Blog

What a Business Should Do After a Data Breach

You’ve been hit with a cyberattack. Now what? Who do you owe money too? What regulations are you subject to? How do you handle it? Who can you turn to for help?

Whitney Tabash, a Broker with All Risks, Ltd, recently sat down for an interview and answered the following questions. You can jump to her answers by clicking on the links below.

• What fines do you owe after a breach?
• How do businesses know how they need to respond to cyberattack?
• What about small businesses that can’t afford a compliance officer, and DON’T have a cyber policy?
• For small businesses that DO have cyber insurance, how can the carrier help guide them through a cyberattack?
• What is covered by a cyber policy? What isn’t covered?

What fines do you owe after a breach?

Each state has their own regulations. There are regulations internationally, for instance the EU has them. If you collect information on an EU citizen, California citizen, New York citizen, Texas citizen – you have at least four different privacy laws that you have to adhere to.

There are also timelines you have to adhere to. Once the breach is discovered you have five days to respond. The response has specific requirements and each law has unique requirements. So those kinds of things can be hard for a small business to manage.

Most businesses are busy running their business. When a breach hits, the time it takes to resolve takes time away from running their business and creates a financial burden. The cost of it can create insolvency, especially when there aren't shareholders or more stocks to issue to make ends meet and pay for business interruption.

How do businesses know how they need to respond to cyberattack?

Start with your compliance officer. If you don’t have one, you can hire experts in the cyber industry that know the privacy rules and regulations. It’s similar to licensing, but with a consultant. They help you navigate through the various regulations.

You’re a step ahead if you have cyber liability insurance and a breach occurs. That's one of the main things cyber coverage is designed to do. It helps small businesses, or really any business, respond and do it in accordance with the law.

Each cyber carrier has either in-house vendors or an internal staff that are experts in the various  privacy regulations. They will hold the hand of small business owners, to make sure they're adhering to those laws and regulations.

What about small businesses that can’t afford a compliance officer, and DON’T have a cyber policy?

If you don't have a cyber policy, I would highly recommend you hire an expert at the point of a breach to help navigate through it.

Unless you deal with this all day, every day, it's impossible to know how to handle it. The regulations are constantly being updated.

Here in the United States, each state has their own laws and regulations. And they’re constantly changing. A big one that people are talking about is the California Act, and that just changed what businesses would have to do if they keep information on California residents.

So, you really need an expert in the field of privacy laws and regulations, and how to be compliant, in the event of a data breach. Otherwise, the fines are going to stack up quickly. You're not going to be able to adhere to every single one. And each state is going to start fining you, and keep fining you, until there's proof that their laws and regulations have been met.

For small businesses that DO have cyber insurance, how can the carrier help guide them through a cyberattack?

Cyber policies are designed to help businesses navigate cyberattacks. Once the data breach occurs, they call their insurance company and the insurance company walks them through it.

A lot of cyber carriers have vendors that are experts in compliance. They help with notification forensics to figure out how the breach occurred and how to prevent future breaches. And to make sure that the data is clean.

If you had a hack, then does the hacker still have access to the system? How do we make it where they don't? These are issues your cyber insurance carrier can resolve with you.

Cyber insurance also handles all the compliance issues that are going to come up, and how to navigate it. If there are issues that are not met on time and you get regulatory fines, the cyber insurance covers those as well.

What is covered by a cyber policy? What isn’t covered?

It depends on your cyber policy. All coverage is not created equal. Unlike other coverage lines, there is not a specific cyber form that all carriers must start with. Each carrier and each policy form are really different.

For example, with social engineering, markets add it as an endorsement or as a supplement. That means you need to make sure that your insurance agent is showing you where that limit is. Some other names for it are transfer fraud or fraudulent instruction coverage, but it would be specifically added on to your policy. You should be able to see it very clearly.

Question: So, let's say I get hit with a $20k exposure and I have sufficient coverage. Does the carrier pay back that $20k to cover my loss?

Answer: Exactly. That policy will have a deductible and some carriers do a specific deductible for social engineering that might be higher, but for most it would be whatever deductible you choose to buy on the policy – you would still have to pay the deductible.

For example, if you have $1 million policy with a $1,000 deductible and a $100,000 social engineering supplement – you basically pay the $20k exposure, and then the insurance company would reimburse you $19,000, so the amount less your deductible.

Summary

The unknown compliance requirements of a data breach can be overwhelming. If you’re hit by a data breach, treat the recovery like a project requiring a project manager. Your insurance company will help you through this process. Otherwise, you’ll need to hire a consultant to make sure you don’t miss any steps.

Related Resources