
Comp insurers face data privacy risks


While data breaches are not specific to the workers compensation industry, experts say the industry should be prepared.

In November, SAIF Corp., Oregon’s state-chartered workers comp insurer, was the victim of a data breach when an unauthorized third party illegally gained access to a SAIF premium auditor’s email account from a phishing attack. The emails contained confidential information, including the names and Social Security numbers of more than 1,000 employees from six of SAIF’s 52,000 policyholders, according to an emailed statement from a SAIF spokeswoman.

“The bad guys are getting more and more sophisticated and any form of cyber security always has a human element that is dependent on people following certain steps and procedures,” said Patrick Fowler, a Phoenix-based partner and cyber security and privacy practice co-chair at Snell & Wilmer L.L.P.

SAIF is not the first workers compensation organization to fall victim to a cyber security breach. Last June, the Kentucky Workers Compensation Fund endured a ransomware attack, which according to a fund spokeswoman locked files but did not cause the loss of information.

Separately, in 2015, personal information of employees who filed workers comp claims in Salt Lake County was available online for nearly three months. The information release occurred during a scheduled upgrade by a software services company retained by the county, according to a statement by the county mayor.

Companies must pay attention to the vulnerabilities that exist before a data breach occurs because of the type of personal information that can be accessed, experts say.

“Insurers have different obligations because of the information that they store and the volume of information, especially when it comes to workers comp,” said Jennifer Rothstein, New York-based senior director, cyber security, at Kroll Associates Inc. “With workers comp, there is a lot of (personally identifiable information) and (protected health information) that is collected, and because you are dealing with employees of an organization, that might trigger notification obligations, credit monitoring and other remediation. Insurers have to be particularly sensitive to all that information that they store. Workers comp requires a review of medical records ... that may trigger some (Health Insurance Portability and Accountability Act) protections.”

There are many risks to be aware of, experts say.

“You have to recognize that the risk involves a lot of pieces. You may have all sorts of computer systems that communicate with physicians, hospitals and other insurers,” said Alan Brill, New York-based senior managing director, cyber security and investigations, at Kroll. “You may have systems that you are using internally, you may have paper records coming in which get scanned and added to the database, so the normal processes that you go through as a person in this industry creates risks.”

The key to lessening these vulnerabilities is having secure networks, using encryption appropriately and making sure employees are trained on how to keep confidential data secure. But 100% security is not guaranteed, Mr. Brill said.

“If you have data and that data is valuable, it could get stolen,” he said. “Somebody could make a mistake, a file setup could be misconfigured, somebody could click on something they shouldn’t click on in a phishing email and those things are enough to start the chain of infection that could lead to the actual compromise of the data.”

Companies have a number of different responsibilities in the aftermath of a data breach, experts said.

“First is reporting requirements, depending on what type of information is subject to breach and where company and information owners are located,” said Michael Hindelang, Detroit-based partner, data security and privacy litigation, at Honigman Miller Schwartz & Cohn L.L.P. “There are different notification laws in 48 states. Second is the exposure: have you been able to remedy the cause of the breach and ensure that there is no one actively in your system… and then you have the potential for regulatory inquiries.”

Companies should also be prepared for potential class actions or other civil suits resulting from a breach, Mr. Hindelang said.

Class action lawsuits against companies that have experienced data breaches have been a “mixed bag,” said Karla Grossenbacher, a Washington, D.C.-based partner at Seyfarth Shaw L.L.P.

“There have been some suits that have been settled for very large dollars because the plaintiffs have been able to get over some of the hurdles and actually show injury. Some of them succeed past the motion-to-dismiss stage, and then we hear about very large dollar settlements,” said Ms. Grossenbacher.

In SAIF’s case, the insurer took steps to respond to the breach.

“As soon as we learned of the incident, we took immediate steps to disable the employee’s business email accounts,” a SAIF spokeswoman said. “We reported the incident to the FBI, the Oregon Department of Justice and the three major consumer reporting agencies. We also retained CSIdentity to provide employees possibly impacted by this with credit monitoring service for twelve months, and notified anyone who may have been affected. We have not received reports that any information has been used to commit identity theft.”

While each company’s approach to addressing a breach may differ, the most important thing is to “stop the bleed,” said Angela Gleason, Washington, D.C.-based senior counsel, cybersecurity, privacy, travel insurance, surety, construction and intellectual property, at the American Insurance Association.

This means “understanding what occurred and figuring how best to notify your consumers as appropriate so that they can take meaningful action,” said Ms. Gleason.
