  • Insuring Your Business Against a Security Breach


    How to Respond to a Data Breach

    Since data breaches are becoming more common, how you respond to one can go a long way toward maintaining your business's reputation and keeping the trust of your customers.

    As with any crisis, a quick and decisive response is critical. But here’s the problem: most breaches go undetected for a long time. A 2013 study conducted by Verizon found that two-thirds of breaches took months or years to detect. One-third of breaches come to light only when the company is alerted by law enforcement, a customer, or simply by accident. The longer a breach goes undetected, the more harm it can do to your business.

    If you are unfortunate enough to experience a data breach, here are some suggestions on how to respond:

    • Stay calm and take the time to investigate thoroughly. You might be tempted to quickly patch a hole so you can get your business back up and running, but this could leave you vulnerable to another breach.
    • Get a response plan in place before you turn the business switch back on.
    • Notify your customers, following your state’s reporting laws. Only 33 percent of the Ponemon study respondents who had experienced a data breach sent out notifications, even though 46 states require it. Not following through on this could subject you to penalties and further legal troubles.
    • Call in your security and forensic experts to identify and fix the problem.


    Game Plan

    Consider buying data breach insurance. Your policy should cover costs for:

    • Responding to a breach, including forensic investigations.
    • Notifying affected customers.
    • Developing crisis management plans, along with PR and advertising campaigns to repair your image.
    • Legal defense and liability requirements, such as civil awards, settlements and judgments.

    Develop a data breach response plan before you have a problem and test it periodically with some “what-if?” scenarios.

    For a list of the 46 states that require security breach notification, along with links to each state’s relevant civil code section, go here.