According to the 2015 State of Data Security Intelligence study, only 25% of UK businesses believe they are capable of detecting all data breaches, and only 33% rated themselves as very good at containing breaches when they do happen – even though a single data breach can now cost a company on average over $3m.
While it’s the last thing we expect or want to happen, a data breach is always a possibility for any contact centre, and being prepared for the worst could save you not only from further data loss, but from losing a significant amount of money too.
Should the worst happen, here’s a handy guide on what to do and when…
A data breach might never happen, but that doesn’t mean preparing for one is a bad idea. In fact, PCI DSS Requirement 12.10 suggests the first reaction to a data breach should be to implement your Incident Response Plan.
In the event of a breach, having a detailed and comprehensive plan is your best chance of mitigating its impact, so ensure you have one drawn up and sent out to any responsible parties. Make sure the individuals involved have a clear understanding of the arrangement and their part in it so that your response to a breach can be immediate and effective.
However, just having a plan isn’t enough; make sure it is also thoroughly tested and run through several times to limit the risk of mistakes or missed steps in the event of an emergency.
Have a PFI on Retainer
While hiring a Payment Card Industry Forensic Investigator might not always be necessary, some acquirers or payment brands require an investigation even when a breach is only suspected, so make sure you know your obligations.
It can be a good idea to hire a PFI on retainer so their services will be immediately available to your contact centre should you need them. Bear in mind that all PFIs must be completely independent from your company, with no links to any third-party providers that you use.
When a data breach is detected, it can be tempting to log in to your compromised system and change all your passwords (or shut it down and reboot it entirely) in an attempt to take back control and minimise data loss. However, doing so can be the fastest way to wipe out vital evidence that will help your PFI identify the cause of a breach.
Part of your call centre’s incident response plan should be to preserve as much evidence as possible by following these simple steps:
- Do not log in to or switch off a compromised system.
- Instead, learn how to isolate your system from the network – for example, by unplugging the network cable – to minimise data loss immediately.
- Preserve all logs from the time of the breach.
- Make a record of any action you do take, including dates, times and the member of staff involved.
For a PFI to work as effectively as possible, it is vital that your employees understand the PFI’s role and are available to talk with them on request. Make sure your employees understand that it is not the PFI’s job to find someone at fault, merely to identify the nature of a breach and prevent it from happening again.
A clear understanding of this will ensure your employees are completely transparent, helping the PFI to conduct their investigation much more quickly.
Notify Relevant Parties
Most payment cards, banks, business partners, and third-party providers will require notification of a data breach by contract, so it is essential you contact the relevant people as soon as you can. Your PFI might also require access to third-party facilities so it’s a good idea to have an arrangement drawn up in advance to allow this to happen quickly and easily.
Act on Advice Immediately
A PFI should begin an investigation within five working days to ensure any faults or weaknesses in your system are identified as soon as possible. Once you have their report and advice, it must be acted on immediately to prevent further data loss or a successive breach. If necessary, update your incident response plan with any recommendations and make sure all employees are aware of any changes made.
If you’d like to find out more about PCI DSS compliance and how data security risks can be mitigated with a secure card payment solution – prevention is the best cure, after all – please get in touch with our expert consultants today.