Security and data breaches don't favor one organization or industry over another and are taking place every day. Companies should consider the "how" of a breach -- as opposed to the "who" -- to evaluate their exposure to a similar event.
Retail operations remain a target to hackers due to the volume of information in their systems, including credit card information, confidential information for loyalty programs, and employee data. The victims of these attacks are an organization's most valued assets: their employees and customers.
Until recently, many thought data risk was trivial compared to other threats such as theft, slip and falls, and workplace violence. But with data compromise occurring at much greater frequency, it's one risk you don't want to underestimate. Reputational harm stemming from a poorly managed data breach can be catastrophic.

Five myths you can't afford to believe
1. Data theft is not a problem for me -- my company is too small. Data privacy is a concern for organizations of any size. Rogue employees, data thieves, and unscrupulous business associates are looking for opportunities to take advantage of any weakness or mistake. Additionally, human error by negligent or careless staff accounts for a surprising number of data breaches around the country.
2. We can afford to self-insure the risk. As the economy continues to recover, companies are still closely watching discretionary spending, including certain lines of insurance coverage.
Many organizations wrongly believe that if something happens to their data, they can afford to cover the costs. According to a recent Ponemon Institute study, the average cost for a small breach of 1,000 records could easily exceed $200,000 -- a sum that many companies cannot easily absorb.
Remember, the majority of funds to respond to a breach need to be liquid. Breach vendors typically look for payment before or at the time service is rendered, and payment for postage is required when the letter is mailed, not 30 days later.
3. Coverage is expensive and hard to get. This perception was true five years ago but is not true today. Competition, claims experience and a larger pool of buyers have made network security and privacy liability coverage more cost-effective and easier to obtain.
Even with the recent proliferation of retail breaches, the market remains relatively stable. Some carriers, however, are more cautious when reviewing risks with a large volume of credit card data.
4. Our general liability policy will cover us. General-liability insurance covers bodily injury and property damage as well as advertising injury and personal injury. The courts have consistently stated that data are not property because they are intangible. The perils associated with advertising injury and personal injury are very specific.
While a properly worded lawsuit could trigger coverage, the main expenses from a data-privacy event are the breach response- and notification-related costs. There is little chance of these costs being covered under a general-liability policy.
5. We have vendors who handle our sensitive information and credit card transactions; if they have a breach, it's their problem not ours. This is not generally true. The data owner -- the person or entity collecting the data -- is ultimately responsible for what happens to that data.
Thus, a breach at a trusted business vendor could still lead to your obligation to provide notification and a decision whether to offer credit monitoring. Your contracts may require indemnification by your vendor, but if the breach is large enough, indemnification might not be enough to cover the costs or your vendor could file for bankruptcy.