Effective data breach response at large organizations requires team approach
Once a data breach occurs, an enormous amount of activity ensues.
Forensic investigators try to learn the causes and extent of the damage, attorneys prepare to notify regulatory authorities and the victims, the public relations staff drafts the company's media outreach effort, and systems to monitor victims' credit for suspicious activities are implemented.
For large organizations, breach responses can be challenging but not financially taxing — unless the response is poorly thought out and executed and results in reputational damage.
“A lawyer is almost always necessary to assess the extent of legal requirements implicated by the incident, as are forensic (information technology) professionals to question the nature, timing and scope of the breach,” said Wendee M. Hilderbrand, a member at Nashville, Tenn.-based law firm Bass, Berry & Sims P.L.C. “If customer notice is required, credit monitoring services should always be offered. And depending on the scope of the breach and the (public) visibility of the company, a PR firm may also be advisable.”
“Large organizations like retailers and financial institutions need dedicated security teams, legal experts and crisis management professionals, all of which they typically have on staff,” said Jerry Irvine, chief information officer of Prescient Solutions, a Chicago-based IT advisory firm.
“But even smaller organizations should partner with such service providers, doing quarterly audits to assess vulnerabilities and developing response plans in the event of a breach,” said Mr. Irvine, who also is a member of the U.S. Department of Homeland Security's cyber security task force.
One way to obtain the needed assistance is to purchase cyber liability insurance from the handful of specialist insurers that typically provide the services at no additional cost. But even that is not a panacea.
“The question then becomes, ‘Can they afford the insurance premium?’” said Collin Hite, partner and practice leader of the insurance recovery group at Richmond, Va.-based law firm Hirschler Fleischer. “If the premium is much higher than the exposure, you're better off going bankrupt.”
“The best advice is to secure the four corners of your network, and ensure that your employees do not use third-party email like Gmail or Hotmail,” he said. “We've handled three incidents this year where the customers were victims of wire fraud because the third-party emails were hacked.”
U.S. credit card companies also are expected to enhance their security measures.
“The goal is to embed credit and debit cards with a micro chip requiring a security code or PIN to process every payment, which is in place in the European Union,” Mr. Irvine noted. “The ideal solution would be a third form factor — biometrics.”
This third form factor would require consumers to scan their thumbprint or retina during the purchasing process.
“Although these security measures would require merchants and banks to buy all new equipment, it's a heck of a lot cheaper than the costs of a data breach,” Mr. Irvine said.