A criminal indictment announced last week charged three people in the largest hacking and identity-theft case in history. In addition, 30 civil lawsuits have been filed against one of the hacked companies, Heartland Payment Systems. These suits were filed by financial institutions, consumers and investors. More than 650 institutions were affected by the breach.
The cost to credit unions as a result of the Heartland breach has been high. On June 10, 2009, a judicial panel ordered the transfer of all related cases against Heartland Payment Systems to the Texas U.S. District Court. The class action will seek to recover costs incurred by financial institutions relating to the re-issuance of debit and credit cards as a result of the breach.
We’ve all heard the myth about why Willie Sutton robbed banks. But in today’s data age, there’s something arguably more valuable than money: personally identifiable information. And your credit union is the vault for that data.
The amount of data that has been breached is astounding. The Privacy Rights Clearinghouse reports that more than 262 billion records have been compromised since 2005 due to security breaches.
On March 4, 2008 the Federal Trade Commission settled its 17th security breach case. The complaint alleged that Goal Financial did not sufficiently safeguard the personal data of those applying for loan services and that it sold surplus hard drives containing the personal information of 34,000 consumers. The settlement bars Goal Financial from future data security misrepresentations and requires the company to implement and maintain a comprehensive information-security program that includes administrative, technical and physical safeguards. The settlement also requires the company to obtain, every two years for the next 10 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order.
As we are finding in the Heartland Payment Systems case, the costs of a security breach, both financial and reputational, can be overwhelming. A leading insurance company recently estimated that the average cost associated with a data loss is about $166 per record.
Most general liability insurance policies and financial institution bonds will not cover first-party losses (losses associated with notification, credit card re-issuance, etc.) and will typically exclude losses that are not in the form of bodily injury or property damage. A financial loss due to a breach of private data is not typically covered.
To insure against and mitigate this exposure, insurance companies offer specific products designed to let credit unions transfer this risk. However, there is no standardized policy, so it is extremely important to review the policy language and have a firm understanding of what is and is not covered. While many insurance companies offer cyber-liability and data-privacy policies, no two are the same.
When looking for a comprehensive solution, credit unions should look at:
• Business interruption coverage for any network outage, including extra expense.
• Cyber extortion coverage.
• Enterprisewide data privacy and unauthorized access coverage to include both electronic and nonelectronic information.
• E-media coverage for advertising injury.
• Broad definition of data privacy wrongful act to include failure to prevent identity theft or credit card and debit card fraud.
• Coverage for unsolicited electronic communication (spam).
• Broad definition of insured to include directors and officers.
• Employee unauthorized access to include rogue employees.
• Regulatory fines, fees and penalties included in coverage.
There are also some additional steps that credit unions should have in place to mitigate the risk. Make sure that you have a clearly defined data-security policy. Properly train and educate employees on the confidentiality of information and proper use of network security tools. Limit access to private information. Take reasonable and appropriate steps consistent with current technology to make sure that data is secure and that the integrity of information stored and transmitted is not corrupted. Develop written plans and procedures to detect any actual or attempted attacks on your systems, including an incident response policy. Include confidentiality agreements in your contracts with service providers.
Credit unions should also evaluate and adjust their plans on a regular basis. They can also hire an independent third party to evaluate the data security program, consider off-site storage of data at a third-party data center, and work with an attorney who has experience with privacy and security issues and can offer legal advice and tools for complying with legislative and regulatory requirements.
Cliff Rudolph is a credit union account executive at Parker, Smith & Feek, an insurance and risk-management brokerage. He can be reached at 425-709-3705 or cerudolph@psfinc.com