The news headline “Jimmy John’s Notifies Customers of Payment Card Security Incident” caught our attention because the credit and debit card information was stolen at 216 Jimmy John’s locations, some of which are in states where Taft has offices (Arizona, Illinois, Indiana, Kentucky, and Ohio). Taft continues to develop services to protect and advance client and community interests.
Following are five important questions from the Taft Cybersecurity practice that your organization should be able to answer.
1. Do you continuously monitor your network and partners for security breaches? The Jimmy John’s data breach resulted from a compromised account of its point-of-sale system vendor. Jimmy John’s did not report how it learned of the data breach, but news of a breach often comes from the banks and financial institutions that issue credit and debit cards or law enforcement like the FBI. It is not enough to monitor your own networks. You must also pay attention to those of your business partners.
2. How long will it take you to detect and stop a data thief? It took Jimmy John’s more than seven weeks to learn of the data breach and another five weeks to contain or stop the theft of information. In its Sept. 24, 2014, press release, Jimmy John’s reported that it learned of the breach on July 30, 2014, and that the intruder stole data between June 16 and Sept. 5, 2014. Taking weeks, if not months, to learn of a data breach and then stop or contain it is not unusual. How long would it take your organization to stop a data thief?
3. How quickly will you issue notice of the breach to affected customers? The National Conference of State Legislatures recently reported that 47 states and the District of Columbia have enacted laws requiring private and government entities to notify customers of security breaches of personal identifiable information. The notice requirements for your business must be minimally in line with those of local laws and preferably of a nature to keep your customers informed before they learn of the data breach from other sources. For instance, Ohio law requires customer notification of a data breach under certain circumstances “in the most expedient time possible but not later than forty-five days following…discovery or notification of the breach.” (Ohio Rev. Code § 1349.19.)
4. Will there be regulatory fallout? Many states require that notice of a data breach be provided to the attorney general, and requirements placed on an organization vary based on state laws and the type of breach. Target Corporation reported in its recent Form 8-K filing that its 2013 data breach has been the subject of investigations by state and federal agencies, including state attorneys general, the Federal Trade Commission, and the Securities and Exchange Commission. So, in addition to class action lawsuits brought by customers and lawsuits by business partners, your organization may also have to defend an investigation or prosecution from state or federal agencies.
5. How will your other business partners be affected? Just as Jimmy John’s was a victim to a business partner’s compromised security, so too is Jimmy John’s a potential security threat to its partners, e.g., franchisees, vendors, and financial institutions. You need to protect your business through insurance and appropriate contract language for indemnification from your business partners, but you must also adopt best practices to demonstrate that your business takes data security seriously.