Breach Communications: Who Will Act During a Data Breach?

Even if your benefits are administered by a third party, you – as the plan sponsor – remain ultimately responsible for protecting participant data. Every aspect of a potential security breach needs to be covered in advance, and that includes your communications plan.

That’s because your people, your business partners and – if it gets that serious – law enforcement, government agencies and the media will direct questions to you, even if you’ve outsourced benefits administration.

Have a question about breach communications? We can help.

Contact Segal ›

Creating Your Comprehensive Breach Communications Plan

No matter how good your data protection process is, breaches can still occur. When one does, it is imperative that everyone knows exactly who does what, when and why.

The communications component of the incident response plan is the guide for when, how and by whom information is released to stakeholders.

Your Breach Communications Checklist

Defining roles should be a key part of your incident response plan.

Make sure you define who will:

  •     work with legal counsel to review all internal and external communications, and to respond to requests for database backup tapes, logs or other specific evidence (so that evidence is preserved and released only under counsel's direction)
  •     coordinate communication between the plan and its vendors, including your cyber insurance carrier, which typically must be notified before certain response costs are incurred
  •     handle external communications with the media (for instance, local TV and newspaper reporters)
  •     authorize access to specific data and systems if the FBI or other authorities investigate the breach
  •     work with law enforcement and other government agencies, if necessary, and
  •     make the final decisions if the incident drags on long enough that the business impact becomes severe.

To discuss role setting at your organization, get in touch.

Speak With Us ›

Breach Communications: Key Components

Once you’ve defined roles and responsibilities, you’ll need to create:

  • Correspondence templates,
  • Participant notices,
  • Incident reports,
  • Website FAQs,
  • Social media posts, and
  • Press releases.

You should also be prepared for incoming phone calls from participants and for media interviews, with call scripts and designated spokespeople identified in advance.

We can guide you in preparing these materials. Contact us.

Breach Communications for Covered Entities

In 2013, the Department of Health and Human Services (HHS) modified the Privacy, Security, Breach Notification and Enforcement Rules under the Health Insurance Portability and Accountability Act (commonly known as HIPAA).

These modifications included specific requirements for breach notification by covered entities and their business associates.

Under HIPAA, covered entities are:

  • health plans
  • health care clearinghouses, or
  • health care providers that conduct certain transactions electronically.

If you're a covered entity, you must follow a very specific breach notification process: affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered; HHS, through the Office for Civil Rights (OCR), must be notified within the same deadline for breaches affecting 500 or more individuals (smaller breaches are logged and reported to HHS annually); and breaches affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets serving that area.

Not doing so can have significant financial consequences, and the clock starts at discovery, not at the end of your investigation.

Segal has developed a model OCR breach notification plan. For more details, get in touch.

Contact Segal ›

Defining Your Incident Management Process

Breach communications is only one component of your incident response plan. If you’d like to discuss and develop the full process, our cybersecurity incident response workshop equips you to:

  • Understand leading IT security practices
  • Obtain a clear picture of your current IT security risks and the potential impact should an incident occur
  • Gain insights into the breadth of IT security areas to be addressed
  • Identify your IT security end state, and
  • Prioritize your plan for IT security efforts given the potential impact and likelihood of your IT security risks.

Don't wait until it's too late.

Schedule Your Workshop ›

Contact an Expert

Stuart Lerner

SVP, Administration and Technology Consulting Practice Leader

Amy S. Timmons

VP and Senior Consultant, Administration and Technology Consulting