Articles & Blogs

A Retailer’s Guide to Protecting Customer Data


Retail establishments collect and maintain a wealth of confidential data, not the least of which is credit and debit card information of customers. This type of data makes retail establishments particularly likely to be targeted by hackers; this industry has been one of the top five targeted industries for the past several years. Two of the largest hacks were against national retailers. Both breaches allowed hackers to access customer credit and debit cards, and in both attacks, hackers were able to gain access through hacking a third-party vendor.

Any retailer who collects personally identifiable information of individuals online will be subject to a number of laws and regulation about gathering, protecting, and disseminating customer data. It is vital for all retailers, and particularly those doing business online, to have an organization-wide security program. The recommended elements for such a program may vary depending on the company’s size, online sales, and other use of technology. In any case, a retail establishment must internalize and adopt some sort of program to prevent unauthorized access to customer and employee information and to protect itself from liability, should any such access occur. With that in mind, a retail establishment’s organization-wide security program certainly should include the following elements:

  1. A written information security policy made available online to all customers (and employees upon hiring and annually thereafter, with required acknowledgment of receipt and defined disciplinary steps for violations.)
  2. Annual training of employees with regard to the importance of data security and implementation of the information security policy.
  3. Classification of data stored by the retail establishment by degree of confidentiality, and access controls limiting employees from viewing or downloading data not within their level of access or necessary purview.
  4. A data breach response plan, designating the responsible persons within the company to be notified of any potential breach, identifying pre-screened IT vendors and outside counsel to assist in the response, and outlining the requisite steps to be followed by the team, including remediation of the breach, identification of affected records, and notification in accordance with applicable state or country’s laws to customers and other individuals whose personally-identifiable information was included in those records.
  5. Third-party outside audits by independent vendors conducting risk assessments, security audits, and penetration testing on some regular basis (frequency determined by the degree of risk created by the nature of the retail establishment’s practices, customers, and operations.)
  6. Record retention policies that limit the amount and type of electronic and paper records maintained by the company and providing for destruction and deletion of those records on a schedule in line with industry standards.
  7. Mandatory use of a virtual private network or similar utility for remote access to the company’s network and requirements for encryption of documents transferred to any removable media, laptop, smartphone, or other device, so that files are not accessible from any such device lost or stolen.
  8. Other appropriate technological tools for the shutoff of remote access, allowing the disabling or deletion of devices remotely, and requiring regular changing of mandatory complex passwords for access to the company’s network.
  9. Controls on physical access to the company’s offices and facilities to prevent the theft or loss of paper files and third-party access to computer hardware on-site.
  10. Policies for vendor access to the company’s network and physical locations, along with indemnification language in contracts with vendors allocating the risk for a data breach resulting from any intentional or negligent acts by the vendor’s employees.
  11. Due diligence in the selection and use of cloud-computing vendors to store and maintain confidential documents to ensure the vendor has adequate safeguards in place to protect that data.
  12. Appropriate cyber-insurance in addition to or as an endorsement to general liability policies.

Cybersecurity is a constantly changing area that affects all of us on a daily basis. While there is a sense of apathy among those outside of the arena, retail establishments have a legal responsibility to take reasonable steps to ensure that customer information is adequately protected from inadvertent or unauthorized disclosure or unauthorized access. Proper training and policies in cybersecurity practices are essential for all retail establishments.