Like we needed a new worry…the economy, the oil spill, families hunkering down and not driving to vacation spots this summer, two wars and unknown consequences of health care legislation that no one seems to understand. Now, the government has added new industries to its regulations concerning data security, making them subject to the government’s red flag rules. Petroleum marketers and convenience store operators who accept credit cards are now included under these rules.
Business information theft has been an ongoing issue for years. The information superhighway is now infested with highway robbers looking for credit card numbers, Social Security numbers and dates of birth, anything that can be converted to a quick buck. Because of technology, geography no longer limits theft. An outside hacker, operating anywhere in the world, can access a company network and obtain valuable and damaging customer information. In fact, the primary threat of data breach comes from other countries.
The new red flag rules require you to notify all possible customers who MAY HAVE had their information seen, accessed, or in any way compromised. The cost associated with these requirements is estimated on a national basis to be $50 per customer, including response to liability lawsuits, contact costs and remediation expenses. Want even better news? Your current insurance program most likely does not have you covered.
What can I do to protect my business from the expense, embarrassment and loss of customer goodwill that could arise from a data breach? According to industry specialists, there are two loss control measures that can help reduce the frequency and severity of data breach exposures. First, a security audit performed by a certified computer data specialist is recommended. The specialist will test your firewalls and your security updates and check for open access points. Second, it is recommended that you have a penetration test performed on your operation. The testers will actually employ a hacker to try to break into your system to test for vulnerability. Completing these two items and keeping the reports on file and up to date greatly reduces your liability exposure because it shows that you have exercised a duty of care to protect your customers’ data.
As mentioned previously, traditional insurance policies have major gaps in this area. The insurance industry has responded to this loss exposure with developing data-breach/cyber-security liability coverage. There is no industry-standard policy form yet, and a market poll shows coverage and pricing can vary widely. Most policies begin at a $2,500 minimum premium for $1,000,000 of coverage, including liability, notification costs and repair/restoration.
Risk managers recommend BOTH contracting with a data specialist to perform a security audit/pen test AND purchasing data breach insurance. The time to act is now while the cost is still relatively low. It is better to pay a little now than a lot later, a risk management lesson that can be very costly to learn the hard way.