The cost of data breaches for small businesses
When it comes to identity theft, many small-business owners leave the door wide open with a welcome mat inviting cyberattackers in. That may sound like hyperbole, but it's not far from the truth. Payment data thieves often target small businesses, expecting their security measures to be full of holes, and those assumptions are often correct. Trustwave research reports that small merchants account for 90 percent of the data breaches that impact businesses, and that the three industries hit hardest are retail, food and beverage, and hospitality.
Most of the time, small businesses aren't even aware that payment data has been stolen until another party tells them. A card issuer notices a sudden rise in fraud, traces the compromised cards back to a common point of purchase and contacts either the merchant or a law enforcement agency. This is a serious problem for merchants and consumers alike: the businesses most frequently targeted are also the least able to absorb the consequences, and those costs can be significant. Even a suspected data breach triggers a series of events that can damage or even ruin a brand.
If your business suffers from a data breach, the costs can be enormous, depending on the legal and regulatory requirements you need to comply with. Expenses may include:
Forensic examination of your payment system
Card brand rules require that even a suspected data breach be followed by an in-depth forensic investigation to determine whether a breach actually happened and, if so, how much data was exposed. The analysis must be performed by an approved investigator from outside the company, and it often requires you to take your point-of-sale system offline so that evidence is preserved rather than overwritten. These investigations typically cost between $20,000 and $50,000.
Communication with customers
Many states require companies to notify customers when their personal information may have been compromised. Depending on how many customers you have and where they live, these notifications can add up to thousands of dollars, particularly where written letters must be sent more than once to show that you made an adequate effort to reach each affected individual.
Credit counseling services
In some cases, you may have to provide credit monitoring or counseling services to affected customers for up to 12 months after the breach occurs.
Payment card industry fees
These can be among the largest costs for merchants. If the forensic investigation finds that your business was not compliant with the PCI DSS requirements at the time of the breach, the card brands and your acquiring bank can impose fines of $50,000 or more, and may also pass on the fraudulent charges and card-reissue costs that result from the stolen data.
Many merchants believe they are not liable for the fraudulent use of payment cards, but you can still be found liable in a lawsuit.
Card replacement fees
You may have to pay the cost of reissuing credit and debit cards to customers whose personal data was compromised.
Improving POS system
Depending on the cause of the breach, you may have to upgrade or replace your POS system to prevent a repeat. These investments may include servers, software and hardware.
PCI assessment after fixes are made
Once the security problems have been fixed, you will need a PCI DSS assessment from an outside Qualified Security Assessor before you can accept payment cards again.
The direct costs of a security breach can add up to enormous sums of money for a small merchant, but the damage does not stop there. The event can result in customers losing trust in your business, resulting in a public relations nightmare.
Loss of consumer confidence
When customers shop or eat at your establishment, they are trusting you to keep their personal information safe. A Ponemon Institute study found that more than one-quarter of affected customers end their relationship with the responsible business after a single breach. Avoid portraying your company as the victim of the breach: the customers are the real victims, and they are unlikely to extend you much sympathy.
Data breaches often affect a lot of people, and they often make the news. Even a small merchant with only a few hundred customers can expect some negative publicity, and news coverage, especially articles archived online, remains easy to find for years. The best approach is to be honest and proactive with the press. Once data has been compromised, it cannot be taken back; what matters afterward is how you will prevent future fraud.
Loss of business with payment card companies
Card brands such as MasterCard, American Express and Visa can refuse to do business with you after a breach. When customers lose the convenience of paying by card, they are likely to become frustrated and take their business elsewhere.
The costs to your reputation and bottom line are formidable enough, but what about the time and energy it will take to get your business back on track? As with most problems, the best way to keep customer data from being compromised is to take preventive measures before anything goes wrong. Check with your payments provider and make sure that your data security program stays up to date. Preventive maintenance will not only save you money and time; it may save your business.