A Day at the Breach | NACS Online – Magazine – Past Issues – 2010 – June 2010
The Association for Convenience & Fuel Retailing

A Day at the Breach

Brought to you by NACS EZ PCI

Most retailers don’t know about the growing legislation and regulatory reach surrounding personal data, a trend that promises to increase in stringency and affect almost every function within your retail organization. To give you an idea of that reach, here are a few processes that occur regularly at the average store.

Hiring: Your store manager receives an application for part-time employment. On that application is personal data protected by most states and pending federal regulation. Does your company have a policy on how that application is received, forwarded to corporate, stored in the employee file and eventually destroyed? If you use an outside firm to do background checks, does it have a privacy policy? Increasingly, your company is liable for the theft of essentially any personal information beyond name and address.

Extending Credit: Your wholesale business extends credit to stores operating as a DBA, LLP or even a corporation with personal guarantees. Under the Federal Trade Commission’s FACTA "Red Flags" rule, you are classified as a "creditor" and are obligated to have in place a program to:

  • Identify ways personal data can be compromised.
  • Detect attempted compromises.
  • Respond "appropriately" to any compromise.
  • Keep your program up to date.

When you combine the increased legislative focus on personal data with PCI requirements, you quickly see similar challenges, only with different data to protect.

This is why NACS stresses establishing a "data security czar" in your organization who has the authority and cross-functional scope to build an enterprise-wide data security policy. With your czar in place, your organization can adopt a standardized cultural and training approach that reduces the threat of a data compromise.