By John C. Stivarius, Jr.
From Restaurant INFORMER, 2014, Vol. 4, Issue 4
Recent news has carried accounts of various businesses that have been victimized by security breaches giving intruders or hackers access to credit card information. Jimmy John’s had a potential security breach involving customers’ credit and debit card data at 216 of its stores and franchised locations. The breach allegedly was caused by an intruder who obtained log-in information from a vendor and then remotely accessed the point-of-sale systems. P.F. Chang’s China Bistro was victimized by an intruder who stole the credit and debit card information of customers for nearly eight months. These are just a few of the many examples of data breaches that seem to permeate the news.
Is your business taking affirmative steps to reduce the likelihood of a cyber attack? There are essentially two types of attacks. One involves the point-of-sale system at the location, where the theft is of information stored locally. The other happens over the internet, against information stored at host locations. The most pertinent question for any business is “Do you know where you currently stand?” You also need to be thinking about:
- How capable is the business in the protection of the data?
- When is the last time the data was cleaned of extraneous metadata, eliminating IP addresses, email addresses and the like?
When customers allow their data to be stored, they expect the business to take every measure to protect it. If the information is stolen, the customer will most certainly blame the business. Once this happens, the business's reputation and credibility are at stake, trust is reduced or eliminated and potential liability soars. It does not matter whether your business is a Fortune 100 company or a smaller operation.
Below is a list of some of the steps a business may take to reduce its exposure to a cyber-hacker. The list is not exhaustive; these are suggestions to consider.
- Always store customer data in an encrypted database. This makes the data much more difficult for a hacker to use if it is acquired.
- Avoid using a single password to access any database storing customer information. Use multiple layers and require that the passwords be changed regularly and frequently.
- Check to make certain your business is running a malware detection system on the servers and workstations and take steps to ensure the applicable firewalls are up at all times and secure.
- Clean your information. Review the currently published documents and web pages and eliminate unnecessary metadata, internal names, IP addresses, email addresses and the like. This may discourage a potential attacker since the attacker generally searches for these types of information.
- Inform and educate everyone in the business, from the top to the bottom, to understand the enormity of keeping the information protected and secure and how to protect it. For example, initiate well-designed procedures and back them up by training and a general culture of strictness in the procedures.
- Always approach this problem knowing that adjustments must be made. Keep your software, malware detection and encryption up-to-date. Implement some type of security controls and frequent checks.
- Check your insurance policies to see whether coverage is available for data security breaches.
- Have your counsel review the hold harmless agreements and make sure the clauses cover data security breaches.
- Have a disaster plan ready to implement in the event of a data security breach. These plans will prove very valuable in the event your business is the unfortunate victim of an attack. Document the changes you have made, the security steps you have taken and the updates your business makes.
As much as businesses are attempting to reduce their exposure, hackers are working equally diligently on breaching the security. These protections are an ongoing, living necessity.
Mr. Stivarius heads the Complex Litigation Group at Elarbee Thompson Sapp & Wilson, LLP in Atlanta, Georgia.