What to do in the Event of a Data Breach

Posted by Karen Erdelac on Oct 13, 2016

There has been so much in the news lately about company data being breached and credit card numbers being stolen. Regardless of the size of your business, it is important to be aware of how data breaches can occur and to have a data breach response plan in place. In fact, PCI standards now require it. The following nine steps are designed to help guide you through what can be unfamiliar territory. The most important thing to remember is that prompt action is imperative! The risks associated with a data breach do not go away when a data breach is ignored; they grow—exponentially.

1. Don’t Cut Power!

Your first instinct upon learning that you may have been the victim of a data breach may be to “pull the plug,” i.e., power down your payment network and devices or log into those systems to alter passwords and security settings. While it is important to act quickly to stop a breach that may be in progress, you should act with care to preserve evidence of how your system may have been compromised. You should consider isolating compromised systems from your network (e.g., by unplugging network cables, not power), but before doing so, contact your processor or a PCI forensic investigator.

2. Identify a Lead Person.

Regardless of the size of your organization, identify one person to lead the data breach response effort. This ensures that all information about the breach and strategies for “next steps” find their way to one responsible person in your organization.

3. Retain Privacy Counsel with Experience in Data Breach Response.

A complicated patchwork of federal and state laws now governs what steps businesses must take after learning that they have suffered a data breach. Indeed, most states require entities that suffer a data breach to notify potentially affected individuals, although the scope of that obligation and what information must be communicated to affected individuals varies considerably. It is therefore important to retain privacy counsel—with specific experience in data breach notification—to ensure that these requirements are followed.

4. Notify Your Insurer (or Insurance Broker).

Cyber insurance is increasingly common and may help cover the costs and potential liability associated with a data breach. Failure to notify your insurer promptly, however, can limit or undermine your coverage. Thus, whether through counsel or through your insurance broker, take steps to determine whether you have cyber insurance coverage and promptly notify your insurance company of a potential data-breach event.

5. Work with Your Processor.

Frequently, a notice from your processor will be the first you hear about a potential data breach at your location(s). Regardless of whether that is true in your case, be sure to work closely with your processor as soon as you learn that your payment systems have been (or may have been) compromised. Processors have a wealth of experience in responding to merchant data breaches and share your goal of minimizing liability exposure associated with any breach. Plus, if you don’t already have a “backup plan” in place, your processor can help get your payments system back up and running quickly and safely, even while the investigation into the data breach continues.

6. Retain the Help of a PCI Forensic Investigator (“PFI”).

Oftentimes, the payment card brands will insist upon the retention of a PFI to investigate a potential data breach and ensure that the exposure has been contained. You can find a list of PCI Certified Forensic Investigation Companies at https://www.pcisecuritystandards.org/assessors_and_solutions/pci_forensic_investigators

7. Take Remedial Action.

Working with the PFI and your processor, promptly implement any recommended steps to ensure that the data breach has been stopped and that any system vulnerabilities have been properly remediated. 

8. Implement a Communications Plan.

Working with counsel, you should develop a plan for how to communicate about the data breach—both internally and with the media and other outside parties. 

9. Document Your Response and Preserve Records.

From data breach identification, to investigation, to remediation, be sure to carefully document the activities you are taking to contain and eliminate the data breach and preserve any records relating to the breach. Such records are not only useful to ensure that all appropriate actions are being taken to address the breach (in a sometimes hectic environment), but can be useful to minimize liability exposure associated with the data breach down the road.

Quikstone Capital Solutions works directly with Point of Sale (POS) partners that can provide efficient, compliant solutions to help manage your business and maintain high security. A merchant cash advance from Quikstone Capital Solutions is a business loan alternative that can help in these types of situations. We can help pay for the costs of a new system and ease such a transition with the assistance of our sister company Sterling Payment Technologies. Quikstone Capital Solutions and Sterling Payment Technologies management and sales team have decades of experience in the cash advance and credit card processing industries.


The information contained herein is intended to provide general information to recipients regarding issues related to data breach response. It does not provide legal advice.
