There are many best practices that can be done to help reduce the likelihood of a data breach, but as they say there is no such thing as a 100% guarantee in life, so it is important to understand what could happen if a breach does occur. Of course, if you have no defenses in place to prevent a data breach, this will be informative in showcasing why that should be priority number one for the company after reading this blog. It is also usually assumed that a PCI breach and a data breach are the same thing, but this isn't always true - still, I'll be focusing on a PCI breach today.
The first thing that will happen following a breach is that impacted credit card companies will approach the bank that you work with to determine just how compliant you were. Depending on whether you can show that you did everything you could do or were just waiting for a breach to happen, the credit card companies may fine the bank - and if they do the bank will pass it on to you. Usually these fines can be pretty hefty - certainly in the $1000s, but depending on company size they can reach up to $100,000 per MONTH until the holes in PCI are fixed. If you don’t comply, your ability to accept credit cards can be revoked. Credit Card companies may still put a fine in place even if your company was compliant, and while this information isn't usually released it seems a fair bet to assume it will be less painful than what a company that wasn't compliant will be hit with.
At this point, local laws will take effect, and most states require notice to potentially impacted customers. Of course, if payment card information wasn't impacted the above paragraph wouldn't apply (for example, if Yahoo had a massive breach of usernames and passwords, PCI wouldn't apply unless your credit card info was in your account), but the state laws will apply regardless. Requirements and time tables will vary from state to state, but in a nutshell these customers need to be notified, and at this point it is best to put your best PR face on, as customers will want to know why it happened and what you were doing to stop it from happening. If you were PCI compliant that is a good feather to have in your cap, and detailing defenses that were in place will help to soften some of the inevitable black eye that will affect your brand.
Since there are many moving parts in network security, it is possible that a solution you invested in didn't perform as promised. Be careful about blaming any vendors - if you are 100% certain that the vendor allowed the breach, you can discuss it, but keep in mind that they can and will defend themselves. In the Target breach during the last holiday season, Target attempted to blame FireEye for their troubles, and FireEye immediately produced reports showing that Target was ignoring red alerts from the company. This made Target appear to be not only incompetent with their security, but also trying to pass the buck onto the first person in sight.
Obviously, none of these things are good, and the combined wrath of fines, inability to accept credit cards and a PR nightmare can devastate or even destroy the stoutest of organizations. Because of this, it is incredibly important to have defenses in place. Employees should be educated to keep private data safe, and it is very important to have network security equipment in place, such as firewalls and VPNs. Systems that take in sensitive data, such as POS systems, should be updated and have all communications secured and encrypted.
Alejandro
