Guest Op-ed: What I’ve Learned from 5,000 Data Breaches

When clients ask me to describe the biggest risks surrounding a data breach I sometimes say: “(1) reputation, (2) reputation, and (3) litigation, regulatory, and contractual.” Our guest columnist this week talks about her own opinion of the role of reputation and the impact that customer service plays on that. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.

– David Zetoony


What I’ve Learned from 5,000 Data Breaches

By Jamie May, AllClear ID

  1. How has the breach response landscape changed over the last year?

Over the last year, the biggest shift we’ve seen in the industry relates to the activities that occur well before a data breach. We’ve all seen the devastating consequences a botched response can have on brand reputation, customer retention and the bottom line. Today, more and more businesses are engaging with partners like Bryan Cave early on, and taking proactive steps to be ready to address their customers quickly and with care when a data breach does occur.


  2. After a breach, losing customer trust is a big concern for brands. What can companies do before and after a breach to ensure customer trust remains intact?

Companies should place excellent customer service as their guiding principle during response planning and execution. Taking the time to plan for an incident with the customer in mind will go a long way in preserving customer trust when a breach occurs. All communications to customers need to be clear and helpful to minimize confusion and anger.  It is much easier to have clear communications when you think through the flow and complexities in advance of a real incident. Keep in mind, your customers’ first interaction with your brand after a breach may be with the identity protection services and support center, so getting that experience right is crucial to success. To make this easier, look for a partner who can help provide:

  • Identity protection services that are user-friendly and available to every affected customer
  • Guaranteed access to quality, scalable call center services
  • Call center agents who are trained in soft skills as well as identity theft protection best practices


  3. What is the single most important thing companies can do to ensure a breach response goes smoothly?

In my experience, companies across all industries that focus on their customers before, during and after a data breach fare far better than those that do not, both in terms of overall response and the speed at which they are able to return to normal business operations.  To do this well, securing the resources you need before an incident occurs is absolutely critical. Even the best planning is rendered useless if your customers experience hour-long hold times when they call in to the call center for help.  To avoid this negative customer experience, companies should partner with response providers who offer them a contractual guarantee that the resources they need will be available when they need them – this is the most critical component of true breach readiness.

  4. What trends are you currently seeing in the breach response space?

We’re working with more and more companies who are taking proactive steps to be ready to respond well before an incident event occurs. We help these companies build out the operational details of their customer-facing response plan. Part of this process involves testing that plan through a breach simulation. We create a mock breach scenario and use the response plan to actually walk through how the company would respond.  This exercise exposes any gaps in the response plan and allows the response team to practice in a controlled environment.

Another trend we’re seeing is that businesses want a guarantee that we will be available to help them respond to their customers should they ever need us. To address this need, we created our Reserved Response program, which allows companies to reserve guaranteed response manpower. They invest upfront, and we guarantee we will be available when they need us.  This takes a lot of the uncertainty out of breach response.


Jamie May is Vice President of Operations at AllClear ID. Since joining the company in 2007, she has managed the implementation and execution of over 5,000 data breaches, including 3 of the 4 largest and most complex breach responses in history. She advises Fortune 1000 companies, government agencies, and healthcare organizations on all aspects of breach readiness and response and is a sought-after industry expert.

Guest Op-ed: Frequently Asked Questions Regarding Cyber Insurance

Our clients have a lot of questions when it comes to cyber insurance. For this week’s op-ed, we asked Tim Burke, director of cyber risk at IMA, Inc., if he could discuss the two main questions that he receives from clients who are investigating cyber insurance as well as his typical response. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.

– David Zetoony


Frequently Asked Questions Regarding Cyber Insurance

By Tim Burke, IMA, Inc.

We have now reached a recognition by most commercial entities that cyber insurance is a “need to have” as opposed to a “nice to have.” Having been involved with cyber insurance dating to 1999, I have seen quite a bit of change in the marketing and scope of this coverage. Today, my job often involves presenting on this topic to a wide variety of audiences who pose engaging questions. Therefore, I have addressed within this post some of the most commonly received inquiries pertaining to cyber insurance.

Q: What is the biggest mistake you see in consideration of purchase of this coverage?

A: One consistent issue I see is companies viewing this issue as exclusively related to privacy breaches: “If we do not maintain a significant amount of confidential information (e.g., PII, PHI, PCI), then we have no relevant exposure.” That logic may be accurate to an extent but the primary intent of the coverage is to address operational risks associated with failures of security and safeguarding confidential information. This can extend to internal operational errors as well as outsourced functions. The scope of coverage is broader than most realize and extends to first-party risks such as business interruption and costs to replace data. A recent example of this is the number of highly publicized ransomware attacks where there was significant operational disruption, including down time and loss of data. Since most traditional property and casualty policies do not address new and emerging perils (malware, denial of service, encryption), cyber insurance policies have been specifically designed to address those gaps in your insurance portfolio. I often pose this guiding question: what is the enterprise value of your intangible property vs. tangible property and how does your insurance program reflect that?

Q: What suggestions can you provide for an effective procurement of this coverage?

A: The first suggestion is to recognize this is an enterprise risk issue, not an “IT” issue. As part of that consideration, you need to break down the silos within the organization to foster dialogue and awareness. Bring together a cross spectrum of relevant stakeholders (CISO, CIO, Legal, Risk Management, Finance, Marketing) to identify and quantify unique operational risks. Examples of unique “blind spots” we come across are outsourcing, industry specific regulation, M&A and reputational impact. Build a consensus and then develop a list of coverage priorities. These priorities should then dictate your marketing goals. The cyber market is highly competitive (50+ carriers) with creative underwriters eager to write new business. You should also engage in direct dialogue with a prospective insurer as underwriters welcome the opportunity to learn more about your operations. It also provides an opportunity for you and your broker to pose questions of them. As part of that discussion, include a representative from the claims department to discuss experience handling your peers’ claims, industry trends and expectations in the event of a claim. Ultimately, a well-thought-out strategy results in you dictating the pace to the marketplace as opposed to vice versa and eliminates any questions you may have on the viability of your coverage.


Tim Burke is the Director of Cyber Risk at IMA, Inc. As the national practice leader, he is in charge of researching emerging issues and creating proprietary solutions. Areas of focus include creation of custom risk transfer programs based on industry segment, loss control solutions and fostering partnerships with service providers. Tim has over 15 years of experience underwriting and selling cyber insurance. He has assisted numerous clients in managing through high-profile data breaches. Those experiences allow him a unique perspective on both the design and claims protocol of cyber insurance. He specializes in working with companies in the energy, retail, hospitality, financial and healthcare industries. He is a frequent presenter at industry conferences and a recognized innovator in the rapidly evolving area of cyber risk. Tim can be reached by email at tim.burke@imacorp.com.

Op-ed: Let’s Not Kid Ourselves – There Is No Insurance for the Big Data Risk

Cyber-insurance is on the minds of most Boards (and, therefore, most CEOs, CFOs, and GCs).  As a result, clients often ask us to benchmark their cyber-insurance policies, or to work with their brokers to make sure that the policies they purchase have real coverage.

The market for cyber-insurance is incredibly diverse, and there are a hundred traps for the unwary.  If you are interested in understanding the gaps to look for, the exclusions to avoid, and how to get a reality check on limits, we’ve published several guides on the topic and have recorded several presentations.[1]  Understanding the traps can help steer you from buying a “junk” policy that provides no real coverage.  But that’s not necessarily where the role of attorneys stops.

I always try to remind my clients to keep one thing in mind.  There is no insurance for the “big” data risk.  Why?  The “big” data risk is your company’s reputation.

There are few instances I can think of where the potential reputational impact from the mishandling of data did not outweigh (exponentially) the possible legal liability.  While some insurance policies provide access to public relations experts (at least in the case of a breach), and a few policies attempt to compute reputational damage by comparing earnings in the 12 months preceding a data event with earnings after a data event, no policy can make a company whole for the long term impact of losing the trust of customers and the public.

Managing the reputational risk is, unfortunately, a lot more complex than buying an insurance policy.  It means making strategic decisions about what you collect, how you use it, with whom you share it, and how you will respond to a crisis – like a data breach – when it occurs.  Those decisions require creativity, planning, and practice that can’t be purchased, but can turn out to be priceless.

[1]  See http://bryancavedatamatters.com/wp-content/uploads/2015/02/Cyber-Insurance_At-A-Glance.pdf; https://d11m3yrngt251b.cloudfront.net/images/content/8/1/v2/81918/Credit-Card-Data-Breaches-Protecting-Your-Company-from-the-Hid.pdf;

Guest Op-ed: Addressing Cyber Risks Inherent in M&A Transactions

Data privacy and security law has impacted (or, depending on your perspective, infected) almost every area of traditional practice. As a result, lawyers in different practice areas are finding that they need a working knowledge of data issues, just like they need a working knowledge of torts, administrative law, labor and employment, insurance, etc. This is particularly true in the world of mergers and acquisitions. Every corporate seller is conveying, among other things, data and IT infrastructure; every corporate buyer is purchasing data and, potentially, a security vulnerability or unknown data breach.

Today’s guest writer discusses the need to mature data security due diligence so the parties have a better understanding of the data risks and assets in the transaction. Although many companies still rely primarily on contractual representations and warranties of sound security practices, lack of a thorough assessment on both sides can lead to litigation if the parties find out post-closing that the world was not as one, or both of them, believed. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.  

– David Zetoony


Addressing Cyber Risks Inherent in M&A Transactions
By Shawn Henry, CrowdStrike Services, Inc.

The year 2015 marked the highest ever value of mergers & acquisitions with an astounding $4.6 trillion. If 2016 follows this trajectory, we’re looking at over 18,000 M&A events to occur this year, many of which may be “megadeals” exceeding $50B. With figures this staggering, you can’t afford to take on a partner organization without exploring ALL areas of risk – financial calculations can no longer be the only factor considered. Cybersecurity risks must be thoroughly explored since they will directly impact the value of the company to be acquired, as well as potentially lead to significant costs to remediate gaps or defend litigation post-merger.

I equate it to buying a home, which is usually the biggest personal investment one makes. Your realtor is there to protect you and, with the inspector, asks the important questions that likely won’t come up during your house hunting. Are there structural problems with the house? What about termites? Is this home in a flood plain? What’s the condition of the electrical and plumbing systems? Similarly, a substantial business investment often occurs with an M&A event. You wouldn’t make that home purchase without the inspection; why, then, would you accept less vigilance when it comes to your business?

It is essential that the acquirer thoroughly explore the critical security questions for companies, and avoid introducing unnecessary risk to an organization prior to a merger. By performing a comprehensive assessment, the acquirer should identify the gaps in the partner organization’s security posture and develop ways to solidify it before integration with your brand occurs. In addition to a comprehensive technical evaluation, the assessment should encompass an examination of security documentation, a review of IT processes, and interviews of key staff to understand where on their list of priorities cybersecurity falls.

Some questions to explore include:

  • Are there vulnerabilities in the partner organization that could be exploited to access your systems?
  • How secure will the organizations’ data be during the integration process?
  • Has their network been compromised in advance of the merger?
  • What security risks are there in merging your environment with theirs?
  • Does their organization have the same level of security controls in place that meet the standards of yours, even if you’re not absorbing their technological resources?

I realize every organization, every M&A, and every security setup is unique and, therefore, the assessment must be customized to meet specific needs. In order to provide the best protection for your most valuable assets, you should prioritize resources based on the actual risk, an implementation plan of effective detection measures, and a comprehensive security strategy to actually prevent damage.

Throughout my previous law enforcement career, I saw time and again that the nominal cost of being proactive and predictive about security saved significant time and money in the long run…underscoring, bolding and italicizing the word ‘significant’. It’s ALWAYS harder and more expensive to react to something than to prevent it from happening in the first place.


Shawn Henry is the President of CrowdStrike Services, Inc., a Google-backed cybersecurity company that provides pre- and post-breach services to mitigate the risks and damage associated with cyber compromises. Prior to joining CrowdStrike, Mr. Henry served as the executive assistant director of the FBI and is credited with boosting the FBI’s computer crime and cybersecurity investigative capabilities. He oversaw computer crime investigations spanning the globe, including denial-of-service attacks, bank and corporate breaches, and state-sponsored intrusions.

Op-ed: Don’t Blame Companies for Convoluted Privacy Policies

It’s a myth that consumers read privacy policies. They don’t. I know that because I like privacy policies more than almost anyone – I’ve written them, I’ve defended them, I’ve analyzed them – and yet I can’t remember the last time that I went to purchase something online for myself and read the company’s privacy policy. If privacy lawyers don’t pause to read them, I’m confident that average consumers do not.

It’s no surprise why consumers don’t read them. Assuming that a consumer cares about privacy and assuming that they think about reading a policy before submitting information online, privacy policies read like mini legal treatises. They refer to technology that may be hard to understand (e.g., what is a clear gif?), and subtle but significant differences that might not be obvious to some consumers (e.g., what does it mean to share data for “joint marketing with a third party,” but not for a third party to market themselves?).

About a year ago, I was asked to moderate a panel discussion on “best practices” when drafting privacy policies. We had a great panel of regulators, noted privacy officers, and general counsel, and I was excited to hear some new perspectives. I turned the discussion to a topic that has been on my mind for years – is it possible to draft a truly simple privacy policy that would be quick and easy for a consumer to read and understand? We talked about various companies that had attempted this by trying to use plain language, reducing word counts, or using matrices, graphics, tables, hyperlinks, roll overs, or cross-references. At the end of the day, despite some commendable efforts, nobody could think of a truly successful attempt at making a privacy policy digestible.

There was some agreement as to the reason policies tend toward being long, convoluted, and legalistic. Privacy practices are complex and plaintiffs’ attorneys and regulators can be unforgiving. For example, a company that does not intend to sell, rent, or share information may want to simply say that to consumers using those eight words: “we do not sell, rent or share information.” The truth is, however, that there are no definitives when it comes to information. If the company has service providers (as most companies do), it inevitably shares information with consultants, lawyers, product fulfillment companies, etc. If a company receives a subpoena (which any company could), it may have to share information with the government. If the company is acquired (which many companies are), it will sell the information to the acquirer. If the company is sued, it may have to share the information with a plaintiff. The eight-word statement suddenly becomes a 100-word list of exceptions and exclusions to ensure that a company is not accused of deception by carrying out normal (and in most cases unavoidable) sharing practices.

The net result is that the precision that the plaintiffs’ bar and some regulators have demanded forces companies away from brevity and toward legalese. The end result is a precise policy that no consumer has the time (or attention span) to read.

Guest Op-ed: Developing a Better Approach – The Benefits of Public–Private Collaborations

There is no shortage of data-privacy and security laws in the United States.  By our count, there are now about 300 state and federal statutes.  They include breach-notification laws, data-disposal laws, data-safeguard laws, payment card information-protection laws … the list goes on and on.  Quantity does not, unfortunately, always translate into quality.  Most legislators and regulators have displayed relatively little creative thinking and pass largely redundant statutes that often confuse the business community rather than facilitate better practices.  A distinct exception was a legislative proposal from the New York Attorney General’s Office last year that would have created a new framework for state data security regulation benefiting consumers, the business community, and regulators.  We asked Kathleen McGee, Chief of the Bureau of Internet and Technology within the Office of the Attorney General of the State of New York, and the architect of the proposal, to explain the process by which that proposal was created. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.  

– David Zetoony


Developing a Better Approach – The Benefits of Public–Private Collaborations
By Kathleen McGee, New York State Attorney General’s Office

Public–private collaborations and regulation are not commonly perceived as the norm.  But, in the New York Attorney General’s approach to addressing the data breach crisis, public-private collaboration was considered crucial to successful regulation.

Under New York State General Business Law section 899-aa, anyone who maintains private information of New Yorkers and subsequently experiences a breach of that information is required to notify the Office of the New York Attorney General, as well as two other state agencies.  And in 2014, in the wake of some of the largest mega-breaches to date, NYAG undertook an analysis of all such data breach notifications to our office (the report may be found on our website at http://www.ag.ny.gov/pdfs/data_breach_report071414.pdf).

Our analysis yielded some interesting results.  While breaches due to third-party intrusions were on the rise, so too were breaches resulting from negligence or other internal failures within a company.  In other words, companies themselves were reporting that they were increasingly unable to protect the private information they maintained from their own internal failures.  Confronted with this information, we asked ourselves: what about the current state of data security was working, what was failing, and what could NYAG do to strengthen data security for New Yorkers and the companies who did business in New York?

We first turned to an analysis of our existing state law and other data breach security laws across the country.  We knew that many of the companies servicing New Yorkers operated nationally and therefore had to conform to the strictest laws of the land, even if those weren’t in New York.  New York’s law was clearly not the most demanding – that honor went to states like California and Massachusetts, which had set the highest standards for reporting and encryption, for example.  Nor was New York’s law prescriptive, like Oregon’s, which established reasonable guideposts any company could follow to better secure private information.  Yet, breaches of New Yorkers’ private information were on an upward trajectory.  Would a change in New York law have a positive impact on data security?

To find out, we turned to companies and consumer groups and, for six months, took our data and legal analysis on tour, so to speak.  We asked these groups about their biggest concerns and obstacles in data security and also what they thought worked well in the existing regulatory landscape.  The resulting conversations were forthright and candid, ranging from the principles to the practice of data security.  We observed that generally, companies were incentivized to not have a breach.  However, what incentivized companies – regulatory hammers, class actions, and bad press, to name a few – was not sufficiently laying the groundwork for meaningful data security.  Bluntly put, strict deterrence alone was not positively affecting companies’ security of private information.

Could positive incentives and guideposts towards a better data security program be the answer?  If so, how could New York craft legislation that reflected the real concerns of companies and consumers and yet be flexible enough to grow with the rapidly evolving data collection landscape and security concerns?  In answer, and in collaboration with the private sector, NYAG crafted a simple set of affirmative incentives – a safe harbor for top-shelf data security and a rebuttable presumption for achieving commendable data security benchmarks – that would encourage and reward best practices for companies and ensure reasonable data security for consumers.  And, we proposed a set of practical and reasonable data security guideposts companies could follow regardless of size or industry.  The result was the NYAG’s Data Security Act, a practical prescription to the real concerns faced by business and consumer alike.

The public-private collaboration was critical to the end product.  Taking the time to fully consider the applications of regulation to a company’s practice, appreciating how data is collected and utilized by companies, should be a hallmark of any data security legislation.  A version of the Act had bipartisan support but fell short of passage this year.  But we will continue to work with partners in industry to raise awareness of the issue next year, in hopes of passing the Data Security Act into law.  Smart business and smart government alike can benefit from working together towards a better regulatory solution to data security.


Kathleen McGee is Chief of the Bureau of Internet & Technology for the New York State Attorney General’s Office.  The Bureau of Internet & Technology is responsible for the enforcement of New York’s privacy and consumer protection laws in the online and technology environment, as well as enforcement of New York’s data breach notification laws.  The office investigates a wide range of issues affecting the internet and technology space, including spyware, spam, online privacy, child safety, gambling, free speech and fraud.  Recent investigations have included Daily Fantasy Sports, Broadband Internet Speeds, the online sale of tickets to events, and teen chat websites.  Kathleen can be reached by email at Kathleen.McGee@ag.ny.gov.

Guest Op-ed: Cyber Insurance – Just as Much Benefit in Preparing for the Submission as There is in Procuring the Coverage

Most of our clients have to make decisions regarding cyber insurance every year – whether they are deciding to go to market for the first time, coming up for renewal, or considering switching providers. We asked a cyber insurance expert her opinion as to whether it’s worth testing the cyber insurance market even if you decide not to move forward on coverage. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave. 

– David Zetoony


Cyber Insurance – Just as Much Benefit in Preparing for the Submission as There is in Procuring the Coverage
By Florence Levy, JLT Specialty USA

The process of purchasing cyber insurance can be a daunting task. With the onslaught of cyber and privacy-related breaches in the news, including prevalent ransomware attacks and social engineering tactics that impersonate high-level executives to induce improper funds transfers, the risks are high. The good news is that today’s more rigorous submission process can uncover a number of opportunities for companies to improve their cyber defenses.

Underwriters are becoming savvier with their due diligence in an effort to keep up with technology and associated exposures.  Some employ internal resources like risk engineers, or outsource the more technical aspects to network security professionals. The questions can be numerous, topics can be diverse, and it takes a multi-disciplined, enterprise-wide approach to answer them.

For example, in reviewing your contracts for limitations of liability as they relate to cyber exposures, you may discover that you do not have “standard” wording regarding cyber-related exposures for clients or vendors. This may encourage you to work with your legal and sales staff to revamp your contractual language and ensure the appropriate limitations of liability and hold harmless clauses are in place.

You may also discover that your company does little to no training for employees regarding cyber and privacy awareness. With a significant number of incidents stemming from internal employee error, negligence, or frankly rogue employee incidents, it’s imperative to appropriately train your staff on security and privacy risks.  Consequently, you may work closely with your HR and legal departments to ensure that new employees are properly vetted, and sign off on a cyber-risk training program that includes data retention, access and classification policies.

This process will assist you in quantifying and qualifying cyber risk, through taking inventory of information assets, reviewing and adopting any relevant or necessary compliance frameworks, identifying key vulnerabilities, and potentially creating internal positions that you may have never thought were important or relevant (the role of Chief Privacy Officer, for example, isn’t so out of the box anymore).

The process will also oblige you to identify owners of cyber risk management within your company, document processes and technology, and construct and test your incident response/crisis management plans.  While underwriters care about the technical aspects of your risk (With whom do you outsource for various technology processes? Do you have firewall protection? Do you encrypt sensitive data at rest and in transit?), they care just as much about your corporate culture around cyber and data privacy risks. As a result, you’re compelled to proactively define your security posture, and tell your story around risk mitigation and breach preparedness.

This in-depth, intra-company process facilitates open communication across disciplines. The end result is a positive one – you’ve aligned your firm’s awareness and preparedness with unique risks and exposures, while potentially procuring a financial risk transfer solution that will perform in the event of a loss, protecting your company’s most precious assets.


Florence Levy, Esq. is the senior vice president of the Cyber / Errors & Omissions (E&O) Practice at JLT Specialty USA where she focuses on creating cyber and E&O risk management programs for companies in a wide array of industries. Her expertise lies in identifying exposures, program design, contract language, negotiation and claims advocacy to ensure her consultancy reflects her clients’ unique exposures. Florence has more than 15 years of experience in the insurance industry as a cyber and commercial E&O specialist. Prior to joining JLT, she was head of the U.S. Global Technology and Privacy Practice for Lockton Companies, as well as the national practice leader for Aon’s Professional Risk Solutions Group. Florence has spoken at many industrywide events and been quoted in a variety of trade publications. She was selected by Business Insurance among the 2015 Women to Watch. Florence can be reached by email at Florence.Levy@jltus.com or phone at 720-530-9934.