In 2015, we saw the United States government hacked by Chinese hackers, and we saw the US banking system take steps against the credit card fraud that follows data breaches when the major card companies implemented chip and signature technology. One major bank even went the European route and issued chip and PIN credit cards in the United States.
Moreover, on the front lines of industry, things are rapidly changing. As evidenced by excellent seminars at the IFA Annual Convention in February, the ABA Forum on Franchising in October, and Fox Rothschild’s own experience, 2015 was a year of transition in responding to data breaches. And that transition was to containment. Some of us are old enough to remember the Cold War, and containment–the idea that the Free World could keep Soviet-style communism in check by “containing” it within certain geographic boundaries–was the strategy.
What is containment in the context of data breaches? It is an acknowledgement that breaches and hacks of data systems are going to occur, and that 100% security is simply not possible. As my colleague Scott Vernick recently noted in Politico,
“Deterrence, 100 percent deterrence, is very hard to come by. Containment, I think you can do a much better job and get better results. Empirically, that’s what I’m hearing from clients and what I’m sensing about the way in which the cybersecurity industry is trending.”
In other words, while you still need to build a wall of defenses to deter attacks, you also need a plan to contain the damage when those defenses fail.
So, if containment is now the name of the game, what do you do? Start by taking the following steps:
- Acknowledge that, while necessary, security walls and other defensive measures are highly unlikely to be 100% effective at defeating determined hackers.
- Admit to yourself that breaches will occur.
- Have two plans in place: one for before the hack and one for after the hack.
- The “before” plan should include a detailed review of what data is stored on your systems and where it is stored. Map it out so you know. Also, take a hard look at whether you really need all of the data being stored: as storage has become cheaper, more and more data is being kept for longer and longer periods, and data you do not hold cannot be stolen from you. Importantly, conduct a review with all of your vendors, including what access their systems and accounts have to yours. In many of the high profile breaches of the last three years, vendors’ systems were used as a “back door” into the primary target.
- The “after” plan is what to do once you learn of a hack. This means having your IT, insurance, PR, marketing and legal teams identified, and their response plans written, before you need them. Getting in front of the breach is essential. You want to reassure your customers and, if you are a franchisor, your franchisees, that you are putting their interests first.
Finally, franchisees and franchisors need to work together on data security. Franchisees are on the front lines too, and 45% of hacking attacks are directed at small businesses. Operations manuals must be updated to reflect best practices, including a requirement to carry cybersecurity insurance. Franchisors should audit their franchisees’ data security practices and, as we transition to containment, their plans for containment after a breach as well. While a franchisor can’t step in when a data breach is limited to a franchisee without some risk to the franchise model, that risk needs to be weighed against the potential harm to the brand. Properly implemented, containment can prevent the contagion of a data breach from destroying your brand.