Canadian Underwriter

One easy way for retailers to manage cyber risk

July 30, 2018   by Greg Meckbach


Retailers can reduce cyber liability risk if managers know exactly where computer files containing sensitive information are stored.

Many retailers are “expanding their digital footprints” and storing personal information – such as customers’ names and addresses – on computers, noted Rocco Galletto, leader of Deloitte’s Cyber Security Managed Services practice in Canada, in an interview Friday.

Quite often what happens is a retailer “didn’t realize that a particular piece of data” was on “that particular” computer server or electronic storage device, suggested Galletto, commenting in general and not on any particular retailer.

A breach of sensitive data can be caused by “physical theft of electronic data,” a malicious insider or employee error, notes Wawanesa Insurance.

A retailer can be punished by government privacy officers – and even sued by people whose sensitive information was compromised – in the event of a data breach. This is true even if the retailer is innocent of any wrongdoing and the customer does not suffer a financial loss.

For example, Home Depot – whose payment card system was hacked in 2014 – agreed as part of a settlement to provide a fund of $250,000. That money is meant to compensate customers for the risk of a fraudulent charge on credit cards, the risk of identity theft and the inconvenience of checking their credit card statements.

Many commercial carriers offer insurance covering the cost of a lawsuit arising from such an event.

Retailers “need to inventory where their data is stored,” Galletto said.

“It’s about knowing where your [computer] assets are and where the information is contained on those assets – the servers, the storage and such,” Galletto added.

To manage cyber risk, retailers should have a data retention policy – which stipulates how long they retain certain pieces of data, Galletto said Friday, commenting in general and not on any particular incident or retailers.

There are processes for properly deleting computer data so that a criminal cannot recover it, he noted.

For example, to dispose of a computer hard drive, it should not simply be thrown in the garbage or recycling. Instead, the data needs to be “wiped” permanently, added Galletto.
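As an added example (not from the article, Deloitte or any retailer named here), a small Python inventory scan that does the two things Galletto describes: it reports which files under a directory contain Luhn-valid card-number-like values, and flags files older than a retention period. The directory layout, the test card number and the 365-day retention window are constructed sample data.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used on card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Masked card-number-like values in text that pass Luhn (cuts most false hits)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])  # never log full PANs
    return hits

def scan_tree(root: str, retention_days: int = 365) -> list[dict]:
    """Inventory files under root: which hold card data, which are past retention."""
    findings, now = [], time.time()
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        pans = find_pans(path.read_text(errors="replace"))  # tolerate binary content
        age_days = int((now - path.stat().st_mtime) // 86400)
        if pans or age_days > retention_days:
            findings.append({"path": str(path.relative_to(root)), "pans": pans,
                             "age_days": age_days, "past_retention": age_days > retention_days})
    return findings

def demo() -> list[dict]:
    """Build a constructed sample tree and scan it (sample data, not real records)."""
    root = tempfile.mkdtemp()
    (Path(root) / "orders").mkdir()
    # Constructed: a well-known Luhn-valid test card number and a 16-digit ID that fails Luhn.
    (Path(root) / "orders" / "export.csv").write_text(
        "name,card\nJane Doe,4111 1111 1111 1111\nJohn Roe,4111111111111112\n")
    old = Path(root) / "archive.txt"
    old.write_text("loyalty members 2015\n")  # no card data, but stale
    stale = time.time() - 800 * 86400  # backdate mtime to 800 days
    os.utime(old, (stale, stale))
    return sorted(scan_tree(root), key=lambda f: f["path"])
```

Pointing `scan_tree` at a real file share gives the "where is it stored" inventory and the "what is past its retention date" list in one pass; the Luhn check alone is not proof of card data, so findings still need a human look.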

Even if a retailer is not storing payment card data, a customer can still be vulnerable to identity theft. This is because a cyber criminal can “piece together” information (date of birth, for example) on that consumer from different databases, Galletto warned.

Several Canadian retailers have warned in securities filings of cyber risk posed by storing sensitive information.

For example, Laval, Que.-based Alimentation Couche-Tard Inc. (whose brands include Circle K) said it acquires “large amounts of personal data, including credit and debit card information” from customers as well as sensitive information about employees, business partners and vendors. Couche-Tard officials believe the firm has “adequate security controls” over its data but a breach “could nonetheless occur,” Couche-Tard said in its management discussion and analysis of its financial results for the year ending April 29, released July 9. A data breach could result in fines or lawsuits, Couche-Tard warned.

Indigo Books and Music Inc. (whose retail brands include Chapters and Coles) reported this past May that its reputation could be harmed if there is a breach of records it holds containing sensitive information on employees and customers.