NU Online News Service, June 25, 3:10 p.m. EDT
Companies that collect personal information need to develop plans in advance to guard against data theft so they can protect the company in case of a breach and communicate to those affected, according to a panel of experts.
The panel presented the information during an ACE webinar, "How to Respond When Sensitive Customer and Employee Data is Breached, Stolen or Compromised."
John Mullen, an attorney with Nelson, Levine, DeLuca & Horst, said, "A good plan is vital because companies face a number of serious issues, including how to manage their reputation."
Such a plan, he added, could prevent reports about a breach "from becoming the next news cycle feature." He said the plan should address ways of communicating transparently and proactively to the public, including any individuals who are directly affected.
In the case of a breach, he said a company may want to contact the FBI or other authorities, depending on the type of loss.
With an accidental loss, government authorities may not need to be contacted unless directed by statute, as is the case in some states, he said.
Toby Merrill, vice president, ACE Professional Risk, said an important facet of a response plan is knowing how to respond before an incident occurs. This can save time, money and effort.
"But before you can determine how your company needs to respond to a breach, you will need to identify who in your company needs to be involved," he said.
Members of a response team, he said, would typically include senior level management from legal, compliance, information security, risk management, corporate communications and marketing.
Mr. Merrill added, "The next step is to establish a team leader to manage the crisis and direct operations."
This person, he said, would operate as the central contact for reporting status to senior management, and would oversee implementation of the plan.
A company should also identify the external expertise and resources that are needed. It's not unusual for organizations to tap experts in the marketplace for assistance with forensic, legal and public relations matters, he said, adding, "Therefore, it is important to pre-approve these vendors and add them to your incident response plan."
A solid plan should also identify someone to communicate with the media, Mr. Merrill said. A company may want to prepare for a breach by approving a third party communications or public relations firm with experience in responding to data breaches. This would provide backup to the company spokesperson, he observed.
Because there are many types of breaches that can occur, he said a company may want to consider storyboarding potential scenarios to help develop several contingency plans.
Mr. Merrill also recommended preparing written communications in advance. Letters to affected customers and business partners and other communications vehicles should be prepared so that the crisis response team can focus on giving the best response to a given breach, he said.
Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader
Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
- Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
