We humans have an ingrained “It won’t happen to me” attitude, as well as a head-in-the-sand reaction to things we don’t – or don’t want to – fully understand. It’s part of our nature.
However, there are millions of cyber-incidents every day in the U.S. – yes, millions per day! And any one of them could happen to you. Hackers stole personal information from 110 million accounts in 2014. And it’s not just focused on large government agencies or mega-corporations. Human/employee error was responsible for 96% of successful data breaches – either responding to phishing emails or the free iPad offers, or just sending out sensitive data to the wrong email addresses. And 25% of data breaches are from paper files.
As you can see, no one is exempt.
The costs can be significant – they include:
- Business downtime, distraction and the cost of ruined hardware and software
- Reputational damage impacting customer trust and continued shopping
- Fines and penalties by the FTC and the Department of Health and Human Services (HHS).
An Idaho hospice was fined $50,000 by HHS’s Office for Civil Rights for the loss of fewer than 500 patient records. It had no policies or procedures for securing the mobile devices (laptops) that held HIPAA-protected records.
So businesses must consider a data breach as almost inevitable: it will happen to you!
You need a Response Plan
There are five basic steps to create a simple, practical plan:
- Prevention is always the risk manager’s first step – let’s do everything reasonable to prevent a data breach from happening. This means cyber and data security and employee training.
- Recognition of when a breach has been attempted or already occurred is missed by many small and mid-sized organizations.
- Notification must be handled quickly to avoid fines, and accurately to minimize costs. You need immediate access to a specialist privacy attorney and a competent computer forensics team.
- Protection for customers, clients and employees is key to avoiding lawsuits and making victims feel cared for.
- Communication must be ongoing after any major incident to close the loop and restore confidence with customers, regulators and employees.
Future RiskSmart Tips will dig deeper into these five steps with more detailed help.
Cost – Benefit
Your Plan doesn’t have to be elaborate, but having these steps mapped out is a proven best practice. There are myriad examples of companies – large and small – who dropped the ball and got themselves in significant financial difficulty.
- You must respond quickly – to all your audiences: employees, clients, regulators.
- In a potentially chaotic situation a planned response is one that works.
- A response plan makes you look organized and professional – not up the proverbial creek without a paddle.
Call or email with questions or for no obligation help getting started.
This month’s Tip is your reminder to get going with your prevention plans! As you organize your priorities for the New Year, remember to include the following.
Below are seven key risk and protection reminders for your checklist. Many of these we know are important, yet they’re often not immediately urgent, so they fall to the bottom of the pile. That’s why an annual schedule for these updates on your calendar is great for avoiding last-minute panic.
- Update asset lists. Inventories can get quickly out of date. Think about equipment, vehicles, shop and office supplies, computers and software licenses, contact information, etc. Quarterly reviews can keep these top of mind. Keep updates offsite and secure.
- Update values. Asset values – for buildings, equipment, inventory, etc. – can vary from normal inflation for lots of reasons. Don’t get caught short in the event of a loss. Review quarterly with your asset lists above and advise your broker if you need increases. If you can’t get these done, schedule “project steps” and perhaps a summer or holiday intern to help out.
- Schedule key dates. Keep track of renewal dates for licenses, leases, client retainers, service contracts, insurance, certifications, website URLs, etc. on several people’s calendars. Add notes about who else needs a “heads up” to be involved.
- Insurance protections. Meet with your insurance professional at least once outside of the “renewal” period. Ask about new trends in legal, coverage, and insurance rates. Talk about changes to your business and find out the “hot” risks that need your attention. Then block out time for renewal applications and benefit program updates, employee communication and enrollments.
- Safety. This can be vital to employee morale, customer loyalty and your business survival. Make sure your IIPP (injury and illness prevention plan) is up to date as required by many state laws. Schedule regular safety committee meetings, and get the right personal protective equipment (PPE). Ask your insurance broker about free insurance company services and inspections. Also get the locations of the emergency medical clinics nearest you and your work sites: each employee should have an appropriate list immediately accessible.
- HR issues and Training. Plan for employee handbook updates, new policies and updated legal postings. Schedule employee group discussions and reminders about expectations and rules. Plan for safety training and defensive driving, equipment certifications, harassment and discrimination courses, etc. The right training, in advance, can save businesses huge hassle and headaches.
- Update Emergency plans. These “be ready” plans need review and updates. Ensure you have the basic supplies appropriate to your location and potential circumstances (flood, windstorm, earthquake, etc.). Encourage employees to have their own supplies and some plans for family as well. Contact info must be accessible to all.
Finally, think about the big picture: who are the key people you depend on to be responsible for coordinating your overall risk and protection program? Do they clearly understand your priorities and expectations? Make sure you are delegating with knowledge and oversight, and not abdicating without paying attention.
Need help with resources or have questions? I’m always standing by: 510-685-3883 or email firstname.lastname@example.org.