With major data breaches making headline news on a near-weekly basis, the retail industry is increasingly focused on cybersecurity. When creating their cybersecurity plans, retailers should:
• Create a strong cybersecurity team that is cross-sectional, and include personnel from legal, information technology, human resources, and communications or public relations departments. The team should also include at least one member of senior management.
• Conduct a “privacy survey,” which is the process of identifying the legal, regulatory, and contractual obligations to protect data. Among other things, retailers should consider their obligations under state laws to protect “personally identifiable information” (“PII”), which generally includes data that can be used to identify a specific individual including social security numbers, driver’s license numbers, financial account information, and other identifying information.
Retailers should also consider their contractual obligations, which likely include obligations to protect payment card information (“PCI”) under the rules established by card brands like Visa and MasterCard.
• Understand their technical systems, including developing a detailed understanding of where sensitive data is stored.
• Segregate sensitive data from regular data and protect it with additional physical, technical, and/or procedural safeguards (including firewalls, password protection and encryption).
• Implement “privacy by design” when developing cybersecurity solutions. This means that the company should create policies and procedures that account for customer privacy, legal compliance, and data protection throughout the data lifecycle (i.e., collection, processing, storage, and destruction).
As part of this effort, the company should develop comprehensive policies to address privacy and data security, including:
- A “bring your own device” (BYOD) policy governing whether, and under what circumstances, employees can use their own devices to conduct company business;
- A password policy requiring the use of strong, complex, unique passwords;
- Personnel policies (including onboarding and off-boarding policies) that enhance security; and
- A network tracking policy requiring regular monitoring of network traffic for evidence of suspicious access.
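The segregation of sensitive data (firewalls and access controls around the sensitive store) and the network tracking policy above work together: once the sensitive store sits in its own segment, "suspicious access" becomes something that can be checked mechanically. The script below is an added illustration, not part of the original article and not any retailer's real tooling. It assumes a constructed key=value access-log format, a constructed sensitive host name (`pii-db-01`), an allowed source segment (`10.20.0.0/24`), business hours and a bulk-read threshold; all of these are placeholders chosen for the example.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed example values: the segregated PII store, the network segment that
# is allowed to reach it, the hours during which access is expected, and the
# number of rows above which a single read is treated as a bulk pull.
PII_HOSTS = {"pii-db-01"}
ALLOWED_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 UTC
BULK_ROW_THRESHOLD = 1000

# Constructed sample log lines (not real traffic), in a simple key=value format.
SAMPLE_LOG = """\
2024-03-02T14:05:11Z src=10.20.0.15 dst=pii-db-01 user=alice action=query rows=12
2024-03-02T14:06:40Z src=10.20.0.15 dst=app-web-03 user=alice action=query rows=3
2024-03-02T23:41:02Z src=10.20.0.22 dst=pii-db-01 user=svc_report action=query rows=4800
2024-03-03T09:12:55Z src=192.168.5.9 dst=pii-db-01 user=bob action=query rows=40
2024-03-03T09:13:01Z src=10.20.0.9 dst=pii-db-01 user=carol action=export rows=250000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) rows=(?P<rows>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["rows"] = int(rec["rows"])
    return rec


def review_access(log_text):
    """Return (timestamp, user, reason) findings for accesses to the PII store
    that break the segmentation or fall outside the expected pattern."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in PII_HOSTS:
            continue   # only traffic to the sensitive store is in scope here
        reasons = []
        if rec["src"] not in ALLOWED_SEGMENT:
            reasons.append("source outside segregated segment")
        if rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("access outside business hours")
        if rec["rows"] >= BULK_ROW_THRESHOLD:
            reasons.append("bulk read of %d rows" % rec["rows"])
        for reason in reasons:
            findings.append((rec["ts"].isoformat(), rec["user"], reason))
    return findings


if __name__ == "__main__":
    for ts, user, reason in review_access(SAMPLE_LOG):
        print(ts, user, reason)
```

On the constructed sample this reports the after-hours bulk read by the reporting account, the query from a host outside the sensitive segment, and the large export; the first and last are the kind of event a "regular monitoring" review should put in front of a person, and the middle one is evidence that the firewall rules around the segment are not doing what the policy assumes.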
• Train employees on how to identify and prevent attempted cyber-attacks.
• Manage vendors and scrutinize the adequacy of their cybersecurity policies and procedures before entering into a business relationship with them. Contractual safeguards should be taken to minimize risk, including by requiring safeguards to protect sensitive data, providing rights to audit the vendors’ security practices, and requiring vendors to notify the company if a breach occurs. The contract should allocate risk in the event that a breach at the vendor harms the company. (Among other things, companies should consider requiring vendors to carry cyber insurance, and to name the companies as additional insureds.)
• Engage in cybersecurity information sharing through, for example, the Retail Cyber Intelligence Sharing Center (“R-CISC”). The R-CISC allows industry players to keep abreast of evolving cyber-attack tactics and industry security standards.
• Consider cybersecurity insurance, which, depending on the policy, may cover (i) forensic investigation and system restoration costs; (ii) defense and indemnity costs associated with litigation resulting from the loss of personal information or other sensitive data; (iii) defense costs and penalties associated with regulatory investigations; (iv) notification costs and credit monitoring for affected customers and employees; (v) losses attributable to the theft of the policyholder-company’s own data (including transfer of funds); (vi) business interruption costs attributable to a cyber-attack; (vii) costs required to investigate threats of cyber-extortion and payments to extortionists; and (viii) crisis management costs, such as the hiring of public relations firms.
Unlike many traditional policies, cyber liability policies are not (yet) based on a standard form, so their terms vary significantly from carrier to carrier. It is therefore critical to carefully review the exclusions of cyber policies with a broker and coverage counsel. (For example, carriers may try to rely on breach of contract exclusions to deny coverage for assessments arising from payment card information breaches because retailers are often contractually obligated to pay such assessments.)
• Develop an incident response plan, which is a detailed plan that outlines how a company will respond to suspected cyber-events. These plans help companies quickly and effectively investigate and remediate attacks. Among other things, an incident response plan should identify the leaders of the response team and present easy-to-follow, scenario-based responses to different types of cyber incidents. For each scenario, the plan should clearly delineate the first steps that must be taken and include a timeline of major investigative events.
The plan should also provide for the involvement of experienced legal counsel in all aspects of the investigation of a suspected cyber-event (including communications about the potential event, remediation efforts, and disclosure and reporting) to ensure that the investigation is protected under the attorney-client and work product privileges. Privilege is critical because the company may soon find itself the defendant in a variety of lawsuits, including lawsuits by regulators, customers, issuing banks, or investors.
• Develop a business continuity plan to facilitate rapid and efficient data recovery and resumption of operations. This is important because cyber-attacks may result in victim-companies losing access to their data and systems. For example, many companies have been affected by the Cryptolocker malware, which encrypts (and renders useless) the company’s data unless and until a ransom is paid. If companies are not prepared for these types of attacks, they may suffer a substantial interruption of services that can be extremely costly.
The first step in creating an effective business continuity plan is identifying critical systems. Systems should be prioritized in order of the maximum time that each can be down without causing substantial harm to the business. The company must then select a back-up system.
In considering which back-up system to choose, the company should consider the following factors: how quickly the data needs to be restored, how much data must be stored, and how long data must be maintained. It is critical that the company’s back-up system be sufficiently segregated from the company’s day-to-day systems so that a cyber-attacker cannot access the back-up system during an attack.
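The business continuity steps above (rank systems by the longest outage each can tolerate, then test each candidate back-up against restore speed, volume, retention, and segregation from day-to-day systems) can be written down as a small planning check. The code below is an added example, not from the original article and not based on any real retailer's inventory; the system names, sizes, tolerable downtimes and back-up options are constructed placeholders. The segregation test it applies (separate credentials, and no ability for a production host to delete the copies) is one reasonable reading of "sufficiently segregated," chosen for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    max_downtime_hours: float   # longest outage tolerable without substantial harm
    data_gb: float              # volume that must be restored to resume service
    retention_days: int         # how long copies must be kept


@dataclass(frozen=True)
class BackupOption:
    name: str
    restore_gb_per_hour: float  # measured restore throughput, not backup speed
    retention_days: int
    separate_credentials: bool  # production admin accounts cannot log in to it
    production_can_delete: bool # a compromised production host could wipe copies


# Constructed inventory and options (illustrative numbers only).
SYSTEMS = [
    System("point-of-sale", max_downtime_hours=2, data_gb=50, retention_days=30),
    System("ecommerce-orders", max_downtime_hours=4, data_gb=800, retention_days=60),
    System("hr-records", max_downtime_hours=72, data_gb=120, retention_days=365),
    System("data-warehouse", max_downtime_hours=1, data_gb=5000, retention_days=30),
]

OPTIONS = [
    BackupOption("nightly-nas-share", restore_gb_per_hour=400, retention_days=14,
                 separate_credentials=False, production_can_delete=True),
    BackupOption("offsite-snapshots", restore_gb_per_hour=150, retention_days=400,
                 separate_credentials=True, production_can_delete=False),
    BackupOption("warm-standby", restore_gb_per_hour=2000, retention_days=60,
                 separate_credentials=True, production_can_delete=False),
]


def recovery_order(systems):
    """Prioritise systems so the shortest tolerable outage is restored first."""
    return [s.name for s in sorted(systems, key=lambda s: s.max_downtime_hours)]


def shortfalls(system, option):
    """List the reasons an option fails a system's needs (empty if it fits)."""
    problems = []
    restore_hours = system.data_gb / option.restore_gb_per_hour
    if restore_hours > system.max_downtime_hours:
        problems.append("restore takes %.1fh, exceeds %.1fh limit"
                        % (restore_hours, system.max_downtime_hours))
    if option.retention_days < system.retention_days:
        problems.append("retention %dd < required %dd"
                        % (option.retention_days, system.retention_days))
    if not option.separate_credentials or option.production_can_delete:
        problems.append("not segregated: an attacker on production could reach it")
    return problems


def choose_backup(system, options):
    """Return the name of the first option with no shortfalls, or None."""
    for opt in options:
        if not shortfalls(system, opt):
            return opt.name
    return None


if __name__ == "__main__":
    print("recovery order:", recovery_order(SYSTEMS))
    for s in SYSTEMS:
        chosen = choose_backup(s, OPTIONS)
        print(s.name, "->", chosen or "NO OPTION FITS")
        if chosen is None:
            for opt in OPTIONS:
                print("   ", opt.name, shortfalls(s, opt))
```

Two things the numbers bring out that the prose only states: the nightly share is rejected for every system even where it restores fast enough, because production can delete it, which is exactly the copy a ransomware-style attack would destroy; and the constructed data warehouse has no fitting option at all, which is the signal to either relax its tolerable downtime, reduce what must be restored to resume service, or budget for a faster restore path before an incident rather than after.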
Conclusion
A strong cybersecurity program is an essential part of any long-term business strategy. Retailers developing their approach to cybersecurity should ensure they incorporate the features discussed herein.
Emily Westridge Black is an attorney in the Austin office of Haynes and Boone, LLP, and Chris Quinlan is an attorney in the Dallas office. Both specialize in data security, white-collar criminal defense, and the prosecution and defense of compl