As last year’s cyber attack on Anthem and other recent large-scale hacking incidents illustrate, few events can put your company’s entire reputation on the line more readily than a data security breach. A company’s first line of defense, of course, is to ensure that its data security measures are as strong and as up-to-date as possible. Insurers must be proactive in this regard. It is imperative that companies continually assess the adequacy of their security measures given the proliferation of ever more sophisticated cyber attacks. Even the most stringent security measures, however, may not be enough to prevent a breach. To protect its brand, and to meet its legal requirements in the event of a data security breach, your company should develop and maintain a data security breach response plan. Here are some items that should be included in the plan:
- A state-by-state list of the state agencies that must be notified in the event of a breach affecting consumers in that state. State laws vary in this regard. State laws may require notification to the state attorney general’s office, the state insurance department, other state consumer protection agencies, or a combination of these.
- A state-by-state summary of the specific notification thresholds and exemptions, notification time frames, and other notification requirements.
- Templates for providing the required notices to each state.
- Designation of the person or persons responsible for making sure the required state notifications are sent within the time frames required.
- A state-by-state summary of consumer notification requirements, including the specific information that must be included in each notice.
- Consumer notification templates for each state containing the information currently required by that state.
- Designation of the person or persons responsible for making sure notices are sent to consumers as required.
- A list of other institutions, vendors, or other entities that, by law or by contract, must be notified of a security breach.
- Templates for press releases and other media communications and the designation of the persons and/or media-relations firms responsible for making statements to the media.
- Templates for internal communications to make sure everyone in the organization is aware of the incident, the steps the company will take to respond, and the persons or departments responsible for taking each step.
- Website FAQs and customer service scripts for questions regarding the breach.
- A list of data security forensic firms and an RFQ process for retaining such a firm.
- A process for determining whether credit monitoring services must be, or will voluntarily be, provided to consumers and, if so, an RFQ process for retaining a company to provide those services.
- A process for reviewing vendor contracts to determine the scope of their liability in the event a data security breach may be attributed to one or more of them.
- A process for reviewing and updating the plan periodically to reflect law changes, necessary corrections due to identified deficiencies, and internal policy changes.
Please share (in the Comment box below) any other items or tips from your company’s experience with developing such a plan.
The Lawson Firm would be happy to assist your company in developing up-to-date data breach response procedures and templates. Please feel free contact me to discuss your company’s needs in this area: Scott Lawson, E: email@example.com, P: +1 (440) 666-9735♦
Attorney Advertising. The Lawson Firm, LLC (“TLF”) is a law firm providing legal counsel and value-added legal services to its business clients. Further information about TLF may be found at www.lawsonfirm.net. This article is intended to provide general information only and is not intended to provide solutions to specific issues. Readers are cautioned not to attempt to solve specific issues solely on the basis of the information contained in the article. TLF does not claim expertise in the laws of jurisdictions other than those in which our attorneys are licensed. Certification in any of the practice areas mentioned in this article is not available in Ohio.