A three-step process to protect your business from a data breach
On an almost daily basis, news reports announce another breach of corporate websites and point-of-sale systems. Data breaches at some of the country’s largest retailers attract national press attention, but numerous studies confirm that the majority of data breaches are occurring at small to mid-sized businesses. Many are unaware that they have been compromised. These businesses are at significant risk for costly, and potentially catastrophic, losses including liability to customers and payment card issuers, and a loss of reputation and goodwill.
Your business’s exposure to losses due to a data breach can be mitigated by taking relatively simple steps to identify and address your security vulnerabilities. Every business should, at least annually, conduct a risk assessment of its information systems, including retail point-of-sale systems; update those systems and address any identified vulnerabilities; and review its insurance program to increase the likelihood that it will have coverage when the inevitable happens.
Most businesses believe their information systems are up-to-date and compliant with the necessary security standards—and at one time they likely were. But security standards are changing regularly, and many businesses are not regularly reviewing and updating their information and point-of-sale systems.
The first step is to assess your risk with an evaluation of your information management. Namely, what information is your business collecting? How is it being used? How is it being stored?
Any business with a website or e-commerce system should identify any digital information it is processing, including whether payments are processed directly on its website or through a third-party service such as PayPal or Google Wallet.
This kind of assessment should be done regularly. As technology and business methods evolve, the answers to these questions change. Many businesses now have the ability to collect, use and store new forms of information that they previously could not collect or use effectively. Now is a good time to reevaluate what customer information your business has and how it is handling that information.
Once you have assessed your information management processes, evaluate and mitigate your exposure if something goes wrong. For most retail businesses, a significant source of exposure is the point-of-sale system, whether in person at the cash register or online. The payment card industry has promulgated the Payment Card Industry Data Security Standard (or PCI-DSS). Compliance generally requires every merchant, regardless of size, to meet 12 requirements in six separate categories. If a breach occurs and your business is not PCI-DSS compliant, your business may be liable not only to your customers but also to the banks and financial institutions that issued the credit and debit cards your customers use. Today, liability to card issuers may be much greater than the liability to consumers directly.
Some businesses have outsourced payment card processing to a vendor. Even then, businesses should evaluate their exposure in the event their vendor is breached, including the vendor’s obligation to notify and indemnify them in the event of a breach.
For other types of information, evaluate whether the information constitutes “personal information” under the applicable state laws. Notably, many states have extended their laws to any business with personal information about a resident of that state. So, New Jersey businesses with personal information of California and Massachusetts residents, for example, may be subject to the data breach notification laws of California and Massachusetts.
Finally, every business should review its insurance policies for adequate coverage for when the unexpected happens. This requires more than confirming that your comprehensive general liability or CGL policy is up to date. Today, most policies, particularly CGL policies, will contain terms that limit or exclude coverage for cyber, privacy and other information-related losses. Every business should carefully review the terms of its policies against the specific exposures that it may be facing.
Today, the information economy presents numerous opportunities for businesses to gain a competitive edge through the use of technology and information processing. But these new opportunities carry new risks. Taking a few steps now to review and evaluate your exposure can go a long way in preparing for and mitigating these risks—and protecting your business from future losses.
Ryan J. Cooper is Counsel at Pashman Stein and head of the firm’s Privacy and Information Governance practice, where he advises clients on all aspects of information risk, including data breach prevention and response. Mr. Cooper can be reached at firstname.lastname@example.org.