How to manage your next data breach

Cyber security professionals have somewhat resigned themselves to the fact that data breaches are inevitable and placed an emphasis on how to manage a highly fluid situation.

After last year’s large retail data breaches, the industry has doubled-down on efforts to protect customer records. Most retailers now have data breach response teams in place and leaders have called for increased industry collaboration on cybersecurity. However, the threats continue to evolve and effectively managing security incidents requires constant evaluation.

Based on experience helping thousands of retail companies navigate these murky waters, Experian Data Breach Resolution provides the following tips for retailers to be best prepared to manage a data breach in today’s landscape.

1. Practice your data breach response plan. Research shows that most companies have acknowledged the need to prepare for a data breach by having an incident response plan in place. While this is an encouraging step, companies also need to practice and update their plan on a regular basis to ensure it runs smoothly and to account for changing threats. Like a fire-drill, companies should rehearse and audit the data breach response plan on a semi-annual or quarterly basis.

2. Don’t treat chip and PIN as a data breach panacea. With the imminent adoption requirements for EMV chip and PIN technology in the United States this October, retailers are pushing to quickly update payment terminals. While the technology is more secure, businesses and consumers should not consider this a silver bullet. Companies should prioritize moving to the new technology, but do not expect this will halt all point-of-sale attacks as criminals are likely looking for new ways to access valuable customer data.

3. Balance customer convenience with security. Although concern for data breach risk is high, new technologies are often deployed by retailers because they promise customer convenience. In fact, a survey published by the Ponemon Institute earlier this year found more than half of payment executives surveyed prioritize convenience over security. This is concerning as the adoption of new technologies often leaves a company particularly vulnerable to a data breach. While it is understandable that convenience is an important part of any retailer’s business model, it should never come at the expense of data security. As companies look to incorporate purchases via mobile applications or other new technologies, make sure that there are strong security controls built in.

4. Consider investing in cyber insurance. Many security professionals agree that having a cyber insurance policy in place is a valuable part of any company’s risk mitigation strategy. Typically a good policy will account for retroactive incidents, loss of revenue following a data breach, and access to external experts needed to help navigate a breach.

5. Be prepared to provide meaningful protection for customers. The proliferation of data breaches has prompted increased expectations for swift notification and customer protection if an incident occurs. In fact, 63 percent of consumers believe organizations should be obligated to provide identity theft protection in the event of a data breach. Retailers should be prepared to put customers first after a data breach by providing protection services and clear guidance on how consumers can take an active role in protecting themselves from potential fraud.

6. Communicate regularly with regulators. More state attorneys general have called on companies to have a data breach response plan in place that includes the offering of identity theft protection services to affected customers, and several state legislatures are continuing to update notification requirements in their respective data breach laws. As a best practice, we suggest partnering with outside legal counsel for guidance to help build a relationship with local regulators and be up to speed on the latest customer notification requirements.

7. Collaboration is key to solving long-term issues. To successfully protect customers’ payments data and personally identifiable information (PII), retailers must embrace industry-wide collaboration and continue to invest in data breach response planning. In addition to educating internal stakeholders, consider participating in discussions hosted by the National Retail Federation and Retail Industry Leaders Association about data breach preparedness and how retailers can continue to combat security threats.

Michael Bruemmer is a VP with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer is on the Ponemon Responsible Information Management (RIM) Board, the Information Security Media Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.