Though over 70% of data security breaches are targeted at small businesses or particular industries [1], it’s rare that the business itself discovers the breach. Most events are detected by a law enforcement agency or a third party, such as a bank or a card association, that notices a rise in fraud that can be traced back to a specific merchant (the so-called common point of purchase). When a breach of payment data is reported (or even suspected), it kicks off a series of unavoidable and costly actions:
- A mandatory forensic examination: The card associations require that a merchant suspected of having a data breach undergo a forensic examination to determine if a breach has actually occurred and, if so, to what extent. You will need to hire an outside examiner to conduct the investigation, which may last from days to weeks. This examination may require the shutdown of your point-of-sale system during that time in order to preserve evidence.
- Notification of customers: Most states require that customers, and in many cases the state attorney general, be notified if financial information is suspected of being compromised in a data breach. Depending on the number of customers and their locations, the process of sending notifications may cost thousands of dollars. What’s more, you may have to send written letters to each customer multiple times to ensure adequate communication with them.
- Credit monitoring for affected customers: You may be required to provide up to a year’s worth of credit monitoring and/or counseling services to customers affected by your breach.
- PCI compliance fines: As noted in a 2015 report by Verizon, “Of all the data breaches that our forensics team has investigated over the last 10 years, not a single company has been found to be compliant at the time of the breach.” If the forensic investigation shows that your business was not compliant with the PCI Data Security Standard (PCI DSS) at the time of your breach, the card associations and/or your acquiring bank may levy fines against your business, especially if the compromised cards have been used in actual fraud cases.
- Liability for fraud charges: Many merchants assume they have no liability for the fraudulent use of payment cards after a data breach. This is not necessarily the case; banks and customers may bring lawsuits seeking to hold the merchant liable for losses resulting from the security breach.
- Card replacement costs: Card issuers may require that you pay the cost of reissuing debit and credit cards of those customers whose data has been compromised.
- Upgrade or replacement of POS system: Depending on what is uncovered to be the source of the breach, you may have to invest in upgrading or replacing your POS system, including servers, software and/or card swipe devices.
- Reassessment for PCI compliance: Once you have repaired or replaced your POS system, in order to qualify to accept payment cards again, you must undergo a complete PCI assessment by an external qualified security assessor (QSA).
When all is said and done, the direct costs of a data breach can be substantial for a small business. The numerous indirect and non-monetary consequences can be equally or even more damaging:
- Loss of customer confidence and trust.
- Damage to your brand and good business reputation, especially as word travels quickly through social media and review sites.
- Considerable time that you and other employees will have to devote to dealing with and recovering from the breach event.
- Loss of payment card privileges, meaning your business will not be permitted to accept debit and credit card payments if the card associations refuse to do business with you.
Considering these various significant impacts, it’s critically important that your business security strategy keep pace with the evolving threat of cybercrime.
[1] Tegan Blackburn, LLC, National Cyber Security Recognition, October 2014.