Five Questions With: Benjamin J. Goldfien

DATA BREACHES caused 30 percent of customers to never purchase goods again from the company that was breached, according to Benjamin J. Goldfien.  / COURTESY RISCO

Benjamin J. Goldfien is an account executive, professional liability, for RISCO Insurance Brokerage Inc. in East Providence. What that means is that he helps businesses prepare for and react to data breaches that occur in business-to-consumer and business-to-business transactions.

PBN: How big a problem are payment card data breaches in both B2C and B2B transactions, and what damage does a data breach do to the relationship that a business has with its customers, both B2C and B2B?

GOLDFIEN: This problem is big and getting bigger and seeing more media attention. A recent study performed by the Verizon RISK team showed they responded to 761 data breaches in 2010, up from 141 in 2009. Whether it is B2B or B2C, anytime payments are processed, that information is at risk from hackers. As companies and customers rely on more technology through the Web or “apps,” this problem is only going to get bigger.
A study done by Javelin Strategy & Research found that 40 percent of customers in some way changed their purchasing relationship after a breach. Thirty percent of customers never purchased goods from that organization again.

PBN: What is your liability for a data breach?

GOLDFIEN: If your company has a breach, you could be liable for costs to notify all of the affected customers, provide credit monitoring services and you may also need to fund the investigation as to what happened. The company’s credit card provider could also charge fees and penalties for fraudulent activity that resulted from the breach. On top of that, you may be required to update your systems and retrain your employees.

PBN: What should your first recovery steps be after you have found a breach?

GOLDFIEN: After a breach, a company will need to figure out how it occurred and whether it is still going on. It will need to implement strategies to stop the data loss. It will then need to come up with a plan to identify and notify the affected records according to the laws of the state. The organization will then need to remediate and correct any security issues. For many companies these tasks are daunting. With an insurance policy, in most cases your first step is to call the insurance company, and they will assist you through the process.

PBN: How should a business protect itself from a data breach? Is technology the answer?

GOLDFIEN: The easy answer is yes and no. While having the latest technology to prevent these attacks is a start, for every new technology there are hundreds of people looking to circumvent that technology. The best way to protect your company’s assets is to purchase a Network Security and Privacy insurance policy. These policies can cover costs related to the breach, including investigative, notification, crisis response and costs related to suits that arise out of the loss as well as costs to get you back up and running.

PBN: What are the average costs associated with a data breach?

GOLDFIEN: Each stolen document could cost an average of $215, $144 of which was not directly related to the data itself. The costs involved include the cost of lost business because of an incident; legal fees; disclosure expenses related to customer contact and public response; consulting help; and remediation expenses that can include new technology and training.
