[BreachExchange] Response Options For Businesses With Sensitive Data Breaches

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 30 19:53:11 EDT 2018


https://www.jdsupra.com/legalnews/response-options-for-businesses-with-12632/

Your heart raced when the caller on the phone identified himself as an FBI
agent. But the conversation was matter-of-fact.

About 2,500 sets of credit card information from your clients had been
posted for sale on a Ukrainian cybercrime forum along with the personal
information of 125 of your current and former employees. The FBI believed
that this information was possibly stolen from your business computers and
concluded that your network may have been hacked by an Eastern European
criminal gang.

As you consult with your leadership team, you realize that the list of
actions you will need to take seems endless:

1.    You will need to get your IT systems functioning again and ensure
that the bad guys are out of your system for good. You learn that this may
not be easy because hackers often leave back doors to let them return to
continue their theft. It will take significant IT expertise to delete them
from your system permanently.

2.    You will need to find out how long the criminals were inside your
system, what data was stolen, and how the criminals may have used your
system to hack into the systems of your customers or vendors. This forensic
investigation also requires special IT expertise.

3.    You will need to check the contracts you have with customers and
vendors whose data was compromised, verifying your contractual obligations.
Payment card companies have specific provisions concerning breach response
and notification, and you need to pay attention to them.

4.    Because of the liability issues involved, you will probably want the
most sensitive parts of the investigation to be guided by an attorney. This
allows the results of parts of the investigation to be treated as
attorney-client privileged.

5.    The biggest headache may be notification of affected customers and
employees. You must notify each person whose personal data was compromised.
Legal requirements are different from state to state. The notice you must
give will be determined by the breach notification laws of the state in
which each customer or current or former employee now lives. You will also
need to notify the attorney general’s office in many of these states.

6.    You will probably need a dedicated website for posting information.
You may need a call center unless you want the people you notify calling in
on your business switchboard.

For even a small business, responding to a data breach can be a major
expense and a costly distraction from managing the enterprise. One helpful
option is to add once-exotic cyber insurance policies to standard property,
casualty, and business liability insurance packages.

What does cyber insurance do?

Cyber insurance pays for breach response costs up to policy limits. Often
the insurance company provides breach coaches and a pre-positioned team of
experts with the roadmap and experience required to walk you through the
steps you must take to respond. The expertise and assistance that comes
packaged with cyber insurance can be as valuable as the liability coverage
under the policy — perhaps even more so.

Typically, the provider’s breach response team can respond to the breach
more efficiently and more cheaply than your own team. And your internal
leadership team can focus on managing your business during the months ahead.

What are the basic provisions you need in a cyber insurance policy?

•    Coverage for breach response costs, including system restoration,
forensic investigation, third-party notification, legal expenses, credit
monitoring services, and web and call center response.
•    Network security coverage to protect you against claims made by third
parties that were economically harmed by the breach, including both
customers and vendors. (More than half of the major breaches that have
involved national or global companies have come through small vendors whose
systems were initially breached.)
•    Insurance for third-party liability that may arise if your website is
infected with malware that loads itself onto the computers of people who
access your site. This is referred to as a watering hole attack.
•    Business interruption coverage. Businesses that do a lot of sales
through the web or by email or telephone may find business interruption
coverage a higher priority.
•    Cybercrime coverage against wire transfer fraud and internal social
engineering attacks — the sorts of attacks where employees are tricked into
making wire transfers or diverting payments to false accounts. Businesses
that deal with multiple foreign customers and suppliers may prioritize
coverage for wire transfer fraud and funds transfer loss.
•    Coverage for costs and damage caused by ransomware or other cyber
extortion, and for the damage done to internal systems by malware.

Since cyber insurance is a new field, the terms and conditions of cyber
insurance policies have not been standardized by decades of practice, as
with property and casualty insurance, and it is important when reviewing
cyber insurance options that you consult with a skilled adviser who can
assess your business’s level of risk and guide you through the terms of the
available policies.

Lily Tomlin pointed out that “reality is the leading cause of stress among
those in touch with it.” Increasingly we are aware of the reality of
cybercrime, but reviewing the security steps we need to take to prevent it
— as well as our response options should we experience it — will go a long
way toward lessening that stress.