Terplan stressed the importance of trying to get a sense of what the breach event encompasses. "The first goal is to stop the breach from happening, but you don't want to erase the data because you need it to find out what occurred," she explained. In their effort to stop a breach, companies may inadvertently erase the data that could show how the system was compromised and the scale of the breach.

Troy Bates of Werlinger & Assoc. said that companies should also be aware that "if you've been breached, your backup includes the virus and you're just putting it back onto your system unless you mitigate it."

He said it is important to conduct the investigation – identify what caused the breach and remove the virus or issue, but he cautioned against erasing the hard drive unless there is a backup or some other preventative measure in place. Recreating information on the hard drive can be extremely expensive, sometimes costing millions of dollars.

Data analytics can be used to identify what information is involved in a breach. For example, if Server A was the only server breached, it may only contain information on customers in a specific geographic area, as opposed to impacting all of a company's customers. Analytics can also determine what information was affected such as passwords, birthdates or emails, which determines whether or not customers are notified.

(Photo: Shutterstock)

Notification – it's complicated

A breach of birth date information may require notification in one state but not in another. Terplan explained that there are 47 different state breach notification laws and none of them are the same, which makes determining who needs to be notified of a breach and when a challenge. Notification is triggered by the residency of the state where the affected individual resides. She said the Obama administration is pushing for a national notification law, which would simplify the process. "What is a breach in California may not be a breach in Texas," she said, "and frequently companies know that they have been attacked, but they don't know what happened."

She said that notification laws in the U.S. are based on first identifiable information such as Social Security numbers, emails, passwords, and drivers' licenses. "You have to notify each individual about the breach," she said, and the company is expected to offer some sort of identity monitoring for all of those affected. Depending on the type of breach, regulators will need to be notified and possibly the Attorney General's offices in multiple states. Notifying the Attorney General will depend on the number of people impacted. A company may also have to advise its shareholders and the Securities and Exchange Commission of the breach if the company is publicly held because losses could be catastrophic after regulators are notified.

Cyber laws also vary from country to country. Canada has breach notification laws, while Europe and Asia do not. When there is a breach in Europe, a company notifies the regulators, who determine what the next steps will be. And the rules for what constitutes a breach in these countries may not be considered a breach in the U.S., so there are a number of issues to consider. And hackers are well aware that these differences work in their favor.

While these issues won't be addressed in the immediate future, the questions will continue to evolve as the attacks become even more sophisticated. As experts see a greater variety of breaches, cyber insurance policies will become even more nuanced in order to address the various scenarios arising from cyberattacks.