Are You Protecting Customers’ Credit and Debit Card Data?

It’s hard to ignore the fact that data security breaches seem to be increasing in frequency and severity, particularly those involving credit and debit card data. Just ask Home Depot, Michaels Stores, Neiman Marcus, or their 50+ million customers whose payment card data may have been compromised in 2014. To reduce the chances of making the list in 2015, preventative measures must be taken by every business that accepts credit and debit card payments.

The PCI Security Standards Council developed the Payment Card Industry Data Security Standard (PCI DSS) to encourage and enhance cardholder data security. This standard includes 12 requirements.

Build and Maintain a Secure Network and Systems

  • Install and maintain a firewall to protect cardholder data.
  • Do not use defaults for system passwords or security parameters.

Protect Cardholder Data

  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data.

Maintain a Vulnerability Management Program

  • Protect systems against malware and regularly update anti-virus software.
  • Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  • Restrict access to cardholder data to those who need to know.
  • Identify and authenticate system access.
  • Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

  • Track and monitor all access to networks and cardholder data.
  • Regularly test security systems and processes.

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for all personnel.

The PCI Security Standards Council also provides a number of tips and strategies to increase the security of payment card data, such as:

  • Never store Sensitive Authentication Data, such as the full track contents on the magnetic stripe or chip, card verification codes/values, or PINs.
  • Ask point-of-sale vendors about the security of payment card systems.
  • Do not store cardholder data that is not needed.
  • Consolidate and isolate cardholder data that is needed.

The Council notes that the PCI DSS provides minimum security requirements that may be enhanced by additional controls and practices. Various laws, rules or regulations may also require enhanced security measurers. For example, under the Fair and Accurate Credit Transaction Act (FACTA), electronically printed credit and debit card receipts given to customers cannot include a card’s expiration date or more than the last five digits of the card number.

Sometimes security measures aren’t enough to prevent a data security breach, so businesses should use insurance to manage their cyber risks. There are a number of cyber liability products that protect against privacy injuries, such as identity theft, and that cover the cost of complying with various data breach notice laws. However, given the complexity of the risk, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained.

A solid understanding of your insurance needs is the key to overcoming the quality versus cost argument. An experienced and reputable independent insurance agent can help you purchase insurance that is both economical and effective.

If you would like to learn more about insuring against cyber risks, contact us.

If you would like to subscribe to our newsletters please click here.

SEC Commissioner Emphasizes the Importance of Cyber Insurance

Cyber risks are a growing concern among businesses of all kinds. In a recent speech given at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar emphasized that cyber security should be a number one priority of businesses and regulators alike and warned companies, and more specifically their directors, to “take seriously their obligation to make sure that companies are appropriately addressing those risks.”

The New York Stock Exchange’s Governance Services Department hosted the Cyber Risks and the Boardroom Conference where Commissioner Aguilar expounded on the responsibility of corporate directors to consider and address the risk of cyber-attacks. The commissioner made it clear that despite all efforts to prevent a cyber-attack, companies should prepare “for the inevitable cyber-attack and the resulting fallout.”

In 2014, there have been high-end data breaches of large companies, with data, personal records and financial information stolen and sold on the black market before the company has even discovered a breach occurring. In May, eBay discovered that hackers had infiltrated their system and stole personal records of 233 million users.

Domino’s Pizza was also hacked, with over 600,000 Belgian and French customers’ records affected. These hackers demanded $40,000 in ransom from the pizza chain in exchange for not selling the data, which included names, addresses, emails, and phone numbers.

Just last week, August 5, 2014, the largest data breach in history occurred when a Russian crime ring stole more than 1.2 billion Internet usernames and passwords.

While many companies are concerned about the threat of cyber-attacks, and have implemented security protocols to reduce them, it is clear to security experts that all vulnerabilities are nearly impossible to eliminate. For this reason, a growing segment of companies that collect personal data are including Data Breach and Cyber Peril insurance in their risk financing strategy. These insurance contracts are complex and vary by insurer, but are worth considering given the financial costs associated with notification expenses, litigation and harm to one’s reputation.

If you have any questions or would like to discuss your insurance options, please contact us.

If you’d like to subscribe to our weekly newsletters please click here

Florida’s New Data Breach Notice Law

Florida has a new law to combat the recent surge of data security breaches involving sensitive personal information. On July 1, 2014, Florida’s current data breach notification statute will be replaced by the Florida Information Protection Act of 2014 (Act). Though similar to Florida’s current statute, the Act makes some significant changes that businesses must incorporate into their data security practices and procedures.

Under the Act, sole proprietors, partnerships, corporations, trusts, estates, cooperatives, associations and other commercial entities that acquire, maintain, store or use personal information (Covered Entities) are required to take reasonable measures to protect and secure such personal information. The Act broadens the definition of Personal Information to include:

  • An individual’s first name or first initial and last name in combination with that individual’s social security number, driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity. (Broader)
  • Financial account, credit and debit card numbers, in combination with any security code, access code or password.
  • Information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. (New)
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. (New)
  • A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account. (New)

Like the current statute, Personal Information does not include information that is encrypted, secured or modified by any other method or technology that removes personally identifying elements or that otherwise renders the information unusable.

In the event of a breach, Covered Entities must follow one or more of the Act’s various notice requirements. The Act generally defines a breach as unauthorized access of electronic data containing personal information. Covered Entities must notify each individual in Florida whose Personal Information was, or is reasonably believed to have been, breached no later than 30 days after the Covered Entity determines that a breach occurred or has reason to believe a breach occurred. Under the current statute, Covered Entities had 45 days to provide notice.

This notice, which may be sent by mail or e-mail, must include:

  • The date, estimated date or estimated date range of the breach
  • A description of the Personal Information that was or may have been accessed during the breach
  • Contact information that individuals can use to inquire about the breach

If a Covered Entity is required to notify more than 1,000 individuals at a single time, the Covered Entity must also provide notice to all national consumer reporting agencies. If a breach affects 500 or more individuals in Florida, the Department of Legal Affairs must be notified no later than 30 days after the Covered Entity determines that a breach occurred or had reason to believe a breach occurred. This is a new notice requirement.

If a Covered Entity uses a third-party vendor to maintain, store or process Personal Information, then that third-party agent must notify the Covered Entity no later than 10 days after the third-party agent determines that a breach occurred or had reason to believe a breach occurred. Though a third-party agent may provide the required notices, the Covered Entity is ultimately responsible for compliance with the Act.

The Act also requires Covered Entities and their third-party agents to take all reasonable measures to dispose, or arrange for the disposal, of customer records containing Personal Information within its custody or control when they are no longer retained. Disposal shall involve shredding, erasing, or otherwise modifying the records to make Personal Information unreadable or undecipherable through any means.

Unlike the general descriptions provided in this article, the Act is highly technical and very specific. Though the Act does not create a private cause of action, civil penalties of up to $500,000 should be enough motivation for Covered Entities to learn more about Florida’s new law and ways to limit the new risks with insurance.

If you would like to learn more about insuring against data security breaches, contact us.

If you would like to learn more about preventing data security breaches, take our online course Information Risk Management: Strategies for Preventing and Mitigating Information Security Breaches.

If you would like to subscribe to our newsletters please click here.