In today’s society, data breaches are inevitable for businesses in all industries, with the associated costs rising dramatically each year.
Now let’s assume your restaurant or hospitality business has been hacked. Naturally, you’ll want to solve any issues yourself. The problem is your best intentions may do more damage. Taking matters into your own hands can lead to a cyber claims denial, it can broaden the reach of your hack and it can ultimately create new exposures for your organization. Even with a cyber insurance policy, you will want to engage a trusted insurance advisor as quickly as possible, to address the attack in its entirety.
From the first critical hours to the remainder of the breach, here’s what needs to happen:
Putting Your Cyber Insurance Policy into Action
As soon as you suspect something has gone wrong, calling your insurance broker should bring all the resources you’ll need directly to your fingertips – a privacy attorney, a cyber forensics expert, notification and credit monitoring as well as a public relations firm whose job it is to maintain the reputation you’ve worked so hard to build. Your broker will closely review your cyber policy coverage and help you initiate a claim. They should then connect you with a recommended privacy attorney to determine your next steps. This includes hiring a reputable cyber forensics expert to verify the when, how and why your breach occurred – even determining if your network is still infiltrated.
You’ll have a forensic scope call with your new privacy attorney and the forensic experts. Having your privacy attorney hire the forensic expert on your behalf is a key move. It ensures that the entire forensic investigation remains under attorney client privilege and can’t be subpoenaed later by regulatory officials or a class action lawsuit that results from your data breach. It ensures that inexperienced IT personnel don’t access your already compromised network and come to false conclusions.
At the same time, depending on the scope of the event, your broker will hire an experienced PR firm to create messaging around your data breach, both focused on restoring faith with internal members of your staff as well as external clients, customer and vendors, as necessary.
Once the forensic report comes back, which can take anywhere from five days to five weeks, depending on the scope of the breach, your privacy attorney will determine if personally identifiable information (PII) was exposed, requiring individual and/or regulatory notification. Where individual notification is necessary, organizations could have to comply state privacy laws, dictated by the breached individual’s residence. When this happens, your broker will engage a policy-approved, experienced notification call center to handle the barrage of necessary paperwork.
There’s no one size fits all policy when it comes to covering your breach. A robust cyber policy will bring with it resources to help you immediately start to comply with both federal and state regulations. The key to having the right resources is knowing what to do and when to do it. This only comes along with an experienced broker that’s savvy in data breach risk and compliance.
While out of pocket costs are minimized when you have a cyber insurance policy, a good insurance broker can help you remediate a data breach even without cyber coverage. This includes connecting you to a privacy attorney who will initiate a forensic investigation under attorney-client privilege, determining if you need to notify affected individuals and state or federal authorities.
Going at a cyber breach alone is a sure way to dig your organization deeper into crisis. Working together with an insurance professional from the first hour of crisis is a sure way to get yourself to the other side of a cyber breach safely – and as intact as possible.