Emerging Ways to Pay
With massive data breaches among big box retailers and major banks consistently making headlines, the cry for more secure consumer payment methods has reached a crescendo.
Yet, the critical question remains: Will emerging technologies — from “chip/pin” credit cards to Apple Pay, Google Wallet and other similar e-payment products — stem the data risk tide?
And if so, will there be a winner among the group? Will there be a single payment system that can give both retailers and their customers a sense of security that currently doesn’t exist?
It’s much too early to tell, experts said. The main challenge now may be sorting through the various technological options — in addition to the potential cost and difficulty of implementing a new standard system.
Video: Mashable took Apple’s new payment system to the streets of New York City to see how it worked.
For example, some large retailers such as Wal-Mart, Rite Aid and CVS recently announced they would not accept Apple Pay, which uses the iPhone and major credit cards as its “touchless” payment delivery system.
Those large retailers and others are planning to use an alternative e-payment technology, called CurrentC, which bypasses major credit cards completely. The retailers favor that system because it eliminates the transaction fees charged by credit card companies to retailers.
According to Aaron Press, director of e-commerce and risk solutions at LexisNexis Risk Solutions in Dallas, each of the various mobile wallet systems has its own advantages.
One key benefit of systems such as Apple Pay and CurrentC is that they do not pass actual card data to the merchant, so there is no account information either in storage or in transit that can be compromised.
“If the wallet systems are secure, then consumers benefit from not sharing their payment credentials with merchants,” he said. “This means that even in the event of a breach, the consumer will not have to worry about their information being stolen and dealing with the hassle of disputing fraudulent charges or receiving new account numbers.”
In addition, said David Katz, leader of the privacy and information security practice group at Nelson Mullins in Atlanta, Apple Pay’s biometric Touch ID technology makes it “difficult for a thief or imposter to use an iPhone to complete transactions fraudulently.
“Consumers whose phones are stolen or misplaced can easily use the ‘Find my iPhone’ feature to suspend all payments,” he said.
“Even if the world magically adopted chip/pin technology overnight, hackers would simply find a new way to turn card data into money.” — Russ Spitler, vice president of product management, Alien Vault
However, he added, with 800 million credit cards on file — not to mention the brand new watch/fitness trackers that contain large amounts of health data — Apple may have succeeded in making itself the primary target.
Press noted that it is not yet clear whether Apple Pay or CurrentC will be vulnerable to fraudulent use.
E-wallet providers must ensure that the credentials being provisioned and used actually belong to the consumer attempting to use them, and that the applications, processes and infrastructure are secure, he said. The biometrics used with the Apple Pay process are helpful, but not a panacea.
Apple Pay, however, represents a security improvement over magnetic stripe architecture since it requires stealing a victim’s phone and successfully duplicating their fingerprint to commit fraudulent transactions, said Paco Hope, principal consultant at security consulting firm Cigital, in Dulles, Va.
Apple Pay also includes architecture (such as proxy numbers instead of account numbers) that contributes additional security, he said.
Russ Spitler, vice president of product management at Alien Vault, a security provider in San Mateo, Calif., called Apple Pay a “major move” for the payment industry.
While the underlying technology is not new, Apple has the market share and mindshare to make it popular, he said. Shifts in payment technology are driven by consumer demand, not retailer preference.
“In the past, Apple has proven to manage private data very responsibly — they take encryption seriously and implement it well,” Spitler said. “They are still prone to attacks against their users such as the recent iCloud issues — but they are working to add more features to help safeguard even in that situation.
“With Apple Pay, I am hopeful we will turn the corner on the horrible status quo of credit cards,” he said.
Because the U.S. adopted credit cards faster than they spread across Europe, Spitler said, the infrastructure in the U.S. is antiquated and entrenched, such as the point-of-sale (POS) systems reliant on magnetic stripe technology.
Moving past that to new EMV-based credit cards (also referred to as chip-and-PIN, chip-and-signature, chip-and-choice, or generally as chip technology) will require a major retrofit of a very distributed payment system in use for a long period of time, he said.
Video: A brief look at some of the advantages and challenges with EMV technology.
“Each corner store will have to invest in new technology at great cost to themselves and without any demand from the consumer; that’s a really difficult request to make of a small business,” he said.
EMV supports dynamic authentication (numbers change with each transaction), which means a cardholder’s data is more secure on a chip-enabled payment card than on a magnetic stripe card, and is much more difficult to copy or counterfeit.
“Magnetic stripe technology makes it dirt simple to clone a card once you have the electronic data associated with it,” Spitler said.
However, he said, the use of chip/pin technology does not guarantee the long-term elimination of risk.
“Even if the world magically adopted chip/pin technology overnight, hackers would simply find a new way to turn card data into money,” Spitler said.
Hope said that payment networks are introducing risk management beyond simply accepting or denying charges. Contactless payment systems deployed in the UK, for example, are usually dependent upon a variety of limits on total amount, number of transactions and transactions per time period.
“This is what it looks like when modern risk management meets the retail experience: the strength of the security measures in place,” he said. “Retail customer data in the future will be much more carefully protected using similar designs.”
Regardless of what type of payment system is used, Collin Hite, who leads the insurance recovery group at Hirschler Fleischer in Richmond, Va., said all businesses should have cyber insurance, even though many companies still don’t believe they are likely targets.
The first party aspects of such coverage can be critical to a business since the insurance pays for forensic investigation and re-securing the network, in the event of a data breach, he said.
“This is typically the largest cost — not the actual loss of information of the consumers,” he said.
“While we know the Fortune 500 to 1000 are considering specific cyber coverage, middle-market businesses need to understand that they are as vulnerable as the ‘big boys,’ ” he said.
Craig Young, a mobile security researcher for Tripwire, in Portland, Ore., said the best risk management strategy is to move to the next technology as quickly as possible.
“The ancient swipe and sign technology that dominates American retail is long overdue for a funeral,” he said. “For years, credit cards have been low-hanging fruit for thieves with a variety of techniques to steal card data, reproduce cards and start spending.”
LexisNexis’ Press added that it’s way too early to declare a front runner in mobile payments, and that magnetic stripe cards will be around for several more years.
“There is no security salvation or fraud magic bullet, but many of the new technologies offer a lot of promise,” Press said. “EMV will drastically improve POS security and reduce counterfeit fraud. Biometrics is a promising option for identity verification.”
But, he warned, new technologies can open the window to new problems while shutting the door to known issues. Adding new technologies such as mobile, he said, increases the number of potential blind spots.
“Companies need to evaluate the risks and benefits of adding any new commerce technology or channel to their environment,” Press said.
Ratcheting up Reporting Rules
Everyone agrees on the merits of reducing accidental workplace fatalities and serious injuries.
Yet, according to some employment lawyers, including the former head of the U.S Department of Labor’s Occupational Safety and Health Administration, impending OSHA reporting rule changes that go into effect on Jan. 1 are going to make things look worse.
Under the revised rule, employers will be required to notify OSHA of work-related fatalities within eight hours, and work-related in-patient hospitalizations, amputations or loss of an eye within 24 hours.
Previously, OSHA’s regulations required report of work-related fatalities and in-patient hospitalizations of three or more employees.
“That could lead to huge numbers in terms of reporting.” — Ed Foulke,partner, Fisher& Phillips
“Under the former rules, very rarely would more than three people go to hospital in a single incident, so the new rules can exponentially increase reporting,” said Ed Foulke, former head of OSHA under George W. Bush and a partner with Fisher& Phillips in Atlanta.
Also, all employers covered by the Occupational Safety and Health Act, even those who are exempt from maintaining injury and illness records (10 or fewer employees), are required to comply with OSHA’s new reporting requirements.
Foulke said the injury reporting requirements are “significant” changes.
To complicate matters, he said, OSHA has expanded the definition of amputations, so that even the loss of the tip of the finger, for example, without bone loss, now is considered an amputation, which is a reportable injury.
“That could lead to huge numbers in terms of reporting,” he said.
Foulke also said that the updated regulations add 25 new industries — such as “bakeries and tortilla manufacturers,” auto dealers, building supplies, beer, wine and liquor stores, performing arts companies and lessors of real estate — to those required to keep OSHA 300 injury and illness records.
Those records will be posted on the OSHA website, he said.
“OSHA never talked about it during this rule-making process for three years,” he said. “Plaintiff’s attorneys, unions, anti-industry groups and other organizations can easily obtain that information, and that could lead to increased litigation.”
According to the Bureau of Labor Statistics, 4,405 workers died on the job in 2013.
In announcing the new rules on Sept. 11, U.S. Secretary of Labor Thomas Perez said workplace injuries and fatalities are “absolutely preventable, and these new requirements will help OSHA focus its resources and hold employers accountable for preventing them.”
OSHA said it will not do an inspection based on every report, but rather will “interact” with the employers who file reports.
The “most obvious effect” of the new rules, said Bill Principe, a partner in Constangy’s Atlanta office, “is that when you report one of these types of cases, you can almost expect an OSHA inspection. And that gives you a chance to prepare properly. But no one knows at this point how long you are going to have to prepare.”
“A relatively minor accident could trigger additional citations.” — Nickole Winnett, senior associate, Jackson Lewis
On the flip side, Principe said, the new regulations could overwhelm OSHA, with the sheer volume of new data coming in.
“I would believe that these types of report cases almost would take the place of general inspection schedules,” Principe said. “OSHA hasn’t said that the call-ins definitely will trigger an inspection, but that could turn out to be the case.”
Nickole Winnett, a senior associate in the Washington, D.C. office of Jackson Lewis, said the new OSHA rules “will require additional resources and time spent on providing the information, responding to follow up questions and, in some cases, being investigated for these types of accidents.”
She noted that once OSHA decides to do a worksite inspection, it can look for other safety issues as well.
“A relatively minor accident could trigger additional citations,” Winnett said.
The best strategy for employers, Foulke said, is to know what OSHA standards apply to them and make sure the company is in full compliance.
“They need to know what is required within every applicable standard,” he said, estimating, for example, that 50 percent of employers in the U.S. today have not done a basic workplace hazard assessment. “It’s important for several reasons, including maintaining a safer workplace.”
Risks of Wearables
While wearable devices are being touted by many as the next big thing on the consumer computing front, opinions differ on whether or not gadgets like smart glass, fitness tracking bracelets and smart watches will ever match the hype.
Whether or not they succeed in terms of sales and eventual widespread acceptance, however, legal and insurance experts believe this latest tech trend will bring added risk, both for employers whose workers use wearable tech on the job and for those who manufacture and — by extension in some cases — manage those devices.
Much like “bring your own device” (BYOD), where employees conduct company business on their personal smart phones and tablets, wearable technology use requires strong cyber policies to avoid company exposure.
But wearable technology goes a step farther in that products such as smart glass (Google Glass is just one example) bring a new dimension to risks in such areas as workers’ comp and product liability.
Currently, there are mixed views on wearable technology’s true impact. On the optimistic side, according to Statista, an Internet-based statistics provider in New York City, the global wearable device market is expected to grow from $5 billion in 2014 to $12.6 billion by 2018.
Tempering that is a 2013 Harris Interactive poll of 2,577 U.S. adults, where overall opinions seem to be mixed, with Americans slightly skeptical. According to the Harris poll, about half of Americans believe wearable tech is just a fad (49 percent) and not likely to become as common as smartphones (also 49 percent). Roughly one-third of the respondents (35 percent and 37 percent, respectively) disagreed.
While the jury is out on the “stickyness” of wearable devices, their potential as workplace tools, for example, is undeniable. However, there exists the double-edged sword of balancing productivity with various risks.
Boston-based Anand Rao, a principal in PwC’s insurance practice, said that for the insurance industry, smart glass products can augment a claims professional’s capability of adjudicating claims.
“Smart glass products can create an almost a real-time assessment of losses in personal or commercial lines,” he said. “It could speed up efficiency. I can definitely see smart glass being used more in that area.”
Privacy Protections at Risk
Yet, while wearable technology may boost productivity aross several business sectors and in general areas, such as employee training, risk exposures are obvious, Rao said.
For example, an employee wearing company-issued Google Glass might become distracted and cause an accident. Or, they may injure themselves at work after becoming distracted.
“It’s definitely an issue by causing a distraction when driving or walking or doing other things,” he said. “The notion around changing someone’s focus, that is an obvious risk. If an individual consumer does it, there’s not much you can do. But if an employer has authorized use and something happens, it becomes a serious issue.”
Company-issued glass also can be used to invade someone’s privacy, as Google Glass is able to capture real-time facial images and video, and search and/or post data on that person.
Shawn Ram, technology practice leader at Crystal & Company in San Francisco, said companies that engineer and deliver wearable devices such as fitness wristbands also face exposure.
“If a fitness wristband device is collecting information on me, it puts me in a position whereby the company can be broaching privacy-related concerns,” he said.
The private health data on such devices also puts the manufacturer at risk if protected data is lost.
“That is a topic that is much discussed, but due to the current nature of wearables, you won’t find companies managing the risk like hospitals or large cloud-based companies,” he said.
PwC’s Rao said regulatory laws are needed. Right now, he said, it is unclear who owns the data and who can see the data generated by wearables.
“If a health or life insurance carrier is getting that data and charging a higher premium, that’s not what you want,” he said. “It must be used only for the purposes that have been stated. If insurers start making use of data to do something else, that’s not acceptable.”
Data Security Concerns
Christine Lyon, a partner in the Palo Alto, Calif., law office of Morrison Foerster, said there is concern that employees may use smart glass to collect and record proprietary information.
“For insurance carriers, risk managers and employers, the world of wearable devices will evolve very quickly, making it a challenge to keep up from a risk transfer perspective.” — Shawn Ram, technology practice leader, Crystal & Company
“This is not unique to wearables but it’s another front that requires attention,” she said. “And the smaller these devices get, the harder they are to identify that someone is using one. Also, the smaller they are, the easier they are to lose.”
She said wearables are similar to BYOD because a company’s workers may have data on third-party devices that have not been properly vetted.
Smart glass, she said, is a “different animal” than other wearables because it is so stealthy in collecting information — raising questions about when and how that data is used.
“This is fertile new territory because so much is unknown right now,” Lyon said.
But, she said, the focus should be more on data security than litigation at this point.
Companies need to establish policies with specific rules for the use of wearables, which means they should see if current policies are broad enough to cover the risks associated with wearables.
“We haven’t seen any claims or litigation yet around wearables,” Lyon said.
“Employers are dealing with it on an ad hoc basis for the most part.”
Michele Lange, director of legal technologies for Kroll Ontrack, a data recovery company based in Minneapolis, specializes in issues related to e-discovery and technology’s role in the law.
She said wearables should be included in a company’s BYOD policies to proactively address issues such as security of the device data and preservation and collection of electronically stored information (ESI) if a regulatory request is issued.
Video: Tech experts discuss medical uses of wearables at the SXSW conference in Austin, Texas.
“The only way to prevent liability is to completely disallow wearables,” she said.
“But we know that’s an imperfect solution. It’s better to manage their responsible use, considering the influx of the technology will be difficult to curtail.”
Lange noted that part of the allure of wearables is the promise of efficiency and convenience, and nowhere are these values more embraced than in the workplace. Thirty years ago, computers were not on every desk, but today it’s impossible to imagine the workplace without them.
“Whenever technology can offer a business a more efficient employee base and cost-savings due to increased productivity, it will catch on. It’ll be no different for wearables,” she said.
“As these devices evolve into stand-alone technologies, we can assume more issues will arise because they’ll begin to store their own data,” she said. “The tricky part for businesses and courts is knowing where to draw the line between personal and private data, and that which is relevant to litigation.”
Recovering data from a fitness tracking wearable, for example, could be a great tool to fight a workers’ comp claim. But it’s also a privacy law minefield touching everything from the Privacy Act of 1974 to potentially even HIPAA, she said.
Wearables are going to be a headache for employers, she said, calling the emerging technology a “high-risk, high-reward innovation.”
While tech-savvy firms may hand out wearables to employees to increase productivity, she said, more conservative businesses may not and risk missing a competitive edge.
But what happens if the wearable produces adverse health effects? Or if an employee who is driving to work and using work-issued Google Glass gets in a car accident?
Also, how can you protect trade secrets and intellectual property when an employee can record everything they look at through their glasses — with the employer being none the wiser?
“These are the questions lawyers will be asking in the coming years as even bigger tech players like Apple join the wearables industry,” she said.
Speaking of Google Glass as a potential headache-causing wearable, Ram said that product recall is another outcome that may dampen the hype around wearables. Risks arise as wearables become more invasive and closer to the skin.
In fact, in March 2014, the U.S. Consumer Product Safety Commission issued a total recall of the Fitbit Force, one of the most popular fitness tracking wristbands on the market.
Fitbit Inc. had sold more than one million Fitbit Forces, but some users developed allergic contact dermatitis to “the stainless steel casing, materials used in the strap, or adhesives used to assemble the product, resulting in redness, rashes or blistering where the skin has been in contact with the tracker,” according to the official CPSC recall notice.
“When you use a cell phone, you can put it down,” Ram said.
“Wearables are always on you, other than when charging. Recall for wearables is something not being adequately addressed by the insurance marketplace right now.
“For insurance carriers, risk managers and employers, the world of wearable devices will evolve very quickly, making it a challenge to keep up from a risk transfer perspective,” Ram said.