Focus on: Risk Management
 Mitigating the damage of a security breach

While retailers continue to beef up computer security, hackers continue to find ways to circumvent even the most sophisticated cyber-blockades. And the threat is not only hackers or rogue employees maliciously liberating private information: Data breaches occur when sensitive information is improperly disposed of and tossed in the trash or lost when a laptop or other portable electronic device is mislaid by or stolen from a well-meaning employee. This not only impacts your customers but can damage a company’s reputation and bottom line.


In addition to computer security, retailers must have a crisis plan in place to prepare a strategic offense when a breach occurs. The right response can go a long way to mitigating the damage an incident can cause to both a retailer’s bottom line and its brand reputation. 


The following three steps are critical: 


1. Get to the root of the problem. As soon as a breach is known or suspected, a retailer may be bombarded with questions and possibly adverse publicity. Almost universally, the company will need to call on third-party forensic and technical experts to help determine the root cause of the breach and the extent of the damage. 


2. Assess notification needs. Almost every U.S. state now has a statute outlining what a company must do in the event of a data breach, including specific requirements for notifying those impacted by the incident. (Check current notification laws by state at beazley.com/databreachmap.) The costs associated with these notifications can stack up fast when you consider that thousands — even tens of thousands — of customers need to be alerted. Outside of notifications, additional regulations are constantly being enacted, and place ever-greater burdens on businesses handling personal information. 


Negotiating the maze of applicable laws can be complicated. Retailers are wise to engage legal counsel to help them through the process and to ensure compliance. 


3. Nurture customer relationships. After individuals are notified that their data have been lost or stolen, they will understandably be concerned about the potential consequences of the breach. Putting their minds at ease is critical to maintain customer confidence and protect a retailer’s reputation. According to a recent study, customer turnover in direct response to breaches is the main driver of data breach costs. (Ponemon Institute, 2010 Annual Study: U.S. Cost of a Data Breach) If a customer is really dissatisfied, they may sue. 


Consequently, providing credit monitoring and other “recovery” assistance to mitigate the impact on a breach victim is critical for retailers. And it can be an expensive proposition. Studies by the Ponemon Institute show ex-post response costs — costs of credit monitoring, legal defense, identity restoration and other assistance to victims —has increased at a double-digit pace in the past five years, reaching $51 per record in 2010. 


Of course, the real key to an effective response is planning and preparation before a breach occurs. Insurance is a critical part of this preparation. Retailers may be surprised to learn that their current property and casualty insurance policies do not cover costs and liabilities arising from data breach issues. These traditional policies are likely to extend to a small portion of the costs and liabilities at best. However, insurance expressly for the legal liability and costs associated with a data breach has been available for some time. 


The newest products on the market cover not only a retailer’s legal liability and response costs, they make a comprehensive, strategic breach response essentially turnkey. Look for insurance that couples an insurance contract with services from best-in-class experts such as: 


• Forensic specialists to uncover exactly what happened,


• Privacy lawyers to assist in addressing the legal requirements of a breach,


• Notification service providers to print and mail letters to affected individuals, and


• Credit monitoring and fraud response service providers. 


Legal liability insurance is just one part of the multifaceted data security exposure. To be truly effective, any data breach insurance solution should address the broad spectrum of costs associated with an incident, help to rapidly mitigate the reputational damage caused by an incident and relieve retailers of the administrative burdens of a breach. Fortunately, today’s best-of-breed solutions do all that and more.


Nicholas Economidis is an underwriter in the technology, media and business services group at Beazley Group, a specialist underwriter that offers a complete privacy-breach response management and information security insurance solution.