How Organizations Can Respond to a Data Breach

Share on facebook
Share on twitter
Share on linkedin
Share on email

When a hack is discovered, an organization must first assess the possible damages.

Data breach cybersecurity

This post was originally published by Parker, Smith & Feek.

By Gregor Hodgson

Every week we hear of a new virus, data breach, or ransomware that threatens our business operations or employee or client information. Many business owners have been hearing about, and are now considering, cyber insurance. But, what exactly is cyber insurance? What does it cover, and is it a good fit for my business?

In order to understand what cyber insurance covers, we first must understand what constitutes a cyber incident. A good definition of a cyber incident is, “The failure to prevent the theft, loss, or disclosure of personally identifiable, non-public information (or corporate information, which you have a written obligation to protect) that is in the care, custody, or control of your organization or a third party, for whom you are legally liable.” This could include the loss of a laptop, hack of a POS system, phishing scheme that results in you or an employee being tricked into divulging personal information to others, or a hacker who steals data and then extorts your organization by threatening to release the data, or by encrypting the data and offering to sell you a key. Cyber insurance can help you assess the damage, respond to the initial threats, and manage the fallout of such an event.

When a hack is discovered, an organization must first identify what has happened and assess the possible damages. An information technology forensic firm is often engaged to discover what happened, what information was accessed, how might have the organizations’ servers been co-opted, and what patches are required to correct the problems. Once the forensic firm can identify what information was accessed, then legal counsel is engaged to identify regulatory and other reporting requirements. These could include notifying state attorneys general, federal agencies, bank card issuers, as well as business partners. These investigations should be conducted in conjunction with legal counsel so that all findings remain privileged.

Data breach hacking brighton jonesOnce damages have been assessed, the initial response to the breach can begin. Depending on the size and scope of the breach, state and federal agencies may need to be notified. Some companies may be required to demonstrate payment card industry (PCI) compliance. Other companies need to begin informing individuals affected by the breach and, depending on the jurisdictions, offer credit-monitoring services to those individuals. If the breach included extortion demands, then the organization must decide whether they are going to negotiate with the extortionists or if they can recreate needed data from back-up systems. If news of the breach has reached the public, then public relation or crisis management services may be needed in order to communicate with customers and the general public.

Once the initial response is contained, the organization can turn to managing the fallout of the attack. This may include class action lawsuits, regulatory or PCI fines, data restoration, income loss, as well as rebuilding a damaged brand.

A well-structured cyber insurance policy can help an organization address all of the challenges outlined above. In addition to the financial protection, most insurance carriers now offer “Data Breach Coaches” who help the organization manage the entire project. The coaches have managed hundreds, if not thousands, of breaches. Their experience can be invaluable as you attempt to negotiate the regulatory and business challenges of a breach. In addition, most insurance carriers can also offer pre-breach services that may include sample data breach response plans, limit analysis, discounted virus detection software and employee training, table top exercises, and more. Consult with your insurance broker and discover the full value of these evolving insurance policies.

Gregor Hodgson serves as a vice president and account executive for Parker, Smith & Feek.


Please remember that past performance may not be indicative of future results. Different types of investments involve varying degrees of risk, and there can be no assurance that the future performance of any specific investment, investment strategy, or product (including the investments and/or investment strategies recommended or undertaken by Brighton Jones LLC), or any non-investment related content, made reference to directly or indirectly in this blog will be profitable, equal any corresponding indicated historical performance level(s), be suitable for your portfolio or individual situation, or prove successful. Due to various factors, including changing market conditions and/or applicable laws, the content may no longer be reflective of current opinions or positions. Moreover, you should not assume that any discussion or information contained on this blog serves as the receipt of, or as a substitute for, personalized investment advice from Brighton Jones LLC.

To the extent that a reader has any questions regarding the applicability of any specific issue discussed above to his/her individual situation, he/she is encouraged to consult with the professional advisor of his/her choosing. Brighton Jones LLC is neither a law firm nor a certified public accounting firm and no portion of the blog content should be construed as legal or accounting advice. A copy of the Brighton Jones LLC’s current written disclosure statement discussing our advisory services and fees is available for review upon request.

Brighton Jones is not affiliated with Facebook, Twitter, LinkedIn, Google+, YouTube or other social media websites and we have no control over how third-party sites use the information you share. Please remember that you should never communicate any personal or account information through social media and it is important to familiarize yourself with their respective privacy and security policies.