MITIGATING DATA BREACH
For nearly three weeks, from November 27 to December 15, 2013, the retail giant Target Corporation experienced one of the largest data breaches in American history. The stolen information ranged from some 70 million customer records and 40 million credit and debit card numbers to the short verification codes printed on the back of the compromised cards.
In addition to forcing the retailer to book a reported $61 million in direct costs related to the breach, the incident scared customers away from Target's stores, contributing to a 46 percent drop in net profit in the holiday quarter.
Although the full cost of the breach is not yet known, security analysts have pegged it at upwards of $400 million. While most businesses aren't nearly the size of Target, a data breach can be even more damaging to a small business that lacks the resources of a large corporation. Fortunately, there are steps even the smallest business can take to reduce the likelihood of a data breach and to limit the damage if one occurs.
What Is Data Breach?
A data breach is the exposure of sensitive customer information through hacking, theft or the accidental release of data. Business owners are custodians of customer information, and customers reasonably expect them to protect it. Some examples of actions or events that lead to a data breach include:
• Failure to shred customer documents
• Medical records falling off a truck on a freeway
• Skimming devices installed in credit card machines to steal customer card data
• A lost laptop computer containing sensitive customer data
• Social Security numbers printed on mailings
A data breach should not be confused with identity theft, in which thieves target individuals to obtain credit card and financial information, or with cyber liability, which refers to thieves targeting a business itself, via hacking, to steal its financial information.
It Can Happen to Anyone
Big or small and no matter the industry, data breach is a real concern to any business. From restaurants and bars running hundreds of credit cards every night to medical offices with piles (both electronic and physical) of sensitive patient information, it can happen to anyone.
Thieves often "start small" to refine their methods: there may be less reward in skimming card data from a small corner bar than from the mega-retailer on the other side of town, but the bar is an easier target and carries less risk of being caught.
Additionally, business owners should not assume that anything involving stolen card numbers is the bank's problem. Payment processors' contracts with businesses commonly give the processor the right to recoup certain breach costs from the business.
For example, one major card company typically assesses a charge of $2.50 per card exposed in a breach. That may not sound significant on its face, but consider how many customers hand over a card at even the smallest restaurant: 5,000 exposed cards would cost the business $12,500 in such assessments alone.
How to Prevent Data Breach
At its core, preventing a data breach is equal parts common sense and technical knowledge, and a balanced approach is needed because neither alone addresses every risk. An ounce of prevention is worth a pound of cure.
- Remember that a data breach isn't only an electronic issue; simple theft is a concern. Ensure that a data protection program is in place to guard against non-electronic threats as well.
- Give vendors only the access they need. A vendor servicing cooking equipment shouldn't be able to reach a financial system, for instance, and vendors should be monitored while on site as much as is reasonable. As it turns out, the Target breach began with network credentials stolen from a third-party HVAC contractor, which the attackers then used to reach Target's payment systems.
- Monitor internal systems and databases regularly so that anything nefarious is noticed. Breaches often go on for weeks or even months before anyone notices, and the sooner a breach is stopped, the less damage it does.
- Protect mobile devices with strong passcodes and turn on device encryption, so that a lost or stolen phone or tablet doesn't expose the customer data stored on it.
- Keep all computer systems updated. A surprising number of businesses, for instance, still run the Windows XP operating system, for which Microsoft support ended on April 8, 2014. Microsoft no longer patches known vulnerabilities in XP, which leaves those computers open to compromise.
- PCI compliance goes a long way toward preventing a data breach. Being PCI compliant means a business adheres to the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council. Compliance doesn't eliminate the risk, but it closes off the easily avoidable threats.
- Stay as current as possible on the techniques scammers are using. Bluetooth skimmers, RAM scrapers (malware that harvests card data from a point-of-sale terminal's memory in the moment between the swipe and encryption) and other malware are three common methods thieves use to take advantage of businesses, and enterprising crooks come up with new methods constantly. Knowing the enemy is crucial in any battle, and protecting customer data is no different.
- Perhaps most importantly, educate employees and make sure they understand the processes in place to mitigate a data breach. An owner or manager can only do so much; the people who handle the day-to-day operations of the business also need to know what to do and why.
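A RAM scraper does nothing more exotic than read a point-of-sale process's memory and search it for magnetic-stripe track data, which sits in cleartext for a moment between the card swipe and encryption. The following Python script is an added example, not code from this white paper, showing the core of that search and then turning it around defensively: the same pattern match plus a Luhn check lets a business scan its own POS logs, crash dumps or memory captures for unencrypted track data, which PCI DSS forbids storing after authorization. The memory buffer, the card numbers (4111111111111111 is a well-known test number, not a real card) and all function names are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
# This is the pattern a RAM scraper greps memory for; PANs are 13 to 19 digits.
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to separate real card numbers from digit noise."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class CardHit:
    offset: int        # where in the buffer the track data was found
    masked_pan: str    # the scan tool must not become another store of full PANs
    expiry: str        # YYMM as encoded on the stripe
    luhn_valid: bool   # False means the match is probably noise


def scan_buffer(buf: bytes) -> list[CardHit]:
    """Find Track 2 records in a raw byte buffer (memory capture, log, crash dump)."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode("ascii")
        hits.append(CardHit(
            offset=m.start(),
            masked_pan=mask_pan(pan),
            expiry=m.group("exp").decode("ascii"),
            luhn_valid=luhn_ok(pan),
        ))
    return hits


def confirmed_hits(buf: bytes) -> list[CardHit]:
    """Only matches that pass the Luhn check: the ones a scraper would exfiltrate."""
    return [h for h in scan_buffer(buf) if h.luhn_valid]


# Constructed sample resembling a POS process's memory between swipe and encryption.
SAMPLE_MEMORY = (
    b"\x00\x00order=1234;table=7\x00"
    b";4111111111111111=25121011234567890?\x00"   # Luhn-valid test PAN
    b"\x00log: receipt printed\x00"
    b";1234567890123456=26011010000000000?\x00"   # fails Luhn: digit noise, not a card
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        status = "CARD DATA" if hit.luhn_valid else "noise"
        print(f"offset {hit.offset:>4}: {hit.masked_pan} exp {hit.expiry} ({status})")
```

To check a real file, read it as bytes and pass it to scan_buffer; a confirmed hit in a log or dump means card data is being written somewhere it must not be, which is a finding to fix before an attacker finds it. Output is deliberately masked so that running the scan never creates a new copy of full card numbers.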
How to React to a Data Breach
If a data breach is suspected, the business owner should immediately contact the financial institution that processes the business's payments; it will guide the next steps. The insurance agent or carrier should be notified at the same time, since the sooner they're involved, the better from a liability standpoint.
From there, clear communication with affected customers is crucial. Notification may not be legally required at this point (breach notification laws vary by state; consult local authorities for guidance), but the best practice is to be forthright and honest. In the long run, customers value honesty, even when it is embarrassing in the short term.
In fact, as large as the direct expenses from a data breach can be, it's the reputational harm that can do irreparable damage to a business. The more that can be done to put customers at ease, the better. Clearly explaining the situation helps convince customers that the business is not a risky place to shop, eat, and so on.
Finally, make sure any services offered to customers fit the nature of the exposed data. If only debit or credit card information is exposed, credit monitoring is a waste of money: without a Social Security number, a new credit line cannot be opened from an exposed card number alone. Simply counsel customers to keep an eye on their own accounts; the affected financial institution will most likely issue new cards anyway.
If Social Security numbers are exposed, don't just offer one year of free credit monitoring. That's the "cheap and easy" way out and a disservice to customers: Social Security numbers don't expire, so they can be exploited at any time.
How to Lessen the Possible Damage
Even a small data breach can be wildly expensive. While most businesses won't face the $61 million of damage Target suffered, typical costs can include:
- Internal investigation: $14,000
- Regulatory compliance: $125,000
- Notification and crisis management: $28,000
- Class action lawsuits: $5,000 per person exposed
With costs for even small data breaches running into the tens or hundreds of thousands of dollars, going without data breach coverage is simply not an option. One problem, however, is that not all data breach coverage is created equal: many insurance policies do not adequately cover the various costs involved in a data breach.
Here’s what to look for when considering a data breach policy:
- Internal investigation costs
- Regulatory compliance costs
- Notification to customers/clients
- Notification to governmental authorities
- Printing and mailing costs
- Proactive monitoring services
- Legal liability—victims will seek to recover their costs, perhaps as part of a class action suit
- Electronic and non-electronic acts or accidents that result in the exposure of sensitive customer information
Summary
A data breach is embarrassing, costly and potentially business crushing.
But it is avoidable.
Beyond the simple steps identified in this white paper, think about what else you could be doing to protect your customers. If something comes to mind that you could be doing but are not, the answer is simple: do it as soon as possible. Every passing day is another opportunity for thieves to get their hands on your customers' sensitive information and ruin your business.
Society’s team of risk control experts take care of the details that will help business owners avoid catastrophic losses and keep their customers, employees and businesses protected. Get in touch with a Society agent today by visiting societyinsurance.com and learn more about how to best protect your business.