When shoppers swiped their credit and debit cards to pay for purchases at Barnes & Noble stores last year, they didn't expect to have their card and personal identification numbers (PINs) stolen. But hackers had breached point-of-sale keypad card terminals at 63 Barnes & Noble stores in nine states.

When the company discovered the attack in September 2012, it decided as a precautionary measure to discontinue use of all PIN pads in its nearly 700 stores.

At the Justice Department's request, the company did not inform consumers of the data breach for more than a month so the FBI could investigate the crimes first. Although it did notify customers in late October, the retailer's website at press time said the company was still seeking to identify compromised accounts.

Barnes & Noble thus became the latest in a long string of companies to face the public relations nightmare, financial drain and potential legal risks of coping with a significant data breach.

An October Ponemon Institute study found the average annual cost of cybercrime was $8.9 million per year per company, with a range of $1.4 million to $46 million. The companies in the study experienced on average 1.8 successful cyber-attacks per week.

The frequency of such incidents has made data security the top legal concern of 55% of in-house counsel, according to the 2012 Law and the Boardroom Study by Corporate Board Member and FTI Consulting. A plethora of federal and state laws designed to protect consumers also has helped push data protection to the top of the compliance priority list.

“Regulators understand that there are sophisticated criminals out there, but they also expect you to take the necessary reasonable steps to protect information,” says Linda Clark, senior counsel for data security and compliance at Reed Elsevier. “You may not get credit for doing the right thing, but if you don't … you will almost certainly not be looked upon favorably.”

Doing the right thing starts with encryption, the process of encoding information so that it is unreadable to anyone who does not hold the decryption key. At least 46 states have enacted security breach laws requiring notices to consumers, but if personal information is encrypted, notice generally is not required.

“Following industry best practices encryption standards remains very helpful in minimizing both reporting requirements and litigation exposure in the event of a data breach,” says Michael Pennington, a partner at Bradley Arant Boult Cummings.

The safe harbor only applies if the decryption keys that allow the data to be viewed are not compromised. Therefore, strong key management is essential.

“The company should confirm that the decryption key was not stored with the encrypted data,” says Philip Gordon, head of Littler Mendelson's privacy practice group. “As long as that is the case, the data owner would have no notification obligation.”

Experts strongly recommend encryption for mobile devices, which are easily stolen. For example, someone stole a laptop computer from a NASA employee's locked vehicle on Oct. 31, 2012, the latest in a series of data breaches at the space agency. The laptop contained personally identifiable information for a large number of NASA employees, contractors and others. According to NASA, although the laptop was password-protected, it did not have whole disk encryption software, which means the thief could easily access the information it held. NASA pledged to have all laptops fully encrypted by Dec. 21, and in the meantime banned all unencrypted laptops from leaving NASA premises.

But encryption isn't always effective in an ever-evolving technology environment. Pennington says data thieves apparently stole the Barnes & Noble data at the point of purchase, before it could be encrypted. According to some experts, even encrypted data no longer deters skilled hackers. “Business and criminals are constantly working against each other to come up with the latest technology to thwart the other in this area,” Pennington says.

This article was originally posted at InsideCounsel.com, a sister site of Credit Union Times.
