The theft of credit and debit card information from Target’s computer systems should serve as a reminder that the risk of a data security breach must be taken seriously. Every organization must have a plan to not only prevent data security breaches, but to respond to them as well.

The first step is to identify vulnerabilities with a risk assessment. Unfortunately, this can be difficult because data security breaches can come from pretty much anywhere, including employees, laptop computers, copy machines and wireless networks. To make the process easier, organizations can perform a self-audit.

The Online Trust Alliance has come up with a series of risk assessment questions that are designed to help organizations identify vulnerabilities and gauge their level of preparedness. For example:

  • Are there any regulatory requirements that are specifically applicable to your business operations or geographic location?
  • What customer-specific data is collected? How, where and by whom is this data stored, maintained and archived? Can you identify points of vulnerability and risk?
  • Is the kind of customer-specific data you collect necessary for business operations? For example, is it necessary to request drivers’ license information or social security numbers?
  • Do you follow best practices for encryption and de-identification processes?
  • Is there an incident response team in place? Is there a clear reporting process in the event of an accidental data loss or a breach?
  • Is there a plan for communicating to employees, customers, partners, stockholders and the media in the event of a breach?
  • Are generally accepted security and privacy best practices followed? If not, why?
  • Is there a privacy policy reflecting current data collection and sharing practices, including the use of third-party advertisers and cloud service providers? Have systems been audited to confirm compliance with written policies?
  • Is there a contact person in the event of a breach? Has a person been assigned to work with the authorities, such as the FBI, Secret Service and State Attorney General Office?
  • Are you willing to sign off on your Data Incident Plan and represent to board members, investors and regulators that it contains best practices for preventing and responding to data security breaches?

This kind of self-audit should encourage discussion and evaluation of an organization’s specific data security risks. And, since the questions are general in nature, they can be used by most organizations, regardless of industry or location.

As we have seen, preventative measures are not foolproof, so organizations should also consider protecting against data security breaches with insurance. Various cyber liability products are available to protect against privacy injuries, such as identity theft, and to cover the cost of complying with various data breach notice laws.

Given the complexity of the risk, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained. If you would like a professional audit, please contact us to learn more.

If you would like to learn more about insuring against data security breaches, contact us.

If you would like to learn more about preventing data security breaches, take our online course Information Risk Management: Strategies for Preventing and Mitigating Information Security Breaches.