Although the customers affected by the October 2015 TalkTalk computer systems hack incurred no major financial loss, the personal data of 4% of the company’s 4 million users was compromised. The breach resulted in costs of £60m and the loss of over 101,000 customers. One thing is clear – no business is immune from the threat of data breach.
The media raised some serious questions, such as how a third attack in that year could have happened, and how TalkTalk was going to manage the crisis.
We all saw TalkTalk’s CEO, Baroness Dido Harding, doing the media rounds, discussing the company’s security. TalkTalk is a business with four million customers, a dedicated security team and comms department. What can smaller businesses do to defend themselves against what Baroness Harding has called “the crime of our era”?
Data breach insurance is a first step. This can help you cover the costs to defend, manage, respond and help prevent further loss for an actual or suspected breach of data security. Cover relates directly to a breach of individual privacy rights or confidentiality relating to personal information and personally identifiable data, for both customer and employee information. This includes credit card details and personal healthcare information, as well as the costs an organisation incurs from mistakes made by a third-party service provider, for example with information stored in the cloud.
A key issue emerging from the TalkTalk breach is its failure to protect sensitive, personal information. This could result in a breach of contract, negligence claim or legal liabilities and fines attached to privacy law violations such as failing to comply with data breach notification laws and PCI compliance. With the upcoming General Data Protection Regulation, whereby data protection will be unified under a single EU law, companies will have more legal obligations. Businesses need to factor this into their cyber strategy, underpinned by data breach insurance.
With strict rules for dealing with the fall-out of a data breach, the costs of notifying affected users can be extremely high. What should data security policies include protection for?
- Draft official notices (including the printing and postage costs)
- Cover the costs of an independent security audit, or a forensic investigation into an organisation’s system to identify the source and scope of the breach
- Provide a credit monitoring service or an ID theft helpline for the affected third parties
Transferring the risk to the insurance mitigates the associated costs. Beyond that, how your business responds can limit the loss of existing or future customers caused by damage to your brand or reputation following a data breach. Data breach protection gives you access to the specialist teams you need to manage this – from forensics through to PR – helping you to regain customer confidence and minimise business disruption.
To speak to our specialist cyber team, please contact Adam Lawrence on 0118 916 5484.
*Information correct as of 1st May 2016