Picking Vendors to Help You Through a Data Breach
Who Needs to Be on the Response Team?
- A cyber security law firm provides legal advice and defense services for lawsuits, and ensures that your breach response complies with all state and federal requirements. Should you suffer a breach, you will rely on this critical partnership to guide your response at every step of the way and minimize the risk of litigation and fines.
- A computer forensics firm will investigate the incident, piecing together the facts of what happened, including when the intrusion occurred, the information compromised and whether the attack is ongoing. They can compile results in a findings report that will determine next steps in the breach response process. Using the right computer forensics firm is essential as its report can be presented in a court of law.
- If your clients or customers are impacted by a data breach, depending on federal and state requirements, notifications may be necessary. A notifications vendor can manage the entire process from helping you and your law firm draft compliant messaging to printing and mailing the letter and tracking and reporting on its status.
- Call center support provides assistance to clients and customers with incident-related questions and concerns. You may also wish to offer credit and identity monitoring services to protect affected customers from activity related to their personal information.
- A public relations firm will support your recovery by managing the messages that are disseminated to the public. Services include crisis communication planning, delivery, monitoring and follow-up.
How Should You Begin?
What Key Qualities Should You Look For?
- Experience. Data breach response is complex and highly regulated. A vendor that lacks sufficient experience can compound the damage and expose you and your business to additional harm through mishandling. When interviewing potential vendors, ask how many breaches they’ve handled and in what industries. Also ask if they specialize and in what areas. Their response may influence your decision-making.
- Single area of expertise. Avoid data breach response companies that offer a full suite of services under one umbrella. Those that promise everything (as opposed to those that specialize or sub-contract with external suppliers) may present a conflict of interest. For example, a forensics investigator may dig deep for evidence that drives business to the notification segment of the same company. Look for suppliers with specific expertise and without potential conflicts.
- Reasonable rates. The best way to keep rates reasonable is to engage your vendors in advance of an incident. Put them on retainer, if possible, so you won’t need to engage in a last-minute search should an incident occur. Your cyber insurance carrier may also provide vendor solutions at negotiated rates.
- Availability. Explore multiple vendors in each area of specialty to ensure availability for a reasonable price. Your insurance carrier may assist you in this process. Another option is to choose a law firm or a data breach management vendor that will bring in vendors to supply the services you need at the appointed times.
- Matches your company culture. If you value open communication with customers and the public but retain a law firm with a more cautious approach, you may not get the service you want and may waste valuable time in the breach recovery process. Before a data breach occurs, take time to consider your relationship with your consumers, your company culture and how you’d want to respond. Choose a firm that understands that from the get-go to prevent bigger issues from arising later on.
The Hartford® is The Hartford Financial Services Group, Inc. and its subsidiaries.