Why Your Company Needs an Incident Response Plan for Data Breaches
Why Your Company Needs an Incident Response Plan
Being prepared to respond to a network security or privacy event is important for more reasons than you might imagine.
Malicious cyber criminals are increasingly searching for ways to exploit computer system vulnerabilities, from email scams that target employees, to malware that gathers sensitive information, to other social engineering schemes.
Even simple human error—such as an employee mistakenly leaving a mobile device in an unlocked car, or a latent programming defect—may lead to a network security or privacy event for which your company may be required by law to notify affected parties.
What Kinds of Information Are at Risk?
Your company may collect and store all kinds of private or proprietary information that may have value to others:
- Customer and healthcare records
- Contact lists
- Debit and credit card numbers
- Employee information (including Social Security numbers, email addresses and passwords)
- Financial account information
The Potential for Cyber Losses
Once private or proprietary information is lost or stolen, the damages and containment costs can quickly add up. According to the Ponemon Institute, the average U.S. cost of a data breach in 2014 was $201 per compromised record, so total costs of a breach (whether insurable or not) can swiftly mount if thousands or tens of thousands of records are involved. Moreover, the average overall cost of a breach in the U.S. was $5.8 million.
Consider the costs your company could incur while coping with a network security or privacy event:
- Direct costs, including forensic investigation and legal/regulatory compliance fees, fines or penalties
- Victim costs, including notification, call center, monitoring and restoration
- Indirect costs, including civil lawsuits and regulatory proceedings
- Opportunity costs, including loss of consumer confidence and funding
What Should an Incident Response Plan Include?
A well-considered, up-to-date, tested incident response plan is a critical component of any company’s cyber risk management program and should provide answers to several critical questions:
- Would your company be able to identify how and when the event occurred, what data was exposed, how many individuals were affected, and the proper timeframe(s) for reporting to impacted individuals and consumer protection, enforcement and/or monitoring agencies?
- Has your company placed one individual or a team of individuals in charge of decisions regarding containment of a network security or privacy event?
- Has your company identified experienced legal and post-data breach resources to advise it in the event of a network security or privacy event?
With knowledge and preparation, you can be ready if, or when, a data breach occurs at your company. Learn more about data breaches and relevant risk management tips, please watch my webinar below How to Mitigate the Risk of Data Breaches.
Lisa Ryder is an attorney with over 15 years of experience in the Claims department at Chubb. Chief among her responsibilities is analyzing data breaches and working with Chubb clients who have experienced a network security or privacy loss.
 Ponemon Institute, LLC and IBM. 2014 Annual study: Cost of a Data Breach Study: Global Analysis. May 2014.