Spencer Fane LLP Logo

The Four I’s to proactively addressing data breach risks

You’ve been hearing about data breaches for quite some time now. It seems like there’s a new one every day. Most of the news focuses on credit card transactions, but regardless of your industry and the safeguards you use to protect your data, if you collect any type of information about your customers, you’re at risk.

This series will focus on how to minimize your risk, and how to react if a data breach does occur. Today’s post will focus on measures you should take to address data breach risks. We call it “The 4 I’s.”

  1. Information Governance
  2. Indemnity
  3. Insurance
  4. Inquiry Protocol

Information Governance

The foundation of a sound data security and breach response strategy is information governance. An information governance policy distinguishes the data in your organization across a variety of matrix; the most important being whether the data contains personally identifiable information. Such data should be flagged and segregated in your database. Likewise, efforts at data triage should be regularly undertaken to distinguish between information and data useful to the ongoing enterprise and that information which is useless to the organization. On the front-end, organizations should seek to collect the minimum amount of personal information necessary to accomplish the company’s business purposes and that information should be specifically flagged as confidential. While the information is retained within the organization, appropriate safeguards should be implemented and monitored. Employees should be made aware of the sensitivity of the information. The enterprise’s data should be regularly reviewed so that information no longer of any value to the enterprise can be disposed of in a safe and secure manner. Special focus should be placed on all mobile devices, which represent a significant risk of data breach.


Indemnity is a powerful and often overlooked device to address data breach risks. A significant number of data breaches are caused by an organization’s vendors and other business partners. Vendors should be closely scrutinized to insure their compliance with your organization’s data security protocols. Moreover, agreements with those vendors should contain strong indemnity provisions protecting your organization in the event the vendor is responsible for a data breach. Companies should also consider requiring proof of data breach insurance from its vendors.


The procurement of a cyber insurance policy is increasingly important for two reasons. First, both the frequency and financial consequences of data breaches are escalating. Second, the insurance industry has become increasingly active in disclaiming coverage under existing commercial general liability policies.

Inquiry protocol for data breach notice

All but a few states require notice of any data breach where the data owner determines a significant risk of harm to its customers is present. Companies should have a predetermined protocol to make this risk assessment. Little guidance from the government has been provided on whether or not the notification requirement is triggered by any given breach. As such, a pre-established protocol to assess the likelihood of customer harm in any given breach is essential. Companies are given relatively little time to complete a risk assessment and give notice as more states are imposing tighter deadlines. Accordingly, a pre-established inquiry plan is a vital part of a data breach plan.