One of your clients will suffer a serious data breach this year.  Use these tips to help them prepare.

“the cost of battling Cybersecurity will double in the coming year”[1]
iStock_000020042572LargeNeiman Marcus, Staples, JP Morgan Chase, and now Sony.  The list of prominent companies that have suffered a major data breach continues to grow.  While it is the dramatic incident related to a well-known public company that tends to appear on page one, there are thousands of small to mid-sized companies that have experienced a loss of data or treasure related to hackers or IP misappropriation….and those losses are equally devastating to the owners of those firms.  Many of you represent such companies, and chances are good that one of them will experience a Cybersecurity event in 2015.  When that happens, your client, in serious need of a trusted advisor, will call you.  But will you be prepared to help?

Better yet, have you provided your clients with a list of preparedness best practices so when that inevitable breach occurs, they will be able to mitigate the damage?  If not, now is your chance to get off to a good start with your clients in 2015.

  • $7.2 Million:  What the average data breach cost companies and their insurers last year.
  • $500,000:  The average cost of defending a data breach.
  • 73% of small to mid-sized companies suffered a data breach last year

The damage to a company, both financial and reputational, after a data breach, can be huge.  But having a solid breach response strategy in place before the event occurs can significantly reduce these losses and risks.  Yes, it is true that the best breach response philosophy is to have good security protections and policies in place to prevent a breach, but we have learned that even the best-protected companies in America are not immune from an attack.  We are offering our Top Ten Data Breach Preparedness Tips below.  The first 6 deal with direct breach response tips, and the final four are a little more proactive.  Share them with your clients…you will be happy you did.

  1. Have a team in place.  Sounds like a no-brainer, right?  Most companies have not taken the time to assemble a data breach response team, and this failure increases the risk of costly missteps.  Help your client identify a team and task them with carrying out a plan.  Team members should represent the following segments of your client’s business:  Legal, outside counsel, HR, Media Relations, IT, Corporate Security, Insurance, and vendors from computer forensic, remediation, and notification specialist firms.  Keep your phone trees up to date, and have back-up people in place.
  2. TrainingTrain the team.  Make sure the members of your client’s breach response team are fully up to speed on the legalities of breach response including notification requirements, data spoliation risks, and regulatory laws.  Keep training records as evidence of your client’s best efforts to have a competent team in place.  This documentation can help the plan survive outside scrutiny if your client does experience a breach.
  3. Communicate with the team.  Provide the team with the written plan and have regular communication.  Update team members with industry developments, emerging case law, and breach response trends.
  4. Negotiate now.  Have master service agreements in place with your key vendors, (breach response notification specialists, call centers, credit reporting agencies, etc.).  Negotiate to price (and especially indemnification language!) now…not in the heat of the moment during a data breach.
  5. Practice!  Stage “tabletop” exercises at least twice per year on a wide-array of breach event scenarios, (loss of consumer information, trade secret breach, website hack, etc.)  Maintain records of these practice sessions.  Practicing the plan not only increases its effectiveness, but it also demonstrates how serious your client is about protecting data, rendering the plan more defensible.
  6. Time is not your friend.  If your client suffers a breach, move fast to respond with your investigation, forensics, and notifications.  Companies that delay will pay more, particularly for fines, litigation, and settlements.   As you know, some regulatory reporting “triggers” are time-sensitive, and the clock typically starts ticking once your client is reasonably aware of a breach.
  7. illustration copyTime for a CSO?  The new data indicates companies with a dedicated Chief Security Officer tend to pay less for breach response costs.  Why?  Those firms are more likely to have good controls in place.  Is it time for your client to hire a professional CSO?  Only your client’s risk tolerance, size, and resources can answer this.  Smaller firms with limited resources may benefit from a contract CSO on a part-time basis.   Have this conversation with your client before the loss occurs.
  8. Do an assessment!  Encourage your client to identify and inventory their company’s most valuable data.  Then, spend 80% of your risk mitigation money on protecting those assets.   Consider selecting an outside partner to do a full IT Security Assessment.  Remember, the assessment should address not only your client’s information security hardware and software, but also those components of a security plan that focus on people, processes, and policies.  TIP:  Be actively involved in the hiring and management of the consultant yourself, so that the results of the assessment  (and your client’s “dirty laundry”) may be protected under attorney-client privilege.   An assessment is a lot cheaper than a breach.  Do it.
  9. Clean the dirtiest room in the house first.  Some fairly basic security measures will yield a huge ROI on your client’s risk-reduction investment.  Laptop computer encryption, for example, is cheap, extremely effective, and offers a big “Safe Harbor” if a laptop containing the family jewels gets lifted.  Other remedies like two-party authentication, changing the default security settings on servers, and keeping your internet security software updated will also go a very long way.
  10. The insurance question.  New insurance tools can help your client shift some of their cyber risks.  If your client has cyber insurance and they have suffered a breach, remind them to engage your insurance company claims executives immediately upon suspicion of a breach.  Insurance carriers can bring breach response experts to the table that can reduce your client’s response costs significantly, and some of these resources are covered by insurance.

Errors made during a breach response can be extremely costly. Attorneys, regulators, and others will have the luxury of time to critique the decisions you and your client make during the post-breach heat of battle.  Planning ahead is critical.  The existence of a thoughtful breach response plan will help ensure a defensible response to a cyber breach.