The United States Computer Emergency Readiness Team (US-CERT, a Division of Homeland Security) has stated that there are two types of businesses in the United States: those that have experienced a cyber-incident and those that will experience one. Ironically, the Department of Homeland Security recently disclosed If you collected the data… You own it…PERIOD!that personally identifiable information, known as PII in the industry, of roughly 240,000 current and former employees of homeland security was found in the possession of a former employee. If this new strain of criminals can penetrate Homeland Security systems, it is a fair bet that they are fully capable of hacking most any car wash operation system. This is particularly alarming for the car wash industry as so much of wash-operation revenue is dependent on the gathering and transference of data — primarily through credit card transactions. This fact alone places the safeguard of that data squarely in our laps.
The reason so many businesses fail after a breach is simple — they are not properly prepared. First off, surviving a breach is a very complicated process. There are federal and state laws that must be complied with. Some states mandate reporting within five days of a breach or face fines that could range from $50,000 to $750,000. Businesses must coordinate with forensic professionals, attorneys, and public relation firms; call centers must be established, credit monitoring/restoration services must be arranged, and more. Consider the following: • 60 percent of small businesses close their doors within six months after a data breach • 19 percent of small businesses will have a breach within the next 24 months • 38 percent of customers leave following a breach • 85 percent will leave if it causes personal consequences • 49 percent of breach victims will sue
After contemplating those statistics it’s amazing that 40 percent of businesses are able to stay open following a breach. Nearly a quarter of all breaches are due to unintended disclosure and not an outright cyber-attack. These types of breaches are generally a result of employee error, either intentional or accidental. Most unintentional breaches that have been examined could have been prevented with better employee training. Employee training should concentrate on e-mail procedures and recognizing threats including phishing. In addition, 25 percent of breaches could have been prevented simply with better system password requirements including password complexity and frequency of password changes. Finally, all portable devices that contain corporate or customer information must be encrypted.
IT IS YOUR PROBLEM
The simple truth is that your wash operation is responsible for an astounding amount of private data. There is data from your employee systems — social security numbers, home addresses, family medical information, retirement account information, and bank account numbers (direct deposit pay). There is data from corporate clients (fleet accounts) — addresses, bank account numbers, credit card payments, and credit rating information. Of course, there is also any data collected from credit payments — regardless of where the information is stored or how long it is retained.
Many wash owners are of the opinion that a breach cannot affect them and, if it does, they have protected themselves by one or more of the following measures: • Credit Card Processors • Purged immediately, daily, weekly…whatever • Do not own the machines • All processing of cards are by a third party • Were installed and are maintained by an outside third party • All data is stored in the “cloud” The ugly truth regarding the liability for a data breach is that, ultimately, whoever gathered the data is responsible for it, regardless of how long they have it or where it is stored. Some credit card processors will claim to relieve the wash of credit card liability. However, most contracts will limit the credit-processing company’s liability to a dollar amount equal to three to six months of processing fees. In addition, unless strict protocols are followed on everything from installation, processing, firewalls, passwords, and more, their liability may be eliminated altogether. In addition, the Payment Card Industry (PCI) has established more than 25 different penalties, fines, adjustments, fees, and charges that are levied upon a retailer following a data security breach. PCI expenses that roll back to the retailer, through contract, following a breach may include: • Retention of PCI certified forensic investigator — mandatory • Public relations firm • Consumer notifications — mandatory • Payment card brand fees and penalties (Visa, MasterCard, AmEx) • Regulatory cost — mandatory • Credit monitoring/restoration — mandatory • Class action litigation — defense and settlement
At some point you will need to make a decision whether to accept the financial risk of a breach or transfer that risk to an insurance company. Let’s take a look at just how much a breach could actually cost. (These figures are based upon 176 actual insurance claims from small “Main Street” businesses with a median record count of less than 1,500.)
The average total cost of a breach is $665,000: • Forensics, legal, and consumer notification - $498,750 • Legal Defense - $19,950 • Legal Settlement - $66,500 • Regulatory Defense - $53,200 • Regulatory Fines - $6,650 • Payment Card Industry Fines - $33,250 To transfer the risk to an insurance company through the purchase of a cyber/data breach insurance policy would only cost a fraction of this amount in annual premiums. It is important to point out that not all policies are the same, and this is not one of those items to seek out the cheapest cost available. There are literally hundreds of carriers that offer varying degrees of coverage. Most carriers will offer a modular policy enabling you to add or remove coverage based on your specific needs and desires. Following are items that should be considered as you explore various coverage options.
TOOLS AND COVERAGE
Any carrier considered should offer a vast array of free risk-management tools, beginning with the ability to assess your operations vulnerabilities following through to establishing effective policies and procedures to reduce the risk of a breach. Additional services available should include: • Employee training on handling secure data • Online compliance and breach response information • Newsletters and e-mail notifications regarding key legal and regulatory developments • Expert phone or online support to all questions • Data breach coach including incident response coaching • Regular risk webinars and updates An insurance policy is simply a legal document that explains what an insurance carrier will do in exchange for a premium paid. The insurance carrier will honor its legal obligations as stated within the insurance policy, no more no less. The actual policy chosen should include basic insuring agreements for both third-party and first-party exposures. First-party coverage provides insurance for risks/exposures that affect you directly. Third-party coverage provides insurance for risks/exposures that also involve an outside party in some manner.
First-party coverage would be the most often thought about type of coverage and would include items that were a direct cost to your wash following a breach event. Following is a list of just a few of the more common items that would fall under first-party coverage: • PCI certified forensics investigator — It is mandatory that following a breach/cyber event a forensics investigator (certified by the Payment Card Industry) complete an investigation to determine the cause and scope of the event. • Cost of legal services — It needs to be determined whether your operations were in compliance of all laws and regulations at the time of the breach event, and that you remain in compliance during the recovery of an event. • Cost of hiring a public relations firm — The general public will need a great deal of reassurance that measures have been taken to ensure that a breach could never happen again. To get that message out, the talents of a skilled public relations firm will be required. • Cost of providing credit-monitoring services for your affected customers — State laws require that all customers be provided credit-monitoring service. Some may require credit restoration services if further damage is caused by released information.
Third-party coverage would include exposures caused by outside parties and/or rogue employees. Following is a list of common items that would fall under third-party coverage: • Damages resulting to customers from “accidental” release of information or breach of any “cloud” servers that may have been utilized. • Damages resulting to customers from the breach of payment service providers. • Coverage for regulatory fines, penalties, or assessments that may be incurred from either the state or federal level. • Coverage for fines, penalties, or assessments that may be incurred from the PCI industry. • Contractual coverage for the breach of merchant services agreements.
In addition to the basic insuring agreements, there are several optional coverages that should be considered: • Cyber Extortion, also known as ransomware — A hacker gains control of your system and holds it hostage until a ransom is paid. • Cyber Terrorism — Hackers gain control of an entire network of companies. • Business Income Loss — In the event a cyber/data breach event caused your business to shut down for an extended period of time, this coverage would help pay most of your ongoing expenses. • Data Protection Loss — Coverage for costs incurred to restore data from backup or damaged hardware • Financial Fraud Attack — A third party uses fraudulent instructions to one of your employees to transfer funds. The funds are not “stolen;” they are voluntarily given through a trick, devise, or scheme.
As you have no doubt determined by now, seeking to protect your wash operations can be a daunting task. It is critical that you seek out an insurance professional with a great deal of experience in designing and implementing insurance coverage. While not a guarantee of knowledge or professionalism, it would be advised to consider only working with insurance professionals that have obtained the Certified Insurance Counselor (CIC) designation. In addition, coverage should only be considered from insurance carriers that are “A” rated or better from A.M. Best Company. It is important to remember that any insurance plan is only as good as the agent that designs it and the financial stability of the insurance company backing it.
The actual coverage chosen must be based on the unique exposures of your operations. It should be designed and developed by an insurance professional with in-depth knowledge of both cyber issues and the car wash industry.
The time spent developing the proper protection against this threat to your wash operations should ensure that you are not one of the 60 percent of businesses that shut their doors permanently following a breach.
Dan Tharp, CIC, RWCS, is property/casualty insurance licensed in all states (except Alaska & Hawaii) and is the vice president of sales for The Insurancenter and the director of the Car Wash Division. Dan has been assisting business owners protect their operations, customers, and employees for over 30 years. For questions regarding this article or any other insurance matter he can be reached at DTharp@theinsurancenter.com or by calling (800) 444-8675.