Cybersecurity Insurance: Coverage for the Inevitable

Pittsburgh White Collar - Grail Law Firm

Hardly a month goes by without news of another credit card data breach. Merchants in nearly every sector have been hacked. While we often only hear about the large breaches that hit the biggest companies, small businesses are victimized the most. In fact, Verizon reported that 40% of the breaches it investigated in 2012 involved companies with fewer than 1,000 employees and that companies with fewer than 100 employees represent the single largest segment of breach victims. 31% of the cyber-attacks committed in 2013 were aimed at companies with fewer than 250 employees.

Most merchants—especially smaller ones—are unprepared for the costs of a credit card data breach, especially for claims from the credit cards’ issuing banks. Issuing banks will also often sue the merchant directly and its “clearing” bank for the costs of reimbursing cardholders for fraudulent charges on their credit cards (and for the costs of replacing those cards), alleging the merchant’s inadequate computer network security failed to prevent the breach. These damages claims against merchants are usually at least in the six figures, and can easily exceed eight figures.

There are additional costs on top of these damages, including legal fees to defend against breach-related litigation between and among credit card companies, issuer banks, acquirer banks and business owners. Other costs include those for forensic examination, cardholder notification, credit monitoring for affected cardholders, public relations expenses, bank fines, and costs incurred responding to government agencies’ investigations and lawsuits for failure to adequately protect consumers’ information. Most traditional lines of business liability coverage provide no coverage for data breach losses, and where they do, it is very limited. In fact, an increasing number of these policies have added exclusions specifically for data-breach-related losses.

Protecting your company through cybersecurity insurance

In order to best mitigate potential losses stemming from a data breach, businesses should consider purchasing comprehensive cybersecurity insurance specifically tailored to their operations and risk. Once you have determined your business is at risk for a data security breach, you should make the following assessment to ensure you have purchased the necessary amount of cybersecurity insurance to mitigate the potential risk:

1. Consult with your IT staff or a compliance consultant to obtain a comprehensive understanding of the business’s risk profile. This may include the amount, type, and location of the data your business maintains; your business’s network infrastructure; your privacy and data protection policies; and, your current level of compliance with regulatory and industry standards.

2. Identify the types of data security breach your business is most exposed to, and determine the losses you could sustain. Common losses to the business itself include breach notification costs, forensic investigations, credit monitoring, public relations costs, business income lost to computer network failures and damage, replacement and repair costs for damaged or destroyed data, software, and hardware, extortion-related costs, and costs stemming from a breach perpetrated by the business’s own employees. Third-party losses, for which your business may be found liable, include defense costs and judgments in suits alleging a failure to protect confidential information; administrative and regulatory investigation costs, including fines and penalties; and liability to payment card companies for assessments, fines, costs and reimbursements arising from the merchant’s non-compliance with the Payment Card Industry Data Security Standard (“PCI DSS”). Payment card company liability resulting from a breach involving payment card data can be significant and is usually the largest liability stemming from such a breach.

3. Conduct a rigorous review of your current insurance coverage to determine what, if any, coverage it provides for your business’s likely types of data breach-caused losses.

4. Negotiate with your insurance carrier(s) the necessary terms of coverage for the losses a data breach could cause your business. Keep in mind that cybersecurity policies are typically very negotiable. In negotiating the policy terms, ask questions framed around the types of losses described above in order to determine whether or not the policy provides the requisite coverage.

While undertaking the process of getting your business protected, you should consider retaining outside computer security consultants and insurance coverage counsel. Yes, this adds expense to an already costly process—but adequate investment pre-breach can minimize exposure and damage post-breach.

The best means of avoiding these costs is to install sophisticated data security software and hire qualified computer security experts to monitor it, but no cybersecurity measures are perfect. And given the commonly held belief that it is not if your business suffers a data breach, but when, every merchant should consider purchasing cybersecurity insurance. Being proactive before a breach occurs is your best defense against costs that can be crippling to your small business.

How to Avoid a Data Breach from Point of Sale (POS) Malware

We asked our case expert, Forensic Tech/Systems Analyst Dr. Sean McLinden, to explain the recent wave of data breach attacks involving credit and debit payment cards, similar to matters we’ve worked on for clients together. Dr. McLinden here explains how “bad guys” get away with it, and what you can do to avoid falling victim to their unlawful – and hard to detect – schemes.

Point of Sale (POS) malware is becoming increasingly common, for a variety of reasons. First, whereas older POS systems were highly proprietary, more modern systems use commodity components which often use public specifications for interoperability with systems from other vendors. Where there exists the opportunity to explore the code, there lies a greater opportunity to exploit it. This is especially true of components which use complex operating systems such as Windows and Linux, where there may be multiple lines of attack on your system(s).

There are two technologies the Payment Card Industry (“PCI”) uses to protect data:

  • Encryption handles data of arbitrary type and size, but because it relies on published algorithms, its protection rests entirely on the key: anyone who obtains the encryption key can recover the data.
  • Tokenization, on the other hand, is often used to obfuscate structured, fixed-length data (e.g. SSNs). An arbitrary ‘token’ is created to take the place of the real data, with the ‘mapping’ between the token and the real data stored at a secured server. Because the token is arbitrary, it reveals nothing about the data it represents; only the mapping held on the secured server can recover it. Encrypted data may be vulnerable anywhere it is communicated, whereas tokenized data is vulnerable only before the token is obtained. In modern electronic commerce, this is usually the point of sale, where the merchant ‘swipes’ the magnetic stripe or reads the card’s chip.
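To make the tokenization bullet concrete, here is an added example (not code from the original article or from any PCI vendor) of a minimal token vault: the card number is replaced by a random, format-preserving token, and only code with access to the vault can map the token back. The test card number, the vault class and its method names are all constructed for this illustration.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment card numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal token vault (constructed example).

    In a real deployment this lives on a hardened, separately controlled server
    and its stored PANs are encrypted at rest; the POS terminal only ever sees tokens.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a random token of the same length that keeps the last four digits."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        # Same PAN -> same token, so downstream systems can still recognise a repeat customer.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random body from a CSPRNG; the last four digits stay for receipts and support calls.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions with existing tokens and the (astronomically unlikely) token == PAN.
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only code holding the vault can do this (KeyError for unknown tokens)."""
        return self._token_to_pan[token]


def demo_tokenization() -> dict:
    """Tokenize a well-known test card number and report what the token does and does not reveal."""
    vault = TokenVault()
    test_pan = "4111111111111111"  # widely used test card number, not a real account
    token = vault.tokenize(test_pan)
    return {
        "pan": test_pan,
        "token": token,
        "same_token_on_repeat": vault.tokenize(test_pan) == token,
        "last_four_preserved": token[-4:] == test_pan[-4:],
        "detokenized": vault.detokenize(token),
    }


if __name__ == "__main__":
    for k, v in demo_tokenization().items():
        print(f"{k}: {v}")
```

The point the bullet makes is visible in the code: the token's first twelve digits come from a random number generator, so an attacker who captures tokens from the merchant's systems learns nothing about the card, whereas capturing ciphertext plus the key would expose every card encrypted under it.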

Until the token has been created and substituted, the raw data may exist in computer memory (RAM). Capturing the information can be as simple as taking a snapshot of the RAM and scanning it for unencrypted strings that match the pattern of magnetic stripe Track data. Unfortunately, the tools with which to do this are widely available and not typically flagged by antivirus software, as they are often used for legitimate purposes such as software debugging. Even the way in which these tools are packaged may not identify them as malicious until suspicion arises as a result of the detection of compromised accounts.

Because the tools used in many POS attacks are not identified as malicious, data breaches can go undetected for months — allowing for the collection of large volumes of data. In a client’s matter recently, customer data was compromised for more than six months before the vendor became aware that it had been compromised. That discovery came only after a process of elimination excluded all other vendors who had serviced the same customers.

While computer viruses are often identified by network activity (e.g. communication with command-and-control servers), POS malware often writes compromised credentials to temporary files and relies on backdoors that let intruders retrieve those files at will. These backdoors may consist of accounts created by the POS installers for installation, configuration or support which were never deactivated after system installation, or of default passwords programmed by the system’s manufacturer or installer(s) that were never changed. As a result, the vulnerability may be hiding in plain sight. The fact that vulnerable systems may be located in protected physical locations makes it more likely that legitimate remote administration tools will be installed, and these can be exploited if not properly secured. Worst of all, if the access is infrequent and by “known” users, this network activity may not be identified as suspicious.

In another merchant’s case from 2012, an account created for debugging was never deactivated. Even though the POS vendor informed its customers of the vulnerability, it did so only by mail. Some customers never read the technical services bulletin or implemented the recommendations, and the POS vendor never followed through to be sure that its recommendations had been followed. (There is another lesson to learn here: be certain to have regular maintenance performed by trained professionals who keep current with system changes on all of your business’s systems.)
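The two preceding paragraphs describe backdoors that are really housekeeping failures: installer and support accounts never deactivated, debugging accounts left enabled, and vendor default passwords never changed. The following added example (not code from the original article or from any POS vendor) shows the kind of periodic account audit a merchant or its maintenance contractor can run against an export of a POS host's local accounts to surface exactly those conditions. The account export, the usernames, the dates and the placeholder default passwords are all constructed for this illustration; a real audit would take the default credentials from the vendor's installation documentation.

```python
import csv
import hashlib
import io
from datetime import date, datetime

# Audit parameters (constructed for this example).
AUDIT_DATE = date(2014, 3, 3)
STALE_AFTER_DAYS = 90
# Placeholder defaults for a fictional POS package; a real audit uses the vendor's documented defaults.
DEFAULT_PASSWORD_CANDIDATES = ["CHANGEME-DEFAULT", "CHANGEME-SUPPORT"]


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256 keeps the example short. Against salted or slow hashes you would
    # verify each candidate default per account with the platform's own check instead.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed export of local accounts on a POS host (fictional users, dates and passwords).
ACCOUNT_EXPORT = "\n".join([
    "username,created_by,purpose,enabled,last_login,password_sha256",
    f"posuser,merchant,daily operations,yes,2014-03-01,{sha256_hex('example-user-pw-1')}",
    f"vendor_install,installer,installation,yes,2012-11-05,{sha256_hex('CHANGEME-DEFAULT')}",
    f"dbg_support,vendor,debugging,yes,never,{sha256_hex('example-support-pw')}",
    f"manager,merchant,back office,yes,2014-02-27,{sha256_hex('example-user-pw-2')}",
    f"old_clerk,merchant,daily operations,no,2013-01-15,{sha256_hex('example-user-pw-3')}",
])


def audit_accounts(export_csv: str, today: date = AUDIT_DATE) -> dict:
    """Return {username: [reasons]} for every enabled account that needs attention."""
    default_hashes = {sha256_hex(p) for p in DEFAULT_PASSWORD_CANDIDATES}
    findings: dict = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].lower() != "yes":
            continue                      # a disabled account is not a live backdoor
        reasons = []
        if row["created_by"] != "merchant":
            reasons.append("created by installer/vendor and still enabled after installation")
        if row["purpose"] == "debugging":
            reasons.append("debugging account enabled on a production system")
        if row["last_login"] == "never":
            reasons.append("never logged in since creation")
        else:
            last = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
            idle = (today - last).days
            if idle > STALE_AFTER_DAYS:
                reasons.append(f"no login for {idle} days")
        if row["password_sha256"] in default_hashes:
            reasons.append("password still matches a vendor default")
        if reasons:
            findings[row["username"]] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit_accounts(ACCOUNT_EXPORT).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

Run on the constructed export, the audit clears the two merchant-created accounts that are in daily use and flags the installer account (stale, still enabled, default password unchanged) and the vendor debugging account (never used, still enabled): the same two conditions the cases above turned on. Scheduling such a check alongside the regular maintenance the article recommends turns a mailed technical bulletin into something that is actually verified on every system.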

POS malware represents a unique adaptation of tools and techniques to address the specific behaviors and potential vulnerabilities of the PCI processing chain. Because of the nature of tools used in the construction of a POS compromise, traditional antivirus products may be inadequate to address the needs of many common PCI environments. The same can be said for cybersecurity professionals who do not have extensive experience in the PCI/POS domain. Proper PCI audits can help to prevent attacks from known actors but, as the saying goes, you don’t know what you don’t know. Hiring professionals with proven track records in dealing with PCI/POS systems is essential to preventing adverse outcomes.

The Grail Law Firm works with technical experts to provide legal counsel and appropriate technical expertise to clients across the spectrum of industries. Contact us to learn more.