Merchants and retailers who believe a data breach could never happen to them should stop and think again.
Whether it's a mom-and-pop convenience store, a branch of the US government or anything in between, all are potential targets; cybercriminals do not care about an organization's size when there is data to steal. CIO Review reports more than 850 data breaches in the past year. As a result, it is becoming more important for businesses not only to protect themselves, but to be ready to respond effectively if the worst happens and attackers do get in.
Have a Plan in Place
The threat of a data breach has to be taken seriously. Any company that accepts credit cards could be liable for assessments, non-compliance fines, the cost of IT professionals, forensic investigators, outside legal fees and that's just the beginning. Clients must be notified and additional investments must be made to win back customer confidence and business.
"Since it is really more of a question of when, than if, when it comes to data breaches, we always recommend having a detailed and thorough data breach response plan in place," Michael Bruemmer, vice president of the data breach team at Experian, told Business News Daily. "And not only should that plan be created, but it needs to be practiced and updated on a regular basis to ensure it accounts for the latest threats, including attacks like ransomware."
The first step to recovery from a breach is understanding what happened, and experts can't stress enough how important it is to be able to recognize that something has gone wrong. In many cases there are no clear signs at first. Many businesses first learn of a breach months after the attack, when law enforcement, business partners, banks or the media inform them.
If you don't already have one, it's vital to put a plan in place for when the worst happens. It should include a response team to investigate the source and scope of the breach, as well as a communications team to engage with employees, customers, investors, clients, business partners and other stakeholders. In the same way a family practices a fire escape plan for the home, test the data breach plan regularly so everyone knows what they will need to do.
Resources to Assist You Following a Breach
Contact an attorney and have him or her retain a forensic investigator who specializes in finding, preserving and analyzing electronic equipment and data. David Zetoony of the law firm Bryan Cave says lawyers who specialize in data security breaches can advise companies on their legal obligations to notify consumers, the public, insurance companies and regulators.
The Federal Trade Commission publishes a guide for businesses recovering from a data breach that includes sound advice on informing customers. The FTC says to notify customers as quickly as you can after discovering the breach so they can take steps to reduce the chance their information will be used for fraud.
Before notifying customers, the FTC advises consulting with law enforcement to make sure you won't be releasing information that could impede the investigation. The agency also notes that most states have breach notification laws specifying what your notices to customers and others must contain. Beyond whatever state law requires, the FTC recommends clearly describing what you know about the compromise: how it happened, what information was taken, how the thieves have used the information (if you know), what action you have taken to remedy the breach, what you are doing to protect affected individuals (such as offering free credit monitoring), and who to contact in your company for further information.
Finally, make sure you are PCI compliant. Businesses that suffer a data breach are frequently found to have been out of compliance at the time of the breach. Merchants and others who process, store or transmit payment card data are required to implement and maintain the PCI data security standards. Compliance is a baseline rather than a guarantee against a breach, and it is an ongoing commitment that extends beyond the initial technology upgrade: systems must be evaluated regularly to confirm they still meet the standard.