Sector Under Siege
The Target data breach of 2013, in which hackers accessed 40 million credit and debit card accounts and the personal data of up to 70 million people, will likely go down as the event that piqued public awareness of the just how vulnerable their personal information is in the hands of retail organizations.
Legislation addressing how companies handle personal data goes back decades — the Song-Beverly Credit Card Act of 1971 (a California statute), for example, was amended in 1990 specifically to address the misuse of personal information by retailers for marketing purposes. Since then, the world has changed. Cyber risk touches every business sector to varying degrees, and with cyber crime an increasingly lucrative activity, data breaches are — according to media column inches at least — bigger and more common than ever.
Since the Target breach, Verizon has identified two more U.S. retailers who it said have been hacked; and in the ensuing media storm, lawmakers are scrambling to protect consumers. In March, Congress rallied retailers to support a nationwide standard for retail companies to quickly notify customers in the event of data theft in order to increase accountability in the sector.
The push for tighter laws is being played out not just in the United States but across many global economies. In this country, however, the state system means that retailers must navigate a rapidly and constantly evolving patchwork of privacy rules and regulations. Last year, the California Supreme Court ruled that the Song-Beverly Act’s privacy protections do not apply to online transactions. But in late January 2014, S.B. 383 was passed to amend the Act to fill the perceived gap in consumer identity protection.
Many retailer clients of insurance recovery lawyer Linda Kornfeld, a partner at Kasowitz Benson Torres & Friedman, would argue that traditional general liability coverages do not cut it when it comes to data privacy law violations. In 2011, many of those that operated in California faced litigation for collecting ZIP codes from credit card transactions. The state Supreme Court ruled that — despite several California court decisions to the contrary — ZIP codes counted as personally identifiable information (PII), therefore the retailers had violated the Song-Beverly Act.
Around 150 class action lawsuits were filed, and retailers got burned by their general liability insurers, who refused to pay out on the grounds that they had triggered exclusions by violating a privacy statute in the state. “This then prompted coverage litigation,” Kornfeld said.
Other Courts Follow Suit
Kornfeld said some retailers are still relying on general liability coverage rather than specialist privacy and data breach products, and may be exposed in a similar way — particularly as the California situation was mirrored in Massachusetts in March 2013. More recently, similar court rulings have been handed down in Wisconsin and Washington, D.C.
“Since the ruling last year, there has been a flurry of class action litigation being filed in Massachusetts,” she said, noting that Apple was sued there as recently as January.
“Retailers must be in strict compliance with these statutes, because the courts don’t seem to be interpreting them very favorably for the retailers.”
Kornfeld added: “Retailers that don’t have privacy and data breach cover in their insurance portfolio already should seriously consider buying it. They need to look at whether the coverage matches their risks and if the premiums match their concerns about exposure.”
If they take the decision not to buy specialist cover, she said, retailers should study the language of their traditional liability coverages to ensure it is flexible enough to cover them against privacy violation issues — both under existing law and in the instance that new legislation creates an exposure during the policy period. She also recommended working with counsel who is up to date on the various legislative changes taking place across the United States.
“If a retailer is sued with respect to the ZIP code issue, then they need to be aggressive in pursuing coverage, because insurers are taking very strong positions against coverage and I don’t agree that those positions are meritorious,” she said.
Paul Bantick, underwriter for technology, media and business at Beazley, which has insured six of the 10 largest data breaches in the world, said most retailers are up-to-speed on ZIP code collection laws and are also well protected against fines and penalties stemming from privacy violations.
“I haven’t seen any significant cases related to this for a while,” he said. “Most companies have changed their business practices — once you stop collecting the ZIP codes the exposure goes away. If a retailer is violating privacy laws and collecting ZIP codes when they shouldn’t be, that is covered by the cyber policy, which covers cyber liability and third-party claims arising from privacy violations.”
However, Kornfeld argued that while retailers adapted their business practices in California after the class action lawsuits of 2011, they may not necessarily have done the same in other states.
According to Bob Parisi, leader of the network security and privacy practice at Marsh, ZIP code collection is “the least of retailers’ worries.” He said a more relevant concern is keeping up with state and federal privacy regulations including mandatory incident response plans that first emerged on the East Coast and are now working their way west across the country. “Now if retailers hold personally identifiable information and are operating in various states, they have to have an incident response plan in place that meets a certain minimum level of efficacy,” he said.
“Retailers are also subject to nongovernmental regulations in the form of payment card industry (PCI) regulations set by card companies that require companies holding credit card information to comply with their standards,” Parisi said.
Data Breach Protection
Concerns over data privacy are intrinsically linked to the risk of data breach — after all, it is highly unlikely consumers would be aware of any violations of privacy law by a retailer or pursue litigation against them unless they were made aware that their personal information had been lost or stolen. The response required by Target to deal with the fallout from its data breach cost the company $61 million — half of its quarterly profits — in Q4 alone. And there is no indication yet of the value of class action suits the company may face when it comes to cyber liability.
Retailers are right on the front line of this evolving threat. According to Cisco Systems, the retail sector had 60 percent more malware encounters than the cross-industry median in 2013, but it was by no means the most attacked sector. By comparison, the agriculture and mining, electronics and pharmaceutical/chemical sectors all registered more than 600 percent above the median, while energy, oil and gas was 430 percent higher.
Yet, there is no denying that when it comes to personal data, retail companies offer some of the most attractive targets due to the huge number of records they possess. “The retail sector is just as exposed as banks, health care, airlines or hotels. All these companies hold the same type of information. However, retailers have a severity to them right now,” said Bantick.
“Are retailers becoming a greater risk, or is it just that some hackers have found a way to get through security and have been able to replicate that on several retailers? I don’t know yet if there is some kind of ‘worst class’ developing,” he said. “Clearly, it’s a bad patch for retailers. Maybe it’s another industry’s turn soon.”
Notwithstanding the coverage litigation controversies seen in California, Parisi said, the insurance market has done a decent job keeping up with the threats retailers face and continuing to provide appropriate coverage. “The market has been behaving fairly well in terms of responding to losses, and offering broad, flexible coverage,” he said.
However, he added, recent high-profile losses have put some carriers off the class. “In the last couple of months, we have seen some carriers search their souls as to whether they want to continue to insure retailers, but that’s hardly surprising,” Parisi said.
“Some carriers are aggressively pursuing the risk and asking tough questions, but when they get their answers they are more than willing to put up their capital to insure the companies. Others want nothing to do with retailers whatsoever.”
Meanwhile, Bantick said, it is naïve to think any company can completely eliminate the threat of data breach, warning retailers that it is a case of if, and not when, they will be attacked. However, with retailers accounting for about 25 percent of its cyber portfolio, it is little surprise Beazley is one of the carriers happy to provide coverage against the risk. “It’s what we do,” he said.
Target Breach a Threat to All
Computer security breaches that enable the theft of confidential financial information are no laughing matter. Just ask the 110 million or so people who have been affected by the infamous hack into Target’s customer-facing systems. So why should we in the insurance industry be sitting up and taking notice?
Internet sources report that this particular break-in used a form of memory-scraping malware technology that captures information as it is being input at the point of sale, but before it can be encrypted in the retailer’s systems.
We in the seemingly safe insurance sector may feel bad for our friends in retail, but before we get to feeling too comfy, it would be wise to consider that retail isn’t the only industry using point-of-sale (POS) devices. In fact, such input devices are used in lots of industries — retail, hospitality and health care among them.
It is that final class of users that should give us pause in the insurance sector. In case you weren’t paying attention, the Affordable Care Act requires electronic record-keeping. This naturally involves uncountable points of sale in doctors’ offices, clinics, and hospitals, not to mention places like Wal-Mart that are beginning to offer insured health care services.
Many of the individuals affected by the Target, et al., breach are promising never to do business with the involved retailers again. But what if the breached party was a major broker or insurer?
In the Target heist, an executive reported that someone had actually installed the malware on its POS systems. How that was done is a mystery at this writing, but one has to assume that these systems were connected to the Internet — which would allow the thieves to then retrieve the stolen data remotely. So, it seems likely that the malware was also remotely introduced into Target’s systems, as well as those of Nieman Marcus and other affected retailers.
These kinds of attacks are not exactly on the cutting edge of technology, however. According to InformationWeek, “Memory-scraping attacks date from at least 2011, when security researchers first spotted an advanced version of the Trackr (a.k.a. Alina) malware, which can be controlled via a botnet.” So, it won’t just be the most advanced thieves who pull off these kinds of crimes. The less-sophisticated, whether here or abroad, will likely be able to do the same.
Personal financial information is an extremely valuable commodity on the black market, and if you’re a criminal, it seems surprisingly easy to steal. Hackers can sell the credit card numbers for $35 to $100 each, while gold or platinum credit cards go for $60 each, business credit cards for $80 and some platinum cards for $100, said Cisco security researcher Levi Gundert in a blog posting. Interestingly, the information stolen in the Target incident includes names, addresses, credit card numbers, PINs and other data that enable thieves to assume an individual’s identity — which could lead to far bigger losses for those who are victimized.
Here’s the bottom line. Many of the individuals affected by the Target, et al., breach are promising never to do business with the involved retailers again. But what if the breached party was a major broker or insurer? Can insurance companies and brokers — already involved in a dog-eat-dog competition for insureds — afford to have that kind of backlash aimed at them?
The answers remain to be seen, but it is clear that with cyber crime escalating and becoming easier to perpetrate, our industry cannot stand back and hope the boogeyman goes away.
5 & 5: Rewards and Risks of Cloud Computing
Cloud computing lowers costs, increases capacity and provides security that companies would be hard-pressed to deliver on their own. Utilizing the cloud allows companies to “rent” hardware and software as a service and store data on a series of servers with unlimited availability and space. But the risks loom large, such as unforgiving contracts, hidden fees and sophisticated criminal attacks.
ACE’s recently published whitepaper, “Cloud Computing: Is Your Company Weighing Both Benefits and Risks?”, focuses on educating risk managers about the risks and rewards of this ever-evolving technology. Key issues raised in the paper include:
5 benefits of cloud computing
1. Lower infrastructure costs
The days of investing in standalone servers are over. For far less investment, a company can store data in the cloud with much greater capacity. Cloud technology reduces or eliminates management costs associated with IT personnel, data storage and real estate. Cloud providers can also absorb the expenses of software upgrades, hardware upgrades and the replacement of obsolete network and security devices.
2. Capacity when you need it … not when you don’t
Cloud computing enables businesses to ramp up their capacity during peak times, then ramp back down during the year, rather than wastefully buying capacity they don’t need. Take the retail sector, for example. During the holiday season, online traffic increases substantially as consumers shop for gifts. Now, companies in the retail sector can pay for the capacity they need only when they need it.
3. Security and speed increase
Cloud providers invest big dollars in securing data with the latest technology — striving for cutting-edge speed and security. In fact, they provide redundancy data that’s replicated and encrypted so it can be delivered quickly and securely. Companies that utilize the cloud would find it difficult to get such results on their own.
4. Anything, anytime, anywhere
With cloud technology, companies can access data from anywhere, at any time. Take Dropbox for example. Its popularity has grown because people want to share large files that exceed the capacity of their email inboxes. Now it’s expanded the way we share data. As time goes on, other cloud companies will surely be looking to improve upon that technology.
5. Regulatory compliance comes more easily
The data security and technology that regulators require typically come standard from cloud providers. They routinely test their networks and systems. They provide data backups and power redundancy. Some even overtly assist customers with regulatory compliance such as the Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI DSS).
1. Cloud contracts are unforgiving
Typically, risk managers and legal departments create contracts that mitigate losses caused by service providers. But cloud providers decline such stringent contracts, saying they hinder their ability to keep prices down. Instead, cloud contracts don’t include traditional indemnification or limitations of liability, particularly pertaining to privacy and data security. If a cloud provider suffers a data breach of customer information or sustains a network outage, risk managers are less likely to have the same contractual protection they are accustomed to seeing from traditional service providers.
2. Control is lost
In the cloud, companies are often forced to give up control of data and network availability. This can make staying compliant with regulations a challenge. For example cloud providers use data warehouses located in multiple jurisdictions, often transferring data across servers globally. While a company would be compliant in one location, it could be non-compliant when that data is transferred to a different location — and worst of all, the company may have no idea that it even happened.
3. High-level security threats loom
Higher levels of security attract sophisticated hackers. While a data thief may not be interested in your company’s information by itself, a large collection of data is a prime target. Advanced Persistent Threat (APT) attacks by highly skilled criminals continue to increase — putting your data at increased risk.
4. Hidden costs can hurt
Nobody can dispute the up-front cost savings provided by the cloud. But moving from one cloud to another can be expensive. Plus, one cloud is often not enough because of congestion and outages. More cloud providers equals more cost. Also, regulatory compliance again becomes a challenge since you can never outsource the risk to a third party. That leaves the burden of conducting vendor due diligence in a company’s hands.
5. Data security is actually your responsibility
Yes, security in the cloud is often more sophisticated than what a company can provide on its own. However, many organizations fail to realize that it’s their responsibility to secure their data before sending it to the cloud. In fact, cloud providers often won’t ensure the security of the data in their clouds and, legally, most jurisdictions hold the data owner accountable for security.
Risk managers can’t just take cloud computing at face value. Yes, it’s a great alternative for cost, speed and security, but hidden fees and unexpected threats can make utilization much riskier than anticipated.
Managing the risks requires a deeper understanding of the technology, careful due diligence and constant vigilance — and ACE can help guide an organization through the process.
To learn more about how to manage cloud risks, read the ACE whitepaper: Cloud Computing: Is Your Company Weighing Both Benefits and Risks?