Hardly a month goes by without news of another credit card data breach. Merchants in nearly every sector have been hacked. While we usually hear only about the large breaches that hit the biggest companies, small businesses are victimized most often. In fact, Verizon reported that 40% of the breaches it investigated in 2012 involved companies with fewer than 1,000 employees, and that companies with fewer than 100 employees represent the single largest segment of breach victims. 31% of the cyber-attacks committed in 2013 were aimed at companies with fewer than 250 employees.
Most merchants, especially smaller ones, are unprepared for the costs of a credit card data breach, and in particular for claims from the banks that issued the compromised cards. Issuing banks often sue the merchant directly, along with its acquiring (“clearing”) bank, to recover the cost of reimbursing cardholders for fraudulent charges and of reissuing the cards, alleging that inadequate network security at the merchant allowed the breach. These damages claims against merchants are usually at least in the six figures and can easily exceed eight figures.
There are additional costs on top of these damages, including legal fees to defend breach-related litigation between and among the card brands, issuing banks, acquiring banks and the merchant. Other costs include forensic examination, cardholder notification, credit monitoring for affected cardholders, public relations expenses, fines and assessments levied by the card brands and banks, and the costs of responding to government agencies’ investigations and lawsuits alleging a failure to adequately protect consumers’ information. Most traditional lines of business liability coverage provide no coverage for data breach losses, and where they do, it is very limited. In fact, an increasing number of these policies now carry exclusions specifically for data breach related losses.
Protecting your company through cybersecurity insurance
In order to mitigate the losses a data breach would cause, businesses should consider purchasing comprehensive cybersecurity insurance tailored to their operations and risk. Any business that stores, processes or transmits payment card data is at risk; once you have accepted that, make the following assessment to ensure you purchase the right kind and amount of cybersecurity insurance:
1. Consult with your IT staff or a compliance consultant to obtain a comprehensive understanding of the business’s risk profile: the amount, type and location of the data your business holds; your network infrastructure; your privacy and data protection policies; and your current level of compliance with regulatory and industry standards.
2. Identify the types of data security breach your business is most exposed to, and determine the losses you could sustain from each. First-party losses are those your business bears directly: breach notification costs, forensic investigation, credit monitoring, public relations costs, business income lost to network failure or damage, replacement and repair of damaged or destroyed data, software and hardware, extortion-related costs, and losses from a breach perpetrated by your own employees. Third-party losses are those for which your business may be held liable to others: defense costs and judgments in suits for failing to protect confidential or legally protected information; administrative and regulatory investigation costs, including fines and penalties; and liability to the payment card companies for assessments, fines, costs and reimbursements arising from the merchant’s non-compliance with the Payment Card Industry Data Security Standard (“PCI DSS”). The payment card liability arising from a breach of card data can be significant and is usually the largest liability stemming from such a breach.
3. Conduct a rigorous review of your current insurance coverage to determine what, if any, coverage it provides for your business’s likely types of data breach-caused losses.
4. Negotiate the terms of coverage for those potential losses with your insurance carrier(s). Cybersecurity policies are typically very negotiable. When negotiating, ask about each loss type described above by name to determine whether the policy actually covers it, and at what limit.
While undertaking the process of getting your business protected, you should consider retaining outside computer security consultants and insurance coverage counsel. Yes, this adds expense to an already costly process—but adequate investment pre-breach can minimize exposure and damage post-breach.
The best means of avoiding these costs is to prevent the breach in the first place: keep cardholder data off your systems wherever you can, maintain PCI DSS compliance, and have qualified computer security experts monitor your network. But no set of security controls is perfect. Given the commonly held view that it is not a question of if your business suffers a data breach, but when, every merchant should consider purchasing cybersecurity insurance. Being proactive before a breach occurs is your best defense against costs that can cripple a small business.