Recovering from a Data Compromise: What Should My Business Do Next?

Larry Brennan, SVP Merchant Data Security & Cybersecurity Director, Bank of America Merchant Services

From major fast food chains to branches of government, and everything in between, it’s clear cybercriminals don’t discriminate when it comes to breaching businesses’ data defenses. Research confirms there have been more than 850 data breaches in the first half of the year, making it more important than ever to know how to respond effectively.

There’s a lot at stake for a business if a data breach occurs. If your company accepts credit cards, you could be liable for card brand assessments and non-compliance fines, the cost of IT professionals, PCI Forensic Investigators (PFI), outside legal fees, client notifications, and investments necessary to win back customer confidence.

According to a 2017 study from cybersecurity firm Kaspersky Lab, a single cybersecurity incident can cost large businesses on average almost $4 million. This figure doesn’t account for the impact from the loss of customer trust and confidence. In fact, 31 percent of customers said they terminated their relationship with the business after a breach, according to a First Data report.

Experts agree the best way to reduce damage is to act quickly. A recent IBM and Ponemon Institute study revealed organizations that act within 30 days save an average of $1 million. Here are some actions your company can take to mitigate its losses.

Put a Plan in Place Now If You Don’t have One Already.

This plan should engage three key teams: an incident response team, a crisis communications team—or outside firm—and an outside counsel focused on computer security and cyber law. Your communications plan should encompass how you will engage with employees, customers, investors, clients, business partners, and additional stakeholders. Finally, test your plan regularly and ensure everyone knows their role.

Know How to Investigate the Breach.

As soon as you know or suspect you’ve been breached, contact your card service provider, or acquirer. They may instruct you to hire a Payment Card Industry (PCI) Forensic Investigator, or PFI. A PFI is a firm that's been certified through the PCI Security Standards Council to conduct the investigation, determine the root cause, recommend or implement fixes, and report back to the relevant payment card brand organizations. Depending on which payment card brands you accept, this may even be a requirement. Some experts recommend having a PFI on retainer to ensure they are familiar with your company and on standby.


Preserve the Evidence.

The success of the investigation depends on the quality of the available evidence, and it is important to ensure the integrity of your system components and data environment.

Let the Pros Get to Work.

A PFI will analyze an image of your card processing environment to see when, where and how the criminals got in, and what malware or malicious software they may have deployed. The PFI will then remove the malware and secure your system. This establishes the at-risk timeframe—the elapsed time between the infiltration of your network and when the malware was contained or eradicated.

Check your State and Federal Laws or Regulations.

Most states have enacted legislation requiring businesses to notify customers of breaches involving personal information. There may be other laws or regulations that apply to your specific business or industry.

Add Up the Costs.

Depending on the number of credit and debit cards that are at risk and whether your security measures were up to date and compliant with PCI mandates, you may be subjected to non-compliance fines or a card brand assessment. You may also incur costs associated with notifying impacted customers or clients, as well as potential fees for retaining legal counsel or public relations and reputational management experts.

Now let’s talk about what your company can do to avoid data breaches:

Make Sure You are PCI Compliant Now.

A common theme among businesses that suffered a data compromise is that they were not PCI compliant at the time of the data breach. If you process, store or transmit payment card data, you are required to implement and uphold the PCI Data Security Standards (PCI DSS).

Understand Compliance is An Ongoing Commitment.

Many companies treat PCI compliance as a single moment in time, reaching a point of compliance and calling it a day. Maintaining compliance is an ongoing commitment to keep up with evolving policies, technologies, and processes. Changes you make to your card processing environment, such as adding a new way to accept credit/debit cards, may knock you out of compliance. It is up to you to regularly re-evaluate your compliance.

Regularly Check Your General Liability and Cybersecurity Liability Policies.

Work with your insurance provider to help ensure you are covered against all assessments in the event of a breach.

Deploy Technology to Secure Your Payment Card Data.

End-to-end or point-to-point encryption and tokenization, if properly implemented, are effective ways to secure payment card data.

The true cost of a data breach is different for every company, but taking precautions and understanding what to do immediately after the discovery of a breach can help you minimize the fallout and get back to running your business.
