Reining in runaway data breach costs
In 2011 the largest reported data breach in the university world was suffered by a Virginia institution of higher learning, which reported more than 176,500 records breached. More recently, in late 2012, a Florida university suffered a breach involving data on more than 200,000 students and some of the university's top employees. The same week hackers posted online thousands of personal records from 53 universities around the world--including some 36,000 email addresses and thousands of names, usernames, passwords, addresses and, in some cases, sensitive information such as students' dates of birth and employee payroll information. Dealing with data breaches can cost a university from tens of thousands of dollars up to many millions, depending on the breach and its handling.
What would your university do if it happened to you?
Examples of how not to respond to a data breach are easy to find in the higher education arena. After personal information in its care was breached, one university's IT department issued an email to faculty, staff and students explaining what happened. Unfortunately, the communication fell short of the school's legal obligations for notification. Moreover, the university's two-person help desk was woefully unprepared for the barrage of calls from concerned students, parents and staff triggered by the email.
Another college, attempting to respond swiftly, sent notification letters to those whose data it thought was breached before its investigation of the incident was complete. Ultimately, forensics revealed it was all a false alarm. The school had to re-contact the same people to explain the mistake and assure them that their data was safe.
Over- or under-reacting to a data breach is common -- and can be costly. Often whoever discovers an incident, whether they are in the IT department or the registrar's office, will take it upon themselves to try to address it, without consulting the multiple parties who need to be involved in responding to a serious incident, such as legal counsel. In other cases, if news of an incident does ultimately wind its way up the chain of command, university administrators are left scrambling to outsource a proper response to third parties -- paying more and often getting less. Many universities, after outsourcing services in haste, learn the hard way that vital services are actually subcontracted out to other un-vetted third parties.
To avoid these pitfalls and ensure a strategic, compliant and efficient response, keep in mind three critical elements of data breach response: speed, thoroughness and coordination.
"I heard it from the media first" is something no university wants to hear from the victims of a data breach. Not only is a sluggish response bad for your reputation, it can raise the liability stakes if the breach ends up causing serious damages. Colleges may also feel pressured to move quickly to meet state and federal notification requirements.
Pre-planning is critical to prepare an organization to respond swiftly. Every university should have a comprehensive plan to respond to data breaches, just as it would for other crises. In those initial hours after a breach is suspected, this document enables those discovering it to begin to properly assess the threat and involve the appropriate parties.
Responding to a data breach is typically a collaborative effort, drawing on the expertise of stakeholders from diverse internal areas, from IT and administration, to compliance and alumni relations. Risk managers should be brought into the loop as soon as an incident is suspected to consider applicable risk transfer and insurance issues. External specialists, from forensic investigators, to call center staff, to privacy counsel, are likely to be needed, along with a reputational risk advisory firm to help with damage-controlling messaging once word of the breach is out.
But, Not Too Fast
While acting fast is critical, the need for speed must be tempered by a focus on thoroughly investigating the cause and extent of a breach. Premature and inaccurate notifications of a breach can actually heighten the potential liability associated with the incident and trigger scrutiny from regulators. Once an incident is discovered, triaging is essential to assess potential damages and understand the level of the threat. For instance, is it malicious or accidental? Is Protected Healthcare Information (PHI) or Personally Identifiable Information (PII) compromised? How many records might be involved? Is the impact local, national or international? Answers to these types of questions will be key in defining the level of threat -- and determining the team that will be needed to address it.
Keep It Coordinated
Once you have a clear picture of the threat your university faces and the team you need to address it, your plan will help to keep all team members on the same page and ensure a well-coordinated response, even under the pressure of what could be a serious crisis. Your plan can walk the team, step by step, through what is required at every stage of response -- and articulate who should be involved at every turn. Such careful choreography is critical: If the left hand does not know what the right hand is doing, an already bad situation can deteriorate fast.
A rigorous regulatory review is integral to your response. University data can be diverse and span many jurisdictions, making an organization subject to multiple regulations, from state notification requirements, to federal Red Flag rules. The regulations themselves can be a tangled web: Some 46 states have (often subtly different) laws requiring that notice be given to the residents of their jurisdiction whose PII is breached.
To accelerate and ease response, your plan should also house pre-drafted templates of communications that are likely to be needed, such as notification letters and FAQ scripts for call center staff. Consistent messaging is critical; inconsistency can have serious liability consequences.
After an incident, regulators will want to know how you fixed the problem and are preventing repeats. Remedying the cause of the breach is critical, both to dilute the risk of future incidents and the liability associated with the current one. Shoring up your defense could require everything from retooling IT security practices and procedures, to stepping up internal privacy awareness and education training. The response team should also discuss when and where your response can be improved and amend your incident response plan accordingly.
Allocate the Tab
Even absent liability, defense costs, regulatory fines or penalties, responding to a data breach incident is likely to be expensive. For instance, mailing notification letters can run about a dollar per letter. Credit monitoring, a standard offering for those whose information is compromised, can run $12 to $15 per person. Specialized privacy counsel--needed to sort through the myriad legal and regulatory issues involved--can cost thousands of dollars, as can the fees for a reputational management firm and forensic experts. Setting up call centers is costly. And the list goes on. All of these expenses must be considered in advance and the question asked during planning: Who will pay?
As part of the process, it makes sense to evaluate risk transfer options that can address the costs of incident response in a comprehensive way, alleviating the unexpected outlays associated with these incidents. With the right plan and risk transfer strategies in place, you can rest assured that your university is prepared to achieve the best possible outcome when you suffer a data breach. Your entire organization can be ready to respond with the speed, thoroughness and coordination required.
—Nicholas Economidis is a technology underwriter at Beazley.