FROM THE HILL
By Ashley Ailsworth
Sealing the Cracks
Containing Costs in the Data-Breach Era
“Data breach” is a term used to describe a wide variety of lapses in security that result in unauthorized access to information stored in electronic form. High-profile mega data breaches receive the greatest media attention, but small and mid-size companies face the same risks.
“We often hear about the large Fortune 500 companies getting hacked, but most of the reported data breaches in the United States happen to small businesses,” said Adam Baille, senior vice president at Liberty Automotive Group. “This is because small businesses don’t usually have the protections and security in place like the large corporations do, and they are usually much easier to infiltrate.”
From malware that collects login and password information to hackers getting their hands on unencrypted data and the theft of credit- and debit-card information during payment transactions, the opportunities for modern criminals abound. “Today, the targets in the automotive aftermarket are the retailers, wholesalers and manufacturers who collect customer credit card and personal information data,” said Bob Corwin, first vice president at Alliant Insurance Services. Unfortunately, standard criminal liability insurance does not always cover costs incurred due to data breaches, and other policies may not pick up the slack. “As general liability insurance carriers exclude security breaches and other electronic threats that could give rise to a claim, it has never been more important to consider adding cyber liability coverage to your company’s risk management portfolio,” added Corwin.
High Cost of a Data Breach
Some of the most substantial costs of data breaches come from lawsuits brought by affected customers, financial-service providers, the Federal Trade Commission and state attorneys general. Costly investigations into the source and cause of the breach are often required. Private suits arising out of a data breach are usually based on state security breach notification, data disposal, consumer protection and unfair business practice laws.
Agreements between merchants and financial institutions, such as credit-card issuers and processors, normally allocate liability for payment card fraud. However, financial institutions have also instituted lawsuits alongside consumers, claiming that the breached company failed to maintain adequate security and demanding that the company pay for reimbursing customers for fraud and card reissuance costs.
Almost all states currently require companies to issue some form of notification to customers whose personal information has been compromised by a breach. Affected customers commonly file suit following notification of a data-breach event, alleging that the company violated state laws and breached a duty to exercise reasonable care in collecting, using and storing personal and financial information obtained from its customers. Contract claims may also be brought when customers assert that they have an express or implied agreement with the business to protect their information. If a company fails to adhere to its stated privacy policies, this failure can lead to similar claims from consumers and trigger federal action by the FTC.
Whether a lawsuit is based in tort, contract, state or federal statute, companies that experience a security breach could end up liable for losses suffered by customers whose information has been compromised, and breached companies are often required to provide credit monitoring and identity-theft prevention services to affected customers. According to Baille, “Costs can run into the tens of thousands of dollars, which is why the average cost of a data breach in 2013 was upwards of $300,000 in the United States.”
Best Practices and Insuring Against the Inevitable
In light of the substantial risks inherent in using, collecting and storing electronic data, companies should consider implementing aggressive internal policies to protect data and respond to data breaches.
After significant losses caused by breaches at major retail chains, credit- and debit-card issuers are encouraging merchants to replace older magnetic strip-reading payment terminals with terminals equipped with electronic chip-reading technology. Card issuers will be shifting liability for fraud onto merchants who do not install the more secure chip-reading payment terminals by October 2015. Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is also necessary for ensuring that the major card brands help cover costs in the event of a breach involving cardholder data.
Switching to the new payment terminals that process “chip” cards, complying with PCI DSS, protecting sensitive data through encryption, securing servers and assessing your system’s vulnerabilities are all important steps.
If cloud computing is used, contracts with cloud service providers should include provisions to assure that data shared over the cloud is secure. Check out “Securing the Cloud: Key Contract Provisions” in the February 2015 issue of SEMA News for information specific to data security in cloud computing. Becoming familiar with the state security-breach notification laws is also important. For more detailed information on achieving data security, visit the FTC’s “Business Center” and other useful resources listed below.
No matter how comprehensive a company’s cyber-security strategy, insurance products to cover data-breach losses are a necessary fallback. Companies should be aware that general liability or similar insurance products may not cover these losses. Cyber liability insurance, also known as data-breach insurance, is offered specifically for this purpose.
“Purchasing a separate cyber liability policy though an insurance company that specializes in this type of coverage is the best way to get proper protection,” said Baille.
A cyber policy must provide coverage for losses incurred by third-parties as well as coverage for the company’s direct first-party losses. “The direct loss of productivity, profitability, reputation, data loss and even costs associated with regulatory government investigation and penalties must be included,” explained Corwin.
Policies that cover costs incurred by reason of a data breach often require businesses to institute adequate cyber controls, such as encrypting data, maintaining firewalls and secure servers and having in place an incident-response plan.
Bob Corwin at Alliant Insurance Services noted five controls that are essential:
- Boundary firewalls and Internet gateways: These are devices designed to prevent unauthorized access to or from private networks, but good setup of these devices, either in hardware or software form, is important for them to be fully effective.
- Secure configuration: Ensuring that systems are configured in the most secure way for the needs of the organization.
- Access Control: Ensuring only those who should have access to systems have access and at the appropriate level.
- Malware protection: Ensuring that virus and malware protection is installed and up to date.
- Patch management: ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.
SEMA PAC President’s Club Spotlight: Luanne Brown
Luanne Brown is the founder and president of eTool Developers, headquartered in Grand Rapids, Michigan. She is a five-year member of the SEMA PAC President’s Club and currently serves on the SEMA Board of Directors.
“As an entrepreneur who provides business services to the automotive aftermarket, I support SEMA PAC because I recognize how important the work that is being done by SEMA’s Washington, D.C., team is to our industry and to my own business,” Brown said. “To have a voice in Washington is crucial to the future of our industry—especially today. I just had to get involved. I encourage you, my fellow SEMA members, to join us and have your voice heard, too!”
For more information on SEMA PAC, please contact SEMA PAC and Congressional Relations Manager Christian Robinson at 202-783-6007 x20 or firstname.lastname@example.org.