The news seems to be full of stories about the latest credit card security breach. The story is always the same: Thousands of credit card holders wind up with their card information in the hands of thieves. Breaches happen for many reasons, but the result is an unhappy customer who loses trust in the business. After all, if a company can’t keep information secure, why should that business be trusted with future orders?
Recovering from a security breach is possible, especially when the business is proactive. Customers want to know that the business has their best interest in mind. Find out how you should handle the situation with clients and what your next steps should be.
Image via Flickr by Philip Taylor PT
Sadly, yes. Thieves will always be thieves, and they’re always on the lookout for the easiest opportunity to steal information. You can’t just rely on a POS system to securely store credit card information. Hackers have figured out how to gather the data and turn that information into something usable.
Social engineering is another ongoing problem. Thieves pose as authority figures who seek passwords and other sensitive information from those in charge of customer accounts. Employees trained to respond to authority figures are the weakest link in these situations. Staff can give out information without realizing that they’re putting data into the hands of thieves.
Transmitting data over Wi-Fi network comes with its issues. If someone forgets to place the security setting on a router, anyone can tap into the network. A hacker using a “sniffer” can grab data and store it on a hard drive, then sift through the data later for usable information.
These thefts can happen to a business that has a low-risk or high-risk merchant account. Thieves don’t discriminate when stealing information.
After you see a theft, find out what information the thieves took. What data was taken, how much, and when did the theft occur? While time is of the essence, being thorough in your investigation is also important. The thief may not have accessed highly valuable information, but they harvested data they shouldn’t have. Or, perhaps the thief got into one database out of many, and those affected need to be contacted. Save time and panic by targeting who to tell and who not to tell.
Always contact customers to let them know what happened, what steps they need to take, and what the business is doing to handle the situation. While honesty is always the best policy, limit the information to what customers need to know.
Notify law enforcement authorities of the data breach. Also, consult with state law to determine if you need to follow reporting guidelines. A business needs to follow state laws for a data breach or potentially face fines for failing to report a violation properly.
A business needs to figure out where and how the security breach happened. Investigate internal routines, ask how data gets collected, and decide whether the theft was a one-time event or whether the problem goes deeper. A dedicated security team may need to examine business systems and networks to find out how the data breach took place. But don’t forget about the affected customers.
Unfortunately, customers won’t return to the business after a security breach caused them an inconvenience. What the business can do is to offer help with credit monitoring services or deliver a steep discount for a product or service. Customers want to know that the business is taking the steps to at least make up for the inconvenience. While offering some token of goodwill isn’t going to make everyone happy, the outreach can help demonstrate that the business wants to position itself as a reputable operation.
Minimize the potential for a security breach before one takes place. Test your system and network security, make sure all employees use secure passwords, and lock down all sensitive information so that only responsible parties can access that information. Customers may not see everything you do behind the scenes to protect their data, but thieves do and will move on to a less-secure target.