Data breaches seem to be the norm these days, whether they are at Yahoo, Home Depot, or, more recently, Michigan State University. And ecommerce merchants are not immune. My firm has recently handled data breach responses for small ecommerce companies that were affected by a breach of the LemonStand ecommerce platform.
Ecommerce merchants must take the risk of a data breach seriously. A breach that exposes customers’ data carries enormous potential liability. It can cause a business to go bankrupt.
But there is some good news. According to “2016 Global Security Report” by Trustwave, the security firm, only 38 percent of global data breaches target ecommerce stores. Traditional brick-and-mortar retail stores are the most targeted — roughly one-third of overall data breaches target magnetic strip data obtained from point of sale machines.
It can be difficult, however, to detect a data breach. Again according to the Trustwave report, 41 percent of worldwide breaches are detected by the victims themselves, while 58 percent are reported to the victims by regulatory bodies, credit card companies, and banks. The median time between a network intrusion and its detection is 168 days when the breach is detected externally and 15 days when it is detected internally.
Responding to a Data Breach
What should you do if you, as an ecommerce merchant, discover or are notified of a breach? In general, develop a response plan, execute on that plan, and analyze your response efforts.
To do this, the first step is to appoint a data breach team leader — a key decision-maker with experience in infrastructure and security protocols — to work with the company’s insurance agent, law enforcement, internal and external public-relations teams, and outside legal counsel.
Once a team leader is selected, document the events surrounding the discovery of the breach, such as the date, time, and method of discovery.
Then, neutralize the risk of further breach by changing passwords, locks, access codes, and even physical keys, if necessary.
After that, contact law enforcement.
Assessing the Damage
Next, analyze the effect of the breach. This involves determining the personal and personally identifiable information that has been compromised, and identifying the affected individuals.
Beyond that, assess the risk of a future breach and retain outside consultants and professionals to remedy it.
Then, work with outside counsel to determine a proper response. This involves reviewing the company’s litigation risk, such as negligence claims or claims that may arise out of contractual obligations, such as service agreements or a privacy policy.
Notifying Consumers, Others
Forty-six states require some sort of notification when information has been compromised. Once the risk of litigation has been identified, examine compliance with those requirements. Some states may require attorney general notification or public notification, while others may require private notification.
The company’s insurance carrier should also be notified to take advantage of cyber insurance coverage, if applicable.
Minimizing Risk
Finally, develop a strategy for reducing the company’s risk associated with the breach. Many breached companies have offered credit-monitoring services or identity-theft-monitoring services to victims of the breach, to reduce the further risk of loss or harm. Others have offered informational packets or even some form of compensation to reduce their risk of liability. Each circumstance is different.
If your ecommerce company is facing a data breach, contact an attorney immediately. Otherwise, it is worth reviewing a recent PDF guide from the U.S. Federal Trade Commission, “Data Breach Response Guide for Business,” which addresses the subject in more detail.
As always, contact an attorney for a review and analysis of your specific situation.