When shoppers swiped their credit and debit cards to pay for purchases at Barnes & Noble stores last year, they didn’t expect to have their card and personal identification numbers (PINs) stolen. But hackers had breached point-of-sale keypad card terminals at 63 Barnes & Noble stores in nine states.
When the company discovered the attack in September 2012, it decided as a precautionary measure to discontinue use of all PIN pads in its nearly 700 stores.
At the Justice Department’s request, the company did not inform consumers of the data breach for more than a month so the FBI could investigate the crimes first. Although it did notify customers in late October, the retailer’s website at press time said the company was still seeking to identify compromised accounts.
Barnes & Noble thus became the latest in a long string of companies to face the public relations nightmare, financial drain and potential legal risks of coping with a significant data breach.
An October Ponemon Institute study found the average annual cost of cybercrime was $8.9 million per year per company, with a range of $1.4 million to $46 million. The companies in the study experienced on average 1.8 successful cyber-attacks per week.
The frequency of such incidents has made data security the top legal concern of 55% of in-house counsel, according to the 2012 Law and the Boardroom Study by Corporate Board Member and FTI Consulting. A plethora of federal and state laws designed to protect consumers also has helped push data protection to the top of the compliance priority list.
“Regulators understand that there are sophisticated criminals out there, but they also expect you to take the necessary reasonable steps to protect information,” says Linda Clark, senior counsel for data security and compliance at Reed Elsevier. “You may not get credit for doing the right thing, but if you don’t ... you will almost certainly not be looked upon favorably.”
Doing the right thing starts with encryption, the process of encoding information so it is unreadable to hackers. At least 46 states have enacted security breach laws requiring notices to consumers, but if personal information is encrypted, notice generally is not required.
“Following industry best practices encryption standards remains very helpful in minimizing both reporting requirements and litigation exposure in the event of a data breach,” says Michael Pennington, a partner at Bradley Arant Boult Cummings.
The safe harbor only applies if the decryption keys that allow the data to be viewed are not compromised. Therefore, strong key management is essential.
“The company should confirm that the decryption key was not stored with the encrypted data,” says Philip Gordon, head of Littler Mendelson’s privacy practice group. “As long as that is the case, the data owner would have no notification obligation.”
Experts strongly recommend encryption for mobile devices, which are easily stolen. For example, someone stole a laptop computer from a NASA employee’s locked vehicle on Oct. 31, 2012, the latest in a series of data breaches at the space agency. The laptop contained personally identifiable information for a large number of NASA employees, contractors and others. According to NASA, although the laptop was password-protected, it did not have whole disk encryption software, which means the thief could easily access the information it held. NASA pledged to have all laptops fully encrypted by Dec. 21, and in the meantime banned all unencrypted laptops from leaving NASA premises.
But encryption isn’t always effective in an ever-evolving technology environment. Pennington says data thieves apparently stole the Barnes & Noble data at the point of purchase, before it could be encrypted. According to some experts, even encrypted data no longer deters skilled hackers. “Business and criminals are constantly working against each other to come up with the latest technology to thwart the other in this area,” Pennington says.
This article was originally posted at InsideCounsel.com, a sister site of Credit Union Times.