Written by Tara Swaminatha and Aravind Swaminathan

If your company has a Point of Sale (POS) terminal anywhere in its infrastructure, you are no doubt aware from the active media coverage that malware attacks have been plaguing POS systems across the country.

Just within the past week, the New York Times has reported that:

  • Companies are often slow to disclose breaches, frequently because of the time consumed by the investigations that must begin immediately;
  • Congress is beginning to make inquiries of data breach victim companies;
  • Even those companies who have conducted cybersecurity risk assessments still get attacked, often during the course of implementing new solutions to mitigate potential problems and protect their customers’ payment cards or other personal information; and
  • Former employees can be a source of information to the media about your efforts to investigate and secure your POS systems.

No Quick Fix

Even the best intentions, most competent efforts and unlimited budgets cannot fix a problem such as this overnight.  These fixes take time, and the need for them has become an unavoidable cost of operating POS terminals.

What should your company do?

(1) Launch a cybersecurity risk assessment, if you have not yet done so.

(2) Protect your risk calculations by engaging outside counsel and qualified cybersecurity experts to provide legal risk advice protected by the attorney-client privilege.  Keep C-suite executives and Boards of Directors informed.  The outside counsel, together with experts, should:

  • educate and advise directors and executives on legal and business risks associated with your company’s particular threats and vulnerabilities;
  • engage a qualified, experienced external cybersecurity team to review technical infrastructure and identify vulnerabilities stratified and prioritized by risk, likelihood of being exploited, and costs and time involved in remedying each one;
  • review operational procedures with a multi-disciplinary team drawn from across your company; these procedures are often overlooked and can have the greatest impact on the overall health of your risk profile;
  • help identify the most sensitive categories of information in your organization and develop data governance procedures tailored to your organization to add yet another layer of protection for your most sensitive assets;
  • regularly remind your team members, including those from third-party vendors engaged by counsel, about privilege and confidentiality obligations.

(3) Treat cybersecurity risk assessments and remediation efforts as an iterative process.  Constantly review your multi-disciplinary team’s recommendations as they change week by week or day by day.  Re-evaluate the spend allocated based on updated information about your risk landscape as the investigation and assessment progresses.

(4) Stay informed about updated regulatory requirements and case law on cybersecurity and privacy.  Ensure stakeholders understand these updates and charge them with implementing appropriate changes in their domains.

(5) Recognize that there is no such thing as perfect security, but that there is a tipping point beyond which your company will move out of the category of high-risk operations and into a safe zone.

(6) Allocate the necessary resources to get the job done – and done well.  If your company goes an extra mile in building security policies, procedures and technology that are better than industry standard, you can use your low risk profile as a market differentiator.  In addition to reducing litigation and reputational risks, validated strong security will increase customer confidence and loyalty.

(7) Review your insurance policies for adequate coverage to address interim risks.  While reputational risk cannot be insured against, insurance can be very valuable in the event of a breach.

In the retail industry in particular, the widespread compromises of Point of Sale Terminals, resulting in staggering amounts of payment card theft, are a hallmark of 2014.  A decrease in brand reputation alone is too high a cost to ignore.  If your company is – very understandably – not equipped to tackle the daunting task of finding and prioritizing vulnerabilities and choosing the best cybersecurity governance and technical plans, find someone who is.