Risk management approach can help public entities protect vulnerable data

Public entities must take a proactive stance in addressing their data systems' vulnerabilities to hacker attacks.

“It's Risk Management 101. You have to try to quantify and qualify your actual exposure, financial or otherwise, and obviously that means you've got to engage the (information technology) folks within the organization to think like a risk manager,” said Joe Blasi, Houston-based executive vice president at broker McGriff, Seibels & Williams Inc.

“Once you've got your arms around what the actual exposure is,” solutions can include insurance or self-insurance, he said, adding that it also is important for all departments and agencies to collaborate on the issue.

Even if public entities do not have the resources to defend the entire system, they should focus on the biggest risks, said Daniel Howell, San Francisco-based executive vice president and managing director of Alliant Insurance Services Inc.'s public entity group.

Of particular concern is health care-related information. “Public entities have more of that than the think they do,” Mr. Howell said.

Public entities also should consider the controls third-party providers have in place, said Anne Corona, San Francisco-based managing director of Aon Risk Solutions' financial services group.

“Pick someone and tell them they are now in charge of all data privacy issues,” said John F. Mullen, a partner at law firm Lewis Brisbois Bisgaard & Smith L.L.P. in Philadelphia. Otherwise, “everyone assumes someone else is doing it.”

Also, the person in charge of data privacy issues should have “some clout” and decision-making authority, he said.