Directors and Officers (Ds & Os) being held personally liable in cyber breach cases has landed the matter squarely on the dashboard of all Boards and top-level executives.
Board members are now being held accountable to a minimum level of care: being knowledgeable about the risk and compliance requirements pertinent to their company, and actively overseeing the company's cyber security program, which should include a robust IT system, an Incident Response Plan, and a safety net in the form of Cyber Insurance. The Board also needs to be able to show that it regularly challenges and updates the program, and that it exercises the Plan so that the Plan is actually followed in the event of a breach. Documentation of continuous attention and compliance by the Board not only adheres to "best practices", but also establishes a strong defense.
Cyber Security, as used here, refers to the measures a company takes to keep the sensitive information (data) it holds, and is responsible for, protected and unavailable to unauthorized persons or entities.
A Breach is a violation of those security measures, typically resulting in unauthorized access to, or disclosure of, such data.
Sensitive information/data is deemed to consist of names, addresses, telephone numbers, Social Security numbers, medical information, credit card information, etc. (the precise definition of "personal information" varies by statute).
Data is often kept on employees, customers, clients, independent contractors, sub-contractors, vendors, Board members, Advisors, and the like.
Data can reside in paper files, on networked servers, in e-mail and backups, with cloud or other third-party service providers, or on a laptop, tablet, mobile phone or USB storage device.
The same data may reside in multiple files or electronic locations (applications, tax forms, customer files, employee records, health records, vendor files, etc.), and each copy counts as a separate record that must be inventoried and protected.
Incident Response Plan refers to the course of action (protocol) that is to take place upon the discovery of a breach. The plan should outline internal communications and decision making, identify the internal personnel who will be tasked with managing the response, and identify the external resources to be employed.
A thorough plan that is well executed provides Ds & Os and Executives with a good defense; a poorly drafted and/or poorly executed plan will only provide evidence for plaintiffs' attorneys. Note that the internal personnel assigned to address a breach will be pulled away from normal business operations for the duration of the response. As such, the plan should also identify who will cover those operations.
The plan should also identify, and vet in advance, the outside resources to be used (PR, IT and legal experts, if these are not being supplied through an insurance carrier).
The plan should also include an inventory of all data types held and the locations where each resides, since that inventory determines who must be notified and under which laws.
Data Breach Expenses largely include:
Regulatory fines, both State and Federal
Crisis Services, such as notification letters, credit monitoring, ID Theft insurance, PR, IT, Forensics, etc.
Legal services, for regulatory negotiations and defense
In terms of damages, a breach can result in:
Both first-party and third-party damages
Loss of productivity, business and reputation
When a breach occurs:
State and federal laws (and regulators!) come into play.
Proper notification must be given to all affected parties within the regulatory time frames.
Multiple state laws and regulations may apply: affected parties are entitled to notification and remedy according to the laws of their home state, not the state where the company is located, so the laws of every state in which an affected person resides must be complied with. The effort required to address a breach can therefore grow rapidly with the number of states involved and become monumental.
Government Agencies that may get involved include:
Federal Trade Commission
Department of Homeland Security
US Department of Commerce
US Department of Justice
Sector-specific federal regulators, e.g. the Department of Health and Human Services where medical information is involved
Various state agencies, which differ for each state
Cyber Liability Insurance can cover much of the costs, but more importantly, it can provide the knowledge and expertise needed to respond appropriately to a breach. Resources can include:
Legal experts, familiar with state and federal laws, to communicate and negotiate with the multitude of state and federal agency regulators
Public Relations experts, necessary to craft and manage outbound messages for the public, your community, customers/clients, vendors and all affected parties
Forensic experts, needed to determine exactly what happened, which data was accessed and how many records (and therefore how many people) are affected
Credit Monitoring services
Note: carriers may not provide such services themselves, but may instead direct you to approved outside vendors.
Note: additional IT resources may be needed to restore data and to fix and fortify computer systems with additional security measures. These expenses are not typically covered by insurance; check the policy wording.
A readiness program should consist of:
Robust IT measures (secured computer systems with password and authentication policies, firewalls, encryption of data at rest and in transit, data segregation, and access restricted to those who need it),
an Incident Response Plan, and
a Cyber Liability insurance policy.