Do you know your enemy? Are you fighting the wrong war? Despite everything you've read about cyber security, despite all the breaches in the news, the fact is that well-intentioned business people are still surprisingly behind the times.

Thieves and hackers are by no means the main cause of data breaches. Cyber security is just one element, because physical records, paper and files, continue to play a major role. And too few managers understand that they remain responsible for lost information, even if no one has noticed it is gone or taken advantage of the breach.

What does this tell you? Cyber security is just one part of the equation. Breaches happen in many ways. And it may be that companies are fighting the wrong war: they're focused exclusively on protection, on encryption and firewalls for example, when they should also be planning what to do after their systems are breached.

My work, and my company Beazley, isn't mainly in the business of preventing breaches. Instead, and perhaps more relevant today, we're the people who help companies survive them. We've resolved over 1,000 cases in the last five years.

Let me tell a few illustrative stories, each with an interesting lesson to be learned.

  • An angry client of a large, prestigious law firm broke into their offices and stole all their hard drives. They had a great encryption system, powerful firewalls, all the latest data security software. None of that made a whit of difference; they were breached anyway.
  • A multi-state health provider sent a free wellness magazine to its older members. They loved it. But one month their printing system got the mailing labels wrong: each one contained not just the member's address but their patient ID as well, and those IDs included their Social Security numbers.
  • Outside contractors remodeling an office disposed of some old file cabinets. Unfortunately, scores of old computer backup tapes were stored inside them. Did bad actors get hold of the data? Was anybody hurt? No, it was only an accident. But the company was, nevertheless, responsible. They had to search for the tapes in a landfill and notify thousands of customers.
  • Thieves posing as employees of a recycling company worked their way up the Eastern seaboard removing X-rays from hospital radiology labs. Their plan was to recover and sell the silver in the films. The problem was that the X-rays were marked with patient data: names, addresses, dates of birth and Social Security numbers. The crooks were not identity thieves; they weren't after the data. But under HIPAA rules, the hospitals still had to work to avoid hefty fines.
  • A doctor was in the habit of motorcycling to work. One day his briefcase came open. He arrived safely at his office, but hundreds of patient records were scattered along three miles of road behind him.
  • One company's security system was so complete that they guarded their data against their own employees. Staff had to type in secret codes to get information, using special terminals with security cameras watching over each one. An insider, however, was stealing employee identities. She stood behind friends while they looked up data and memorized the information.

What are the lessons? 

The first is that accidents are behind more data breaches than hackers. There are plenty of crooks out there, but your own innocent employees mislay more data. The second lesson is that this isn't only an information systems problem. Pieces of paper, devices and hard drives, X-ray films and even mailing labels can be vulnerabilities. A third lesson is that thieves come in all manner of disguises. They're not just digital wizards in Russia; they're maintenance men, or angry clients, or a fellow worker looking over your shoulder.

The last, most significant lesson is that you're responsible. Under HIPAA rules, legal decisions, and state and federal regulations, if important data disappears your company has the burden of recovering it and notifying those who might be harmed. It doesn't matter if it was an accident, if no injury resulted, or if you didn't even know there was a breach or what went missing.

And that brings us to data breach insurance. It really has two parts. The first part is traditional insurance, to protect your company against potential losses. You need a broad, well-crafted policy, with coverage and limits that address the full variety of claims arising out of your company's underlying exposures. (There are several ways of setting limits, and we've found that a per-person basis, covering up to, say, two million or five million records, gives us a better way to define the risk.)

The other part of data breach insurance has the characteristics of a service. In the event of a breach, we provide, and pay for, the IT forensics experts, the specialized legal help, the PR consultants and the notification services you need when there's a complex breach. The vendor is there to advise you and walk you through the steps, because, believe me, this isn't something you want to learn while you're going through it.

The good news is that there's a lot you can do to mitigate the damage. It's in your hands, and if your response is sound, no liabilities may follow.

And so what happened to the companies in the stories? Our IT experts tracked down what the law firm lost, and we helped notify their clients. We worked with the company that lost its backup tapes. They were never found, but thanks to us their liabilities were covered. For the mailing labels, we knew how to notify the readers. For the hospitals with the missing X-rays we supplied expert IT specialists, because some of them had no index for their records. We identified and notified the patients of the motorcycling doctor. We helped find the insider who was memorizing information and, even more difficult, we identified the people whose identities she stole.

Data breaches are, unfortunately, a part of doing business. No matter how well you're protected, they will happen. It isn't "if"; it's "when."

And a final lesson to be learned: a data breach doesn't have to be a disaster, but mishandling it is.

Mike Donovan is the Global Leader of the Technology, Media, and Business team at Beazley, the leading specialist insurer, which pioneered data breach response insurance through the Beazley Breach Response (BBR) product.
