When it comes to data breaches, things can get pretty complicated pretty fast. But if there are simple themes that arise, they might boil down to these: Be prepared, continually make sure you are prepared, engage the right people right away, act appropriately but don’t overreact, and document everything you do as if you’re already answering to an Attorney General.

These are some of the themes that emerged during a panel discussion at a conference produced by HB Litigation Conferences LLC — NetDiligence® Cyber Risk & Privacy Liability Forum — during a session titled “Data Breach Preparedness: The Right Way to Survive 30 Days of Hell.” Moderated by Steven Anderson of XL Group, the panel comprised Ted Augustinos, Esq., Edwards Wildman Palmer LLP; Nicholas Cramer, All Clear ID; Richard Cheng, Kivu Consulting; Larissa Crum, Immersion Ltd.; and Ozzie Fonseca, Experian Consumer Direct.

Editor’s Note: HB Litigation Conferences will produce the next NetDiligence® Cyber Risk & Privacy Liability Forum June 6-7, 2013, in Philadelphia. For more information, please visit www.LitigationConferences.com.

Augustinos told the audience that 96% of breaches are avoidable even with minimal to medium levels of security. To prepare, he said, no one simply starts off with a breach policy. “It’s about getting the team together. Having forensics talk to I.T. Repeat and visit your plan and your processes. Know your insurance requirements.”

Augustinos places a great deal of value in staying abreast of change. Technology changes, threats change and employees change, he said, noting that a huge part of the data security problem is related to human error. “We can’t get enough training and revisiting of processes with employees who are handling data,” he said.

Experian’s Fonseca said fire-drill-style responses have a lot to do with the company’s lack of preparation. “They didn’t have it in their plan to contact a forensic firm, to call outside counsel or to have a notification team ready to send out letters, so by the time they figure out what to do, they have already burned through maybe 30, 45 or 60 days since the breach. It can be so late in the game they are just trying to make something happen.”

Cramer of All Clear ID said that if you execute a plan it is always going to be much cheaper than trying to “ham fist a response and go and get three or four vendors to do a specific job here, there and every other place. Remember that whatever you do, it is going to take people, some of whom have to work overnight, to run a call-center efficiently. And it can be costly if you have to rush people into place.” He said the cost of a breach to an unprepared company is four or five times that of a prepared company.

“When I think about preparation and insurance,” Immersion’s Larissa Crum added, “I think about preparation being your risk mitigation and insurance being risk transference. They are not mutually exclusive. The better prepared a company is — and has gone through a walk-through [of a breach scenario] — even as basic as just knowing the team or having the team identified — you’re already better than 75% of the other companies out there.”

Crum urged the audience, when faced with a breach, to “respond with the end in mind.” Act as though you will be answering to the Office for Civil Rights or a state Attorney General. “Make sure you have documented all of the things that went into your decision making.” Did you engage a breach coach? Did you engage a forensic team? Document everything the whole way through notification, she said.

The panel was emphatic that it does save a company money to have a plan in place.