Tips for Merchants and Consumers Facing a Data Breach

The high-profile data breach at Target made international news. But small and midsized businesses face the majority of cyber attacks and are even more likely to have employees mishandle data than large enterprises. Here are some tips for merchants and consumers when faced with a data breach.

All companies that handle personal information – including customer names and credit or debit card information – are vulnerable to security breaches and must comply with state and federal laws relating to data privacy and security. These breaches can be very expensive, resulting in fines and fees charged against the merchant by the credit card brands; legal and information security forensics fees; possible legal liability to consumers and regulators; and loss of consumer trust.

What should merchants do to prevent a breach?

1. Businesses that sell goods and services accepting credit and debit cards for payment should comply with the Payment Card Industry Data Security Standard (PCI DSS). This involves creating and maintaining a data security program before a breach occurs.
2. All businesses that handle sensitive data should designate a breach response team that includes legal counsel and crisis communications personnel.
3. Businesses should create a strong internal culture supporting information security and routinely educate employees about preventing data loss.
4. Merchants should ensure that their vendors are trustworthy and have appropriate technology and procedures in place to maintain data security.

What are the merchant’s first steps after discovering a breach?

1. Follow the incident plan, if one exists.
2. Confirm the nature and extent of the breach,preserving all logs and documenting actions.
3. Working with qualified information security experts, contain the breach and analyze its origins, performing as complete an audit of the incident as possible as quickly as possible.
4. Merchants should contact a qualified attorney promptly and follow all breach notification laws. In addition, merchants should contact their liability insurers; their merchant banks; law enforcement; regulators and the Attorney General if required by law; Consumer Reporting Agencies if required by law; and consumers affected by the breach.
5. To prevent future breaches and respond to consumers’ and regulators’ concerns, merchants should promptly implement appropriate information security programs, including conducting self-assessments, third-party audits, employee training, and the like.

What should consumers do if they are concerned their payment card data has been breached?

1. Consumers should immediately notify their credit and debit card companies and monitor all card statements for fraudulent activity.
2. Consumers may file a fraud alert with the credit reporting agencies if they suspect fraudulent use of their accounts. If a merchant offers free credit monitoring services following the breach, consumers should consider accepting the offer.
3. As always, consumers should adopt strong passwords and PINs, and change them regularly.

For more information on information privacy and data security law, including assistance with preparing data security programs and responding to a data breach, contact Rita Heimes at Verrill Dana at [email protected], or call 207-774-4000.