Data breaches aren't just worrisome for customers and financial firms. They can cost retailers millions of dollars to rectify.
Among the most recent notable data breaches is the Uniqlo Japan hack in May 2019 in which hackers reportedly accessed more than 460,000 accounts.
As retailers continue to collect more consumer data, cybersecurity experts say companies need to implement a comprehensive data protection strategy that includes training employees across departments, appointing internal cybersecurity representatives, vetting third-party partners and deleting unnecessary consumer data.
While retailers want to collect as much consumer data as possible to better serve customers (and thus potentially gain an edge over competitors), collecting more data means they'll need to be responsible for safeguarding the information they gather, Lillian Hardy, partner at law firm Hogan Lovells, said in an interview. She specializes in cybersecurity and data privacy-related investigations.
Now that storing data is more affordable, companies would rather store consumer data than delete it, Evan Sills, director of the security risk management firm Good Harbor, told Retail Dive in an interview. Companies think that having more information about consumers is better, but compiling too much data from customers directly, or from third-parties, makes it difficult for companies to discern what data points are worth deleting, he added.
"I've had companies tell me, 'We've been in operation for 35 years. We've never deleted anything.' Do you still need that information?'"
Partner, Culhane Meadows Haughian & Walsh
With data coming from various sources, companies have also amassed so much consumer data that they often don't know exactly what personal data they have, where they stored it, or where or when they obtained it, Linda Priebe, a partner specializing in data privacy and security at law firm Culhane Meadows Haughian & Walsh said in an interview. Companies need to map out where data is stored, determine how it is protected and develop a records retention protocol for deleting old data, she said.
"I've had companies tell me, 'We've been in operation for 35 years. We've never deleted anything.' Do you still need that information?'" Priebe said. "Those legacy systems may be vulnerable, because they don't get the upgrades for the most recent security protections."
Experts cite third-party partners such as vendors, suppliers and consultants as potential cybersecurity risks. Just as companies would ask questions about how a potential company runs, they should also ask about their third-party collaborator's security procedures, Sills said.
Firms may not be able to comprehensively vet their third-party partners' cybersecurity efforts, but Sills recommended companies start by locating and prioritizing their most significant risks based on two key categories: where the company's proprietary data is stored and which third parties have access to valuable information. Retailers should also ask whether partners have a chief information security officer, a position that shows how sophisticated they are in their data protection efforts, he added.
Consumers have pushed back against tech firms like Google and Facebook now that they have become more aware of how they share personal data, Sills said, adding that emerging technology that retailers are introducing like the Amazon Echo has brought forth security and privacy concerns. Amazon employees, for example, reportedly listen to Amazon Echo interactions to improve the voice assistant's responses to inquiries, a practice that seems invasive to many.
Retailers should also check if their third-party partners have the International Organization for Standardization's 27001 certification, said Priebe and Sills, with Sills adding that National Institute for Standards in Technology also has a thorough framework for cybersecurity.
While executives and consumers are aware of risks, cybersecurity experts say retailers need to conduct interdepartmental collaboration to prepare for data breach risks. Retailers should also include other departments of the company, including their communications, marketing or government relations departments, in their cybersecurity preparedness efforts, Hardy said. He added that retailers need to appoint representatives within each department who can take charge during a data breach.
Employees as a security threat
Employees can be a source for data breaches, too. Employees sometimes send sensitive information over email, steal confidential information or need more adequate cybersecurity training, Priebe said.
In general, most people don't realize that email is not a secure, confidential way to share information, and mobile apps don't have the best reputation for data protection, Priebe said. Retailers also need to make sure they're on the lookout for malware, a leading cause of data breaches, she said.
Misguided approaches to company technology can also lead to data breaches, experts note. A big mistake some companies make is allowing staffers to use their technology to work, but this policy could lead to leaks of company information and make it harder to wipe devices clean of data, Priebe said. Businesses need to also limit employees' access to sensitive information like customer credit card data, she said, adding that employees should not be sending financial information via email.
Beyond training employees to look for common breach tactics like phishing emails, Sills said companies need to weave cybersecurity awareness into the fabric of the company. Cybersecurity should be discussed during the onboarding of new employees and employees should be able to alert whoever is in charge of cybersecurity when they spot suspicious activity, he said.
Both Bret Cohen, cybersecurity expert and partner at Hogan Lovells, and Sills said they conduct exercises with clients where company executives come together and discuss how they would navigate a simulated cybersecurity crisis.
Developing a communication strategy around cybersecurity breaches can be particularly challenging for brands. In "run-of-the-mill" breaches, the brand can quickly determine what happened and what information was stolen. But in other instances when the consequences of the breach are unclear, retailers may not want to come forward until they can explain what happened, Hardy said. On top of harming credibility, brands also worry about complying with regulations that dictate when certain kinds of consumer data are taken during a data breach, Hardy added.
"The pressure on retailers has greatly increased due to a couple recent, large-scale breaches that are very prominent in the public," Cohen said, citing the resignation of Target CEO Gregg Steinhafel after the retailer's infamous data breach. "That has gotten a lot of attention at the board level."
No brand wants to get backlash from consumers after a data breach. But beyond unflattering headlines, Hardy said retailers could be hit with class action civil litigation from consumers, enforcement action from the FTC or a derivative lawsuit from shareholders if a breach drags down the company's stock price.
"There's definitely a lot of ways that [retailers] would have to respond in court after a data breach," Hardy said. "As we've seen in the news, there are a lot of notable, everyday-name companies that have, unfortunately, lost control of data held for U.S. consumers. The result of that can be significant."
Following the rollout of the General Data Protection Regulation in the European Union, companies are also paying attention to the California Consumer Privacy Act of 2018, which could set the standard for the future, Cohen said. Though many have not been passed into law, multiple states have introduced bills aimed at safeguarding consumer privacy, a sign that more U.S. lawmakers are paying attention to data protection, Cohen said.
As it stands, Hardy said, there is a patchwork of U.S. regulations with which retailers must comply, but Cohen added that retailers should keep an eye out for a new federal law.
"We see other states starting to talk about bills, and it's going to be prohibitively difficult to comply with these rules all around the country," Cohen said. "On the other side of the aisle, there have been discussions about how to best put in place a federal privacy law that still put in meaningful protections but doesn't overburden businesses."
Until regulators decide how much data retailers can collect and what standards retailers must meet to protect that data, it's up to companies to determine how seriously they will take this ongoing problem, Cohen said, adding that ultimately it's impossible to stop every threat or risk.
"Retailers have all kinds of business units, and I think that there are many that have a role in an incident response team," Hardy said. "It's important that all types of people within the organization are prepared for this, because it's not enough that it be legal and compliance."