There was a recent article in CFO.com by the title as this article. In the article, the author Rotem Iram uses the hypothesis about a data breach that “You can’t lose a customer’s or an employee’s data if you don’t have it.” Essentially this article says ” A good offense will be your best defense.”
Therefore, you are a victim of a data breach. As I have written previously, it is not an “if,” it is a “when” scenario. How can you minimize the costs involved from both complying with federal, state and local laws and minimize regulator, if any, fines.
Mr. Iram’s contention, not to keep any data, specifically, data that will cost you money.
For example, if you do not keep customer’s addresses, you can be required to mail via the US Postal Service a letter telling them they’ve been hacked.
However, before he even proposed that ditty, he said destroy those records. His example on the surface makes sense; but if he were a CFO and not the CEO of a company that provides Cyber-Insurance he would know you just can’t do that willy nilly.
His example, “In 2015, the health insurer Anthem and its affiliates served 69 million customers, yet when they were breached that year, they exposed 78 million records. The extra nine million records most likely come from former customers.”
Now granted you can archive off-line old addresses. You can even destroy records that meet the statutory maximum age. However, he glossed over that point.
Not everything was off the cuff
He did make some very valid points.
- Make sure you log files capture the right data to prove that “even if they were attacked, no records were improperly accessed.”
- If you take credit-cards, make sure to only use chip readers. “MasterCard reported a 54% reduction in counterfeit card fraud costs at retailers who have switched to chip cards.”
- While he didn’t say this, I will suggest that you don’t keep records of the credit card transactions. Use a 3rd party merchant that is PCI compliant and just sends you the pertinent data for finalizing your order as being paid. As Mr. Iram said, if you don’t have the data, you can be held responsible.
- If you get breached, get experienced people to work the breach, your response and the on-going public relations nightmare.
- Lastly, which really should have been the first thing mentioned in this article; implement state of the art counter-cyber intrusion systems. They may not stop a breach but they do show that you have done everything possible which could minimize any fines or court awards when you lose the law suit(s) that will be filed.