On August 1, TechCrunch reported that online retailer StockX had suffered a data breach in May that exposed 6.8 million user records, and that the company had not disclosed it. Within days of discovering the breach, StockX emailed users and instructed them to change their passwords, attributing the reset to "system updates" on its platform and making no mention of a breach or security concern.
In addition to managing the fallout from the breach, StockX now finds itself embroiled in a controversy over whether its response was appropriate. The company has since posted a timeline of the breach on its website, offered reassurances to its customers, and provided 12 months of free fraud and identity theft protection.
The StockX breach comes in the midst of a steady stream of headline-grabbing data breaches at prominent companies such as CafePress, Asurion, Pearson, Poshmark and many more.
On July 29, Capital One announced it had experienced one of the biggest hacks in history, exposing more than 100 million customer accounts and credit card applications.
The data stolen from Capital One included 140,000 Social Security numbers, 1 million Canadian Social Insurance Numbers, 80,000 bank account numbers, and other sensitive financial and personal information.
All of this has prompted widespread discussion about companies' responsibility and capacity to safeguard individuals' private data, or what cybersecurity experts call personally identifiable information (PII). Concerns have been raised not only about individual consumers' privacy, but about the threats to businesses, especially those whose operations depend on third-party vendors handling proprietary and sensitive data.
“It really makes you think about who you are doing business with,” said Derek Kilmer, Manager, Professional Liability, Burns & Wilcox, Detroit/Farmington Hills, Michigan. “An organization is only as strong as the weakest link in the supply chain. This is why you see New York’s cybersecurity regulation require all covered entities to define minimum cybersecurity practices to be met by third party service providers should a business relationship be established. An obligation to your client base is that you do more than just protect the data you control, but have a real understanding of the cyber and privacy practices of those you partner with as well.”
Even companies that build safeguards and security controls into their daily operations are not immune to data breaches, Kilmer noted. "You can lessen your exposure, but odds are someone is going to find a way around them. It is only a matter of time. Vulnerabilities in cybersecurity are no longer just a concern, but a widespread epidemic."
Hackers do not discriminate
No industry is immune to the financial and reputational devastation of a successful cyberattack. Hackers are equal-opportunity offenders, using increasingly sophisticated schemes to gain access to private networks and the sensitive data they hold.
Financial services, health care, hospitality and higher education remain favored targets of cybercriminals, but there has been an uptick in attacks on retail and manufacturing as well.
In its most recent Financial Trend Analysis, the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) reported that in 2017 and 2018 manufacturing and construction was the sector most frequently targeted by business email compromise (BEC) attacks, in which attackers impersonate an employee or officer of a company to send fraudulent invoices or fraudulent wire transfer requests.
While manufacturing and construction accounted for 20 percent of all reported BEC attacks in the U.S., the commercial services sector, including retail and hospitality, saw the sharpest rise in its share of BEC attacks, going from 6 percent to 18 percent year over year. Alarmingly, Verizon's 2019 Data Breach Investigations Report shows that 52 percent of the breaches it analyzed involved hacking and 43 percent had small businesses as victims.
According to the most recent data from Statistics Canada, over one-fifth of Canadian businesses reported data breaches that impacted their operations in 2017; 54 percent of those impacted businesses said that the breaches prevented employees from working and 30 percent incurred additional costs to repair systems and recover data.
Businesses that do not handle individuals’ financial or medical information are no less likely to suffer the effects of a data breach than those that do, said Karl Olson, Vice President, Professional and Management Liability Practice Leader, Burns & Wilcox Brokerage, San Francisco, California.
“Manufacturers are business-to-business; they do not have consumer information, they do not process credit cards,” Olson said. “But they have first-party exposure for ransomware or extortion attempts. If someone hacks into their network and they get shut down or locked out, they cannot operate.”
Hackers are not just skilled at fooling employees into wiring company funds into attacker-controlled accounts or paying false invoices; they are also adept at avoiding detection. The 2019 Cost of a Data Breach Report from IBM Security and Ponemon Institute indicates that it takes a U.S. company an average of 245 days to identify and then contain a data breach.
If a company is found liable for failing to respond to a data breach in a timely or sufficient manner, the consequences can be devastating, as was the case with the American Medical Collection Agency, which filed for bankruptcy protection in June. The filing was a direct result of its massive data breach, which began in August 2018, continued until March 2019, and has so far been found to have compromised over 25 million patients' records.
An interwoven landscape
The financial costs of recovering from a data breach are not limited to the company directly impacted. Slack, a popular workplace messaging and collaboration platform used by over 10 million people daily in the first three months of this year, recently announced that it was resetting passwords for accounts affected by a data breach it suffered in 2015. Many of those impacted users use the service on behalf of their employers, often in conjunction with other web-based platforms like Dropbox, whose own 2012 credential breach came to light in 2016.
"We live in an interconnected world," said Neil Gurnhill, CEO, Node International, London, England, an insurance and underwriting company solely focused on cyber and technology risk. "Nearly all businesses will rely, in one form or another, on third party companies to help them to run their day-to-day operations." If one of those companies exposes your data as a result of an attack, as has happened recently with Slack and Dropbox, Gurnhill explained, it is still the business owner's responsibility to address any resulting damages.
Insiders add to that burden. As Kilmer pointed out, "about a third of organizations experience security incidents resulting from insider threats," and even diligent business owners will be held responsible for the actions of their employees, whether their behavior was negligent or intentionally malicious.
The hefty burden of a data breach
After a business owner has what Gurnhill describes as “that heart-stopping, cold sweat moment of being made aware that something is not right,” the hard costs of a data breach can add up quickly.
In the wake of a breach, a company must enlist a forensic expert to analyze its systems and determine the source and scope of the attack. If weaknesses are identified, the company must shoulder the costs of implementing new security systems, protocols, software and the like to address them.
Companies hit with ransomware or other malware may end up paying thousands of dollars to an attacker who has taken their systems hostage, with no guarantee that payment will actually restore their data. Once a breach and the compromised data have been identified, companies must make regulatory notifications and inform affected parties.
Data breaches can also result in losses from business interruption, or in legal costs to defend or settle lawsuits, such as the settlement of up to $700 million that Equifax recently agreed to over its breach, $425 million of which was earmarked for restitution and credit monitoring services for the 147 million affected consumers.
Repairing the reputational damage that results from a data breach is harder to quantify, but the costs can include losses from discounts offered to assuage disgruntled clients, closed accounts, lost business or reputation management services.
On top of all of these expenses are the fines incurred when a company's breach, or its response to it, violates rules set by regulators. Businesses may also have to pay penalties under, or bear the cost of complying with, regulations such as the European Union's General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
“New regulations are changing how companies are able to collect personal data and what they need to do with that data,” said Olson. “They incur another layer of liability as well as costs to implement new standards.”
Mitigating the fallout
Some casualty or property insurance providers offer cyber coverage as part of a package policy, Olson explained, but that coverage is often inadequate relative to the insured's true cyber exposure and can give a false sense of protection.
“Standalone Cyber and Privacy Insurance policy programs can provide much broader coverage for more exposures, provide better limits and claim resources,” he said.
“Cyber and Privacy Insurance is a response-based product,” explained Gurnhill. Policyholders not only get coverage for damages suffered, they receive immediate assistance from a panel of cybersecurity and privacy law experts.
“We respond very quickly, to stop the event from becoming worse, give the insured a clear picture of where they are, and get them back up and running quickly in a safe and secure manner. All that goes hand in hand with helping to manage the breach with the least amount of impact on their business as possible.”
Because of the evolving and complex legal and financial issues surrounding a data breach, enlisting the help of experts is strongly recommended, especially as part of a larger program to mitigate losses and repair damages when a breach occurs.
"The monetary impact of a large breach could take you out of business," said Kilmer. "Forget about the costs incurred for incident response, disaster recovery, ransomware, or broader business interruption losses, which are all critical. Look at the tightening regulatory environment we now are seeing and increased consequence of non-compliance. Small and mid-sized organizations need all of the help and resources they can get to operate in compliance, create the proper privacy policies, and offer security awareness training for employees. The resources are a significant advantage and offer value outside of the insurance itself."
Blame for data breaches is often placed on company leaders. While Directors & Officers Insurance policies can provide assistance in such situations, the additional response services that come with a Cyber and Privacy Insurance policy, legal guidance to avoid regulatory penalties and security guidance to recover from and prevent future attacks, can prove invaluable.
“All bets are off when it comes to the layering (of application interfaces) and ways that breaches (can) occur,” said Gurnhill. “There are so many fail points, and like lava, they are constantly shifting. It is a very challenging landscape for any business owner or organization to truly get their hands around.”
“There is no way that you can truly eliminate the risk (of a data breach); there are so many potential things that can happen that are outside of your control,” Gurnhill advised. “Never has there been a more crucial time for businesses to consider investing in Cyber and Privacy Insurance.”