Cyber Perspective – Payment Card Losses
In October 2013, P.F. Chang’s China Bistro, Inc. experienced a cyber breach at 33 of its restaurant locations, compromising 60,000 customer payment cards.
The insurance carrier denied $2,000,000 in losses, so Chang’s initiated litigation. The U.S. District Court for the District of Arizona recently ruled in favor of the insurance carrier in an 18-page ruling.
Firestorm Fraud and Cyber Breach expert Jack Healey provides a high-level analysis:
Food service has been hit particularly hard by breaches. The latest estimate is that 40% of all credit card thefts occur in restaurants. Wendy’s, Noodles, and CiCi’s Pizza have all announced breaches in the past 60 days. With the exception of CiCi’s Pizza, these breaches occurred from external remote sources. The CiCi’s breach was the result of thieves posing as POS repairmen who loaded the malware on the premises. Food service gets hit hard because it can be a dishonest employee who steals the cards as easily as an outside hacker. Credit card numbers can be sold for $0.15 to $0.50 apiece. The ‘chip’ has NOT had an impact because the information still resides on the magnetic strip.
Many retailers took notice when Target and Home Depot paid out multimillion-dollar amounts to their merchants. But it is the small business community that has been hardest hit; these are the ones you don’t read about.
Third-party agreements – merchant, cloud services, Point of Sale (POS) – all include exclusions and limitations of damages today. The service providers believe in Gartner’s “Adaptive Security,” in that “all companies should assume that they are in a continuous state of compromise,” and so have carved out cyber incidents and damages – even when the third party is at fault.
With very few options and no leverage, the small retailer has to pay the merchant the damages. These damages are included in their merchant agreements. All merchants have amended their agreements to make it clear that the retailer is responsible for the cost of the breach. Online merchants are at even higher risk.
In short, the financial damages that a merchant may suffer due to a data breach could be quite significant, even if the number of records exposed was seemingly small (60,000 in this particular incident).
To avoid this scenario, partner with focused specialists like JLT to design and implement effective cyber insurance solutions that address payment card costs and other potentially uninsured loss situations.
Additionally, companies can practice good common sense to protect themselves if they receive credit cards:
- Understand PCI compliance and investigate using a third-party vendor to manage credit card purchases if the retailer must retain credit card information. The third parties ‘tokenize’ credit cards, so the retailer does not actually hold credit card information; the retail chain has only a code that represents the credit card.
- As a business, update your antivirus software and firewalls daily.
- Encrypt data before sending.
- Have an independent party review your Cyber Incident Security and Readiness Plan.
To learn more about the Firestorm Cyber Incident Security and Readiness Plan review, contact us.
JLT Specialty USA is the U.S. platform of the leading specialty business advisory firm, Jardine Lloyd Thompson Group. Visit JLT at https://www.usa.jlt.com.