What’s the News?

In October 2014, California Attorney General Kamala Harris released the California Data Breach Report, the state’s most recent analysis of data security threats facing businesses and consumers. The Report, which notes a dramatic 28 percent increase in data breaches in California in 2013, serves as a reminder to businesses nationwide of the constant threat of increasingly sophisticated cybercriminals — and the need for new and better approaches to safeguarding sensitive information.

Retailers Are a Top Target

While data security is a serious concern across all industries, a key takeaway from the Report is the special vulnerability of retailers. Retail data breaches accounted for 26 percent of all reported breaches in 2013, more than any other sector of the economy. In addition, retail breaches have the potential to reveal massive amounts of stored information. In 2013, 84 percent of all breached records in California were the result of retail breaches.

Unlike in other industries, the large majority of retail breaches are the result of targeted efforts involving malware or hacking. Typically, skilled cybercriminals — often members of transnational criminal organizations — are able to hack into retailers’ computer systems and retrieve customers’ payment card data or Social Security numbers, which they sell on the black market. A single breach can be devastating. But not only large corporations are at risk: retailers of all sizes have been targeted — and the smaller the company, the less able it is to bear the cost of a breach.

What Businesses Need to Know Going Forward

As the Report explains, there are a number of methods retailers can use to prevent data breaches. Most importantly, retailers should utilize technology that devalues customer payment card data, reducing the incentive for hackers and thieves. For example, encryption can be used to disguise payment card data from its receipt at point-of-sale terminals through the purchase authorization. Similarly, tokenization, which makes payment card data unreadable by replacing it with a surrogate value, is a smart way to protect data in storage and during post-authorization processes.

As always, businesses in all industries should be vigilant about compliance with applicable regulatory requirements. As discussed in a previous alert, Massachusetts now requires businesses to ensure that third-party service providers protect their customers’ personal information. And the California Data Breach Report makes several legislative recommendations, including strengthened breach notification requirements. Expect other states to follow suit and consider new laws in light of the upswing in data breaches.