You wouldn’t let your insurance carrier choose your wedding planner, would you? The same should go for your breach response team…

With the evolving frequency and complexity of data privacy and security events these days, your organization truly needs trusted allies that align with your organization’s style and culture, not only in the breach response effort but in advance of the breach as well, partnering with your organization to assess, analyze and mitigate risks with the goal of ultimately reducing the overall impact of a breach to the organization.

Customers Come First: Data Breach Response Survey

While cyber liability insurance carriers today have varying degrees of capacity to provide your organization with resources, tools and referrals to different types of breach preparedness, mitigation and response resources and firms, the expertise, style and experience of your breach response team members is arguably the most critical and impactful “fit” that needs to work well for your organization. It is, therefore, key for your organization to assess and evaluate these third-party service providers and vendors—who will be executing on behalf of the organization at arguably one of the most business-critical times—before the actual crisis of a breach event unfolds. At a minimum, you should closely evaluate, in tandem with trusted privacy counsel, those breach response vendors and organizations that are best suited to provide your organization not only with a well-communicated, time-tested breach response execution when a data privacy or security event occurs, but also with the level and quality of pre- and post-breach resources that align with your organization’s style, needs, and internal management culture.

There are several questions you should consider asking when evaluating your breach response team:

  1. Has a particular breach response vendor that your organization is entrusting with the highly sensitive and critical task of breach response ever been sued?
  2. Has the organization in line for serving as part of your breach response team ever had a breach of its own?
  3. Is the organization highly rated by the Better Business Bureau, or has it been vetted to similar standards by a trusted rating organization?

Such questions have been among many asked by the federal government when vetting breach response vendors because these issues matter. Knowing the answers to these questions makes executing your due diligence in vetting your breach response team members that much easier. Lastly, and perhaps most important: If your organization doesn’t vet, assess and determine for itself the best “fit” with respect to breach response partners, there really should be no blowback against the cyber insurance carrier for either recommending or selecting a breach response team on the organization’s behalf, if things don’t go as expected, or the organization doesn’t feel well aligned with the breach response team selected.

If you aren’t going to take the reins, your insurance carrier, wholly vested in an appropriate and competent breach response being executed on behalf of your organization (its Insured), may do so. While the insurance carrier’s picks may “fit” well with your organization’s culture, style and preferences for how a breach response is handled—they also may not. Finally, consider that it is in your insurance carrier’s best interest to have a fully engaged Insured organization, committed not only to securing a qualified breach response team (agreed to by the carrier in advance of any breach event, to minimize confusion at the time of a breach), but doing so with the knowledge that the particular style and “fit” of that breach response team is aligned with the organization’s expectations, needs and internal management culture. After all, when an organization is pleased and satisfied with the quality, style and collaboration of a flawlessly executed breach response, everyone, including insurance carriers, should be happy.

With virtually any form of privacy or security event these days, the potentially devastating impact to your entire organization is at stake. Perhaps never before in the long, storied landscape of management and professional liability exposures, has any team of individuals with specialized expertise been more important in terms of “fit” with your organization’s style, expectations and culture.

Should this “fit” really be determined by anyone other than your own organization’s key leadership team? Musings for some time now in the evolving legal landscapes for insurance and cyber liability have, in a sense, forecast a board’s potential liability for not considering and/or purchasing cyber insurance to curb some of the significant exposure to the organization that a data privacy or security event can cause. Those considerations aside, however, it may simply come down to this question: Is the assembly of your breach response team (service providers and vendors, and possibly even privacy legal counsel) really something you want to delegate outside your organization? The stakes are high—consider well.

This discussion is intended for educational purposes only and should not be construed as legal advice or opinion with respect to any specific set of facts or circumstances. Consult a designated privacy counsel for advice or opinion regarding a specific set of facts or circumstances.