Teachable moments from the Zappos breach


As online retailer Zappos tends to the fallout from the massive data breach it revealed Jan. 15, security experts are sizing up its response. InformationWeek's Mathew J. Schwartz outlines eight lessons experts are taking from the incident:

No. 1: Planning in advance for a breach softens the blow. It appears that Zappos, which is owned by Amazon.com (NASDAQ: AMZN), had some important security measures in place, such as hashing user passwords and keeping credit card information in a separate database.

No. 2: Having a response plan ready, including a breach notification system, can ease the post-breach process. Zappos notified employees and customers of the breach by email.

No. 3: Wasting time before warning customers about the breach rarely helps. Zappos issued a "clear, timely notification" to customers, instructing them to change their passwords.

No. 4: Following PCI DSS requirements, particularly cryptographically storing credit card numbers, is not just an empty compliance burden; it's a security step that can save real money.

No. 5: An email notification to customers probably isn't sufficient. "Disappointingly, there is no mention of the security breach on the front page of the Zappos website--one platform you would imagine they would use to inform their customers that there was a security problem of which they should be made aware," said Graham Cluley, senior technology consultant at Sophos.

No. 6: It would be useful to prepare to handle site traffic from users outside the United States following a breach. The Zappos site was not accessible to non-U.S. users as of Tuesday.

No. 7: Using a trusted external site to post important information for users seeking access from outside the United States can be helpful.

No. 8: Enlisting the entire company to address the breach's aftermath makes it look like the company is doing everything possible to help customers.

For more:
- see Mathew J. Schwartz's article at InformationWeek
