Just prior to the Christmas holiday in 2013, the prominent retail chain Target announced that it had been the target of a massive hack of its credit card processing systems. The breach compromised as many as 40 million credit card numbers. Law enforcement authorities and Target’s own investigators confirmed that stolen card numbers were coming up for sale on Internet sites catering to identity thieves at anywhere from $20 to $100 per card.
The complaint reads, in part: “Target failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.”
All businesses are at risk
If Target’s modern Internet security and encryption can be hacked into, so can yours. And if your business fails to protect this information against criminals both internal and external to your organization, you could be liable for damages.
Target was named a defendant in a lawsuit within days of the news breaking. Naturally, Target can afford the top attorneys in the country to defend its interest. For most small or medium-sized businesses, the attorney’s fees alone involved in mounting a defense would be a very significant hardship, even in much smaller cases.
The fact is that credit card thieves, hackers, and extortionists attack small businesses every day. Servers in restaurants, for example, can swipe a credit card using a smart phone and a tiny reader they can carry around in their pockets – or photograph your accounts receivable records. Advances in technology and business methods have also created new dangers for businesses, and an emerging area of insurance and law centered around cyber-risks.
As a small business, your risk isn’t confined to credit card numbers and transactions. You could be facing immense liability from any of these cyber-crime related risks:
- Security breaches business checking accounts
- Electronic theft of money you hold as a fiduciary for your clients or customers
- Health insurance records
- Theft of e-mail addresses
- Customer bank account and other billing information
- Personally-identifiable medical information
It’s not just criminals that can cause a claim, either. Your servers could be destroyed in a fire, or infected with a computer virus.
Damages can quickly total into the hundreds of thousands or millions of dollars, depending on the size of the business and the nature of the data that was destroyed, compromised or stolen.
Insuring Against the Risk
Fortunately, it’s now possible to insure against the devastating effects of a cyber breach or network disaster. While there is no “standard policy form” at this point, most policies currently available will provide coverage against the following types of risks:
- Data destruction
- Data recovery costs
- Business continuation
- Data theft costs
- Legal fees arising from cyber risks
As with any type of insurance, definitions matter, so look beyond the monthly or annual premium costs to see how each peril is defined, and review any exclusions, before electing a carrier or policy.
Who To Involve
Selecting appropriate coverage is frequently a team effort. Best practices include getting input not just from management and from a licensed insurance agent, but also from dedicated IT personnel, who may be tracking the latest scams and risks in their own professional reading and can help keep management apprised of risks and vulnerabilities.