The number of data breaches has skyrocketed. It is shocking at times, and it has affected nearly every American in one way or another. As a merchant you hope and pray that it never happens to you, but it could very well happen. At JLE Business Consultants we hope that a data breach never happens to your business, and by maintaining PCI compliance you greatly lessen the chances of it happening, but no website or computer system is 100% secure. So, if your business has been breached, what should you do?
That is the question that hundreds of merchants have asked themselves when faced with that horrible realization. First, let's get this out of the way: doing nothing is NOT an option. Do not sit on your hands and pretend that it will go away. It won't. In fact, it will only get worse.
If you have discovered a breach, once you start breathing again you need to act quickly. First, change all passwords: not only your own but those of all employees and everyone else who has access to the system, and that includes door codes. You need to determine what information was compromised and how it was compromised. This is of course easier said than done. Large companies have IT pros on staff who can do a forensic analysis; smaller merchants may not have that luxury, and someone may need to be hired to do this. Also notify your legal team. They will be key in the coming days, weeks and months, and they will be able to guide you on whom to contact and what to do.
Take any affected equipment offline (disconnect it from the network), but do not shut down, wipe or rebuild any system until the forensic analysis is complete; powering a machine off can destroy the evidence the analysis depends on. Once a machine has been cleared it can be brought back online. Don't forget to change the passwords if you haven't already. If a system was compromised, it could very well stay compromised until those credentials are changed.
Next comes the time to communicate. Most states have laws regarding data breaches and require notification when one happens. As painful (or frustrating) as it may be, notify whatever government entity requires notification. Internally, make sure that everyone knows. If your customers' information was inadvertently made public, the public or your customer base can help by being on the lookout for that information. Don't forget to also notify your local police department of the breach (this is identity theft, after all), and if your local police are not able to investigate, the state police or the FBI should be the next call. A data breach is hard enough; you don't need the government coming after you as well for a failure to notify them.
When it comes to your customers, be honest with them. There are some things that they may need to do on their end if their information has been compromised, and the sooner they get started, the easier it will be to resolve. You may not have all of the answers, especially in the first few hours or days, but be honest with them. They may be angry with you, but they will at least appreciate you being upfront about it, and it may save the relationship.
When the root cause has been identified, it should be corrected immediately. Whether it is a software issue, a hardware issue or a physical security issue, it is time to live and learn. No one is perfect, after all. Some of the changes may be extreme and require everyone to change the way things are done. That is the way things go.
Once the issue has been fixed, security will be on everyone's mind, but over time that attention will relax. Don't let it. Keeping your business as safe and secure as possible should be at the forefront. That is what maintaining PCI compliance is all about. No system is 100% secure, as has been evident in the past few years, so make sure that you do everything you can to avoid a data breach.