The risk of getting data handling wrong, combined with an increase in cyberattacks, presents the perfect storm for businesses that fail to plan; the financial and reputational consequences of a data breach demand attention. So what should you be doing?
Assess – and mitigate – the risk
Undertaking a data protection audit of your business is a good way of determining your exposure and identifying where the risks lie. It’s also a good way of demonstrating compliance with the GDPRs. An audit could identify the value of data held within the business and the areas where work and security measures are needed, and include a review of the policies and procedures in place for managing data breaches. Of course, the real value of the audit lies in the follow-up: use it to inform positive protection measures, which could take in policies, procedures and training.
Insuring the risk
Since the introduction of the GDPRs, the specialist cyber insurance market has grown substantially: specific policies covering breach notification, legal fees and claims, and stand-alone cyber policies are becoming the norm. Insurers are reviewing their existing approach to policies and expressly excluding data breaches and data issues which may previously have been covered by other, more general policies, such as professional indemnity insurance or directors’ and officers’ insurance.
Taking the time to consider your current protection and potential exposure could prove to be time – and money – well spent.
Check the small print
Reviewing your existing contracts with customers and suppliers and creating an internal approach to liability and indemnities is useful. When it comes to measuring your potential exposure, take a look at the caps on liability that you, your suppliers and your customers have agreed. Identifying where you have provided unlimited indemnities, and whether certain data-related heads of loss are excluded in your contracts, is also critical to understanding the risk you are exposed to under those contracts.
Once you know the score, make a plan to update your approach to contracts at renewal and going forwards.
Could you go beyond mitigation and adhere to industry-recognised standards for data security to prevent risk? Cyber Essentials, for example, is a government-approved accreditation scheme that enables businesses to take measures to protect against, and therefore reduce their exposure to, data risks.
Rebecca Leeves is a Senior Associate in DMH Stallard’s Commercial team. Contact her at Rebecca.Leeves@dmhstallard.com, or call 01273 744246.