Two Things That Will Help You Manage a Data Breach




Should your company fall victim to a data breach, preparedness plays a significant role in helping position you to recover. EDA members are not immune to cyber security threats. In fact, 63% of small- to medium-sized businesses surveyed by the Ponemon Institute experienced a data breach in 2019 and the average cost of a data breach in the United States exceeded $8 million in 2020. Knowing that criminals are always seeking new ways to access your data, here are two things well-prepared businesses can do to help manage the risk of a breach:

  1. Continually analyze risks
  2. Create a response plan


Continually Analyze Risks

Regularly assessing the risk of a data breach from three perspectives — processes, technology, and people — can help uncover gaps and vulnerabilities in your security. Once uncovered, determine how best mitigate these risks.

  • Processes: 52% of data breaches are caused by malicious or criminal attacks by hackers or criminal insiders.2 Evaluate the way you collect, store, or transmit sensitive financial or customer data. Confirm your vendors’ compliance with the latest cyber security recommendations or laws and regulations applicable to your business.


  • Technology: Encryption can help decrease overall data breach costs2. Consider encryption of all devices used by your employees, such as laptops, tablets, and smartphones. Additionally, install firewalls for servers and networks, or restrict access to suspicious websites.


  • People: Phishing, or “social engineering,” scams have grown incredibly sophisticated. Educate your employees to “think before you click” on e-mails that seem suspicious, too good to be true, or uncharacteristic of the sender. Many businesses benefit from phishing simulation services that help teach employees to recognize fraudulent emails.


Create a Response Plan

When data breach occurs, time is of the essence. On average, it takes 280 days to contain a data breach.2 Businesses that reduce that timeframe to 200 days or less can lower associated expenses by an average of $1 million.2 You need to respond quickly and appropriately per your legal or regulatory obligations, and having an established response plan can help you do just that. Components of your plan could include:

  • Investigation: Determine how you will uncover when and how the breach occurred, the type of information accessed, and how many individuals were affected.


  • Legal: Work with qualified counsel to understand and plan for your legal obligations in the event of a data breach, such as notification requirements.


  • Communication: Draft communication templates you can use to notify employees, customers, and other impacted parties about the data breach. Keep your messaging genuine and clear. Focusing on mitigation efforts and offering assistance to affected individuals can help restore trust and retain business.

Cyber criminals are always innovating new ways to steal company data, so remember to work with your legal advisors and risk managers to refine your plan on a regular basis.


  1. “2019 Global State of Cybersecurity in Small and Medium-Sized Businesses,” Ponemon Institute. Published October 2019.
  2. “Cost of a Data Breach Report, Ponemon Institute / IBM Security. Published July 2020.


This publication is intended to provide general information and recommendations regarding risk prevention only and should not be considered legal or other expert advice. The recommendations herein may help reduce, but are not guaranteed to eliminate, any or all risk of loss. The information presented may be subject to, and is not a substitute for, any laws or regulations applicable to your business. Qualified counsel should be sought regarding questions specific to your circumstances. © 2021 Federated Mutual Insurance Company. All rights reserved.