Wednesday, October 2, 2013

I had the pleasure of attending the PCI Security Standards Council's North American Community Meeting in Las Vegas this week.  PCI is a consortium formed by American Express, Discover, JCB International, MasterCard Worldwide, and Visa, and its mission is to standardize and enhance worldwide credit card and payment account security.  In other words, PCI works to keep credit card transactions safe from theft, breach, and compromise, and the Community Meeting is a great forum to learn about recent developments in cyber threats, theft of credit card data, breach of data security, and overall computer data safety. 

In his keynote, Bob Russo, PCI's General Manager, urged us all to remember that hacking isn't adorable anymore.  In the early days of personal computing, the hacker's image was of the outsider high-school kid trying to impress his friends.  Today, credit card and data hacking is part of an elaborate world-wide underground economy of organized crime.  This threat goes far beyond mere vandalism or mischief.  Losses are in the hundreds of billions of dollars, and the disruption and existential risks to a business from a breach can be acute.

Most companies that accept card and electronic payments, and that have data to protect, have focused on the Cyber Crime exposure.  But, from my standpoint as an insurance professional, it's clear that many organizations that are fairly sophisticated in their physical risk and health & safety practices still lag in their data security practices.  One indicator of this is the relatively limited penetration of Cyber Liability and Privacy Liability insurance coverage among all classes of merchants.  Fortunately, the perception is changing.  E-Commerce vendors and companies that accept cards and electronic payments are paying far more attention to contractual data security standards, such as PCI-DSS, and to legal exposures for breach, such as those arising under HITECH or HIPAA.

There is also greater public awareness of a larger trend that's been happening for years, which is the competition between nations for control of the internet, and competition for both political and commercial control of data.  Among the highlights of the conference was a presentation by Mr. Misha Glenny, an English author and journalist, and expert in the field of internet crime. Mr. Glenny discussed how the general threats of "cyber malfeasance" include not just Cyber Crime, but also Commercial and Political Espionage, and Sabotage/Warfare.  (This link will bring you to a terrific TED Talk that Mr. Glenny presented in Scotland in 2011.)
 
One particularly chilling example cited by Mr. Glenny was of a hack of SOCA, the UK's Serious Organised Crime Agency, in which the perpetrators were able to alter the contents of criminal records on SOCA's database.  (Frankly, I'm very concerned not just about credit card payments compromise, but also about overall data compromise.  Imagine a breach of your company's computer systems that, in an act of spite, vandalism, or whatnot, wipes or corrupts all your data...)

Another terrific presentation was by Jacob Ansari, an analyst from 403 Labs.  403 Labs is a leading provider of forensic analysis and investigation of credit card and data security breaches.  Jacob pointed out that, generally, the method behind most data breaches isn't glamorous, and most involve basic stuff, like bad passwords, insecure remote access, unpatched systems, default credentials, or a simple breakdown in the human data control chain.  Yet the costs and implications are acute: contractual and civil fines and penalties, forensic investigation costs, the cost of corrective measures, legal expenses, reputational damage, and loss of business.

Both Mr. Glenny and Mr. Ansari pointed out that many breaches take place in food service and hospitality, with documented cases of breaches along the human chain of custody of the card.  That is, a common cause of breach is not a hack, but people in the payment chain.  Chip and PIN technology, and the (hopefully) coming adoption of the EMV standard in the United States, may help reduce this hazard.  (Under the EMV standard, which is widely in use in Europe, the card doesn't leave your hand when you make a purchase.  Instead, you dip your card into a reader, and enter your PIN.  This helps reduce face-to-face and counterfeit-card fraud.  It does not, by itself, protect card data once the merchant's systems have captured it; that is what the DSS governs, so EMV is a complement to PCI-DSS compliance, not a substitute for it.)

So what does insurance have to do with all this?  For companies exposed to a breach that violates the PCI standard, or another privacy standard such as HITECH or HIPAA, it's important to consider Privacy Liability insurance.  A well-constructed Cyber Liability policy would help pay for the third-party liability costs associated with a breach.

But insurance is not the overall solution to data security.  While insurance is getting better at dealing with third-party liability claims, it still isn't the best solution to first-party data recovery.  Imagine a breach or a physical loss that wipes out your data, and your backups fail.  Even if the insurance company hands you a check to help pay for data recovery, how would you realistically go about recovering all of your contacts, client information, financial records, archives, intellectual property, and pictures of your kids?  At best, a well-constructed insurance policy would help pay for first-party loss-of-data recovery costs.  But the insurance company can't reconstruct your data for you. 

From the standpoint of any company that maintains data that's essential to operations - that is, everybody - it's essential to harden systems against physical damage or penetration, and to maintain robust backups: copies kept separate from the systems they protect, and proven by actually restoring from them rather than assumed to work.  Whether the compromise of your data is the result of a breach, or the result of something a lot less glamorous, like a drive failure or a leaky pipe above your server room, the end result can be disruptive and disastrous.
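The two paragraphs above make the point that a backup you have never restored is not a backup, and that an insurer's check cannot rebuild your data.  The following is an added example, not part of the original post, showing the minimum a practitioner would want in place: a hash manifest written at backup time and stored beside (not inside) the copied data, and a restore check that compares a restored tree against that manifest and reports exactly which files are missing or silently corrupted.  The file names, contents, and directory layout are constructed for the demonstration.

```python
"""Backup verification: write a SHA-256 manifest at backup time, verify it at restore time.

Added example; the sample files and directory names below are constructed, not real data.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest: Path) -> Path:
    """Copy the source tree to dest/data and write the manifest to dest/manifest.json.

    The manifest is deliberately kept outside the copied tree so that a restore of
    the tree alone cannot overwrite the record used to check it.
    """
    shutil.copytree(source, dest / "data")
    manifest_path = dest / "manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(source), indent=2, sort_keys=True))
    return manifest_path


def verify_restore(restored: Path, manifest_path: Path) -> dict:
    """Compare a restored tree against the manifest.

    Returns {"ok": bool, "missing": [...], "corrupt": [...], "extra": [...]} so the
    caller can act on each failure class (re-restore, investigate tampering, etc.).
    """
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupt = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {
        "ok": not (missing or extra or corrupt),
        "missing": missing,
        "corrupt": corrupt,
        "extra": extra,
    }


def demo() -> tuple:
    """Constructed scenario: a clean restore passes; a modified and a deleted file are caught.

    Returns (result_for_clean_restore, result_for_damaged_restore).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "records").mkdir(parents=True)
        (live / "records" / "clients.csv").write_text("id,name\n1,ACME\n")
        (live / "ledger.txt").write_text("2013-10 balance 100\n")

        manifest = backup(live, root / "backup")

        # A faithful restore: every file present with its recorded digest.
        clean = root / "restore_clean"
        shutil.copytree(root / "backup" / "data", clean)
        good = verify_restore(clean, manifest)

        # A damaged restore: one file silently altered, one file missing.
        bad = root / "restore_bad"
        shutil.copytree(root / "backup" / "data", bad)
        (bad / "ledger.txt").write_text("2013-10 balance 1000\n")
        (bad / "records" / "clients.csv").unlink()
        damaged = verify_restore(bad, manifest)

        return good, damaged


if __name__ == "__main__":
    good, damaged = demo()
    print("clean restore ok:", good["ok"])
    print("damaged restore:", damaged)
```

The point of the manifest is that it lets you answer "did the restore give me back what I had?" with evidence rather than hope; running `verify_restore` on a scheduled test restore is what turns a backup job into a recovery capability.  Keeping the manifest (and ideally a second copy of the backup) on media the production systems cannot write to is what stops a breach that wipes the live data from wiping the evidence too.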

One last point: Everybody uses their credit cards, and over time, your numbers can be compromised.  So, once a year, I ask American Express and Mastercard to reissue me new cards, with new numbers. 

(Note: PCI has developed the Data Security Standard, also known as the DSS.  The DSS is the card brands' baseline set of security requirements for any organization that stores, processes, or transmits cardholder data.  The link above is a brief layman's introduction to DSS Version 2.0.  Part of what we were doing at the meeting was working on the introduction of DSS 3.0.)

Tuesday, August 20, 2013

Inland Hurricanes: Hurricane Camille and Nelson County Virginia - August 19th, 1969

Those of you who have attended my seminars have heard about how hurricanes can cause extensive damage to places that aren't near the coast.  The general public has been made more aware of this in the last few years, as Irene caused widespread destruction in Vermont and northern New England, while Sandy caused extensive inland damage in central and northern New Jersey.  Both Irene and Sandy are examples of the flood and wind damage that a hurricane can inflict on inland areas.

Meteorologists and insurance loss control professionals have long understood that hurricanes are not just a coastal phenomenon.  The insurance industry began to more widely recognize inland hurricane exposures several years ago, as inland flood and windstorm claims began to proliferate after storms.  I've attached a link to an excellent article from AIR Worldwide discussing some of the science behind inland hurricane exposure:  http://www.air-worldwide.com/Publications/AIR-Currents/2010/Inland-Hurricane-Risk/

Yesterday was the anniversary of a terribly tragic example of the inland destruction a hurricane can cause.

On the night of August 19th, 1969, Nelson County, Virginia, was struck by the remnants of Hurricane Camille.  That night, Camille dumped about two feet of rain onto Nelson County, causing extensive landslides and floods.  Over 150 people died, and several dozen bodies were never found.

I've linked an outstanding article from yesterday's Washington Post Weather Blog: http://www.washingtonpost.com/blogs/capital-weather-gang/wp/2013/08/19/unprecedented-rain-hurricane-camilles-deadly-dlood-in-the-blue-ridge-mountains/ 

Much of the damage in Nelson County that night was from debris flow, which is basically a fast-moving landslide of water, soil, rock, and trees.  Meteorologists have identified debris flow as a hazard associated with inland hurricane exposures, and debris flow in Nelson County during Camille caused extensive property damage and was responsible for much of the loss of life.  Even today, parts of certain mountainsides in Nelson County are still denuded.

Camille wasn't an isolated incident: On June 27th, 1995, Madison County, Virginia, suffered landslides after a series of rainstorms.  The USGS published a report after the Madison County event, noting that "scientists have documented 51 historic debris-flow events between 1844 and 1985 in parts of the Appalachians - most of them in the Blue Ridge area."  http://landslides.usgs.gov/docs/faq/fs159-96.pdf

Last summer, our family took our vacation in Nelson County, Virginia, in the Shenandoah Mountains.  Nelson County is fabulous and beautiful, and a marvelous place for a family vacation.  So, two things to leave you with: Please consider that hurricane damage can occur far inland.  And, enjoy this photo of Nelson County from our vacation, and please consider a visit.  It's a beautiful part of our country: