For 20 days spanning from November 27 to December 15, 2013, the retail giant Target Corporation experienced one of the largest data breaches in American history. The information consisted of everything from some 70 million customer names and 40 million credit and debit card numbers to the short verification codes on the back of the compromised cards. In addition to forcing the retailer to book a reported $61 million in direct costs related to the breach, it also scared customers away from shopping at their stores—which resulted in a 46 percent drop in net profit in the holiday quarter. Although the exact full costs of the breach are not yet known, security analysts have pegged the costs at upwards of $400 million.[1]
While most businesses aren’t nearly the size of Target, a data breach can be even more impactful for a small business without the resources of a larger corporation. Fortunately, there are steps even the smallest businesses can take to mitigate the possibility of a data breach or its destructive impact if one is experienced.
What Is Data Breach?
Data breach is the exposure of sensitive customer information due to hacking, theft or the accidental release of data. Business owners are expected to be custodians of customer information and have a reasonable expectation to protect their customers’ data. Some examples of actions leading to data breach may include:
• Failure to shred customer documents
• Medical records falling off a truck on a freeway
• Skimming devices that steal customer data installed in credit card machines
• Lost laptop computer containing sensitive customer data
• Printed social security number on mailings
PROTECTING YOUR BUSINESS: MITIGATING DATA BREACH
Society Insurance | P. 888.576.2438 | 150 Camelot Drive, P.O. Box 1029, Fond du Lac, WI 54936-1029 | societyinsurance.com
1. Horovitz, Bruce. Data breach takes toll on Target profit. USA Today. February 26, 2014. Retrieved from http://www.usatoday.com/story/money/business/2014/02/26/target-earnings/5829469/.
Image caption: Failure to shred customer documents
Data breach should not be confused with identity theft—which is when thieves target individuals to obtain credit card and financial information—or cyber liability, which refers to the individual targeting of businesses to steal their financial information via hacking.
It Can Happen to Anyone
Big or small and no matter the industry, data breach is a real concern to any business. From restaurants and bars running hundreds of credit cards every night to medical offices with piles (both electronic and physical) of sensitive patient information, it can happen to anyone.
Thieves often “start small” to ply their methods—while there may be less reward in skimming card information from a small corner bar than there is in the mega-retail market on the other side of town, it’s an easier target that carries less risk of being caught.
Additionally, it’s important that business owners don’t automatically assume that anything dealing with stolen card numbers is the bank’s problem. In fact, payment processors often have contracts with businesses that give them the right to recoup certain costs from the business.
For example, one major credit card merchant typically assesses a charge of $2.50 per card that is exposed in a breach. While that doesn’t seem that significant on its face, consider how many customers hand over a credit card at even the smallest restaurants: 5,000 exposed cards, for example, would cost a business $12,500 in bank costs alone.
How to Prevent Data Breach
At its core, preventing data breach is equal parts common sense and technical knowledge. It’s important to take a balanced approach in thwarting the threat because neither avenue alone can address all issues. An ounce of prevention is worth a pound of cure.
Remember that data breach isn’t only an electronic issue—simple theft is a concern. Ensure that a data protection program is in place to protect against nonelectronic threats.
Ensure vendors only have the right amount of access. A vendor working on cooking equipment shouldn’t have access to a financial system, for instance. Monitor vendors when they’re on site as much as is reasonable. As it turns out, a third-party vendor was responsible for the Target breach!
Monitor internal systems and databases on a regular basis to ensure that there’s nothing nefarious going on. Data breach cases often go on for weeks or even months before someone notices, and the sooner you can put a stop to a data breach, the better.
Make sure any passwords on mobile devices are encrypted and strong.
Update all computer systems. A surprising number of businesses, for instance, are still running the Windows XP operating system, for which support ended on April 8, 2014. The bottom line is that Microsoft will no longer be patching known vulnerabilities in XP, which leaves computers open to possible data breaches.
Being PCI compliant goes a long way toward preventing data breach. PCI compliance means that a business is adhering to the requirements of the Payment Card Industry Data Security Standard (PCI DSS). While it doesn’t completely eliminate the risk, it protects data against easily avoidable threats.
Stay as up to date as possible on the latest techniques scammers are using. Bluetooth skimmers, RAM scrapers and malware programs are three common methods that thieves use to take advantage of businesses on a regular basis, and enterprising crooks are coming up with new methods constantly. Knowledge of the enemy is crucial in any battle, and fighting to protect customer data is no different.
Perhaps most importantly, educate employees and ensure they understand all the processes in place to mitigate data breach. An owner or manager can only do so much; the people that deal in the day-to-day operations of the business also need to be aware of what to do and why to do it.
How to React to a Data Breach
In the case of a possible data breach, the business owner should contact the financial institution that processes their payments immediately. They will begin to guide the process. The insurance agent or carrier should also be notified at this time—the sooner they’re involved, the better from a liability standpoint.
From there, clear communication with affected customers is crucial. While it may not technically be required at this point (laws in some states differ in this regard; consult local authorities for guidance), the best practice in general is to be forthright and honest. In the long run, customers will value honesty even if it is likely to be embarrassing in the short term.
In fact, as incredible as the direct expenses from a data breach can be, it’s the reputational harm that can do irreparable damage to a business. The more that can be done to put customers at ease, the better. Clear communication of the situation will help convince customers that the business is not a risky place to shop, eat, etc.
Finally, make sure any services offered to customers fit the nature of the exposed data. If only debit or credit card information is exposed, credit monitoring is nothing more than a waste of money—without a Social Security number, a new credit line cannot be opened via an exposed credit card alone. Simply counsel customers to keep an eye on their own accounts. Most likely, of course, the affected financial institution will issue a new card.
If Social Security numbers are exposed, don’t just offer one year of free credit monitoring. That’s the “cheap and easy” way out and is a disservice to customers—after all, Social Security numbers don’t expire and could be exploited at any time.
A DATA BREACH IS EMBARRASSING, COSTLY AND POTENTIALLY BUSINESS CRUSHING. BUT IT IS AVOIDABLE.