Data Breach Prevention

It seems as though every day we hear about another incident of sensitive data being stolen or inadvertently released to the public.  Personal information, such as social security numbers, names, addresses and bank account details, can be used by criminals to open lines of credit, defraud retailers and secure employment under assumed names.

The exposure of this type of incident reaches far beyond the individual victim whose identity is stolen.  The institution responsible for retaining the data may be held liable for the release of information and, consequently, the costs incurred by the victims as a result of the breach.

The financial costs can be substantial, but the greater exposure and risk may be to the institution’s relationship with the individual and other customers, clients or donors through perceived damage to the institution’s reputation and public image.

Kroll Investigative Services

Because of these considerable exposures and risks, it is vital that our member institutions and parishes have a plan in place for dealing with a potential incident of data breach.  To this end, the ORM has contracted with Kroll Investigative Services, an international investigation and security services company, to provide our participants with access to high quality support services in the event of a breach. These services include credit monitoring, credit repair, and counseling.

As a large risk management client, the ORM has been able to bring these services to our participants at a fraction of the usual costs, and without the traditional set-up fees that can exceed $10,000.  This plan and the associated services are available to all RCAB ORM program participants, as well as members of the MCSIG.

The initial phase of the response plan, including use of the response team and support services, is provided at no cost to our participants.  In addition, under most circumstances all of the subsequent costs are covered under our Liability and Crime programs.

Summary of Data Breach Services Provided

The following is a summary of the data breach services now available to you:

  • Access to Crisis Response Team
  • Investigative Services
  • Legal Support
  • Credit Monitoring Services
  • Credit Repair and Counseling Services
  • Internal and External Communications Support

The Crisis Response Team consists of the following:

  • ORM Claims Manager to oversee the investigation, coordinate the response team and manage the services and costs
  • Legal Counsel, including subrogation counsel to consider potential recovery from a third party
  • Communications Specialist to assist with immediate internal and external communication/customer or donor notifications
  • Public Relations/Media Consultant to prepare and assist with media statements, public relations strategy and ongoing media management
  • Security Consultant (when appropriate) to assess the security procedures and corrective actions, and to assist in the development of improved procedures and processes to mitigate the likelihood of another breach
  • Kroll Investigative Services to issue prepared information packages to each affected individual, with multi-lingual capability, credit monitoring services, and credit repair services and counseling for any individuals that are adversely impacted by the release. This service includes a multi-lingual call center.

What to Do if You Suspect a Data Breach

In the event that you suspect a data breach, whether of paper or electronic records, the following actions should be taken:

  • Immediately discontinue operation of and/or access to the source of the breach.
  • Immediately notify the appropriate authorities if criminal activity is suspected or the data was lost/misplaced offsite.
  • Notify the Office of Risk Management Claims Manager at 617-746-5743, or via e-mail.
  • Notify your corporate or general counsel.
  • Identify a primary contact within the organization to serve as the first point of contact for all members of the Crisis Response Team.
  • Have senior staff available at your facility to meet with the Crisis Response Team.
  • Confirm the type of data compromised (social security numbers, names, etc.).
  • To the extent possible, secure a listing of the contact information for all potentially affected parties.
  • Identify and secure contact information for any clients, donors or employees that were not affected but will need to receive communication to advise them they were not affected and to enable management of perceptions and expectations.
  • Identify any possible responsible parties and obtain the contact information, and copies of relevant contracts or agreements.
  • Document the process containing the data and/or the process that resulted in the breach.

Please remember - the Crisis Response Team and the associated services are provided at no cost to your organization.  The Office of Risk Management is available should you have any questions or concerns regarding these services or the Data Breach Response Plan.