained and they say things that come off half-cocked, you can really cause major problems,” Barker said. “I think when we see CEOs leave following a breach, it’s typically because the way they’ve responded has seemed insensitive to stakeholders, and people say, ‘Yeah, this guy’s got to go.’”
Stay on top of social media. It can be an early indicator of a problem or can break the news wide open while you are still working on the forensics. And, if your entity typically is active on social media, you can’t suddenly go quiet. Barker said you have to maintain continuity with your organization’s personality.
And, finally, stop talking. “There is a tendency amongst some people to think that, if they talk about it, that somehow it’ll make it better,” Barker said. “You will only make it worse. In almost every instance, unless there’s a compelling reason, it is much better to go with written statements and email responses. You will be less likely to get caught by some gotcha journalist who wants to make you look silly.”
Many insurers offer products that help companies bounce back from a breach. Just what your company requires can be addressed by a broker. But the first thing a broker will tell you is that you need to be doing everything you can about breach prevention, said Adam Cottini, managing director at Arthur J. Gallagher & Co.
Kelli Artin, vice president at Liberty International Underwriters, agreed. The underwriter wants to see that you have done and continue to do network assessments and patch any vulnerabilities. You need to demonstrate constant risk management, from the C-suite to the last IT employee, and that all of the departments are working together with a consistent message. This might include regular email campaigns to employees about document retention, clean-desk policies and even phishing campaigns. Companies also need to regularly test their response plan, she said. This might include tabletop exercises, a calling tree and actually going through the motions of a breach.
Cottini suggested that some companies might benefit from a turnkey response plan, while others are better equipped to tailor their own. Either way, don’t just list what you will do—actually prepare for it.
“It’s really important because if something happens, the costs are going to escalate so quickly that a small company could potentially go out of business if there isn’t a policy in place or procedures or even insurance,” Artin said.
Are there prior approval requirements? You want to choose a forensic provider or breach response law firm that the insurer will pay for. You should talk to your carrier as part of your preparation. And your insurance broker needs to be part of your response process, Cottini said. You want to ensure proper reporting and approvals so you don’t jeopardize coverage.
“The insured and the carrier—it is a partnership,” Artin said. “You’re trying to mitigate costs on both ends, and if you have an agreement up front, it definitely will help everyone. I think that’s a valid point, and I think a lot of carriers will work with their insureds.”
Designing the best policy for your company is critical. Do you really know what you are purchasing? Did you think your general liability coverage policy covered bodily injury or property damage claims related to a breach? Is it products liability? Do you have a cyber liability policy? What does it cover? Where do the financial losses lie? Does your business interruption coverage include system failure or a breach at a vendor or dependent business that disrupts your business?
“Eventually we’re going to come to a point where this issue needs to be dealt with better than what’s currently available,” Cottini said. “There are some products out there that could offer some level of coverage from an excess position. But when we’re talking about bodily injury and property damage and we’re coming up against the general liability policy and the cyber policy, recognizing that we have a financial loss policy in cyber liability and the bodily-injury property-damage events that are occurring from cyber-oriented type events, we are going to converge.”
Jeremy Barnett, senior vice president at NAS Insurance, said cyber policies are starting to innovate to help policyholders address the real issues of a breach, including insuring their brand or reputation and other indirect costs.
If a retailer loses a certain percentage of its monthly revenue as a result of a breach, and the lost revenue is tied back to the breach, that’s a very valuable component for insurance coverage, Barnett said. “When it’s not just an emotional response, it’s not just how people feel about their brand, it’s when they stop reaching for their wallet and purchasing goods, that’s where we recognize that there’s an opportunity to extend the benefit of insurance.”
Most companies don’t do anything about mitigating the risk of identity theft, yet six to seven percent of people affected by a breach expect that it will be provided, Fonseca said. Companies send notification letters to individuals and regulators, but they may go no further, either because they cannot afford to or simply because they think their stakeholders won’t bother finding a replacement for their services.
One fairly counterintuitive offer that works for some companies is discounted merchandise, Fonseca said. It appears to monetize a data breach, but the reality is that 63 percent of people want it. They actually prefer to receive some kind of cash discount in conjunction with identity protection. Ideally, the identity protection should be a complete package and include proactive credit monitoring (to spot identity and medical-information theft) and Web scanning (for the individual’s specific data being used online) and fraud resolution (to fix any problems caused by the data’s use).
This article is derived from a presentation at HB Litigation Conferences’ NetDiligence Cyber Risk & Privacy Liability Forum in 2015 moderated by Shawn Melito of NPC. The program will be held again in Philadelphia in June 2016.