Protecting Against Security Breaches in the Retail Industry

December 2014

California Grocer, Issue 6


Over the last couple of years, security breaches have become a major concern of both consumers and retailers. Since 2013, there have been numerous reports of high-profile security breaches of retailers, including Target (affecting up to 70 million individuals), Home Depot (with approximately 56 million payment cards being affected), Neiman Marcus (with up to 1 million payment cards potentially being affected), Michaels (affecting around 2.6 million payment cards), P.F. Chang’s, and more, and the rate of breaches is accelerating.

On October 28, 2014, Attorney General Kamala Harris released the second annual California Data Breach Report, in which she raises the alarm about the jump in the number of security breaches over the last few years. In the report, she notes that 18.5 million people in California were involved in breaches reported last year, which is more than a 600% jump from 2012 (though a large part of those figures comes from the Target and LivingSocial security breaches which affected about 7.5 million Californians each), and that 84% of retail industry breaches were the result of malware and hacking.

This issue is not going away. In fact, security experts predict that the number of breaches, especially on a big scale, will keep growing. However, there are ways for retailers to protect against security breaches, many of which are outlined in the California Data Breach Report.

For instance, the report recommends that retailers should:

Promptly update their point-of-sale terminals so that they are chip-enabled; and install the software needed to operate this technology;

Implement appropriate encryption solutions to devalue payment card data, including encrypting the data from the point of capture until completion of transaction authorization;

Implement appropriate tokenization solutions to devalue payment card data, including in online and mobile transactions;

Respond promptly to data breaches and notify affected individuals in the most expedient time possible, without unreasonable delay; and

Improve substitute notices regarding payment card data breaches.

However, not all of these solutions are immediately available or under the control of retailers. As noted in a recent story by Shan Li and Andrew Khouri in the Los Angeles Times, the process of implementing chip-enabled point-of-sale systems and technologies will take some time in the U.S. Some large retailers like Target and Home Depot have committed to adopting the EMV system (the chip-enabled system named for its developers Europay, MasterCard and Visa), but the U.S. has fallen behind other parts of the world. Furthermore, retailers generally do not control all of the parts that go into devaluing and protecting payment card data, since many parts are controlled by third parties.

Therefore, to better protect yourself and your customers, you need to remain vigilant and implement a properly structured privacy and data security program. Some recommendations for your program are as follows:

Have a Leader: Designate a privacy officer who will champion and be in charge of your company’s privacy and data security program.

Define and Support your Program: Clearly define the privacy officer’s roles and responsibilities, all other supporting roles and responsibilities, and the goals and expectations of the program. Make sure your privacy officer and the program are fully supported by the organization.

Assess:

Inventory: Inventory your computer systems and data collection practices to determine what equipment and systems are used, what information you collect and store, how and where it is stored and used (including marketing and storage procedures), and what third parties are involved. Implement and verify system logging to track and identify system issues.

Know your Obligations. Learn and understand industry best practices and standards, and applicable regulations and laws—such as the California Online Privacy Protection Act (requiring a posted privacy policy that meets certain requirements), California’s data security breach notification law (requiring notification when a person’s unencrypted personal information may have been acquired by an unauthorized person), and the California Supermarket Club Card Disclosure Act (prohibiting the disclosure of rewards card customer information except for purposes of mailing card information to reward card members).

Find Vulnerabilities. Verify that all equipment and software are current (with all necessary software updates and patches installed), compliant with applicable standards (such as the Data Security Standards of the Payment Card Industry Security Council), and properly configured, encrypted, and secured. Audit all of your user accounts to make sure that no account has unneeded permissions, that there are no dormant or unused accounts that should be deleted, and that all passwords are strong. Test your systems, including through third-party audits and assessments (like SSAE 16), to assess the integrity of your systems.

Improve:

Address Vulnerabilities. Analyze your inventory and vulnerability assessments to identify your vulnerabilities and address them.

Policies. Develop and publish policies and procedures regarding your privacy and data security program, as well as any privacy policies and terms of use for your customers that use your sites.

Train. Routinely train your employees and contractors on your policies and procedures and best practices. Follow up on the training to make sure it is properly implemented.

Limit Risk. Only use, collect, and store data that you need. Have a data retention and destruction policy in place to ensure data is only stored as long as needed and properly destroyed. Ensure that all data is stored at properly secured locations in the United States (including any data collected and stored by third parties).

Require Compliance. Require in any agreements with vendors and contractors that they:

Represent and warrant that their systems (a) are developed and tested according to proper standards (including penetration testing and other necessary testing); (b) implement proper encryption and tokenization and other security procedures; and (c) are compliant with applicable standards, laws and regulations;

Agree (a) to strong confidentiality provisions, (b) that you own your data, and (c) that they will not disclose, share, or sell any data without your express written consent (and, if they do, the data will be properly aggregated and anonymized and they agree to be liable for any disclosure or use in violation of your agreement with them or applicable law); and

Agree to provide you with routine SSAE 16 and any other applicable assessments or audits (as well as the disclosures and attestations of any of their subcontractors).

Control: Remember that this is a continuous (not a one-time) process, and your program should be structured to continually repeat and improve these steps to help control the quality of the program.

Also, remember that these steps will help, but will not totally protect you from all breaches. Therefore, it is also important to make sure to get proper protections in case of a breach, such as:

Have a response program in place to (a) quickly notify affected individuals of any breaches; and (b) address the breaches.

Verify that you have adequate cyber risk insurance coverage.

In your agreements with vendors and contractors, (a) include indemnification provisions to cover breaches; (b) ensure that their liability for indemnification, confidentiality breaches, and security breaches is not capped; and (c) include requirements that they maintain adequate cyber risk insurance.

Lastly, this is simply an overview of some suggestions to help improve your privacy and data security program. It is important to also consult and rely on experts where you and your organization need assistance and expertise.