BreachExchange mailing list archives

Life’s a breach: Make a New Year’s resolution to be prepared


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 8 Jan 2015 19:06:59 -0700

http://www.insidecounsel.com/2015/01/07/lifes-a-breach-make-a-new-years-resolution-to-be-p

Data breaches are an ever present factor for all companies that maintain
consumer data. But from a review of the 2014 breaches alone, this issue
appears to be particularly acute for retailers. It is not a question of
“if,” but rather “when,” and how many times, a retailer is likely to be the
recipient of future cyber attacks.

While much of that is not news, what is becoming more stark is the
significant exposure and risk associated with breaches. There is extensive,
and often negative, media coverage that impacts the brand. In 2014, the
average cost of a data breach for U.S. companies rose to $5.85 million per
breach and $201 per breached consumer record, according to Ponemon. Ponemon
also reports that companies are losing more customers following a data
breach, with the average churn rate increasing 15 percent from 2013 to
2014. In early December, a federal court in Minnesota ruled that Target
owed banks a duty to protect payment card information from hackers —
another blow for retailers if their data security is deemed insufficiently
robust. These growing costs and risks underscore that data security
preparation is key to protecting both customer data, and a retailer’s
bottom line.

The following data breach New Year’s resolutions can help retailers avoid
some of these issues and be better positioned for the increased cyber
scrutiny anticipated for 2015.

Pre-breach

1. Plan it: When a breach occurs, companies often need to make the most of
borrowed time to perform appropriate forensic analysis and remediation,
comply with notice obligations, craft appropriate messaging and otherwise
mitigate exposure. Having in place — and already being familiar with — a
formal incident response plan can help reduce the costs associated with a
breach by as much as $17 per record, the Ponemon Institute reports. Given
the tight timeline and high costs to the company at stake, an incident
response plan with a clear and delineated list of responsibilities that
identifies who will undertake what particular analyses and action items,
combined with training personnel on the plan, can be the difference between
a contained breach and a mega-breach.

2. Avoid blind spots: In two of the largest recent retailer breaches in
2014, hackers apparently were able to access the companies’ systems with
stolen vendor credentials and, due to other system vulnerabilities, place
malware on point-of-sale systems that recorded magnetic stripe data. Most
companies cannot function without the support of vendors and business
partners. But a smart, organized vendor due diligence and security program
can help mitigate both the occurrence and the scope of a data breach caused
in whole or part by the lax security practices of a third party.

3. Know your peeps: Many retailer breaches result from malicious or
criminal attacks on retailers’ systems, and therefore involve law
enforcement. Identifying points of contact within federal and state law
enforcement, as well as other entities that the company may want or need to
involve, such as third-party forensic experts, a public relations firm or
credit monitoring services, will help expedite the response and remediation
processes.

4. Coverage: Breach-related costs, particularly those from larger breaches,
often exceed the amount of network security-related insurance a company
has. By reviewing and understanding the scope and applicability of their
policies, companies can evaluate the adequacy of their coverage,
limitations and any breach-related obligations, such as notice
requirements. Considering whether to purchase specific cyber liability
insurance is another option.

5. Business partner obligations: In addition to applicable state data
breach notification laws, most companies have notice obligations in their
contracts with business partners that share consumer data, such as a
merchant or acquiring bank, payment processor or payment card brands.
Determining a point of contact at each partner, and the notice obligations
under the applicable contract, can help ensure compliance and avoid
unnecessary delays.

6. Forensics: When a breach involves payment card data, as most retailer
breaches do, a retailer is required to hire a PCI Security Standards
Council-approved forensic investigator. Selecting preferred PFIs ahead of
time will give a company the opportunity to carefully consider all
available options and find the best fit. Additionally, drafting and
executing a contract with one or two PFIs beforehand will allow more time
to negotiate contract terms, rather than during a breach crisis.

7. Template notice: State data breach notification laws vary widely.
Drafting template notice documents that comply with, or can easily be
modified to comply with, all applicable laws can help avoid delay while
still ensuring compliance.

8. Guideposts: Tracking legal trends, such as by the FTC and state
attorneys general, provides insight into a regulator’s view on data
security requirements and best practices. For example, in a recent closing
letter, the FTC reminded businesses that data security is an ongoing
process, requiring the adjustment of security practices as the landscape
changes, and that it is in the company’s and public’s best interest to
engage in proactive, remedial measures without waiting for government
prompting to take additional steps.

Post-breach

1. Remediate and reevaluate: Reviewing and reevaluating the company’s
response plan and security practices routinely demonstrates that a company
takes customer privacy seriously. Regulators will want to know what a
company has done and continues to do in the wake of a breach, and
reassurance that a company has taken the necessary steps to enhance
security going forward may help prevent further scrutiny.

2. Strategy: Companies that experience well-publicized breaches often find
themselves the targets of investigations by the FTC and state attorneys
general, and lawsuits by financial institutions and consumers. Once the
immediate breach crisis has settled, time is well spent designing the
company’s overall defense strategy and narrative on these fronts. A focused
approach for the long term will result in an organized defense. Too often,
the crisis can lend itself to short term decisions, continually evolving
facts, and changing strategy that negatively impact the overall defense.

Data security plays an important role in retailers’ businesses and, if
neglected, increases a retailer’s exposure to cyber attacks and the costs
associated with a data breach, including regulator investigations,
litigation and customer loss. It’s never too late (even with lean resources)
to reduce risk by reviewing and optimizing policies and procedures and
understanding the common pitfalls that increase the costs or delay
notification of a data breach. Proactive efforts can go a long way when an
incident arises.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
