E-retailers can’t afford to wait until they suffer a data breach to figure out how to deal with such an attack, Chris Pierson, chief privacy officer and senior vice president at Citizens Financial Group, said last week at the Internet Retailer Conference & Exhibition 2011 in San Diego. “Make sure you have the relationships in place to combat breach,” he said. “Don’t do it on day one of the breach.”
That means a retailer has to know in advance who will handle each essential role, such as who will speak to the media. Doing so can prevent delays in notifying the public, which is often the biggest gripe voiced by consumers affected by a breach, he said. Most state and federal breach-notification laws require merchants to alert the public without undue delay.
“The biggest issue is usually consumers asking, ‘Why did you wait so long to let us know?’” he said. “It’s something every company has to deal with.”
Along with the internal employees who should be part of the pre-breach organization process, retailers should also decide whether they will work with a data breach response specialist who can help them navigate the various elements of a response, such as determining what data is at risk and which customers or entities, if any, must be notified under state laws.
As part of breach preparedness, retailers should also pursue every possible means of minimizing their exposure to fraud. For instance, they should ensure that they use end-to-end encryption, meaning card data is encrypted throughout the payment lifecycle: from the moment a card transaction is captured, through processing, and for as long as it is necessary to keep cardholder data on hand.
“You can’t stick your head in the sand,” he said. “You have to be ready.”