Multi-Unit Franchisee Magazine Issue I, 2013 | Page 78
Security
By Peter Clark
Data Breach Coverage
It’s better to be safe than sorry
With an estimated 1.8 zettabytes of information created and stored in 2011 alone, there has never been a more opportune time for hackers to challenge franchise data security, according to an IDC Digital Universe study. Numerous yearly reports announce the increasing strain of data breaches among large and small businesses alike. Since it may seem impossible to predict and protect against every possible scenario, have you considered breach coverage or breach insurance to act as a fail-safe solution?
The real cost of compromise
What many businesses don’t realize is that the compromise fine assessed by most merchant processors ($5,000 to $50,000) is only the beginning of the penalties associated with a data breach. Other costs may include the following:
• a required forensic investigation ($12,000 to $100,000);
• onsite assessments by a certified Qualified Security Assessor (QSA) for years following the breach ($20,000 to $100,000);
• an increase in monthly card-processing fees;
• year-long credit monitoring services for compromised customers;
• card reissuance penalties ($3 to $10 per card);
• customer fraudulent charge reimbursement;
• federal/municipal fines;
• loss of customers;
• brand damage, especially if negligence was a determining factor; and
• legal fines, if sued by customers.
Breach coverage: the best medicine
For franchisees looking to mitigate business risk, breach coverage is no longer optional. Many security professionals state, “It’s not a matter of if you are breached, but when.” When all other security protocols have been followed, breach coverage exists to address the financial hardships your business will endure in the aftermath of a compromise.
Financial assistance
Most breach coverage programs cover costs relating to a card data compromise up to a financial limit (e.g., $100,000). The best breach coverage programs cover all compromise expenses relating to the Payment Card Industry Data Security Standard (PCI DSS), HIPAA requirements, and the Gramm-Leach-Bliley Act data security standards. Beware of breach coverage or breach insurance programs that narrowly interpret industries, or that allow expenses to be spent only on specific fines and penalties relating to a breach.
Breach protection makes the most financial sense when combined with other tools that reduce actual risk, such as internal scanning tools that help find and remove stored card data, and strong policies that help prevent data loss.
Security policies
Business security often fails because organizations lack security policies that regulate employee interaction with sensitive data. In fact, 87 percent of small and medium-sized businesses don’t have a formal Internet security policy for employees, according to the National Cyber Security Alliance and Symantec. Some breach coverage programs include templates that offer general security guidelines that franchises may use to create customized company policies for employee training to secure payment card processing.
Liability discovery tools
Unprotected card data is the number-one reason hackers target businesses. Implementing a card data discovery tool is one of the most important security measures a franchisee can perform to immediately reduce liability. Most franchisees don’t contemplate the entire lifecycle of data, and don’t realize payment card data may be stored on their system. A card data discovery tool sniffs a network and locates unencrypted payment card data for secure deletion. A study by SecurityMetrics found that 71 percent of merchants store card data, often unknowingly. The key to effective card data discovery is to deploy a tool that searches quickly, accurately, and with as little disturbance to systems as possible. Some breach coverage products include such a tool to locate card data.
Is it worth it?
The cost and amount of breach coverage varies by provider. For example, SecurityMetrics Assurance includes a card data discovery tool, data protection policy, security consulting, and covers $100,000 in the event of a breach. It is available to franchisors for as low as $70 per year per merchant ID (MID).
Reflect on these three factors when considering what coverage plan is right for your franchise:
1. Flexibility. Will your vendor cover more than just regulatory fines, such as card reissuance and response costs?
2. Coverage and premiums. How much will a breach coverage program cost you per month/year, and how much coverage does your franchise need? The size of your franchise will help determine which type of breach coverage fits best.
3. Vendor options. Does your breach assurance provider include additional risk mitigation tools or discounts for PCI-compliant businesses?
If you handle, process, or transmit a single card over your network, you are at risk of financially damaging your business. To fall back on the overused phrase, it’s better to be safe than sorry with breach coverage.
Peter Clark is manager of franchise sales at SecurityMetrics, responsible for establishing and fostering relationships with franchisors, strategizing corporate payment security initiatives, and internally centralizing franchise communication. He can be reached at pclark@securitymetrics.com or 801-995-6431.