Wednesday, June 30, 2010

Data Breach? Protecting Customers, and Yourself

The insurance industry has seen its share of data breaches in recent years. But insurers aren’t the only ones at risk. All businesses and risk managers should also have data breach processes in place, both to prevent and to respond to either a hacker or an internal breach, according to risk management and security experts.

Last year, both the Insurance Corporation of British Columbia (ICBC) and credit union Coast Capital revisited their practices after policyholder information ended up in the wrong hands. Preparing for, and responding to, such breaches means having two strategies in place, say experts sharing data breach best practices in a June 24 podcast.

Planning: prevention & response

Organizations need a prevention plan first. That means naming a specific senior manager to take charge if a breach occurs, pre-selecting a forensic computer specialist, managing communications to the media and stakeholders, and pre-negotiating services with credit monitoring services.

But the response is crucial: a crisis response team should be ready to respond immediately.

Their first job: have the forensics experts determine how big, or how severe, the breach is. Getting that “snapshot” of the breach helps figure out what servers were impacted, when and where the breach took place, and what processes were (or weren’t) in place at the time, says Mark Greisiger, president of NetDiligence.

That snapshot will identify the kind of data that’s at risk and also help direct the company response, says Toby Merrill, vice president of ACE Professional Risk. “A breach of 10 or 20 credit cards should be treated differently than the theft of thousands of social [insurance] numbers.”

Next, the legal members of the team should determine who should be notified. Then crisis management consultants should advise on the best way to communicate the breach.

Best practices

Organizations should keep their notifications simple, says John Mullen, an attorney at Nelson, Levine, DeLuca & Horst. “A clear company statement should let them know key facts–what’s been done to contain the breach and the timeframe, and that appropriate action is being taken,” he advises. “It’s always best to tell your story upfront.” In giving the basic facts, companies should show empathy to those affected and accept responsibility, “taking care not to admit negligence,” he says.

They can also extend help in the form of free credit checks, he adds.

Most organizations make missteps in the wake of data breaches because they aren’t prepared. “Without a crisis response plan in place, they make rash decisions,” notes Merrill.

A sound preparedness plan should take into account a company’s culture, have its senior management on board, and include a screening process for third-party advisors or consultants. Organizations should also carefully consider what they tell stakeholders: “there’s a tendency to over-notify,” says Merrill.

But even if companies aren’t required to notify stakeholders, they may be better off doing so to protect their reputation and truly ensure customer protection, he points out.

“A breach of email addresses may not seem important, but can be used by a hacker to get more sensitive information.”
