Archive for December, 2013
Is your business PCI compliant?
As you have likely heard, Target recently had credit and debit card information stolen from over 40 million of its customers. Target’s credit/debit card data breach is a great reminder of why every merchant needs to be PCI compliant. You don’t need to be a multi-billion dollar retailer to be concerned about the security of your customers’ credit card data. These types of breaches happen to large and small merchants alike, but whether or not your business is PCI compliant can drastically change the outcome of a breach. If a merchant suffers a breach and is not PCI compliant, it will receive severe fines and be held responsible for any charges made with the stolen information. If you take credit card payments and are not comfortable with the PCI compliance requirements, please contact me.
We reached out to our friends at Nelson Mullins, a leading law firm with expertise in the payments industry. They shared this advice with us to share with you!
Top Ten Things Companies Can Do IN ADVANCE Of A Data Breach:
10. Review Your Breach Response Plan – If you have a plan, review it now and if necessary update it immediately. The threats are constantly changing, and everyone needs to have thought carefully about current risks and current risk tolerances within the company. If you don’t have a plan, you need one and you need one fast. The environment is volatile, and there are serious consequences from a regulatory and governance perspective for being inadequately prepared.
9. Assemble Your Team – Your team leader needs to be identified now, in advance of a crisis. During a breach or crisis situation, things happen fast, and decisions affecting the entire company will need to be made thoughtfully, with judgment and maturity and in the best interest of the company. There will need to be a balance among the various interests, and a person to call balls and strikes when disagreements about the appropriate course of action develop. What legal wants may not be what marketing wants under the circumstances. Decisions of consequence will need to be made, and in a short period of time.
8. Secure Outside Counsel Immediately in the Event of a Breach or Data Loss – In the event of a breach or data loss requiring notification, every part of this process should be subject to the attorney-client privilege. Outside counsel should be someone who can effectively marshal the internal team and provide leadership and guidance while the company is under sustained fire from the media.
7. Begin the Investigation Immediately – The sooner you are able to get your arms around what has happened or is happening, the sooner you can fix it. The investigation will be real time and require a constant flow of information to the necessary decision makers. Here is where the attorney-client privilege is very important. Until you know the scope and seriousness of a breach or data loss, things should be on a need-to-know basis only, and a record must be made along the way to explain how decisions were made based upon the information known at the time. This record becomes important from a legal and regulatory perspective, and it must be protected by the privilege.
6. Be Prepared To Engage Outside Experts – Depending on the nature and scope of the data breach or data loss, you will need to engage outside experts. You will be required as part of the notification process to describe the incident and what was accessed and how you stopped it. If the breach is the result of a network intrusion, you will need to understand and be prepared to explain how this happened and what it means to your consumers. Depending on the complexities, outside experts will need to help you answer these questions.
5. Be Prepared to Explain Some Things – At its core, this “event” will be a crisis. Even the steadiest executive may panic. You will need professional crisis communication to work closely with your team and, most importantly, your outside counsel to deal with implications for the brand, your customers’ questions, and any legal or regulatory fallout that may occur as a result of the breach. You will be required to give your customers a telephone number where questions can be asked and answered. You will need to be prepared to do this soon after the data breach or data loss. A well-developed script for those customers and any media inquiries will be valuable and important as things begin to unfold.
4. Correct the Problems – Consider your whole environment. Consider a thorough and complete risk assessment. Proper preparation involves a plan, but a comprehensive review of overall data security, IT governance, and information governance is critical and necessary. A weakness in any of these areas or a lack of focused planning can lead to vulnerabilities for bad guys to exploit.
3. Have A Well-Developed Response to Explain to Regulators – Once a data breach or data loss occurs, you should think in terms of immediately being “on the record.” People need to think in terms of hours and not days. You will be required to notify your primary regulator as soon as possible. You are going to want to have something to say, and your reporting of the matter will immediately be followed with a question regarding what steps you have taken in response to the data breach or data loss. It is important to remember that from the first minute the breach is reported, you are making a record that could be reviewed by your regulator.
2. Practice the Plan – Train your employees to execute the plan. Run scenarios. Have the team meet and work through some practice scenarios and hypothetical situations. Yes, people are busy and don’t like to play pretend crisis. Yes, people think they have too much to do with actual real life business scenarios, but the truth is that practice makes perfect and training is part of any disaster response scenario. The same thing is true with respect to a breach. Day one of the breach is not the time to be introducing team members to one another.
1. Act Now, Don’t Wait – The sooner you can review your plans and engage your team, the better. Budgets matter and planning is important, but delaying a plan or re-prioritizing this could be an expensive mistake. Data breaches and data loss matter to customers. The loss of trust cannot be accounted for in next year’s budget. The stakes are high, and the risks are real.
Please don’t hesitate to contact Equitable Payments or Nelson Mullins for assistance with PCI compliance to protect your customers and your business!
Darrah Brustein has recently been quoted in several publications. You can see them here: