More and more companies are investing in cybersecurity insurance, which is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption and network damage.
By Mark E. Battersby, Contributing Editor
The dangers of Internet hacking and cyber thefts continue to make the headlines. This fall, Home Depot discovered a data breach that had apparently been going on for several months. Late in the summer of 2014, the theft of 1.2 billion usernames, passwords and email addresses by a Russian gang was revealed. Before that it was a massive theft of data from Target Stores Inc.
Unfortunately, fraud and financial data losses are not limited to retailers or even to one industry, making it extremely important for every convenience store business to protect its data and information.
Today, with c-store businesses of every size involved with some form of Internet connection and data storage of customer lists, books, records, receipts, tax documents, point-of-sale (POS) data, intellectual property and trade secrets, every retailer should recognize the security threats and risks inherent in living in a digital world.
Protection Basics
All businesses now correspond through e-mail, transfer information through the Internet, and hold training and business meetings online. Many businesses are even completely paperless. Responsibility for the protection of this data increasingly falls on the c-store business.
While the greatest risk might seem to lie with high-profile and high-risk businesses, it is small- to medium-sized businesses that are increasingly finding themselves at risk of data breaches and hacking attacks. According to a recent study by the U.S. Secret Service and Verizon, more than 72% of all data breaches occurred in small- and medium-sized businesses.
Any convenience store chain that collects names, social security numbers or other sensitive customer information, such as the data that is gathered as part of a loyalty program, is required by law to take the steps necessary to protect this data from loss and theft. It is the c-store operation’s obligation to protect the data and the financial information of its customers, suppliers and employees.
Problem Times 10
So-called “cyber hacking” is big business and, as mentioned, no one—not individuals, not small businesses and not large corporations—is safe. All of a c-store operation’s data, including customer names and contact information, employee names and social security numbers, and supplier information, is valuable to a cyber-hacker.
In the U.S., most states have breach notification laws, and other countries are following suit. Under many of those laws, written notification must be sent to those affected. Even where such laws are not in place, a reputable c-store business should provide breach notification.
It should come as no surprise that social media sites can expose information at light-speed with little control. It is becoming more and more likely that a convenience store business’s reputation will suffer from a cyber security breach.
It’s not only a business site but also an employee’s activity on social media sites that can trigger liability, especially if the business is responsible for the sites. Defamatory statements, leaked information and copyright infringement are all growing concerns.
Unfortunately, losing the trust of customers can be much more damaging than the financial loss of repairing the effects of any breach. Making matters worse, a business can be held liable for the loss of third-party data. If there is a data breach, the operation could find itself facing expensive damage claims.
DIY Risk Management
How can any retail business manage the increasing threat of data security breaches and reinforce their security practices? Security experts agree that the easiest place to start is with strong password protection.
Yes, password protection—something a surprising number of IT-sophisticated businesses often fail to master. Many recently exposed hacking cases have been traced back to weak passwords that were neither encrypted nor “salted,” or that were not changed regularly. Some cases even still used the factory default passwords. Salting is a way to randomize hashes by adding a random string (called a salt) to the password before it is hashed, so that identical passwords produce different hashes, which makes the password hashes much harder to crack.
If managing passwords for all of the operation’s servers, apps, cloud services, databases, tablets and laptops seems daunting, there are affordable password management professionals and software that will do it for you—usually avoiding the big price tag often associated with cyber insurance.
Other tips to help secure a c-store business’s data, reduce its liability and, in many cases, reduce the cost of insuring against potential losses, include:
• Get a firewall. There are hardware and software approaches that are both cheap and easy to use.
• Conduct regular assessments of possible risks to reveal hardware, software and individual site vulnerabilities.
• Computers that are used for sensitive applications, such as making electronic bank deposits, should be isolated from the rest of the c-store business’s network.
• Control access to data by limiting delivery and exchange of documents and information to secure channels.
• Get anti-virus software and use it. There are a number of popular packages, most of which are relatively inexpensive. Although free updates are usually included, make sure to update the program regularly or, better yet, allow the software to do so automatically.
• When an employee or contractor who has had access to the system leaves the c-store business, the employer should make sure their passwords are no longer usable. (Many employers lock an employee out of the system just before or at the same time he or she is being terminated.)
• Create—and implement—a data security plan that includes immediate notification of all affected parties. In many cases, it is the law.
• Share the liability by demanding similar protocols with suppliers, and checking for compliance.
Insurance to the Rescue
Little of a c-store business’s data is typically covered by insurance. Thus, liability for any loss of business, customer or employee data is probably not protected under a c-store operation’s insurance policies. Admittedly, some business insurance policies might offer general liability protection.
Directors and Officers (D&O) liability may, for instance, provide a measure of coverage for these areas. A business interruption insurance policy rarely helps in the event of a system failure because of a malicious employee, computer virus or a hack attack on a c-store business.
Identity theft, telephone hacking and phishing scams are all very real possibilities rarely covered by traditional business interruption policies.
Unfortunately, as the risk escalates, it is only after a hack attack that many retailers discover what is and what isn’t covered by their insurance policies and, by then, it’s usually too late.
Cyber Insurance
While few so-called “umbrella” or blanket liability insurance policies cover these types of losses, a relatively new type of policy, cyber liability insurance, is available. Cyber liability insurance has been available for almost 10 years, although it’s very rarely purchased.
Cyber liability insurance can cover hacker attacks, viruses, and worms that steal or destroy a c-store business’s data. Even e-mail or social networking harassment and discrimination claims can be covered along with trademark and copyright infringement.
This type of liability insurance will often cover lost profits resulting from a system outage caused by a non-physical peril such as a virus or attack.
A c-store business purchasing cyber liability insurance enjoys special protection from most digital issues. The new cyber insurance products available today can help protect the business from cyber problems that could cause tremendous hardships.
When looking into cyber insurance, common sense dictates that all potential risks should be covered including laptops, mobile phones and other portable devices that make it much easier to both store and to lose information. For example, a missing USB stick, a stolen iPad or a laptop left in a taxi are all real possibilities and, for a hacker, a gold mine.
There are also viruses being built just to attack mobile devices.
A good insurance company will ensure a policy holder has all the protection in place that is possible. They can make sure a firewall is in place to protect the network and help create social media policies that reduce risk.
Even if data is stored in the cloud, the c-store business may still be liable for a breach. Although controlling how a cloud provider handles the business’s data is almost impossible, cyber insurance can protect any operation from their mistakes.
Large corporations often have risk management budgets, while small businesses usually don’t. Unfortunately, most hack attacks target operations with fewer than 250 employees, a group where few have the financial means to pay the fines and lawsuits that can result from breaches or data losses, or to stay afloat throughout the process.
Hacking Threats
A few statistics to keep in mind about cyber risk:
• The cost of a data breach per record is $204.
• That cost can add up quickly. According to a Ponemon Institute report, the average total per-incident cost of a data breach was $6.75 million.
• Identity theft is the second most common concern among Americans today, according to Travelers’ Consumer Risk Index.
• A recent Pew Research survey showed 21% of Internet users have had an email or social networking account compromised or taken over by someone else without permission.
The bottom line for many retailers and their businesses is this: Hackers are getting more sophisticated every day, sometimes forming syndicates of like-minded criminals to share information and new techniques. Businesses, even independent convenience stores, are increasingly in their crosshairs and need to use every protection strategy available to combat the growing cyber threat.
Credit Card Liability Issues
Credit card companies have long sought ways to make credit card use safer and more secure for consumers. Widespread implementation of chip-and-pin cards remains on the horizon. More recently, Visa is tackling fraud at one of its more common sources: the gas pump.
Visa recently announced new software intended to protect consumers and gas stations by trying to detect the likelihood that someone is using a stolen, lost or counterfeit credit card to fill up. Visa Transaction Advisor, which is reportedly already in use at 25,000 service stations, analyzes 500 pieces of data that have already been collected about cardholders, such as location and past transaction history, to create a risk score between 0 and 100 for each card being used and to warn merchants.
While credit card theft is a major problem for many consumers, as merchants, every convenience store retailer should be aware of their ever-increasing liability. When, for instance, a brick and mortar merchant accepts a credit card, and the charge is authorized, and assuming the business conforms to the card company’s regulations, they will get paid, even if a stolen credit card is used. In general, when it comes to who is liable to pay for credit card fraud, the card company typically picks up the costs.
However, the business that accepts the card will still have some associated costs that are not covered by this. These include the costs to process an order, to handle the chargeback, the shipping costs, etc. If a charge goes through with a stolen credit card, the c-store may be hit with a chargeback, which can include not only having to refund money for a purchase but also penalties and fines from the card issuer, depending on terms set forth in the merchant agreements.
Although liability may or may not be limited, there are severe penalties for losing credit card data. Many merchant service agreements state that a business will be responsible for the expenses of forensic investigations, credit card reissuance costs and the fraud conducted on the stolen cards.
Bottom-line: liability for lost, stolen or misused credit card data may be limited, but every retailer needs to be aware of their responsibilities.