Insure This
By Bill Velin

Small Companies and Data Breaches

In light of the recent well-known retail data breaches, it is a good time to reiterate that automotive recyclers, on both the wholesale and retail level, are not immune from this exposure. Data breaches at small retail businesses are happening every day, and small businesses have always been an interesting target for hackers due to the volume of information in their systems, including credit card data, employee data, and other information. You may think this is an insignificant risk compared to others, but data privacy breaches occur at a much higher rate than you might think and cause significant financial harm beyond what you might expect, including reputational harm, which can be catastrophic.

The primary exposures in data breaches are:
• Unauthorized access to or use of computer systems
• Black boxes and skimming devices
• Unsecured wireless networks
• Theft of proprietary information
• Data or network sabotage
• Corruption of digital assets
• Theft or loss of portable media devices such as iPhones, back-up drives, thumb drives, etc.
• Identity theft
Retail Exposures
Retail operations collect an abundance of sensitive information including credit and debit card numbers, names, addresses, e-mail addresses, copies of driver’s licenses, and other highly sensitive information on employers and job applicants, and in many cases it is kept for years. Any breach of this information exposes you to litigation, regulatory scrutiny and public humiliation. The lawsuits arising from this type of data breach come from many sources including breach victims, issuing banks, the Payment Card Industry (PCI) and local and federal regulators.

If a retailer is alleged to be, or is, in violation of a privacy breach law, it can be subjected to notification requirements. Most of the states have notification laws; this complicated and expensive process creates civil liability if proper notification is not made on a timely basis. Also, the Federal Trade Commission and other federal entities can bring investigative actions against you and impose fines and penalties.
Top Management Risk
Owners, directors and officers are also at risk. Some have been sued for failure to provide adequate network security to prevent breaches or for failing to provide their company with sufficient resources or insurance to manage this risk.

There are five myths that you shouldn’t believe:

1. DATA SECURITY AND PRIVACY IS NOT A PROBLEM FOR SMALL RETAILERS. Not true – bad things happen to retailers of all sizes. Rogue employees, data thieves, and unscrupulous associates are always looking for opportunities to take advantage of even the slightest weakness or mistake.
2. WE CAN AFFORD TO SELF-INSURE THIS RISK. As the hard economy continues, we tend to spend less on optional expenses. Many small companies believe that if something happens to their data, they can afford to cover the costs. Well, a recent study by the Ponemon Institute puts the average cost of a small breach of 1000 records at $200,000! And, of course, most of those funds need to be liquid.
3. COVERAGE IS EXPENSIVE AND HARD TO GET. Again, not true. Competition and a large pool of buyers have made coverage more cost-effective and easier to obtain.
4. OUR GENERAL LIABILITY POLICY WILL COVER US. Again, no. General Liability policies cover you for bodily injury and property damage. Courts consistently rule that data is not property and is “intangible.”
5. WE HAVE VENDORS THAT HANDLE OUR CREDIT CARD TRANSACTIONS AND IF THEY HAVE A BREACH, IT IS THEIR PROBLEM NOT OURS. This is generally not true! The data owner who collects the information has usually been found to be ultimately responsible for what happens to that data.

Breaches are, most often, successful because preventative measures are lacking. Small entities must have strict policies and procedures, and a comprehensive plan for incident response. Consider this:
• Have you adequately educated your employees about their responsibility to protect private information?
• Have you implemented procedures for access and use of private data, and is access limited on a “need to know” basis?
• Do you restrict and/or encrypt data that is stored on mobile devices, including back-up tapes?
• Do you have procedures managing your contracts with business associates including indemnification, insurance, and significant limitations of liability?
• Do you follow encryption standards?
• Do you have a written policy regarding the dissemination of personal information on public and social media sites?
• How often do you monitor networks, websites, and databases to detect potential issues?
• What will you do if a potential issue is identified?
• Do you have adequate reserves or insurance protection to manage the financial impact of a breach?
It is smart to have an incident response plan, and a forensics expert and privacy attorney on retainer, ready to mitigate the effects of the breach and deter any potential litigation.
Bill Velin is Vice President with Assured Insurance Group/Lee F. Murphy Insurance, one of the largest insurance agencies in the country, representing a variety of carriers. Contact Bill at (651) 294-0705 or billv@leefmurphy.com. Visit www.leefmurphy.com.
January-February 2019 • AUTOMOTIVE RECYCLING