These 10 New Year's resolutions can help retailers be better positioned for increased cyber scrutiny.
By Alysa Hutnik and Katherine Rileys, InsideCounsel.
Data breaches are an ever-present factor for all companies that maintain consumer data. But from a review of the 2014 breaches alone, this issue appears to be particularly acute for retailers. It is not a question of "if," but rather "when," and how many times, a retailer is likely to be the recipient of future cyber attacks.
While much of that is not news, what is becoming more stark is the significant exposure and risk associated with breaches. There is extensive, and often negative, media coverage that impacts the brand. In 2014, the average cost of a data breach for U.S. companies rose to $5.85 million per breach and $201 per breached consumer record, according to Ponemon. Ponemon also reports that companies are losing more customers following a data breach, with the average churn rate increasing 15 percent from 2013 to 2014. In early December, a federal court in Minnesota ruled that Target owed banks a duty to protect payment card information from hackers, another blow for retailers if their data security is deemed insufficiently robust. These growing costs and risks underscore that data security preparation is key to protecting both customer data and a retailer's bottom line.
The following data breach New Year's resolutions can help retailers avoid some of these issues and be better positioned for the increased cyber scrutiny anticipated for 2015.
- Plan it: When a breach occurs, companies often need to make the most of borrowed time to perform appropriate forensic analysis and remediation, comply with notice obligations, craft appropriate messaging and otherwise mitigate exposure. Having in place, and already being familiar with, a formal incident response plan can help reduce the costs associated with a breach by as much as $17 per record, the Ponemon Institute reports. Given the tight timeline and high costs to the company at stake, an incident response plan with a clear and delineated list of responsibilities that identifies who will undertake what particular analyses and action items, combined with training personnel on the plan, can be the difference between a contained breach and a mega-breach.
- Avoid blind spots: In two of the largest recent retailer breaches in 2014, hackers apparently were able to access the companies' systems with stolen vendor credentials and, due to other system vulnerabilities, place malware on point-of-sale systems that recorded magnetic strip data. Most companies cannot function without the support of vendors and business partners. But a smart, organized vendor due diligence and security program can help mitigate both the occurrence and the scope of a data breach caused in whole or part by the lax security practices of a third party.
- Know your peeps: Many retailer breaches result from malicious or criminal attacks on retailers' systems, and therefore involve law enforcement. Identifying points of contact within federal and state law enforcement, as well as other entities that the company may want or need to involve, such as third-party forensic experts, a public relations firm or credit monitoring services, will help expedite the response and remediation processes.
- Coverage: Breach-related costs, particularly those from larger breaches, often exceed the amount of network security-related insurance a company has. By reviewing and understanding the scope and applicability of their policies, companies can evaluate the adequacy of their coverage, limitations and any breach-related obligations, such as notice requirements. Considering whether to purchase specific cyber liability insurance is another option.
- Business partner obligations: In addition to applicable state data breach notification laws, most companies have notice obligations in their contracts with business partners that share consumer data, such as a merchant or acquiring bank, payment processor or payment card brands. Determining a point of contact at each partner, and the notice obligations under the applicable contract, can help ensure compliance and avoid unnecessary delays.
- Forensics: When a breach involves payment card data, as most retailer breaches do, a retailer is required to hire a PCI Security Standards Council-approved forensic investigator. Selecting preferred PFIs ahead of time will give a company the opportunity to carefully consider all available options and find the best fit. Additionally, drafting and executing a contract with one or two PFIs beforehand will allow more time to negotiate contract terms, rather than during a breach crisis.
- Template notice: State data breach notification laws vary widely. Drafting template notice documents that comply with, or can easily be modified to comply with, all applicable laws can help avoid delay while still ensuring compliance.
- Guideposts: Tracking legal trends, such as by the FTC and state attorneys general, provides insight into a regulator's view on data security requirements and best practices. For example, in a recent closing letter, the FTC reminded businesses that data security is an ongoing process, requiring the adjustment of security practices as the landscape changes, and that it is in the company's and public's best interest to engage in proactive, remedial measures without waiting for government prompting to take additional steps.
- Remediate and reevaluate: Reviewing and reevaluating the company's response plan and security practices routinely demonstrates that a company takes customer privacy seriously. Regulators will want to know what a company has done and continues to do in the wake of a breach, and reassurance that a company has taken the necessary steps to enhance security going forward may help prevent further scrutiny.
- Strategy: Companies that experience well-publicized breaches often find themselves the targets of investigations by the FTC and state attorneys general, and lawsuits by financial institutions and consumers. Once the immediate breach crisis has settled, time is well spent designing the company's overall defense strategy and narrative on these fronts. A focused approach for the long term will result in an organized defense. Too often, the crisis can lend itself to short-term decisions, continually evolving facts, and changing strategy that negatively impact the overall defense.
Data security plays an important role in retailers' businesses and, if neglected, increases a retailer's exposure to cyber attacks and the costs associated with a data breach, including regulator investigations, litigation and customer loss. It's never too late (even with lean resources) to reduce risk by reviewing and optimizing policies and procedures and understanding the common pitfalls that increase the costs or delay notification of a data breach. Proactive efforts can go a long way when an incident arises.