Retail Businesses, Cyber Liability & Cyber Security Insurance
Accepting credit card payments at your retail location makes you part of the Payment Card Industry (PCI). The PCI Security Standards Council, an industry body rather than a government regulator, publishes the Payment Card Industry Data Security Standard (PCI DSS), which sets the security requirements for handling cardholder data. PCI DSS is not a law: it is "voluntary" only in the sense that no statute mandates it, because the card brands and acquiring banks impose it on merchants through their merchant agreements. Version 3.2 of the standard, published in April 2016, and its Requirement 5 in particular, affect retail stores substantially.
The most important aspect of the standard for retail sales is that non-compliance can lead your acquiring bank or the card brands to fine you or terminate your merchant account, making your organization ineligible to be a point of sale for credit cards.
The Council itself has no enforcement power over retailers. That power rests with the card brands that founded the Council (Visa, Mastercard, American Express, Discover and JCB), acting through the acquiring banks that hold your merchant account. Thus these standards have a far-reaching impact on your ability to accept credit card payments, and compliance is necessary if you want to keep taking cards. Losing that eligibility will, of course, reduce your revenue and profit.
Setting aside any theoretical discussion of how "voluntary" a standard enforced by contract really is, PCI DSS is meant to protect the public by preventing data breaches. Requirement 5 is one of the stringent controls put in place to protect the consumers who pay by card in your store from invasion of privacy, theft, fraud and identity theft.
For those who are not computer savvy, Requirement 5 in a nutshell states that you must protect all systems against malware and regularly update your anti-virus software. Its sub-requirements break this down into the actions you must take, which essentially means:
- deploy anti-virus software on every system commonly affected by malware (point-of-sale terminals, back-office PCs and servers) that can detect, remove and protect against all known types of malicious software,
- keep all anti-virus mechanisms current, perform periodic scans, and periodically re-evaluate whether systems you consider not at risk from malware still need protection,
- generate audit logs for the scans and retain them, and ensure that anti-virus programs are actively running and cannot be disabled or altered by users,
- if the anti-virus software must be disabled for a limited time for a legitimate reason, obtain case-by-case authorization from management in advance, and
- document the details in your logs, re-enable protection as soon as the task is done, and run a full scan when the programs are back up and running. See the PCI Basics & Quick Guide for more detail: http://PCIcomplianceguide.org
Accomplishing all of these tasks is difficult. Not even the Democratic Party has been able to completely insulate itself from cyber-attack. So it is fair to assume that you might have some difficulty accomplishing all of the required tasks without a top-notch IT person or department. Qualified Security Assessors (QSAs) specialize in conducting technical assessments of your compliance and of the defenses you have deployed. See the Cb Defense PCI DSS Anti-Virus White Paper, Carbon Black, Arm Your Endpoints: http://www.coalfire.com
Numerous companies also sell anti-virus and anti-malware platforms, and some have had their platform assessed against the PCI DSS anti-malware requirements so you can see how it maps to each sub-requirement. Remember, though, that it is the merchant, not the product, that is assessed for compliance: buying an assessed product does not make your store compliant unless it is deployed on every in-scope system, kept current, logged and monitored as Requirement 5 describes.
While you may think all of this is unnecessary or overkill, just think of the cyber-attacks against national retailers (e.g. Target, Home Depot and eBay).
If you are ever sued by customers over a data breach in your retail business, compliance with the PCI DSS may support your defense: complying with these security standards is considered a best practice, and it helps establish that you exercised a high standard of care with customer data and privacy. Because you carry a high risk of a data breach, it is in your best interest to carry data breach / cyber security insurance. That said, you also want to consider your other insurance needs in addition to cyber insurance.
Most carriers offer retail establishments a business owner's policy (BOP) that bundles standard features including:
- commercial general liability
- business property and inventory, with or without enhancements or "stretches" (interestingly, property coverage does not include an outdoor sign that is not attached to the building, so you would need a rider in that case)
- property in transit floater, or inland marine
- business income loss with endorsements for utility outages and direct damages
- workers' compensation
- e-commerce sales
- burglary, theft or crime; and employee dishonesty
- spoilage and a food contamination rider if you sell fresh or frozen food items
- mechanical or electrical breakdown
- commercial auto, if indicated
- and most agents and carriers suggest umbrella insurance.
At the same time, carriers and agents do not emphasize the need for cyber security or data breach coverage, nor is it usually offered as part of a BOP. This may be because this type of insurance is fairly new and the parameters for cyber insurance are not completely developed or formalized. There is very limited cyber coverage in the business property portion of a BOP, but it is insufficient for anyone who must meet the payment card industry standards. The existence of that standard makes it self-evident that there is a duty and a standard of care in the payment card industry, and if you negligently fail to meet it, your liability to your customers for a data breach may increase.
Thus any PCI retailer will want to ensure that the cyber security policy they choose covers regulatory fines and the PCI fines and assessments levied by the card brands and acquiring banks (check whether these are excluded or sub-limited, as they often are), customer notification costs, first- and third-party damages, and defense costs, with coverage that triggers at the earliest possible moment.