Head over to the search engine of your choice, put in the keywords "data breach," and take a look at the screen. The very first thing you'll encounter is the new cottage industry that has evolved around rectifying the residual fallout that accompanies many breach events. You'll discover that there is no shortage of paid ads offering various solutions. Then you'll see the multitudes of vendors sharing their solutions to help you avoid having a breach. And you'll close with a long list of breach databases and breach notifications, along with lists of investigations, victim stories, etc.
A review of breaches over the course of the past six months has shown a number of repeat players coming to the table and some prominent ones appearing for the first time. The education and health care sectors are among the most frequent to appear in the Open Security Foundation's Data Loss Database, which discussed in their annual report that 2013 was a record-breaking year for breaches, with over 2,164 incidents exposing more than 822 million records. It may feel like we will become inured to the entire concept of data breaches given their frequency and volume. We must not let this occur.
Following the ignoble year of 2013, a cacophony of woeful pleas elicited from consumers, clients, partners, and elected officials culminated in an effort to turn a key in the lock and try to keep data secure. The thundering footsteps we hear beating a path to acquire data breach insurance are very real. According to Paul E. Paray, a partner at Zimmerman Weiser & Paray LLP, who presented at the recent RSA Conference 2014 on the topic of "Data Breach Resolution for Insurance Carriers," such insurance provides liability coverage for "network security and privacy liability, statutory notice requirements, regulatory fines and investigative expenses, and PCI-related penalties."
And what if you are the one who has suffered the loss? According to Paray, first-party coverage normally includes "data breach expenses, business interruption losses, information asset expenses, and extortion threats." Key coverage triggers include "coverage for claims based on the failure to protect confidential information obtained by social engineering means; acts of rogue employees and independent contractors; violation of privacy statute, including notice laws; and violation of an insured's privacy policy." This means that if if you're the victim of a second breach event that could possibly have been caused by your negligence, you may find yourself with your hand deep in the OPEX wallet to cover the post-breach expenses. The likelihood of this occurring increases when the cause and effect of a data breach is not widely shared, which stresses the importance of properly reporting a breach when it occurs.
Having a plan in place to address breach notification, remediation, and most importantly, the course of correction, demonstrates that though you may have been caught with your britches down once, you have taken appropriate steps to avoid it happening again.