Credit card processing: Avoid a data breach


by John Mayleben

What’s your plan?

We live in a world of intense data collection and the corresponding data mining (who hasn’t noticed that Facebook ads magically appear within seconds of you “googling” a unique phrase?). What are you doing to protect your customers’ data and, equally important, how have you planned for a data breach?

In the business environment today, a breach is not an “IF” but a “WHEN,” and that is what you should be planning for.

Even the best organizations can have a data breach. It might be something as simple as one of these minor events:
• Confusing two customers with similar names and sharing data about one with the other;
• Pushing the wrong speed dial button on your fax machine and faxing a document to the wrong person;
• A phishing attack on your payroll person that allows someone to access your payroll records;
• A spam email that looks legit to someone in accounting, who forwards all of the W-2s to a bad guy; or
• A request for information about a specific employee that was sent by a bad guy.

How you react to the breach can mean the difference between a mildly annoyed customer, vendor, or employee and a public lawsuit that creates bad PR for your organization and the specter of huge fines or penalties.

While no one wants to have a data breach, you should be planning for the eventuality and then testing the plan periodically.

CYBER INSURANCE
One good place to start is with your insurance agent. If you haven’t already had a conversation about cyber insurance, you should. This is the policy that will typically come into play in the event of a data breach. These policies usually include some pre-planning tools and testing, along with the appropriate response plans. The good ones will offer tools that let you attempt to penetrate your own computer systems and test your employees with simulated spam and phishing emails.

The landscape of notification alone can be intimidating. In today’s smaller and smaller world of digital connectedness, you could have a computer server that is housed in one state, your business in Michigan and a customer in a third state. If you have a breach, whose laws on notification apply? How quickly do you have to alert the person whose data was compromised? While this should be a federal issue (because of all of the cross-jurisdictional issues), the folks in Washington can’t seem to agree on the time of day, much less something as important as this. That has left the door open to each of the 50 states, and probably a few local governments, to craft their own rules and policies.

With this patchwork quilt of laws, you could be violating one of them and not even recognize it. To quote the state trooper handing you a speeding ticket, “Ignorance of the law is not an acceptable defense.” Just because you weren’t aware of the law in the state of residence for the customer whose data was exposed doesn’t waive the penalties.

Unfortunately, regardless of what goods or services you are selling, you need to be paying attention to the data you collect and where/how it is handled during its lifetime in your possession.

John Mayleben, one of the nation’s first Certified Payments Professionals designated by the Electronic Transaction Association, is an MRA consultant and national expert on payment processing.