PCI DSS. If your company deals with credit cards and you don’t know what those letters stand for, you should. While the public relations nightmares, response costs and expensive class action defense fees associated with major data breaches garner most of the headlines in the mainstream media, many companies that are victims of data breaches also face significant compliance costs, penalties and fines as a result of contractual relationships with credit card companies, credit card processors and banks. These all stem from a company’s failure to comply with PCI DSS.

So what is PCI DSS? It’s the Payment Card Industry Data Security Standard, which is the proprietary information security standard for organizations that handle branded credit cards from the major card brands, including Visa, MasterCard, American Express and Discover. PCI DSS compliance is an ongoing process and is far too complicated to discuss in detail here. For an overview of PCI DSS and the complete requirements, you can go here. But for our purposes, we will just focus on the risks of not complying.
Continue Reading

In 2014, we saw some of the largest, most expensive and most highly publicized data breaches in history. Unfortunately, the early forecast for 2015 does not appear to be any better. According to Experian’s 2015 Data Breach Industry Forecast, the risk of experiencing a data breach is higher than ever (almost half of all organizations have suffered at least one security incident in the last 12 months). In the Information Age, it has become increasingly clear that the question is when, not if, a company will have a cybersecurity incident. 

Speaking in June 2014 at a cyber risk conference at the New York Stock Exchange, SEC Commissioner Luis Aguilar emphasized the critical role that directors and officers must play in cybersecurity matters:

Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s oversight responsibilities. . . . [B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility do so at their own peril.

So what should directors and offers do to avoid becoming the “next Target” or the “next Home Depot?” 
Continue Reading