Data Breach Coverage: It's Better To Be Safe Than Sorry

With an estimated 1.8 zettabytes of information created and stored in 2011 alone, there has never been a more opportune time for hackers to challenge franchise data security, according to a DC Digital Universe study. Numerous yearly reports announce the increasing strain of data breaches among large and small businesses alike. Since it may seem impossible to predict and protect against each possible scenario, have you considered breach coverage or breach insurance to act as a fail-safe solution?

The real cost of compromise

What many businesses don't realize is that the compromise fine assessed by most merchant processors ($5,000 to $50,000) is only the beginning of penalties associated with a data breach. Other costs may include the following:

• a required forensic investigation ($12,000 to $100,000);
• onsite assessments by a certified Qualified Security Assessor (QSA) for years following the breach ($20,000 to $100,000);
• an increase in monthly card-processing fees;
• year-long credit monitoring services for compromised customers;
• card reissuance penalties ($3 to $10 per card);
• customer fraudulent charge reimbursement;
• federal/municipal fines;
• loss of customers;
• brand damage, especially if negligence was a determining factor; and
• legal fines, if sued by customers.

Breach coverage: the best medicine

For franchisees looking to mitigate business risk, breach coverage is no longer optional. Many security professionals state, "It's not a matter of if you are breached, but when." When all other security protocols have been followed, breach coverage exists to address the financial hardships your business will endure in the aftermath of a compromise.

Financial assistance

Most breach coverage programs cover costs relating to a card data compromise up to a financial limit (e.g., $100,000). The best breach coverage programs cover all compromise expenses relating to the Payment Card Industry Data Security Standard (PCI DSS), HIPAA requirements, and the Gramm-Leach-Bliley Act data security standards. Beware of breach coverage or breach insurance programs that narrowly interpret industries, or that allow expenses to be spent only on specific fines and penalties relating to a breach. Breach protection makes the most financial sense when combined with other tools that reduce actual risk, such as internal scanning tools that help find and remove stored card data, and strong policies that help prevent data loss.

Security policies

Business security often fails because organizations lack security policies that regulate employee interaction with sensitive data. In fact, 87 percent of small and medium-sized businesses don't have a formal Internet security policy for employees, according to the National Cyber Security Alliance and Symantec. Some breach coverage programs include templates that offer general security guidelines that franchises may use to create customized company policies for employee training to secure payment card processing.

Liability discovery tools

Unprotected card data is the number-one reason hackers target businesses. Implementing a card data discovery tool is one of the most important security measures a franchisee can perform to immediately reduce liability. Most franchisees don't contemplate the entire lifecycle of data, and don't realize payment card data may be stored on their system. A card data discovery tool sniffs a network and locates unencrypted payment card data for secure deletion. A study by SecurityMetrics found that 71 percent of merchants store card data, often unknowingly. The key to effective card data discovery is to deploy a tool that searches quickly, accurately, and with as little disturbance to systems as possible. Some breach coverage products include such a tool to locate card data.

Is it worth it?

The cost and amount of breach coverage varies by provider. For example, SecurityMetrics Assurance includes a card data discovery tool, data protection policy, security consulting, and covers $100,000 in the event of a breach. It is available to franchisors for as low as $70 per year per merchant ID (MID).

Reflect on these three factors when considering what coverage plan is right for your franchise:

1. Flexibility. Will your vendor cover more than just regulatory fines, such as card reissuance and response costs?
2. Coverage and premiums. How much will a breach coverage program cost you per month/year, and how much coverage does your franchise need? The size of your franchise will help determine which type of breach coverage fits best.
3. Vendor options. Does your breach assurance provider include additional risk mitigation tools or discounts for PCI-compliant businesses?

Peter Clark is manager of franchise sales at SecurityMetrics, responsible for establishing and fostering relationships with franchisors, strategizing corporate payment security initiatives, and internally centralizing franchise communication. He can be reached at pclark@securitymetrics.com or 801-995-6431.