How to Respond to a Breach of Client Data

Data breaches seem to be the norm nowadays, whether at Yahoo, Home Depot, or, more recently, Michigan State University. Ecommerce merchants aren't immune. My firm has just handled data breach responses for small ecommerce companies that were affected by a breach of their LemonStand ecommerce platform.

Ecommerce merchants must take the risk of a data breach seriously. A breach that exposes customers' data carries enormous potential liability. It can drive a company into bankruptcy.

But there is some good news. According to the "2016 Global Security Report" by Trustwave, the security company, only 38 percent of global data breaches target ecommerce stores. Traditional brick-and-mortar retail stores are the most targeted: roughly one-third of all data breaches target magnetic stripe data obtained from point-of-sale machines.

It can be hard, however, to discover a data breach. Forty-one percent of global breaches are detected by the victims themselves, while 58 percent of breaches are reported to their victims by regulatory bodies, credit card companies, and banks. This, again, is from the Trustwave report. The median period between a network intrusion and its detection is 168 days when the breach is detected externally and 15 days when it is detected internally.

Responding to a Data Breach

What should you do if you, as an ecommerce merchant, discover or are notified of a breach? In general: create a response plan, execute on that plan, and then review your response efforts.

The first step is to appoint a data breach team leader, a key decision-maker with expertise in infrastructure and security protocols, to work with the company's insurance broker, law enforcement, internal and external public-relations teams, and outside legal counsel.

Once a team leader is chosen, document the events surrounding the discovery of the breach, including the date, time, and method of discovery.

Next, neutralize the risk of further compromise by changing locks, passwords, access codes, and, if needed, physical keys.

Then contact law enforcement.

Assessing the Damage

Next, analyze the impact of the breach. This involves determining which private and personally identifiable information has been compromised and identifying the affected individuals.

Beyond this, assess the likelihood of a further breach and retain outside consultants and professionals to remediate it.

Then work with outside counsel to determine an appropriate response. This involves reviewing the company's litigation risk, such as negligence claims or claims that may arise from contractual obligations, including service agreements or a privacy policy.

Notifying Consumers, Others

Forty-six states require some form of notification when data has been compromised. Once the litigation risk has been identified, review compliance with these requirements. Some states may require notification of the attorney general or public notification, while others may require private notification.

The company's insurance provider should also be notified so that cyber insurance coverage, if applicable, can be invoked.

Minimizing Risk

Finally, develop a strategy for reducing the business's risk associated with the breach. Many breached businesses have offered credit-monitoring or identity-theft-monitoring services to victims of the breach, to reduce the further risk of loss or harm. Others have offered informational packets or even some form of compensation to reduce their liability risk. Each situation is different.

If your ecommerce firm is facing a data breach, contact a lawyer immediately. Otherwise, it's worth reviewing a recent PDF guide from the U.S. Federal Trade Commission, "Data Breach Response: A Guide for Business," which addresses the topic in more detail.

As always, contact a lawyer for a review and analysis of your particular situation.