Security Considerations for the Retail Employer
Tuesday, June 2, 2015
Security Considerations for the Retail Employer

Related Practices & Jurisdictions
Print Mail Download i

In today’s connected data-centric world, the reality is that, at some point, a retailer will likely experience a data breach. Despite this inevitability, consumers, employees, and business partners view such incidents with a critical eye and will want to understand what steps the business took to prevent the breach and mitigate the incident.

In the past year, there has been an explosion in the number of cyber-attacks targeting retail employee and consumer data. There has also been a corresponding increase in the number of lawsuits and government investigations challenging a retailer’s practices that led to the data disclosure. Unfortunately, these challenges have the benefit of hindsight and, thus, retailers must take reasonable steps to protect their data and be ready to effectively respond when an incident happens.

While not all breaches are preventable, there are several critical steps that retailers can take to manage risk with regard to security incidents and protect against a foreseeable incident.

a.     Risk Assessment

Conducting a risk assessment is perhaps the most important step in managing data breach risk. While there are a number of different frameworks for conducting a risk assessment, the assessment should at a minimum:

  • identify all systems and processes that contain sensitive information,

  • document potential threats and vulnerabilities to those systems and processes,

  • identify additional security measures to mitigate risks to an acceptable level, and

  • monitor the progress of mitigation.

If an organization has conducted a risk assessment and put in place measures to mitigate risk, it is in a good position to refute arguments that the organization did not take reasonable steps to protect its data.

b.    Training

Nearly all of the major breaches reported this year have had some element of social engineering associated with them. In general, social engineering involves an outsider manipulating employees into performing actions or divulging confidential information. The most common forms involve phishing emails and phone calls designed to trick employees into divulging their credentials to access company systems. While it is important for employers to have systems in place to filter emails from likely sources of social engineering attacks, no system is perfect and these messages will get through. Thus, employers cannot rely on technical safeguards and should develop training programs to educate employees on social engineering attacks and cyber security more generally. This training should be an ongoing process designed to keep employees up to date on the types of attacks happening and things to be on the lookout for.

c.     Information Security Frameworks

In a data breach dispute, the argument usually boils down to whether the controls that the business had in place to protect information were reasonable. The reality for employers is that there are an incalculable number of ways in which data can be lost or their systems can be compromised. Consequently, it is impossible for businesses to prepare for every contingency. It is therefore recommended that businesses adopt an industry accepted framework for information security management. There are a number of frameworks available (e.g., HITRUST, ISO, and NIST) and, if such a framework is adopted and followed, it becomes difficult for plaintiffs to argue that the controls put in place were not reasonable to protect information.

d.     Vendor Management

Retailers rely on a host of vendors that may have access to their sensitive data or systems. Many of the largest and most damaging data breaches have occurred not because of an organization’s actions but rather because of its business partners. As a result of this threat, retailers should be cognizant of whom they do business with and put in place a process to thoroughly examine the IT security practices of their business partners before giving them access to information systems or data. At a minimum, retailers should request and review all compliance documentation such as risk assessments, evidence of training, and policies and procedures. In addition, retailers should push out questionnaires to test the IT practices of potential business partners as part of the request-for-proposal process.

e.     Encryption

Sophisticated system intrusions from skilled hackers are difficult for most businesses to prevent. The majority of data breaches are caused by employees losing company-owned assets containing sensitive information. To prevent these types of breaches, retailers should ensure that all company-owned laptops, desktops, and storage devices are encrypted. Under both state and federal law, if information is encrypted using a certified methodology, it is considered unreadable and not subject to breach notification laws.

f.     Data Destruction

Retailers can minimize the impact of a breach by instituting data destruction policies to purge data from company systems when no longer needed for a business purpose. Limiting the amount of data in a business environment reduces the risk profile of the organization. Additionally, because sensitive data is often stored in unintended locations, the business should routinely scan its environment to determine whether data is being stored inappropriately. If hidden repositories are found, the data should be moved to the appropriate location and business processes should be updated to ensure that data remains secure.

g.     Patching and Penetration Testing

Given the litigious environment around data breaches, organizations can no longer take a passive approach to information security. Software and systems become outdated quickly and organizations must take active steps to identify vulnerabilities and update systems as soon as possible. Organizations should run regular vulnerability scans to determine whether their systems require patching to bring them up to date. Additionally, at least on an annual basis, organizations should invest in a comprehensive penetration test to determine if their systems are vulnerable to outside attack. Engaging in such practices allows the employers to show that they took steps to actively manage their environment if their practices become challenged following a security incident.

h.     Incident Response Plan

When a breach occurs, employers should be prepared to address the breach quickly and effectively. In order to effectively respond to a breach, an employer should have an incident response plan in place that is fully documented, regularly tested for operational effectiveness, and regularly updated. This plan should identify any reporting obligations and those who need to be involved as soon as a breach is identified. This team should include the internal breach response team as well as any vendors that the employer would use to mitigate the incident. Because contracts take time to negotiate, it is a best practice to identify breach vendors and enter into contracts before a breach occurs. The breach response team should have a defined hierarchy of who makes decisions on behalf of the organization and who is authorized to speak for the organization.

©2024 Epstein Becker & Green, P.C. All rights reserved.

Current Legal Analysis

More from Epstein Becker & Green, P.C.

Employment Law This Week Episode 346 - DOL’s Expanded Overtime Salary Limits, EEOC’s Sexual Harassment Guidance, NY’s Mandatory Paid Prenatal Leave [Video, Podcast]
by: George Carroll Whipple, III
Litigating Nutrition: Class Action Battles Over Dietary Supplements [Podcast, Video]
by: Theodora McCormick , Jack Wenik
Matters of Time - SCOTUS Today
by: Stuart M. Gerson
Importance of Negotiating Maintenance, Repair and Replacement Obligations in Health Care Leases
by: Allison S. Zangrilli , Zlata Fayer
Unpacking Averages: Assessing the Products Included in FDA's Voluntary Malfunction Summary Reporting Program
by: Bradley Merrill Thompson
Employees Not in the Transportation Industry Can Be Exempted from Arbitration Under the FAA
by: Chelsea Hadaway
Employment Law This Week Episode 345 - Spilling Secrets: FTC Nixes Non-Competes Nationwide—Now What? [Video, Podcast]
by: Peter A. Steinmeyer , Erik W. Weibust
Federal Update on Cannabis Scheduling: Are State Legalized Cannabis Dispensaries to Become Pharmacies?
by: Lisa Gora , Natalie Moszczynski
CMS Finalizes Medicaid Access Rule: Significant Changes Ahead for HCBS Industry
by: Jeremy A. Avila , Melissa A. Borrelli
State Supreme Courts and Ballot Initiatives: Arizona, Florida Exemplify the Abortion Battle Playing Out in the States
by: Erin Sutton , Annie Lucatuorto

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins