It’s been called one of the largest data breaches of all time.
The 2013 breach of Target’s customer data exposed the personal information of up to 70 million customers and the data of 40 million credit and debit cards to hackers, who apparently had free run of Target’s network for weeks before the theft was discovered.
The thieves not only grabbed credit and debit card numbers, they got the corresponding PIN data as well (encrypted, according to Target, but taken all the same). On top of that, they stole the names, addresses, phone numbers, and email addresses of previous shoppers, regardless of when they had last shopped at Target. That would allow them to do some real damage.
(You can read an interesting report on Krebs On Security about how Verizon security consultants were brought in to expose weaknesses in Target’s security, and found that once inside the network they had nearly unfettered access to the entire system, from deli scales to self-scan cash registers to credit card payment systems.)
When a breach like this occurs, the merchant has several steps they’re supposed to take, depending on state and federal laws and industry regulations. First, they notify the authorities (in Target’s case, the FBI). Next, they’re supposed to notify every customer affected by the breach, traditionally by snail mail. Finally, they usually provide a year of credit monitoring service.
Imagine the cost of sending a single letter in a single envelope with a single stamp multiplied by 70 million people. If you could do it for $0.50 apiece, you were getting off cheap. In Target’s case, that’s $35 million just to tell people their personal information had been stolen.
A breach also means resetting passwords for everyone in the company, and training them on proper password creation. In Target’s case, the Verizon testers were able to crack 472,308 of Target’s 547,470 internal passwords (86 percent). Those passwords gave them access to various internal networks at Target, including the email network, the stores network, and even the headquarters in Minneapolis.
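How does an auditor (or an attacker) crack 86 percent of a company’s passwords? By guessing the patterns people actually use. The script below is an added example, not code from the article or from Verizon’s engagement: it runs a small rule-based dictionary attack over a constructed set of five password hashes. The users, passwords, word list and the use of unsalted SHA-1 are all assumptions made for the demonstration (the page does not say how Target stored its passwords); real attacks use the same approach with millions of words and thousands of mangling rules.

```python
import hashlib


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed sample, not data from Target or from the page: five users and the
# unsalted SHA-1 hashes of their passwords. Unsalted SHA-1 is an assumption made
# for this demonstration only.
SAMPLE_HASHES = {
    "alice": sha1_hex("ABCShoes2013!"),                 # company name + year + symbol
    "bob":   sha1_hex("Summer#1"),                       # season + common suffix
    "carol": sha1_hex("Password1"),
    "dave":  sha1_hex("welcome123"),
    "erin":  sha1_hex("correct horse battery staple"),  # long passphrase
}

# A deliberately tiny word list. The rules below imitate a handful of the
# manglings that hashcat/John rule sets apply at scale.
WORDLIST = ["ABCShoes", "password", "welcome", "summer", "letmein", "shoes"]
YEARS = [str(y) for y in range(2010, 2017)]
SUFFIXES = ["", "!", "#1", "1", "123"]


def candidates(words):
    """Yield guesses: each word as written, capitalised and upper-cased, with an
    optional year and an optional trailing digit/symbol appended."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for year in [""] + YEARS:
                for suffix in SUFFIXES:
                    yield base + year + suffix


def crack(hashes: dict, words) -> dict:
    """Return {user: plaintext} for every hash matched by a generated guess.
    Because the hashes are unsalted, one guess is checked against every user at once."""
    by_hash = {}
    for user, digest in hashes.items():
        by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for guess in candidates(words):
        for user in by_hash.get(sha1_hex(guess), []):
            cracked[user] = guess
    return cracked


def crack_rate(hashes: dict, words) -> float:
    return len(crack(hashes, words)) / len(hashes)


if __name__ == "__main__":
    found = crack(SAMPLE_HASHES, WORDLIST)
    for user, password in found.items():
        print(f"{user}: {password}")
    print(f"cracked {len(found)} of {len(SAMPLE_HASHES)} "
          f"({crack_rate(SAMPLE_HASHES, WORDLIST):.0%})")
```

Four of the five fall to 720 guesses; only the long passphrase survives. Two lessons follow: the policy fix is length and unpredictability (passphrases, a manager, no company name or year), and the storage fix is a salted, slow hash such as bcrypt, which stops one guess being tested against every account at once and makes each guess expensive, but still will not save a password that is on the first page of the word list.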
There are all kinds of security changes and updates that have to take place as well. This means bringing in extra IT staff or outsourcing to a professional cyber security firm, as Target did.
The testers also found many servers missing critical Microsoft patches, and some running outdated web server software with known vulnerabilities. According to Krebs On Security, the testers didn’t even need valid login credentials to get in.
Needless to say, Target took immediate action. Krebs On Security said Target spent “hundreds of millions of dollars” to bring in new leaders, build teams of security experts, and even open a “cyber fusion center.”
Several banks lost millions of dollars when they were forced to reimburse customers who lost money. Not to mention the money they spent replacing cards: Citibank replaced every debit card that might possibly have been included in the theft.
As a result, Target was the defendant in several multi-million dollar lawsuits. In March 2015, it settled a class action filed by its customers for $10 million. In August 2015, it settled with Visa for $67 million. And in December that year, it settled a class action brought by banks that had issued MasterCard cards for $39 million (after those banks had rejected a $19 million deal brokered by MasterCard).
Despite everyone’s best efforts, cyber theft and hacking isn’t going away anytime soon. We’ve got things like chips in our debit cards and chip readers at cashier stations, but adoption is slow. And people still aren’t being smart about their computer use, either at work or at home. That means anyone who accepts credit and debit cards and stores that information is vulnerable to data loss through cyber theft.
There have been approximately 6,430 data breaches between August 2005 and August 2016, with 878,880,440 records stolen in that time. And that’s just the financial and personal data. It doesn’t include attacks on websites and blogs to distribute malware, distributed denial of service (DDoS) attacks, and other cyber attacks.
Cyber security experts agree: the question is not whether your computer network gets hacked, it’s when it gets hacked. It’s going to happen eventually. The question is whether you have the proper security in place to reduce the damage. Is your data backed up securely and in more than one location (including an off-site location)?
And most importantly, do you have cyber liability insurance?
Cyber liability insurance protects you in the sense that you’re not on the hook for millions of dollars, and it helps you respond when there is a data breach or data loss. In that sense it also protects your customers: it helps you follow the law, notify the customers, and shield them from the fallout.
If you suffer a data breach, even if it’s only 3,000 customers for a small ecommerce business, there are certain steps your insurance company will help you take in order to meet state and federal laws. These can include the following:
But rather than making you try to figure out everything that needs to be done, your insurance company will step in, hire the right vendor to handle everything, and they’ll notify your customers and manage the credit monitoring. This is typically not done in your office; the vendors do it out of their own office, unless they need direct access to your records.
Cyber liability together with your General Liability insurance can also cover loss of income if you’re the victim of a DDOS attack or hacking that brings down your network, website, or ecommerce store.
In short, nearly everyone needs it. If you do anything on the Internet, or do anything that uses a computer, you need it. The Internet is so vital to business today, it’s hard to imagine that as little as 10 years ago, it wasn’t a big concern to the industry. But now it’s in everything we do. Here are a few examples. If you:
In short, if you have a computer for your business, you need cyber liability insurance. This includes attorneys, CPAs, mortgage lenders, Realtors, and so on. It includes medical professionals, health-care practices, nursing homes, and home health care companies.
For example, if you had ABCShoes.com, a hacker could register ABCShocs.com (notice the C where the E in Shoes should be) as a lookalike site. If your customers don’t pay close attention to their address bar, they might think they’re on the same website, and enter their credit card information for a purchase. The thief is then able to use the card or sell it to other hackers and thieves.
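The practical response is to enumerate the lookalikes of your own domain before someone else does, and register or watch them. The script below is an added example, not code from the article: it generates single-edit variants of a domain (a character dropped, doubled, swapped with its neighbour, or replaced by one that reads alike, plus alternate TLDs) and flags any that appear in a list of hostnames you have collected. It assumes a plain second-level domain like the page’s hypothetical abcshoes.com; the list of observed hostnames is constructed for the example, and in practice would come from Referer headers, a certificate-transparency feed, or a registrar search.

```python
# Added example (not code from the original article). abcshoes.com is the page's
# hypothetical domain; the hostname list below is constructed for illustration.

CONFUSABLES = {           # characters that read alike in an address bar
    "e": ["c"], "c": ["e"], "o": ["0"], "0": ["o"], "l": ["1", "i"],
    "i": ["l", "1"], "m": ["rn", "n"], "n": ["m"], "w": ["vv"], "s": ["5"],
    "a": ["4"], "b": ["d"], "d": ["b"],
}
ALT_TLDS = ["com", "net", "co", "org"]


def typosquats(domain):
    """Return the set of single-edit look-alikes of `domain` (a second-level
    label plus TLD, e.g. abcshoes.com): one character dropped, doubled, swapped
    with its neighbour, or replaced by a confusable, plus alternate TLDs."""
    label, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])              # dropped character
        variants.add(label[:i] + ch + label[i:])             # doubled character
        for alt in CONFUSABLES.get(ch, []):
            variants.add(label[:i] + alt + label[i + 1:])    # look-alike character
        if i + 1 < len(label):                               # adjacent swap
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    result = {v + "." + tld for v in variants if v}
    result |= {label + "." + t for t in ALT_TLDS if t != tld}
    result.discard(domain.lower())                           # never flag ourselves
    return result


def flag_lookalikes(hostnames, domain):
    """Return, sorted, the observed hostnames that are look-alikes of `domain`."""
    squats = typosquats(domain)
    return sorted(h.lower() for h in hostnames if h.lower() in squats)


# Constructed sample of hostnames seen in, say, Referer headers (not real data).
OBSERVED_HOSTS = ["abcshocs.com", "abcshoes.co", "abcsh0es.com",
                  "example.com", "abcshoes.com", "cdn.abcshoes.com"]

if __name__ == "__main__":
    print(f"{len(typosquats('abcshoes.com'))} look-alikes of abcshoes.com")
    print("suspicious:", flag_lookalikes(OBSERVED_HOSTS, "abcshoes.com"))
```

The generator only covers single edits and a short confusables table; a production check would also add homoglyphs from other scripts, hyphenated and subdomain forms, and a lookup of which variants are already registered.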
In the B2B world, such as manufacturers and distributors, if your work depends on the proper functioning of your computer network — storing financial and customer information, specs on your products, proposals and operating instructions, etc. — your data is valuable to competitors, including overseas manufacturers who might want to pirate your technology.
There’s also plain link hijacking, which is easier when you registered with a fly-by-night web host or domain registrar (the place where you buy your domain names, like GoDaddy). One friend’s website was hijacked so that when a visitor clicked any of three links on his site, they were redirected to a black market Russian pharmaceutical website. In other cases, hackers might target all the buy/checkout buttons, and redirect users to a fake page on their own site to capture credit card information.
Even in a retail business, like clothing or shoes, you may think you’re safe because you don’t store credit card information, since that’s all kept on the credit card processor’s site. Or you may be PCI compliant (PCI DSS is a set of security standards that any company accepting or storing credit card information must follow), but that doesn’t make you safe. Even Target was certified PCI compliant when it was hacked.
PCI compliance only covers the systems that handle card data; the rest of the network is often weaker, and that is where hackers go in. Once inside, they can look around until they find a path into the systems that hold the card information.
And finally, hackers can even attack the space between the credit card machine and the processor, intercepting the data as it travels over the phone line or Internet connection. If that link isn’t encrypted end to end, there’s still plenty of danger.
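A hijacked checkout button is just a link or form whose target has been rewritten to point somewhere else, so it can be caught by fetching your own pages and checking where every link, form action, script, iframe and meta-refresh points. The script below is an added example, not code from the article: it parses a constructed page for the page’s hypothetical abcshoes.com, with an allow list of the shop’s own hosts, and reports every reference to a host outside that list. The sample page, the allow list and the off-site hosts in it are all made up for the example; it catches references rewritten in the HTML, not redirects performed server-side or by script after the page loads, which need a check of the live response.

```python
# Added example (not code from the original article): flag off-site links, form
# actions, scripts, iframes and meta-refreshes in a page's HTML.
from html.parser import HTMLParser
from urllib.parse import urlparse


class OffsiteFinder(HTMLParser):
    """Collect every link, form action, script, iframe and meta-refresh target
    whose host is not on the allow list."""
    WATCH = {"a": "href", "form": "action", "script": "src", "iframe": "src"}

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []          # (element, host, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)         # HTMLParser lower-cases tag and attribute names
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0;url=https://..."; a refresh to another host is
            # the classic "click and you are somewhere else" hijack
            _, _, url = (attrs.get("content") or "").partition("url=")
            self._check("meta refresh", url.strip())
            return
        attr = self.WATCH.get(tag)
        if attr and attrs.get(attr):
            self._check(tag, attrs[attr])

    def _check(self, element, url):
        host = urlparse(url).hostname      # None for relative URLs, which are fine
        if host and host.lower() not in self.allowed:
            self.findings.append((element, host, url))


def find_offsite_references(page_html, allowed_hosts):
    """Return [(element, host, url), ...] for every off-site reference in the page."""
    finder = OffsiteFinder(allowed_hosts)
    finder.feed(page_html)
    finder.close()
    return finder.findings


# Constructed sample page for abcshoes.com with two injected references: the
# checkout form posts to a look-alike domain and a script is loaded from a
# stranger's host. None of these hosts are real.
ALLOWED = ["abcshoes.com", "www.abcshoes.com", "cdn.abcshoes.com"]
SAMPLE_PAGE = """<html><body>
<a href="/products/boots">Boots</a>
<a href="https://www.abcshoes.com/cart">Cart</a>
<form action="https://abcshocs.com/checkout" method="post">
  <input name="card"><button>Buy now</button>
</form>
<script src="https://cdn.abcshoes.com/app.js"></script>
<script src="//pharma-deals.example/inject.js"></script>
</body></html>"""

if __name__ == "__main__":
    for element, host, url in find_offsite_references(SAMPLE_PAGE, ALLOWED):
        print(f"OFF-SITE {element:<12} {host:<24} {url}")
```

Run it against the page as served to a visitor, not just against the files on disk, since a compromised host can rewrite the HTML on the way out; and keep the allow list short, because every third-party script on a checkout page is a host that can change your form for you.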
Basically, if you work in a cash or check-only business, like a small building contractor, you can probably get by without it. Otherwise, you need cyber liability insurance.
But if you’re not sure, please ask your insurance professional about it.
We’ve already covered data breaches and theft due to hacking, but there’s a lot more to it. Cyber liability insurance will also cover costs associated with notifying your customers, monitoring their credit for one year or more, and any other surprise incidental costs associated with your state, federal, and even industry-related laws and regulations (such as HIPAA issues for a healthcare business).
It can cover the business income side of things when a website or network goes down. Let’s say your company does all its business online, and something happens to your ecommerce server. It doesn’t have to be malicious cyber activity, it could be that the web host suffered a fire or storm-related blackout. Regardless, your company is losing revenue because of the site loss.
That’s when the business income section of your cyber liability or general liability insurance kicks in. It typically triggers after a waiting period of 48 to 72 hours of downtime, and covers the income you lose during the rest of the outage. When the electricity went out in New York City during Hurricane Sandy, a lot of companies were covered by their business income coverage.
Of course, this is also why you should work with an external web host: they usually offer a 99.99 percent uptime guarantee and will do everything they can to come back up quickly. But 99.99 percent still allows about an hour of downtime a year, the guarantee usually pays out only in service credits, and if you sell thousands of dollars a day, a multi-day outage costs far more than any credit.
It can also cover data that’s lost in a fire or physical theft. This kind of thing is typically covered in general coverage, but can be expanded and customized to fit some needs of special data and other valuable information a company might own.
Previously, businesses stored their backup data on in-house servers, or on CD backups stored in someone’s desk drawer. But that had the potential of being lost in a fire or flood. (And many people discovered they hadn’t done their backups correctly when they went to restore their lost data.) So security and disaster recovery experts recommend storing backups offsite, and even in the cloud.
As a result, cyber liability insurance policies have expanded to also cover cloud-based backups and offsite locations. Early policies focused on customer-specific information (banking information, personal information, credit cards, credit history); now they can also cover other forms of data, like financial records and other financial information.
The coverage can even extend to businesses that might go out of business because of data loss. (The fact that this can even happen reinforces a very strong argument for having more than one backup method of data, including an offsite location and a cloud-based location.)
Of course, all of these stipulations are set up when you first purchase your cyber liability insurance: where your data backups are stored, how much is kept, and how long it’s kept for. There are also questions about the size of your company, how long you’ve been in business, and what you want covered.
And when a company is more complex, with more employees, more locations, and so on, there will be more stipulations. These typically include having two forms of backup, a regular backup frequency, and regular validation of those backups.
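“Regular validation of those backups” means proving they restore, not just that the job ran; the people who discovered their backups were bad only when they went to restore had never tried. The script below is an added example, not code from the article or from any insurer: it backs up a directory to a tar.gz with a SHA-256 manifest, then validates by restoring into a scratch directory and comparing every file against the manifest, so a corrupt, truncated or incomplete archive is reported before you need it. The sample files, paths and the truncation used to simulate a failed job are constructed for the example; copying the archive and manifest offsite is left to whatever you already use for that.

```python
# Added example (not code from the original article): back up, then prove the
# backup restores. All sample data below is constructed.
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root):
    """Map each regular file under `root` (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive):
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source, archive):
    """Write source/ into a tar.gz and record a hash manifest beside it.
    Keep a copy of the manifest somewhere other than the backup medium."""
    source, archive = Path(source), Path(archive)
    manifest = make_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    manifest_path(archive).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_backup(archive):
    """Test-restore into a scratch directory and compare every file with the
    manifest written at backup time. Returns a list of problems; an empty list
    means the backup restores cleanly. Run this on a schedule, not at restore time."""
    archive = Path(archive)
    expected = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # the 'data' filter (Python 3.12+, backported to older 3.x) refuses
                # members that would write outside the scratch directory
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except Exception as exc:   # anything that stops the restore is a failed backup
            return [f"archive unreadable: {exc!r}"]
        restored = Path(scratch) / "data"
        actual = make_manifest(restored) if restored.is_dir() else {}
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"content changed: {rel}")
    for rel in sorted(actual.keys() - expected.keys()):
        problems.append(f"unexpected file: {rel}")
    return problems


def demo():
    """Constructed data set: back it up, verify, then truncate the archive the way
    a backup job that died mid-copy would, and verify again."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "customers"
        (src / "records").mkdir(parents=True)
        (src / "records" / "orders.csv").write_text("id,total\n1,49.99\n2,120.00\n")
        (src / "notes.txt").write_text("constructed sample data for the example\n")
        archive = work / "customers.tar.gz"
        create_backup(src, archive)
        clean = verify_backup(archive)
        raw = archive.read_bytes()
        archive.write_bytes(raw[: len(raw) // 2])   # simulate a half-written backup
        broken = verify_backup(archive)
    return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("intact archive :", clean or "OK")
    print("truncated copy :", broken)
```

The manifest is what makes the check meaningful: without it, an archive that opens and extracts a few files looks fine. Store the manifest with the second copy of the backup (the offsite or cloud one) so that a problem with one medium cannot hide itself, and treat any non-empty result as an incident for the backup job, not a note for later.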
There may even be IT and security requirements, especially if your business stores a lot of sensitive data. This is typical of a large retailer or hospital.
Cyber liability insurance exists for a reason. If you don’t have it, or don’t feel you have the right coverage, please speak to an insurance agent about the kind of cyber liability coverage you should carry. In the meantime, here are a few other things you can do.
At times, it may seem like you’re fairly safe from anything happening to your network. If you own a small business, you may think, “I’m so small, the hackers won’t even pay attention to me.”
Except this isn’t true. We’re long past the days of lone hackers trying to break into a corporation’s mainframe. The theft is automated, and attackers can scan and attack thousands of servers in minutes. Even a small business’s servers are of some use to them, if only as a launching point for attacks on other servers.
If you want true peace of mind, you need to talk to two people:
Cyber liability insurance may be a small part of your total business insurance needs, but it can be one of the most important policies you have. This will keep you, your business, and your customers safe if and when your data falls into the wrong hands.