How to Respond to a Data Breach
- investigative costs (i.e., determining what happened);
- fixing what went wrong;
- notification and associated expenses (e.g., giving customers free subscriptions to a credit monitoring service);
- business disruption;
- addressing state attorneys general;
- potential class-action lawsuits; and
- lost business revenues.
Einstein cited Ponemon Institute research that put the cost of a breach at $125 per compromised record for retail companies. As you can see, the costs add up fast.
What to Do
Einstein offered multiple tips for retailers to mitigate the impact to their business from a data breach:
- Adopt a WISP - written information security program. This can reduce your potential exposure to a breach by up to 25 percent, Einstein said.
- Encrypt data that's transmitted.
- Ensure that all of the third-party vendors that you work with comply with your company's data security standards. Einstein noted that in most retail data breaches a third party is responsible for the compromised data, not the retailer itself.
- Spell out who is on the data security/breach response team. Legal counsel should always be part of the team.
- Have form documents ready to go in the event of a breach rather than having to write them from scratch.
- Draft a PCI security incident response plan. This is good to have, but don't rely on it alone, Einstein cautioned.
- Investigate purchasing cybersecurity insurance. Be sure to find out exactly which costs are covered (e.g., whether investigative and notification costs are included), what the exclusions are, and, of course, the cost of the premium.