I had the pleasure of attending the PCI Security Standards Council’s North American Community Meeting in Las Vegas this week. PCI is a consortium formed by American Express, Discover, JCB International, MasterCard Worldwide, and Visa, and its mission is to standardize and enhance worldwide credit card and payment account security. In other words, PCI works to keep credit card transactions safe from theft, breach, and compromise, and the Community Meeting is a great forum to learn about recent developments in cyber threats, theft of credit card data, breach of data security, and overall computer data safety.
In his keynote, Bob Russo, PCI’s General Manager, urged us all to remember that that hacking isn’t adorable anymore. In the first generation of computers, the hacker’s image was of the outsider high-school kid trying to impress his friends. Today, credit card and data hacking is part of an elaborate world-wide underground economy of organized crime. This threat goes far beyond mere vandalism or mischief. Losses are in the hundreds of billions of dollars, and the disruption and existential risks to a business from a breach can be acute.
Insurance Coverage for Data Breaches
Most companies that accept card and electronic payments, and that have data to protect, have focused on the Cyber Crime exposure. But, from my standpoint as an insurance professional, it’s clear that many organizations that are fairly sophisticated in their physical risk and health & safety practices sometimes still lag in their data security practices. An indicator of this is the relatively limited penetration of Cyber Liability and Privacy Liability insurance coverage among all classes of merchants. Fortunately, the perception is changing. E-Commerce vendors and companies that accept cards and electronic payments are paying far more attention to contractual data security standards, such as PCI-DSS, and to legal exposures for breach, such as from HITECH or HIPAA.
There is also greater public awareness of a larger trend that’s been happening for years, which is the competition between nations for control of the internet, and competition for both political and commercial control of data. Among the highlights of the conference was a presentation by Mr. Misha Glenny, an English author and journalist, and expert in the field of internet crime. Mr. Glenny discussed how the general threats of “cyber malfeasance” include not just Cyber Crime, but also Commercial and Political Espionage, and Sabotage/Warfare. (This link will bring you to a terrific TED Talk that Mr. Glenny presented in Scotland in 2011.)
One particularly chilling example cited by Mr. Glenny was of a hack of SOCA, the UK’s cyber crimes law enforcement unit, in which the perpetrators were able to alter the contents of criminal records on SOCA’s database. (Frankly, I’m very concerned not just about credit card payments compromise, but also about overall data compromise. Imagine a breach of your company’s computer systems that, in an act of spite, vandalism, or whatnot, wipes or corrupts all your data…)
Another terrific presentation was by Jacob Ansari, an analyst from 403 Labs. 403 Labs is a leading provider of forensic analysis and investigation of credit card and data security breaches. Jacob pointed out that, generally, the method behind most data breaches isn’t glamorous, and most involve basic stuff, like bad passwords, insecure remote access, un-patched systems, default credentials, or a simple breakdown in the human data control chain. Yet the costs and implications are acute: Contractual and Civil fines and penalties, forensic investigation costs, cost of correctives, legal expenses, reputational damage, and loss of business.
Both Mr. Glennie and Mr. Ansari pointed out that many breaches take place in food service and hospitality, with documented cases of breaches along the human chain of custody of the card. That is, a common cause of breach is not a hack, but people in the payment chain. Chip and PIN technology, and the (hopefully) coming adoption of the EMV Security Standards into United States, may help reduce this hazard. (Under the EMV standard, which is widely in use in Europe, the card doesn’t leave your hand when you make a purchase. Instead, you dip your card into a reader, and enter your PIN. This helps reduce face-to-face fraud.)
So what does insurance have to do with all this? From the standpoint of companies exposed to privacy breach violations of the PCI Standard, or the violation of another privacy standard such as HITECH or HIPAA, it’s important to consider Privacy Liability insurance. A well-constructed Cyber Liability policy would help pay for the third-party liability costs associated with a breach.
But insurance is not the overall solution to data security. While insurance is getting better at dealing with third-party liability claims, it still isn’t the best solution to first-party data recovery. Imagine a breach or a physical loss that wipes out your data, and your backups fail. Even if the insurance company hands you a check to help pay for data recovery, how would you realistically go about recovering all of your contacts, client information, financial records, archives, intellectual property, and pictures of your kids? At best, a well-constructed insurance policy would help pay for first-party loss-of-data recovery costs. But the insurance company can’t reconstruct your data for you.
From the standpoint of any company that maintains data that’s essential to operations – that is, everybody – it’s essential to harden systems against physical damage or penetration, and to maintain robust backup systems. Whether the compromise of your data is the result of a breach, or the result of something a lot less glamorous, like a drive failure or a leaky pipe above your server room, the end result can be disruptive and disastrous.
One last point: Everybody uses their credit cards, and over time, your numbers can be compromised. So, once a year, I ask American Express and Mastercard to reissue me new cards, with new numbers.
(Note: PCI has developed the Data Security Standard, also known as the DSS. The DSS is the credit card community’s best-practices technique of maintaining data and payment card security. The link above is a brief layman’s introduction to DSS Version 2.0. Part of what we were doing at the meeting was working on the introduction of DSS 3.0.)