By Ryan Bilbrey, Managing Director, Reckoning Consulting and R. Christopher Dix, Esq., CPA, CEDS, Shareholder, Smith Hulsey & Busey
Organizations of all sizes can become the victim of a data breach. Most people are aware when large corporations like Facebook or Marriott are breached. But 58% of companies who experience a data breach are small businesses, according to Verizon's 2018 Data Breach Investigations Report. The average cost of a data breach is $3.86 million, and the odds of experiencing a data breach are 1 in 4, according to Ponemon Institute's 2018 Cost of a Data Breach Study.
In our recent webinar, we went in-depth about cyber risk and what to do if your organization is affected. If you missed it, you can view it here.
We had a great Q&A session at the end of the webinar, and we wanted to share our answers here as many of our readers may have the same questions.
Is there a push in the US to merge the state regulations into a federal arena to limit the currently confusing regulatory environment, especially for businesses that work online and store their data in the cloud instead of physical data centers?
We think there is definitely momentum to standardize US privacy laws, whether at the federal level or by agreement among the states. GDPR might provide a roadmap for this. Note that privacy laws are generally dictated by where the individual resides, not where the data resides.
Can the existence and maintenance of a documented response plan mitigate breach liability? Are insurers requiring one?
A response plan likely will not mitigate breach liability, but it will almost certainly help contain direct costs and breach costs. Many insurers assist their clients with basic incident response plans.
According to a 2018 study by the Ponemon Institute, the #1 way to reduce the cost of a data breach is to have an incident response team, which is just one aspect of having a properly maintained incident response plan. Insurance companies are beginning to ask for a copy of an insured’s incident response plan during underwriting, but I have not heard of any insurance company refusing to issue a policy based solely on the lack of an incident response plan (likely because insureds can hastily prepare and submit a basic plan during the underwriting process just to “check the box” on that requirement). Please note that the mere existence of a plan does not necessarily mitigate any breach liability. Plenty of people draft a plan and then just leave it on the shelf without any further implementation or training. If employees are not trained on how to spot an issue or respond to an incident, or if there are no response team members identified and in place prior to a breach, then simply having a policy accomplishes very little towards mitigating breach liability.
Question for Chris Dix: When helping a business associate respond to a PHI-related data breach, do you typically review all of the related business associate agreements (BAAs) to ensure breach notifications are provided to each covered entity per the contractual requirements of each BAA?
In an ideal world, the BAAs are reviewed immediately after a breach, rather than during “data breach discovery.” A business associate should keep track of the notification requirements and other obligations under all of its BAAs – before a breach occurs. BAAs should be reviewed immediately after a breach, rather than later, because the timeframes for notification applicable under most BAAs are much shorter than the statutory time frames for notification generally applicable in the absence of a contract (e.g., hours rather than days). If the business associate has not reviewed its BAAs until after the “data breach discovery” effort is underway, then the contractual notification obligations under the BAAs are likely already past due at that point.
Have you seen any trends in the insurance industry as to efforts to establish standard forms and coverage policies? Given the associated costs and liability of a breach, it seems like the natural approach would be via and in cooperation with insurance companies that already insure existing businesses and firms.
There is a move towards standardization in the insurance industry, but it is still relatively early in the life cycle of cyber breach insurance. We think we will see significant changes to this business in the next 5-10 years.
Please discuss "dark and unstructured data" and how it's important to know what you have and where it is. Also the simple best practice of checking your backups. Are you able to return to business from your backups? You'd be amazed at the number of companies that think they are okay because they back up everything, only to find out they don't know what the process would be to start up from the backup or how to get it into their system.
All company data that can be compromised is within the scope of notification requirements. If a bad actor can find and exploit it, then the company is responsible for it. Regular data mapping, defensible data disposition and information governance efforts are all ways this can be addressed.
What are your thoughts about security of third party vendors? It seems like more and more of the large breaches are coming via third parties. Why aren't more organizations requiring their vendors to have stringent security in order to do business with them?
We ARE seeing a move toward security requirements and security audits for third party vendors, and high-cost data breaches are one of the drivers of this change.
When you get to the capture / review phase – who actually does that work?
Data capture and review can be done by outside counsel (in the case of small matters) or by employees of the company. However, we believe the most efficient, cost-effective and quickest way to perform the review is by using contract staffing with appropriate guidance, oversight and quality control measures.
What is a good estimate of the time it takes from when you receive the data until you have a completed Notification List?
Data Breach Discovery projects can take from a week to two months, depending on the volume of data, clarity of mission and quality of execution. A mid-sized breach (less than 500GB), where the company, counsel and consultants are on the same page, is likely to take about six weeks from the receipt of data.
For the duration of a Data Breach Discovery project – who is in charge? Who is giving the orders and making the decisions?
Great question! Ultimately, the company must be the decision-maker (likely the general counsel), but hopefully with outside counsel and expert consultants providing meaningful input and support for those decisions.
Thanks again to those who joined us for our recent webinar (which you can still view here). Learn more about Data Breach Discovery™, and keep checking our blog regularly for more insights!