What Happens When Your Store Is the Victim of a Data Breach?
Lifecycle of a Data Breach for Small Retailers
A data breach isn't a one-and-done occurrence. It is the beginning of a series of headaches, legal expenses, and wallet-busting costs that can overwhelm store owners.
If you've never had a breach at your store, you're probably unfamiliar with everything involved. So let's start with the basics. You can typically divide a breach into three phases:
Recognize | Repair | Respond & Recover
- Recognize: discovering the data breach.
- Repair: fixing the data breach.
- Respond & Recover: handling inquiries, notifying authorities, and helping customers avoid identity theft.
But even these three phases don't really paint a clear picture of what you'll have to do during a breach. Let's start with day one, when you've just discovered a breach.
Day One of a Retailer Data Breach: Here's What Happens
The moment you learn about a data breach, it's already too late to prevent it. Criminals have already broken into your store's systems, copied its data, and may already have used that data to commit identity theft against some of your customers.
Verizon's Data Breach Investigations Report shows that in 60 percent of cases, criminals are able to compromise an organization within minutes, yet it can take the organization weeks or months to notice it has been breached.
You read that right. It only takes minutes. By the time you finish reading this section, a hacker could have broken into your network. And you probably wouldn't have noticed.
So how do you find out you've been hacked?
- Often it isn't you who notices. Law enforcement officials, card issuers, and security professionals contact you because they have seen a pattern of fraud among your customers.
- Banks and card networks track fraud reports and look for what the victims' cards have in common.
- When a pattern emerges (e.g., the victims' cards were all used at your store in the last six months), your store becomes the suspected "common point of purchase," and the investigators assume it has been breached.
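The pattern-matching step described above is usually called common-point-of-purchase analysis. The following is an added illustrative example, not code from the original article or from any bank: it takes a batch of card transactions, a list of cards later reported as fraud victims, and a look-back window, and ranks merchants by how over-represented they are among the victims compared with cards that were not reported. The card IDs, merchant names, transactions and thresholds are all constructed for the example.

```python
"""Common-point-of-purchase (CPP) analysis, an illustrative example.

Given a set of payment cards later reported as fraud victims, find the
merchant that an unusually large share of those cards all used during the
look-back window, compared with cards that were not reported. The data below
is constructed for this example; real issuer data is far larger and the
statistics more involved, but the idea is the same.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample transactions: (card_id, merchant, purchase_date).
# Cards v1..v5 are later reported as fraud victims; c1..c6 are not.
TRANSACTIONS = [
    ("v1", "CornerMart", date(2024, 2, 10)), ("v1", "BigBoxCo", date(2024, 2, 11)),
    ("v2", "CornerMart", date(2024, 3, 5)),
    ("v3", "CornerMart", date(2024, 4, 20)), ("v3", "BigBoxCo", date(2024, 4, 22)),
    ("v3", "GasStop", date(2024, 4, 25)),
    ("v4", "CornerMart", date(2024, 5, 15)), ("v4", "GasStop", date(2024, 5, 16)),
    ("v5", "CornerMart", date(2024, 6, 1)), ("v5", "BigBoxCo", date(2024, 6, 2)),
    ("c1", "CornerMart", date(2024, 3, 12)), ("c1", "BigBoxCo", date(2024, 3, 13)),
    ("c2", "BigBoxCo", date(2024, 2, 20)),
    ("c3", "BigBoxCo", date(2024, 4, 1)),
    ("c4", "BigBoxCo", date(2024, 5, 5)),
    ("c5", "CoffeeHut", date(2024, 5, 6)),
    # c6 visited CornerMart, but before the window opens: it must not count.
    ("c6", "CornerMart", date(2023, 12, 15)), ("c6", "BigBoxCo", date(2024, 1, 10)),
]
VICTIM_CARDS = {"v1", "v2", "v3", "v4", "v5"}
WINDOW_END = date(2024, 6, 30)  # the day the fraud reports were analysed


def merchants_per_card(transactions, window_start, window_end):
    """Map each card to the set of merchants it used inside [window_start, window_end]."""
    seen = defaultdict(set)
    for card, merchant, day in transactions:
        if window_start <= day <= window_end:
            seen[card].add(merchant)
    return seen


def common_point_of_purchase(transactions, victim_cards, window_end,
                             window_days=180, min_victims=3, min_lift=3.0):
    """Rank merchants by how over-represented they are among victim cards.

    For every merchant, compare the share of victim cards that shopped there
    with the share of non-victim (control) cards that did. A merchant that
    most victims share but few controls do is the likely breach point.
    Merchants seen by fewer than `min_victims` victims, or whose lift over the
    control rate is below `min_lift`, are dropped so that a chain everyone
    shops at (BigBoxCo) or a tiny cluster does not raise a false alarm.
    """
    window_start = window_end - timedelta(days=window_days)
    seen = merchants_per_card(transactions, window_start, window_end)
    victims = set(victim_cards)
    controls = set(seen) - victims
    merchants = {m for ms in seen.values() for m in ms}

    results = []
    for merchant in merchants:
        victim_hits = sum(1 for c in victims if merchant in seen.get(c, ()))
        control_hits = sum(1 for c in controls if merchant in seen[c])
        victim_rate = victim_hits / len(victims) if victims else 0.0
        control_rate = control_hits / len(controls) if controls else 0.0
        # Small additive smoothing keeps a merchant with zero control hits
        # from producing a division by zero or an infinite lift.
        lift = (victim_rate + 0.01) / (control_rate + 0.01)
        if victim_hits >= min_victims and lift >= min_lift:
            results.append({
                "merchant": merchant,
                "victim_hits": victim_hits,
                "control_hits": control_hits,
                "victim_rate": round(victim_rate, 2),
                "control_rate": round(control_rate, 2),
                "lift": round(lift, 1),
            })
    # Strongest signal first; ties broken by victim count, then name.
    results.sort(key=lambda r: (-r["lift"], -r["victim_hits"], r["merchant"]))
    return results


if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, VICTIM_CARDS, WINDOW_END):
        print(row)
```

Run as written, the only merchant that survives the thresholds is CornerMart: all five victim cards used it inside the window while only one of the six control cards did. BigBoxCo is visited by three victims but by almost every control card too, so its lift is below 1 and it is correctly ignored, and c6's pre-window visit to CornerMart does not count against it. Lowering `min_victims` to 2 lets GasStop (two victims, no controls) through as well, which is why real investigations need a minimum victim count before naming a merchant.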
Remember the famous data breach at Target? Target was alerted by federal investigators in mid-December 2013 and had the card-stealing malware removed by December 15, but criminals had been collecting card data from its registers since November 27. Despite all the security professionals Target employs, it took weeks for the company to realize what had happened.
Data Breach Timeline: Ins and Outs
After discovering a data breach, you'll have to fix the issue that led to the breach and try to control its damage. These two steps are interrelated. After law enforcement officials, banks, or security professionals notify you that your store's been hacked, you'll want to take these steps:
- Contact your insurance provider if you have Cyber Liability Insurance.
- Hire a security professional and contact your POS service provider to figure out how the attackers got in and which systems and data they reached.
- Close the hole: patch or replace the affected systems, change any credentials the attackers could have captured, and confirm they no longer have access. Preserve logs and disk images before you rebuild anything, since investigators and your insurer will need them.
- Review your legal obligations and state data breach laws.
- Contact the state attorney general or consumer protection agencies, and contact customers affected by the breach (if required by state law).
- Offer free credit monitoring to customers (not always required by law).
- Handle customer complaints and respond to ongoing inquiries.
Depending on the size of your breach, it could take months or even up to a year to fulfill these obligations. Many states require you to notify affected customers within 30 or 45 days of discovering the attack. So you'll have to work quickly to get your systems fixed and make sure you're ready to handle the influx of complaints.