Module Two – Data Breach Repercussions

Few phrases concern businesses more than the words ‘data breach’ and it seems not a week goes by without a high-profile data breach recorded in the media.

Introduction
Data security and the Contact Center
The financial impact of Cyber Crime
Test your Knowledge

Introduction

Welcome to the second module of PCI Pal’s Summer School!

Few phrases concern businesses more than the words ‘data breach’ and it seems not a week goes by without a high-profile data breach recorded in the media. In Module One, we learned about the stringent requirements of PCI DSS for handling card payment data. Now we discover more about data breaches, the implications of these and non-compliance with PCI DSS, as well as the overarching challenges faced in complying with data privacy laws.

Data security and the Contact Center

So, what is a data breach? Whilst once considered to occur when personal information was accessed without authorization, the definition of a data breach has developed with the ever-increasing digital world we live in. The GDPR defines a data breach as a

“breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Having data encrypted by ransomware or destroyed is also classed as a data breach, even if the data was never read by an unauthorized user, because the definition covers loss and destruction as well as disclosure. Selling data on to a third party when the organization holding it had no consent or other legal basis to do so is likewise a breach.

All businesses are exposed to cybercrime and must treat the protection of their customers’ personal data as a top priority. The contact center, which handles large volumes of personal and payment data every day, is a particularly attractive target for cybercriminals.

Whatever the business, if it is processing and storing sensitive information – whether that is customer payment details or employee information – it is that business’s responsibility to keep it safe or face serious financial sanctions.

The financial impact of Cyber Crime

PCI Compliance and associated fines

Although achieving and maintaining good data security practices such as PCI Compliance builds trust with customers, it’s important to remember that being found non-compliant could cost businesses more than just reputation, whether or not they have suffered a data breach.

As we know from Module One, if a business stores, processes or transmits payment card data, it must comply with the PCI DSS requirements. The objective is to ensure that, wherever cardholder data is present within an organization, it is adequately protected.

Even if payment handling is outsourced to a third party, responsibility for compliance still rests with the business as well as the outsourcer: the merchant remains accountable to its acquirer for the cardholder data processed on its behalf and must be able to show that each service provider it relies on is itself compliant. If the business is found to be non-compliant with PCI DSS requirements, it will most probably face financial costs, such as:

Fines

Fines are levied by the card brands on the business’s acquiring bank, which passes them on to the merchant. The amounts are at the acquirer’s discretion but have been known to range from tens to hundreds of thousands of pounds.

Recurring charges

Businesses may also face recurring non-compliance fees on their merchant account. Again, these are entirely at the discretion of the acquirer but have been known to run into hundreds of pounds a month.

Increased costs of insurance and claims

Non-compliance increases the risk of cardholder data being exposed should the business suffer a data breach. It is also a signal to insurers that the business’s wider security controls may be weak, so the business is treated as high risk. This can increase premiums and may affect the outcome of a claim if one has to be made.


Data privacy laws and associated fines

Credit card data is personally identifiable information (PII), which means it is subject to more regulation than PCI DSS alone. Within Europe the General Data Protection Regulation (GDPR) sets out how personal data must be stored, transmitted and handled.

PCI DSS and the GDPR overlap rather than replace each other. Cardholder data is personal data, so a compromise of it is also a personal data breach under the GDPR, and a failure to protect it with appropriate security measures can breach the GDPR’s own security obligations. A business that loses card data can therefore face GDPR penalties on top of the PCI DSS costs described above.

Financially, this can mean a fine of up to €20m or 4% of the business’s annual global turnover, whichever is higher, in the most severe cases.

But fines are not just limited to data in the EU:

[Graphic: examples of data privacy laws and fines in jurisdictions outside the EU]

But it is not just immediate fines that should concern businesses. Legal responsibility for data security falls on the merchant, and a breach can lead to lawsuits from affected customers.

If businesses choose to ignore PCI DSS or their other data protection responsibilities, they are not just risking a set of small charges from their banks and merchant services. Should they suffer a breach of financial data, the cost is likely to snowball, because the data protection laws of every jurisdiction whose residents are affected can apply. On top of the fines, legal fees and payouts, consumers are likely to take their money elsewhere after a breach, adding lost revenue to the loss of reputation and trust.


Consumer trust and spending habits

As consumers become more aware of data security and of the value of their personal information, that awareness increasingly shapes whether, and how much, they spend with organizations that have suffered a security breach.

Research shows that 44% of UK consumers and 83% of US consumers will stop spending with a business for several months in the immediate aftermath of a security breach or hack.

Even more significantly, a further 41% of UK consumers and 21% of US consumers say they will never return to a brand or business after a breach, representing a permanent loss of revenue. For any consumer-facing business, these figures offer a stark warning.

Test your Knowledge

Which of the following is classed as a breach of data?


When a business processes and stores sensitive information, who is responsible for keeping the data safe?


If a business stores, processes or transmits payment card data, what do they need to comply with?


What % of UK consumers asked would not return to a business post breach?


What % of US consumers asked would not return to a business post breach?


How much can a business be fined if found to breach GDPR?


How much could a breach of PIPEDA cost a Canadian business?


How much could a breach of The Australian Privacy Act cost an Australian business that suffers a data breach?


How do small-medium enterprises prove their PCI compliance annually?


Why not take a look at the next module?

Module Three looks at Building a Human Firewall
