The upside for companies nationwide is that they can minimize their risk. To avoid what sometimes amounts to operational paralysis, organizational leaders need to follow some basic guidelines.

Brian Lapidus, Managing Director and Global Identity Theft and Breach Notification Practice Leader for Kroll, has unique frontline experience helping today's businesses safeguard against and respond to data breaches. Below, he offers some important advice that every institution should know about protecting itself and its customers, employees, and/or students from the damages of fraud.

Consider the numbers¹:

Average Organizational Cost of a Data Breach    $3.61 million    $3.86 million
Estimated Cost of a General Data Breach         $141 million     $148 million

*According to data gathered from breached organizations.

Data Breach Best Practices to Safeguard Data

Look Beyond IT Security When Assessing Your Company's Data Breach Risks

To eliminate threats throughout the organization, security must reach beyond the IT department. A company must evaluate employee exit strategies (HR), remote project protocol, on- and off-site data storage practices, and more, then establish and enforce new policies, procedures, and physical safeguards appropriate to the findings.

Establish a Comprehensive Data Loss Protection Plan That Will Enable Decisive Action and Prevent Operational Paralysis When a Data Breach Occurs

Your efforts will demonstrate to consumers and regulators that your organization has taken anticipatory steps to address data security threats. Disseminate this plan throughout the management structure to ensure everyone knows what to do in the event of a breach.

Educate Employees About Appropriate Handling and Protection of Sensitive Data

The continuing saga of lost and stolen laptops containing critical information illustrates that corporate policy designed to safeguard portable data only works when employees follow the rules.

Thieves can't steal what you don't have. Data minimization is a powerful element of preparedness. The rules are disarmingly simple:

  • Don't collect information that you don't need.
  • Reduce the number of places where you retain the data.
  • Grant employees access to sensitive data on an "as needed" basis, and keep current records of who has access to the data while it is in your company's possession.
  • Purge the data responsibly once the need for it has expired.

Conduct a Periodic Risk Assessment

Business models and operational processes change and might alter risk levels and liabilities. Determining if you've acquired new areas or levels of risk can be accomplished through both internal audit and specialized external resources.

Provide Training and Technical Support to Mobile Workers

Ensure that the same data security standards are applied regardless of location: provide mobile workers with straightforward policies and procedures, ensure that security and authentication software is installed on mobile devices and kept up to date, and provide adequate training and technical support for mobile workers.

Retain a Third-Party Corporate Breach and Data Security Expert to Analyze the Level of Risk and Exposure

An evaluation performed by an objective, neutral party leads to a clear and credible picture of what's at stake, without pressuring staff who might otherwise worry that their budgets or careers are in jeopardy if a flaw is revealed. Furthermore, research shows that organizations with a strong security posture or a formal incident response plan in place prior to the incident can reduce the average cost of a breach by as much as $21 and $17 per record, respectively.

Don't Rely on Encryption as Your Only Method of Defense

Encrypting data in transit and at rest is a best practice, but, when used alone, it can give businesses a false sense of security. Although the majority of state statutes require notification only if a breach compromises unencrypted personal information, professionals can and do break encryption codes.

Keep Current With Security Software Updates (or Patches)

An unpatched system is, by definition, operating with a weak spot just waiting to be exploited by hackers. Admittedly, applying patches takes time and resources, so senior management must provide guidance on allocations and expectations.

Hold Vendors and Partners to the Same Standards

It's important to define your security requirements upfront with vendors: third-party service providers may be required to maintain appropriate security measures in compliance with certain state and federal regulations. Ensure that your organization maintains control of data at all times, especially with offshore data storage or services. Your partner's mistake can cost you; a third-party breach can increase the per-record cost by $25.


1 Ponemon Institute, 2018 Annual Study: U.S. Cost of a Data Breach.
