
1 www.npcweb.com
Highlights 2014 NetDiligence Cyber Claims Study Findings

Looked at a sampling of 140 claims

Per Breach Costs
– Average claim: $733K
– Large Co. = $2.9 Mil
– Healthcare = $1.3 Mil

Per Record Costs
– Average per-record cost $956 (up, was $307 in 2013 Study)
– Cost Range pennies - $11K per record

Crisis Services Costs (forensics, legal counsel, notification & credit monitoring)
– Average cost of crisis services $366K (could be Millions for retail)

Legal Costs (defense & settlement)
– Average cost of defense $698K (could be Millions for retail)
– Average cost of settlement $558K

2 Comparing 2014 Findings
[Chart: Average # of Records Exposed & Cost by Type (in millions)]

3 Comparing 2014 Crisis Services
[Chart: Average Expense (in thousands)]
*All services provided directly to victims (notification, call center, credit monitoring and ID restoration) are now consolidated under the term ‘Notification’.

4 Example Breach Claims

ABC Physician Group:
– Cause: Malware
– Number of records affected: 2,126
– Type of data lost: PHI
– CLAIM COST:
  Forensics: $200,000
  Notice: $6,300
  Credit: $0
  Legal Guidance (crisis response): $109,000
  Total Claim: $315,000 ($148 per record)

XYZ Nursing Home:
– Cause: Exposed paper files
– Number of records: 1,200
– Type of data lost: PII
– CLAIM COST:
  Forensics: $0
  Notice: $20,000
  Credit: $2,000
  Legal Guidance (crisis response): $100,000
  Total Claim: $122,000 ($102 per record)

5 Data Breach Response
Step One: Get the Facts
– A description of the data breach incident.
– What has been done to date, e.g. forensics, legal analysis?
– How large is the breach, i.e. quantity?
– Substitute vs. print vs. email notices?
– How many versions of the notification letter?
– What is the timeline for notification (especially important depending on type of breach and regulatory requirement)?

6 Data Breach Response
Step Two: Start the Process
– Assign dedicated and experienced Customer Service Representative (CSR).
– Work with breach coach to finalize notification letter(s).
– Obtain credit monitoring “codes” (if applicable).
– Review call center script.
– Establish call center escalation process.
– Receive mail file from law firm or forensics team.
– Order envelopes with appropriate return address.

7 Data Breach Response
Step Three: Production
– Send a proof of the letter for final review.
– Perform 48-month National Change of Address (NCOA).
– Perform CASS (endpoint validation) and pre-sort to maximize postal discounts and de-dup file.
– Review report from NCOA and CASS (business decisions need to be made).
– Print, insert and mail letter using tight quality controls – bar coding and sequence numbering.
– Send email notifications.

8 Data Breach Response
Step Four: Review & Document
– Call center goes live.
– Monitor call center Ticket Reporting System (TRS).
– Call center escalation rates within the first 48 hours.
– Review and edit FAQs “on the fly.” No improvisation.
– Monitor any returned mail.
– Collect and document all processes and procedures used during breach incident for potential audits / class actions.
– Keep track of lessons learned.

9 Lessons Learned
– Engage the right team members early (first call is important).
– Time is of the essence.
– Use your most current address file.
– Never underestimate call volumes, operator training or the types of calls you will receive.
– Have a plan for undeliverable mail.
– Think about the “response to the response.”
– Think about regulatory actions or class actions – documentation is key!

10 Questions?
Shawn Melito MBA, CIPP/US, CSP
Management Consultant, NPC’s Immersion® Data Breach Response
Cell: 814.207.4007
Email: shawn.melito@npcweb.com

