By KEVIN P. KALINICH, J.D., national managing director at Aon Financial Services Group and leader of the national practice to identify exposures and develop insurance solutions related to technology errors and omissions, miscellaneous professional liability, media liability, network risk and intellectual property
Data breaches have become more frequent, sophisticated and financially damaging for retailers. As many as 79 percent of retailers have experienced a breach, and for large organizations the average total cost per breach is estimated at $6.3 million, according to the Ponemon Institute. Losses range from difficult-to-insure damages, such as lost future business and reputation, to insurable damages, such as customer class-action litigation and card cancellation and replacement costs.
Take the TJX Cos. Inc. breach, for example: hackers stole data on more than 45 million credit and debit cards, and the breach has cost the company more than $256 million.
Planning ahead will protect a retailer's financial statements as we approach the 2009 holiday season.
One effective method is for risk managers to educate their organization about the magnitude of the potential ramifications of compliance, or lack of compliance, with the Payment Card Industry Data Security Standard, or PCI DSS.
While there are numerous legal standards associated with data security, the 12 PCI DSS requirements are becoming the benchmark against which a merchant's liability is measured.
A merchant's payment card obligations are dictated by its agreement with the acquiring bank that processes its card transactions. Merchant agreements require the merchant to comply with the operating regulations and security programs of the relevant card brands (Visa, MasterCard, Discover and American Express, for example), and those programs incorporate PCI DSS.
Use of PCI DSS has expanded beyond the contractual obligation to the merchant bank: it is now used to define what constitutes "reasonable security" in regulatory actions (see the Minnesota Plastic Card Security Act and Nevada's data breach law) and in civil actions (see the de facto negligence standard applied in the Hannaford and TJX breach litigation).
As such, a merchant's PCI compliance efforts are scrutinized by several different audiences, including judges, juries, plaintiff attorneys and regulators, to help determine whether it provided "reasonable security."
A retailer's IT security department may believe that meeting the minimum PCI requirements is sufficient to satisfy the merchant agreement. To avoid liability to these additional constituencies, however, retail risk managers should understand that courts and regulators scrutinize breached entities to determine whether the merchant was negligent, based in part on whether it adopted "reasonable security" measures, and that standard may exceed the minimum PCI requirements.
WHAT TO DO NEXT?
How can a risk manager influence the PCI compliance process to reduce potential liability and stabilize the company's financial statements? Risk management should ensure that the PCI compliance process includes legal, insurance and finance personnel in addition to IT security staff. Too often, IT security treats PCI compliance as a "check the box" exercise.
A recent survey by the Ponemon Institute found that only 28 percent of smaller companies comply with PCI DSS, as opposed to 70 percent of larger companies.
Engaging legal, finance and risk management in the PCI DSS process benefits the financial well-being of the company beyond IT security. For instance, in the event of a breach, medium and large retailers are required to use one of eight payment card industry certified forensic investigators, whose findings are reported to the card brands. Risk managers should team with their legal counsel to advise IT security to consider retaining an independent security assessor in addition to this assigned investigator.
Why? An independent assessor engaged through legal counsel can bring its work under attorney-client privilege, act as a check and balance on the card brands' investigator, and develop independent evidence of PCI compliance to defend the company in regulatory proceedings, contract disputes and civil litigation.
Furthermore, risk management should educate the IT security department that "reasonable security" reduces legal liability in litigation, regulatory proceedings and contract disputes. Depending upon the circumstances, simply checking a PCI compliance box may not be sufficient to avoid liability.
Risk managers and legal should make sure that IT security anticipates compliance by engaging and coordinating with the other company departments that touch cardholder data or the systems that handle it, including HR, IT, legal, procurement/outsourcing, finance and product development, as necessary, to help satisfy "reasonable security" standards.
If an organization is unable to comply with a requirement as written, because of a legitimate technical or documented business constraint, the PCI Security Standards Council (SSC) provides a way to meet the requirement: documenting a "compensating control." This is not a general escape hatch. The compensating control must be documented for each affected requirement (the PCI DSS includes a compensating controls worksheet for this purpose), and the assessor must evaluate and re-validate it at each annual assessment.
Note that compensating controls may require collaboration with the other departments listed above. As defined by the PCI SSC, compensating controls must satisfy the following criteria, among other conditions:
1. Meet the intent and rigor of the original PCI DSS requirement.
2. Provide a level of defense similar to the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against.
3. Be "above and beyond" other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.)
4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
FOUR STEPS TO REMEMBER
The first tool is the one already discussed: staying alert and proactive about standard risk mitigation policies, procedures, training and technology, and aligning them with layered security and risk-based analysis. Beyond that, risk managers have three other risk mitigation and risk transfer mechanisms to reduce the exposure of the financial statements to privacy and security risks.
Second, risk managers should review their network risk and security insurance policies to verify that the wording specifically addresses the PCI DSS related risks and exposures described above, such as card cancellation and replacement costs and customer class-action litigation.
Third, they can contractually limit liability with outsourced vendors. This requires coordination among procurement, IT security and legal. Contracts with vendors should specify that the vendor is liable for breaches of the security of IT systems and data in its possession or control, and should include a provision under which the vendor holds harmless and indemnifies the merchant for vendor-related breaches. (PCI DSS requirement 12.8 separately requires a written agreement in which each service provider acknowledges responsibility for the security of the cardholder data it handles, so vendor contracts must be reviewed for PCI purposes in any case.)
The fourth tool is a data breach response plan. Preparing a plan before it is needed allows a strategy to be developed in an organized manner by a team of clear-headed individuals with the appropriate combination of expertise, at a time when they are free of severe time pressure. Importantly, each department that will participate in executing the plan (legal, IT security, compliance, marketing, PR, risk management and corporate management) should be involved in drafting it, both to ensure the necessary breadth of knowledge and to secure "buy-in."
For instance, lining up forensics experts, an outside law firm to determine which jurisdictions and which data breach notification laws apply, and a credit monitoring agency in advance of a breach can save a breached merchant thousands of dollars in response costs.
Of course, the value of each of these tools depends upon the scope of the business and the volume of credit, debit, loyalty, prepaid and gift card transactions. And a retailer's ability to get the most out of each of them depends upon an understanding of PCI DSS.
November 1, 2009
Copyright 2009© LRP Publications