How to Respond to a Data Breach
The question isn't if your company will be the victim of a data breach, but when. Those were the sobering words of Martin Einstein, senior partner at Brann & Issacson, a law firm that represents online and multichannel companies, at the American Catalog Mailers Association's (ACMA) Forum last week in Washington, D.C. Einstein addressed the crowd of direct marketers on what they can do to mitigate their risk and exposure to a data breach, as well as how best to respond in the unfortunate event that a breach does occur.
Citing recent examples of high-profile data breaches involving Target, Home Depot and TJX Companies (parent company of T.J. Maxx, Marshalls, HomeGoods, Sierra Trading Post), Einstein noted that there's no federal law governing data security. There are 47 individual state laws that retailers need to be in compliance with, and nexus is not a defense. You need to be in compliance with the privacy laws of where your customers live, not just the state where your company is headquartered.
Where it becomes tricky is that there's no uniformity across the state laws, Einstein noted. For example, in Massachusetts retailers can not describe the nature of a breach when notifying the state's attorney general and affected customers, yet in Maryland the law says that retailers must describe the nature of the breach when notifying the state's attorney general and affected customers. To help with the confusion, Einstein suggested that retailers have a templated letter ready to go for each state (with inserts for common info). State laws also differ in many cases around notification requirements - timing, method (email, mail), what constitutes "personally identifiable information," etc.
Costs of a Data Breach
A data breach can take a tremendous financial toll on your business. Here are just some of the costs associated with a breach identified by Einstein:
- investigative costs - i.e., what happened?;
- fixing what went wrong;
- notification and associated expenses (e.g., giving customers free subscriptions to a credit monitoring service);
- business disruption;
- addressing state attorneys general;
- potential class-action lawsuits; and
- lost business revenues.
Einstein cited research from the Ponemon Institute that put a value of $125 per record breached for retail companies. As you can see, the costs can add up fast.
What to Do
Einstein offered multiple tips for retailers to mitigate the impact to their business from a data breach:
- Adopt a WISP - written information security program. This can reduce your potential exposure to a breach by up to 25 percent, Einstein said.
- Encrypt data that's transmitted.
- Ensure that all of the third-party vendors that you work with comply with your company's data security standards. Einstein noted that in most retail data breaches a third party is responsible for the compromised data, not the retailer itself.
- Spell out who is on the data security/breach response team. Legal counsel should always part of the team.
- Have form documents ready to go in the event of a breach rather than having to write them from scratch.
- Draft a PCI security incident response plan. This is good to have, but don't rely on this solely, Einstein cautioned.
- Investigate purchasing cybersecurity insurance. Be sure to find out the specific cost coverage you'll receive - e.g., will investigative and notification costs be covered - as well as what the exclusions are. And of course you'll want to find out the cost of the premium.