Google blacklists around 10,000 websites every day for malware, removing them from search results — and more importantly, malware can infiltrate customer data and expose your customers (and you!) to fraud and identity theft. Security breaches are a serious business.
To raise the bar on how companies respond to security issues, the GDPR introduces new rules governing what merchants must do when an EU resident’s data is exposed in a breach.
One of the continuing responsibilities of your “designated Data Protection Officer” is to ensure that your site is as secure as possible, which includes:
- Ensuring that your site is always using the latest version of WordPress.
- Ensuring that your site is always using the latest versions of WooCommerce and any other plugins.
- Deactivating and removing unneeded plugins or themes.
- Making regular, secure backups of your website data, especially WooCommerce data.
- Exporting and archiving completed orders to secure storage. The less data stored on your website, the less exposure you have — and the fewer customers you need to notify in the event of a breach.
- Requiring strong, unique passwords on all WordPress accounts.
- Limiting the number of people with access to wp-admin.
- Making sure each employee has a separate login. No shared accounts!
- Removing accounts immediately when employees or contractors leave your company.
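As an added example that is not part of the original post, the script below turns the plugin and account items of this checklist into a repeatable audit driven by WP-CLI output; it assumes WP-CLI (`wp`) is installed on the server, and `MAX_ADMINS` is a policy number you choose. The sample CSV at the bottom is constructed, not taken from a real store.

```shell
#!/bin/sh
# Added example, not from the original post: turns the hygiene checklist into a
# scriptable audit. Each function reads the CSV output of a WP-CLI command from
# stdin and prints one finding per line, so it can be fed live output, e.g.
#   wp plugin list --fields=name,status,update --format=csv | audit_plugins
# or the constructed samples at the bottom.

# Input: wp plugin list --fields=name,status,update --format=csv
# Flags inactive plugins (deactivated but still installed) and pending updates.
audit_plugins() {
  tail -n +2 | while IFS=, read -r name status update; do
    if [ "$status" = "inactive" ]; then
      printf 'REMOVE  plugin %s is installed but inactive\n' "$name"
    fi
    if [ "$update" = "available" ]; then
      printf 'UPDATE  plugin %s has a pending update\n' "$name"
    fi
  done
}

# Input: wp user list --role=administrator --fields=user_login,user_email --format=csv
# Lists every administrator for review against current staff and warns when more
# than MAX_ADMINS accounts (an assumed local policy) hold full wp-admin access.
MAX_ADMINS=2
audit_admins() {
  tail -n +2 | awk -F, -v max="$MAX_ADMINS" '
    { n++; printf "REVIEW  administrator %s <%s>: still needed?\n", $1, $2 }
    END { if (n > max) printf "LIMIT   %d administrator accounts exceed the limit of %d\n", n, max }'
}

# Constructed sample output standing in for a live store.
SAMPLE_PLUGINS='name,status,update
woocommerce,active,none
akismet,inactive,none
old-slider,inactive,available'

SAMPLE_ADMINS='user_login,user_email
alice,alice@example.com
bob,bob@example.com
shared-admin,shop@example.com'

printf '%s\n' "$SAMPLE_PLUGINS" | audit_plugins
printf '%s\n' "$SAMPLE_ADMINS" | audit_admins
```

Run it from cron or a deploy pipeline with the live `wp` commands piped in; a non-empty result is the signal to act on the checklist items above.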
What changed with the GDPR with regard to security breaches?
In addition to designating a Data Protection Officer, the GDPR requirements also include:
- Protecting personal data by employing techniques such as access restrictions, encryption, pseudonymization, backups, data minimization, and regular testing of all these techniques.
- Notifying the appropriate supervisory authority no more than 72 hours after becoming aware of a breach of users’ personal data, including the number of users whose data was exposed, the nature of the breach, and what actions are being taken to mitigate its effects.
- Communicating this information to the impacted users, especially if the data breach exposed any of their unencrypted personal data.
- Considering the needs of any law enforcement investigations before publicly announcing the breach.
As always, we recommend consulting an attorney for the specifics around your business and the types of personal data processing on which your site depends.
Create a Security Breach Checklist
You need a plan outlining what to do if you do get hacked; this guide lays out the key actions in more detail. Take a look and see what steps apply to you, then turn it into a checklist. At minimum, your checklist should include:
- Changing all passwords.
- Creating a fresh backup.
- Identifying the hack and removing the attacker’s code and means of access.
- Contacting any supervisory authority required, especially in the EU.
- Contacting impacted customers.
- Identifying preventative measures that will stop the hack from happening again, and taking action.
Some of these steps, particularly finding and removing the hack, might require professional help; decide who you’ll call in advance, so you’re not scrambling. If you have a big customer database, having a contact plan is also a good idea and will save you some stress.
Prevention Is the Best Medicine
Hopefully, your store will never be breached! These steps should help reduce your risk, or the severity of any breach that does happen. In the worst-case scenario, having a solid plan in place for dealing with the breach and informing your customers will reduce the fallout for everyone involved.
We’re heading towards the end of our GDPR series. Last but not least, we’ll explore why privacy is an ongoing process.