Data Breach Prevention
It seems as though every day we hear about another incident of sensitive data being stolen or inadvertently released to the public. Personal information, such as social security numbers, names, addresses and bank account details, can be utilized by criminals to open lines of credit, defraud retailers and secure employment under assumed names. While recent publicity surrounding these incidents has been primarily related to electronic data breaches, such as data stolen from computers or from the Internet, theft of traditional paper versions of data is also a concern.
These exposures reach far beyond the individual victim whose identity is stolen. The institution responsible for retaining the data may be held liable for the release of information and, consequently, the costs incurred by the victims as a result of the breach. The financial costs can be substantial, but the greater exposure and risk may be to the institution’s relationship with the individual and other customers, clients or donors through perceived damage to the institution’s reputation and public image.
Kroll Investigative Services
Because of these considerable exposures and risks, it is vital that our member institutions and parishes have a detailed response plan in place prior to an incident of data breach. The Office of Risk Management has responded to this need by identifying a comprehensive emergency response team and developing an action plan specifically designed for incidents of data breach. We have recently contracted with Kroll Fraud Solutions, the world’s leading risk consulting company, to provide its ID TheftSmart™ service. Kroll’s Fraud Solutions team has more experience than any other organization when it comes to helping people who have experienced the unintentional exposure of confidential data.
As a large risk management client, the RCAB Office of Risk Management has been able to bring these services to our participants at a fraction of the usual costs, and without the traditional set-up fees that can exceed $10,000. This plan and the associated services are available to all RCAB Office of Risk Management program participants, as well as members of the MCSIG. The initial phase of the response plan, including use of the response team and support services, is provided at no cost to our participants. In addition, under most circumstances all of the subsequent costs are covered under our Liability and Crime programs.
Summary of Data Breach Services Provided
The following is a summary of the data breach services now available to you:
Enhanced Identity Theft Consultation and Restoration – Licensed investigators who truly understand the problems surrounding identity theft are available to listen, to answer your questions, and to offer their expertise regarding any concerns you may have. Should your name and credit be affected by this incident, your investigator will help restore your identity to pre-theft status. The investigators do most of the work.
Current Credit Report – Kroll offers you access to an up-to-date credit report from Experian. If you suspect fraudulent activity, please call the Kroll team.
Continuous Credit Monitoring – Monitoring alerts, using data from your Experian credit file, make you aware of key changes that could indicate the kind of unauthorized activity commonly associated with identity theft and fraud. Your authorization is required.
A Crisis Response Team consisting of the following:
- ORM Claims Manager to oversee the investigation, coordinate the response team and manage the services and costs
- Legal Counsel, including subrogation counsel to consider potential recovery from a third party
- Communications Specialist to assist with immediate internal and external communication/customer or donor notifications
- Public Relations/Media Consultant to prepare and assist with media statements, public relations strategy and ongoing media management
- Security Consultant (when appropriate) to assess the security procedures and corrective actions, and to assist
What to Do if You Suspect a Data Breach
In the event that you suspect a data breach, whether of paper or electronic data, the following actions should be taken:
- Immediately discontinue operation of and/or access to the source of the breach.
- Immediately notify the appropriate authorities if criminal activity is suspected or the data was lost/misplaced offsite.
- Notify the Office of Risk Management Claims Manager.
- Notify your corporate or general counsel.
- Identify a primary contact within the organization to serve as the first point of contact for all members of the Crisis Response Team.
- Have senior staff available at your facility to meet with the Crisis Response Team.
- Confirm the type of data compromised, such as Social Security numbers, bank account information, etc.
- To the extent possible, secure a listing of the contact information for all potentially affected parties.
- Identify and secure contact information for any clients, donors or employees that were not affected but will need to receive communication to advise them they were not affected and to enable management of perceptions and expectations.
- Identify any possible responsible parties and obtain the contact information, and copies of relevant contracts or agreements.
- Document the process containing the data and/or the process that resulted in the breach.
Please remember - the Crisis Response Team and the associated services are provided at no cost to your organization.
The Office of Risk Management is available should you have any questions or concerns regarding these services or the Data Breach Response Plan. Please contact David Huskins for further information.