Human Approach to Cyber Security
A few weeks into the new year, the CEO of an online shoe and clothing company sent e-mails to 24 million account holders informing them of a security breach. And news broke late last year that a security lapse by some franchisees of a national sandwich chain allowed Romanian hackers to access data from some 80,000 customers and make $3 million in fraudulent charges.
Reports like these are not uncommon, and breaches are no less troubling or expensive when their cost is tallied: system repairs and upgrades, customer notifications, reimbursement of stolen money or merchandise, and the loss of confidence among shoppers who, with every card swipe, entrust retailers with their personal financial information.
“Security breaches are here to stay,” says Bob Parisi, senior vice president for insurance broker and risk advisor Marsh. “Any company that handles or touches confidential information, any company that relies on technology is going to have an issue.”
Security threats confront retailers from many different directions: from the handling of consumer data itself to its gathering, storage and transfer at the point of sale. And then there is the human factor — silly mistakes, misplaced data, inadvertent lapses in procedures and, of course, dishonest employees.
“Looking at just insurance is not a solution,” Parisi says. “Companies need to go through a process — build a risk profile, find out where they are in terms of a security risk.”
Marsh’s role in this process is to act as consultant and broker.
“We help them get a better handle on their operational risk,” Parisi says. “We put them through a process that we have created ... [to] help them understand their risk and also help them identify the vulnerabilities.”
“We have a Marsh security tool to help clients engage in a risk management exercise, give them a sense of where most recent security risks have been — frequent vs. infrequent, severe vs. trivial and the dollar value of those risks,” he says. “We have them put their [security] investment where they have the biggest risk. Intellectual property insurance is not where a retailer should be, other than with the store name, but privacy breaches are probably a big thing.”
An October 2010 ruling by the U.S. Court of Appeals for the Ninth Circuit, Krottner vs. Starbucks Corp., may have far-reaching consequences because it broadens the definition of what constitutes harm or potential harm to consumers affected by a breach.
Parisi says the potential impact of the ruling is “huge” because it changes the standard that was previously in place. Before, someone who sought standing in a legal complaint involving a cyber breach had to prove harm or imminent threat of harm, but this ruling suggests that the mere fact that a consumer has been notified of a breach, is worried about it and might feel the need to seek protection from its consequences gives them standing.
“If time and efforts can be quantified as damage or loss, then everybody who receives a notice could have standing, and that could open up the floodgates,” Parisi says. To date, however, courts are still relying on the old standard.
“There’s no simple answer about technical vulnerabilities,” he says. “Most breaches are not necessarily happening because somebody is doing something wrong. What we see is that over half of the breaches are either from a loss of paper records, a malicious insider or someone losing a laptop or other storage device.”
Parisi describes the human factor as being “most important” for retailers. Just as employers have learned the importance of avoiding a “hostile work environment,” the same tools and attitudes can be brought to bear on the importance of privacy and security. “We tell our clients the easiest way to have the biggest impact on privacy breaches is education,” he says.
Pure-play e-tailers have greater exposure than bricks-and-mortar retailers, but the difference is not significant, Parisi says. “The [customer] information they hold has been commoditized, so unless they can find infallible employees or remove all human greed ... it’s a question of when, not if” a breach will occur.
U.S. retailers with international operations “face additional threats, [and] not just in terms of the complexity of having to deal with a larger array of systems and customers and environments,” he says. “We have seen countries start to adopt privacy legislation — like several European Union countries, Canada, Hong Kong and South Korea. And dealing with multiple jurisdictions creates systems that must be more complex ... making them more likely to have more issues from intrusions and attacks.”
Looking ahead, “There will be more breaches, undoubtedly, and we will see a very robust, very evolved set of case laws,” Parisi says. “Krottner and its progeny will have migrated across the country as things will become more complicated from a technology perspective. Think of the mobile technology — the ways of paying for gasoline by waving a cell phone and digital wallet. These things are efficient and helpful, but they create new exposures and we will see the risk continue to evolve.”