The Retail Data Breach Environment
This session at the NetDiligence® Cyber Risk Summit examined the legal and practical issues that arise when confronting data breaches and point-of-sale malware attacks, which are becoming a common threat to the retail industry.
Speakers included:
- Stuart Panensky, Partner, FisherBroyles LLP
- Ruston Miles, Chief Strategy Officer, Bluefin Payment Systems
- Carrie Parikh, Vice President Legal, Wyndham Hotel Group
- Andrea Arias, Attorney, FTC
- Anthony Dulce, Vice President North American Financial Lines Claims, Chubb
A typical credit card transaction is a two-party system between consumer and merchant. The consumer has an issuing bank and the merchant has an acquiring bank, each of which underwrites its own customer. The transaction flows from the customer through the retailer and these two banks to the payment network (the credit card companies). Retailers sign a merchant service agreement with the credit card companies, which governs the relationships among those parties. Any of these parties can bring legal action if a breach occurs.
Several laws have been enacted to help protect privacy and govern credit card practices. The FTC provides both regulatory and industry guidance, offering merchants data security standards and controls that they are expected to maintain throughout the year. The FTC evaluates retailers on four points:
- the whole picture (policies and practices)
- whether practices are reasonable and appropriate for the company's size and the nature of its business
- the security measures in place (recognizing that there is no such thing as perfect security)
- whether practices are unreasonable, even in the absence of a known breach
Often, retailers do not learn they have been breached until a common point of purchase (CPP) analysis is performed and uncovers a problem.
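The CPP analysis mentioned above is how card issuers and networks usually spot a compromised merchant before the merchant itself knows: they look for the one merchant that appears in the transaction history of most cards later reported as fraudulent. The following is an added illustration of that idea, not material from the session or from any of the speakers' organizations. The card histories, merchant names and dates are constructed sample data, and the function names are hypothetical. It goes a step beyond the bare description by comparing against a control population of non-fraud cards, so that a merchant everyone shops at (here `BIGCHAIN`) is not flagged simply for being popular.

```python
from collections import Counter

# Constructed sample data: each card's recent history as (merchant, ISO date).
# FRAUD_CARDS were later reported as fraudulent; CONTROL_CARDS were not.
FRAUD_CARDS = {
    "F1": [("BIGCHAIN", "2023-11-02"), ("CORNER-DELI", "2023-11-05")],
    "F2": [("BIGCHAIN", "2023-11-03"), ("CORNER-DELI", "2023-11-08"), ("GAS-STOP", "2023-11-09")],
    "F3": [("CORNER-DELI", "2023-11-12"), ("BIGCHAIN", "2023-11-13")],
    "F4": [("BIGCHAIN", "2023-11-15"), ("CORNER-DELI", "2023-11-20")],
    "F5": [("BIGCHAIN", "2023-11-21"), ("GAS-STOP", "2023-11-22")],
}
CONTROL_CARDS = {
    "C1": [("BIGCHAIN", "2023-11-01")],
    "C2": [("BIGCHAIN", "2023-11-04"), ("GAS-STOP", "2023-11-06")],
    "C3": [("BIGCHAIN", "2023-11-07")],
    "C4": [("CORNER-DELI", "2023-11-10"), ("BIGCHAIN", "2023-11-11")],
    "C5": [("BIGCHAIN", "2023-11-14")],
    "C6": [("GAS-STOP", "2023-11-18")],
}


def merchant_coverage(histories):
    """Fraction of cards in `histories` that transacted at each merchant.

    Each card counts at most once per merchant, so a card with five visits
    to the same store does not dominate the statistic.
    """
    counts = Counter()
    for txns in histories.values():
        for merchant in {m for m, _ in txns}:
            counts[merchant] += 1
    total = len(histories)
    return {m: c / total for m, c in counts.items()}


def common_point_of_purchase(fraud, control, min_coverage=0.5):
    """Rank candidate common points of purchase.

    Returns (merchant, fraud_coverage, lift) tuples, best candidate first.
    `lift` is fraud coverage divided by control coverage: how much more
    common the merchant is among compromised cards than among the general
    population. A merchant seen on every card, fraud or not, has lift near 1
    and is not a useful signal.
    """
    fraud_cov = merchant_coverage(fraud)
    control_cov = merchant_coverage(control)
    # Floor for the baseline so an unseen merchant does not divide by zero;
    # it is treated as if one control card had visited it.
    floor = 1.0 / len(control) if control else 1.0
    results = []
    for merchant, cov in fraud_cov.items():
        if cov < min_coverage:
            continue
        baseline = max(control_cov.get(merchant, 0.0), floor)
        results.append((merchant, cov, cov / baseline))
    results.sort(key=lambda r: (r[2], r[1]), reverse=True)
    return results


def exposure_window(fraud, merchant):
    """Earliest and latest dates the compromised cards were used at `merchant`.

    This bounds the period the merchant was likely compromised, which is the
    first question a PCI forensic investigation will ask.
    """
    dates = sorted(d for txns in fraud.values() for m, d in txns if m == merchant)
    return (dates[0], dates[-1]) if dates else None


if __name__ == "__main__":
    for merchant, cov, lift in common_point_of_purchase(FRAUD_CARDS, CONTROL_CARDS):
        print(f"{merchant:12s} fraud coverage={cov:.2f} lift={lift:.2f}")
    print("exposure window:", exposure_window(FRAUD_CARDS, "CORNER-DELI"))
```

On the constructed data, `BIGCHAIN` appears on every compromised card but also on most control cards, so its lift is only 1.2; `CORNER-DELI` is on four of five compromised cards and one of six control cards, giving a lift of 4.8 and placing it first. Real analyses work on far larger populations and usually also restrict the look-back window, but the shape of the computation is the same.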
Once a breach has occurred, a merchant is required to retain a qualified service provider to conduct a Payment Card Industry (PCI) forensic investigation (PFI). The results are reported directly to the card associations and brands, and those findings set the basis for PCI-related fines, penalties and assessments. Cyber coverage may permit an independent forensic investigation, which often yields better results because the PFI is beholden to the large credit card companies.
There are many consequences of non-compliance. Merchants can face loss of reputation, financial fees and fines, litigation and sanctions, and even loss of the ability to accept certain credit cards.
The FTC often tries to settle with companies before seeking litigation. Common FTC remedies outside of litigation include:
- 20-year consent orders
- Injunction against misrepresentations
- Comprehensive data security program appropriate to the organization's size and the nature of its activity
- Biennial third-party assessments of these programs
- Requirements such as disclosures or software updates
- Civil penalties for use and order violations
Insurance coverage details are important for retailers. First, an organization wants to make sure it has the correct coverage for breach scenarios, including network security coverage, assessment coverage and regulatory fine coverage. Common policy exclusions include failure to maintain standards and betterment (upgrades to the retailer's systems). It is also important for retailers to do their due diligence before hiring third-party vendors and to verify that outsourced vendors are handling data correctly. Outsourcing is not a bullet-proof vest, and breaches can occur through vendors. The retailer still has to take responsibility when a breach occurs, and there is severe reputational risk associated with that.