Data breach: the essentials


Data breach is a serious risk for many organisations. As well as having significant financial consequences, it can damage relationships with customers and the public, and threaten compliance – which can result in litigation and fines.

“A data breach can have devastating consequences to an organisation,” says Christine Marciano, President, Cyber Data Risk Managers LLC. “Data breaches continue to happen and the risks associated with it are increasing.”

Data breach can occur accidentally (when information is mistakenly sent to the wrong person, for example), or it can result from deliberate actions, including:

  • hacking
  • appropriated hardware
  • inappropriate disposal of hardware

To protect themselves, companies need to have a data breach risk management strategy in place, in addition to a broader IT security strategy. “Today any business with control or possession of sensitive and private data must assume they may experience a data loss incident and would be wise to explore the purchase of a data breach insurance policy,” says Marciano.

With the rise in data breaches, coverage is increasingly being denied under traditional insurance policies. Data breach insurance, which is a relatively new form of insurance, is important in ensuring that your company is protected. It can cover:

  • legal costs
  • recovery of lost data
  • payment of regulatory fines

According to Marciano, companies with an effective data breach risk management strategy will also:

  • train employees
  • encrypt any mobile devices that carry sensitive data
  • encrypt sensitive data at rest and in motion
  • ensure that any third-party service providers who may be contracted and have access to sensitive data have policies and procedures in place and enforce them, and have data breach insurance themselves

Importantly, an effective strategy will account for IT asset disposition. Companies should dispose of hardware through a vendor that has a third-party certification in data sanitisation and ask to see their certificate.

“Due to the amount of decommissioned IT assets and the rapid advancement of never-ending types of new media in use by organisations, it is important that organizations incorporate disposing of hardware/IT assets into their policies and procedures and work with a reputable (ITAD) IT Asset Disposition company that can clear, purge and destruct an organisation’s decommissioned hardware and IT assets,” says Marciano.

A broader IT security strategy, which many companies already have in place, can also help to protect against data breach.

  • Rodger Braid on 9/04/2013 11:10:36 AM

    Useful except for the comment about encrypting sensitive data at rest. The National Archives of Australia recommends that encryption not be used to protect records. The reason for this is that the encryption key may not be available in future so the information will be effectively lost. The best way to protect sensitive data is to apply an appropriate classification or dissemination limitation marker and use the security capabilities of your electronic recordkeeping system to manage access. Otherwise lock it up in a file cabinet.

  • Robert Cooper on 3/04/2013 12:17:38 PM

    Some excellent tips here for any business.
