Payment Cards and Data Breaches

A Q&A with Grayson Lenik
The retail industry is now the top target for cybercriminals, according to the 2013 Trustwave Global Security Report, and payment card data, governed by the Payment Card Industry Data Security Standard (PCI DSS), is a critical area of concern. Yet many businesses, especially smaller retailers, are still unaware of basic PCI requirements. I asked Grayson Lenik, senior security consultant at Trustwave, for an overview of what small merchants need to know.

Can you give us a summary of the key PCI threats and requirements facing retailers today?
I wish I could say it was complicated, but it’s really not. The basics of the PCI requirements, such as installing a firewall to protect data and creating strong passwords, are still killing people, especially small merchants. Without a good firewall configuration, you’re leaving remote access wide open to the internet. As far as the passwords go, I don’t know if it’s that people are not in tune with the basics of security or whether they are not aware that they need to change the defaults, but either way, weak passwords combined with easy remote access are a recipe for disaster.

In the PCI arena, the biggest threat to everyone is organized crime—large crews who are dedicated to stealing cardholder data. There’s a sophisticated black market surrounding the sale of this information. If a hacker wants to find a specific credit card from a certain region he could easily find it. So we know the operations are out there and they are very well developed.

What areas are your clients struggling with most?
I really think the big piece is education. That’s the first priority. I handle these breaches all the time and I find out from the business owners that this is the first time they’ve heard of PCI compliance. They ask, ‘Why didn’t my merchant bank or anyone ever talk to me about this?’ That’s remarkable since the regulation has been on the books for 10 or 11 years. Aside from that, it’s the basics: storage of cardholder data, firewalls and two-factor authentication.

People worry that it’s going to be very expensive, but there are very simple ways to comply. There are whitepapers available geared toward smaller merchants, about purchasing and configuring a firewall for less than five hundred dollars. Trustwave specializes in managed security services and offers a preconfigured firewall complete with two-factor authentication, including digital certificates, which is ideal for a smaller business such as a restaurant or small retail store.

Thankfully, I think the mainstream media is starting to do a better job of covering the topic so people are becoming more aware that small merchants are also at risk.

Do you see any trends for key causes of a PCI breach?
I think that goes right back to the first question. We see a lot of everything but remote access and weak passwords are still the biggest causes of PCI breaches. The big trend we saw for 2012 was the rise in eCommerce attacks. It’s frightening to see how simple it is for hackers, even hackers with a low skill level, to exploit these sites. I would recommend anyone in the security profession or even anyone who develops websites to test their own security on their own websites. With even some minimal steps, you can prevent these attacks.
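The two basics Lenik keeps returning to, in both of the answers above, are remote access left open to the internet and default or weak passwords. The following script is an added example, not Trustwave's code or anything from the original page: it audits a constructed iptables-save style ruleset for remote-access ports (SSH, Telnet, RDP, VNC, pcAnywhere) accepted from the whole internet, and checks a constructed account list against a hypothetical set of vendor default credentials and the PCI DSS password minimum (at least seven characters, with both letters and digits). The rule format, port list and default-credential table are all assumptions for the demo.

```python
"""Audit firewall rules and local accounts for the two PCI basics that
cause most small-merchant breaches: remote access open to the internet
and default/weak passwords. Added example; not Trustwave's code."""
import ipaddress
import re

# Ports commonly used for remote access to POS and back-office hosts.
REMOTE_ACCESS_PORTS = {
    22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC", 5631: "pcAnywhere",
}

# Hypothetical vendor defaults (constructed for the example).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("administrator", "password"),
    ("pos", "pos"), ("support", "support"),
}

# Fields we need from an iptables-save style INPUT rule, e.g.
# "-A INPUT -s 203.0.113.0/24 -p tcp --dport 3389 -j ACCEPT".
# Assumes the option order shown; a real parser would be more tolerant.
RULE_RE = re.compile(
    r"-A\s+INPUT(?:\s+-s\s+(?P<src>\S+))?\s+-p\s+tcp\s+"
    r"--dport\s+(?P<port>\d+)\s+-j\s+(?P<target>\S+)"
)


def exposed_remote_access(rules):
    """Return (port, service, source) for ACCEPT rules that let the whole
    internet (or a /8 or wider) reach a remote-access port."""
    findings = []
    for line in rules:
        m = RULE_RE.search(line)
        if not m or m.group("target") != "ACCEPT":
            continue
        port = int(m.group("port"))
        if port not in REMOTE_ACCESS_PORTS:
            continue
        src = m.group("src") or "0.0.0.0/0"   # no -s means any source
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen <= 8:
            findings.append((port, REMOTE_ACCESS_PORTS[port], src))
    return findings


def weak_passwords(accounts):
    """Map username -> reason for every account using a known vendor
    default or a password below the PCI DSS minimum (7+ chars, letters
    and digits). Plaintext input is for the demo only."""
    weak = {}
    for user, pw in accounts:
        if (user.lower(), pw) in DEFAULT_CREDENTIALS:
            weak[user] = "vendor default"
        elif (len(pw) < 7 or not re.search(r"[A-Za-z]", pw)
              or not re.search(r"\d", pw)):
            weak[user] = "below PCI minimum length/complexity"
    return weak


# Constructed sample input.
SAMPLE_RULES = [
    "-A INPUT -s 203.0.113.0/24 -p tcp --dport 22 -j ACCEPT",  # vendor range: ok
    "-A INPUT -p tcp --dport 3389 -j ACCEPT",                   # RDP from anywhere
    "-A INPUT -s 0.0.0.0/0 -p tcp --dport 5900 -j ACCEPT",     # VNC from anywhere
    "-A INPUT -p tcp --dport 443 -j ACCEPT",                    # HTTPS: not remote access
    "-A INPUT -p tcp --dport 23 -j DROP",                        # Telnet blocked: ok
]
SAMPLE_ACCOUNTS = [
    ("admin", "admin"),          # vendor default never changed
    ("pos", "Summer2013x"),      # meets the minimum
    ("manager", "Register7!"),   # meets the minimum
    ("backup", "letmein"),       # 7 chars but no digit
]

if __name__ == "__main__":
    for port, svc, src in exposed_remote_access(SAMPLE_RULES):
        print(f"OPEN: {svc} (tcp/{port}) accepted from {src}")
    for user, why in weak_passwords(SAMPLE_ACCOUNTS).items():
        print(f"WEAK: {user}: {why}")
```

Run against the constructed input it reports RDP and VNC open to any source, and flags the untouched admin default and the digit-less backup password, which is exactly the combination Lenik describes.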

In summary…
PCI continues to be a thorn in the side for many clients, and for many of the reasons that Mr. Lenik mentions. Often, it is the simple mistakes and commonly known exploits that can trip up organizations—and some mistakenly believe they have no credit card liability exposure if they outsource credit card processing (this is not the case in the eyes of victims or their lawyers). I personally feel that PCI is a fairly complex, granular and ever-changing standard that can be costly for clients to comply with, year after year. To complicate matters, the class-action plaintiff lawyers look to PCI DSS as an industry “standard of care.” This can increase the liability for a company that suffered a breach and was found to be lacking in a PCI-required practice that might have contributed to the incident (even if they were otherwise 95% compliant). On the plus side, regarding PCI as a standard of care can be useful to businesses in retail and beyond.

Mobile Devices: Risk and Exposure

A Q&A with Nathan Steuer and Peter Coddington
Mobile devices are essentially computers that can go anywhere the employee goes. While these devices enable powerful computing capabilities, they are also easily lost and left unprotected, creating additional data security risks for organizations that use them. I asked Nathan Steuer, business development director, and Peter Coddington, CEO of PaRaBal, Inc., in Catonsville, MD, about limiting the vulnerabilities of mobile devices.

What are some of the key risk exposures facing businesses with mobile devices?
We believe that data in any enterprise, commercial or public, are the jewels of the kingdom, so when you bring devices into the ecosystem of the organization you are allowing that many more points to touch the data and potentially open it to the outer fringes. There are multiple forms the risk can take, whether it’s rogue behavior or an accidental leak, but ultimately the risk exposure is about losing control over that data.

How can network and data breach events occur through mobile devices?
Smart phones have a number of sensors on them—they can communicate with wi-fi, Bluetooth, cellular networks, servers, near field communication technology and they can give out geographic information—so there are a lot of ways to interact and all of these interactions are connected to your enterprise network. A rogue agent or employee can put an app on the phone that allows someone to get into the network; there are spear-phishing methods through texting that create tiny URLs that lead back to the network; you can lose the phone and if there isn’t a proper password on it, anyone can access the data flowing through apps or email. If you think of all the different ways we communicate on the phone then you see that there are multiple opportunities for a breach.

Do you see any trends in this area?
As Bring Your Own Device (BYOD) is becoming the norm, employees are unknowingly exposing an organization’s data. These employees want to handle data properly on their mobile devices, but in most cases don’t know what constitutes red flag usage on their device. Another area is in undetected malware in Android apps. The sheer number of Android apps has multiplied a thousand-fold every six months. The Kaspersky Security Company released a report that said 99 percent of all attacks on mobile devices in 2012 were against Android, but that’s not to say iOS isn’t vulnerable as well. So we’re almost seeing a throwback to the old Windows versus Apple security debate, and as Android leads market share it is more challenging.

How can a company mitigate this risk exposure?
It has to be a multipronged approach, through policies, insurance, training and potentially software solutions. There are a number of products attempting to address these issues but most organizations are not electing to run out and get them yet. We think the best place to start is by getting a mobile audit of your enterprise and understanding how many devices are involved in your network, then determining policies and controls for employees using them. But the controls need to be well designed so that they don’t interfere with productivity, for instance, requiring clunky passwords to be entered multiple times. There need to be strong user policies from a liability standpoint and thorough education for employees so they understand the risks they’re taking. Our advice is that now is the time to secure your devices and stay ahead of the curve—it’s only a matter of time until we see a catastrophic data breach on the level of Sony that starts with a mobile device.

What might insurers need to know about mobile device risks?
While a lot of carriers realize there’s a great deal of risk with mobile devices, they don’t necessarily know how to quantify that risk and how to include it in their policies, so we also help with that education on the insurer side.

In summary…
At NetDiligence® we continue to see cyber risk insurers, brokers and risk managers concerned about mobile device risk and security issues. Many have had actual losses and insurance claims paid out due to a breached mobile device housing vast amounts of personal data on their customers (not to mention intellectual property impacting the corporation). Mr. Steuer and Mr. Coddington raise some key issues about organizational risk (and legal liability) emanating from both mobile apps and mobile devices, which we believe will grow immensely over the next several years. The attack statistic trends they reference are staggering. Businesses in all sectors need to get proactive and start managing this exposure.

Vermont Privacy Breach Regulations

A Q&A with Ryan Kriger
Among state Attorneys General, Vermont has gained a reputation for being particularly aggressive about data breach and privacy regulation. To better understand the state’s Consumer Protection Act requirements and processes for data breach investigation, I talked to Ryan Kriger, Assistant Attorney General.

What should a small business know about complying with the Vermont law?
We have guidance available on our website, which should be helpful. In the case of a breach, they should first contact law enforcement, their insurer, their lawyer, any IT people involved and, if there’s credit card information at stake, their processor. Their primary duty is to figure out what happened and get the situation under control. They have to notify us within 14 days of finding out about the breach. That preliminary notice is kept confidential. We want businesses to give notice to consumers relatively quickly, and the 14-day notice to us allows us to stay on top of things and make sure they are doing that. We did create a waiver last year—if your company has policies in place and you’re confident that you will comply with the law, you can be certified ahead of time as long as you sign the document and get it on file with us before a breach incident. If you have a certification on file, you don’t need to notify us within 14 days. Another subsection says that if the data collector is sure that the data never got into the wrong hands—say, a password protected laptop was lost for five hours, then returned—they can call and ask us if they still need to give notice, and we probably won’t require it.

If it’s a really big breach and we think it could be problematic, we may follow up with questions. If we perceive the company’s actions to be unreasonable, unfair or deceptive, such as in the case with TJX, then we will begin an inquiry. Often, this wouldn’t just be Vermont, but multiple states getting together and asking questions.

How might you approach a data breach incident?
The first step is that we want to make sure the business has covered all of the necessary notification. Notice to consumers should go out “in the most expedient time possible and without unreasonable delay.” Vermont has a 45-day deadline, but we think in many cases notice should go out sooner. We encourage companies to send us their notification letter before it goes out to consumers, and we can help them make sure it’s in line with the statute. Also, the sample letter to consumers gets posted to our website, so consumers can confirm that the letter itself is legitimate. The second thing is to make sure the company fixes the problems that led to the breach. Sometimes smaller businesses think it’s a one-shot deal and don’t want to change their business practices, but we remind them that they are on notice, and that the fine outlined in the Consumer Protection Act is $10,000 per violation. Now, we’ve never had to levy that fine as most people seem to want to resolve the issues, but we want businesses to know that we are here to protect consumers and they need to take that seriously. In the TJX case, it appears that the company may have been collecting credit card information at point of sale and transmitting it, unencrypted, over unprotected wi-fi networks. This sort of blatant violation of standard security practices, and the length of time that it was allowed to continue, clearly justified bringing an enforcement action. We’re not trying to trick people, and in most cases we can resolve things in a cooperative fashion, but when a company drags their feet, we will go after them.

What are some of the key weak spots that lead to a privacy/data breach incident?
It can be all over the map—certainly, not encrypting data where encryption is appropriate is one issue. Over-collecting data you don’t need, such as using SSNs as an identifier, could be another. Other problems we see: collecting credit card data through a homemade system that’s not PCI-compliant when you could be using a secure third-party system. Not changing passwords or updating software. In smaller businesses, it might be negligence about employees who could be stealing credit card information. In general, it’s a good practice to have the occasional forensic analysis or stress test. We have partnered with Norwich University to offer penetration testing to any small business in Vermont that wants it. The Verizon Report has shown us that small businesses are the prime focus of security breaches, so we are particularly sensitive to the needs of small businesses in Vermont.

What type of fines and penalties can a company face for noncompliance? Can the lack of certain actions or controls increase their culpability in your view?
I mentioned the $10,000 per violation fine, and we consider each day you go beyond the deadline a separate penalty. Our Consumer Protection Act doesn’t have an intent requirement, but we obviously take intent, negligence and lack of controls into account when we think about enforcement and penalties. A business suffering a breach calling us to ask what they can do, making it clear they want to do the right thing, is very different from a business that denies anything went wrong, after we’ve found out about the breach three months later. We are very cautious with our use of power and we’re not trying to bully anyone, but if we need to use a large fine to get a business into compliance, we will do so. If an enforcement action reaches a settlement agreement, called an assurance of discontinuance or consent judgment, we may seek penalties, but we will also seek injunctive relief, which is asking the business to change its behavior. For example, we may want the business to put security or compliance systems into place, offer restitution for consumers, or take other steps to make sure it doesn’t happen again. In general, we are eager to proactively work with businesses to protect consumers and create a productive, cooperative relationship in order to prevent breaches.

In summary…
I first met AAG Ryan Kriger at our NetDiligence® Cyber Risk & Privacy Liability Forum last year in Marina del Rey. I thought he might be guarded about the state’s approach to enforcement, but boy, was I wrong. He was actually very forthright in talking about how seriously Vermont takes the issue of consumer privacy, including violators of state regulation. He makes the point that his department is willing to work with organizations that suffer a data breach incident and will give them a roadmap to do the right thing by the victims (whose personal information is now in wrongful hands). What is clear is that organizations that demonstrate a lack of care (or even willful nondisclosure) will be penalized.

Ryan is also speaking at the upcoming NetDiligence® Cyber Risk & Privacy Liability Forum in Philadelphia this June 6-7.

Cyber Liability and Subrogation

A Q&A with Kenneth Levine
Subrogation is an emerging topic in cyber liability insurance, as insurance companies are starting to pursue compensation from any third parties that can be held responsible for a data breach. To get a better handle on the current reality of subrogation in this area, I spoke to Kenneth Levine, partner at Nelson, Levine, de Luca & Hamilton, LLP.

Can you explain subrogation in layperson terms? Why is it important?
Subrogation has actually been in place since the 1700s in England. After an insurance company pays out a claim, it is allowed to try to recoup the money from anyone who might have been responsible for the underlying loss. It’s very important in the insurance world, because, by its very nature, subrogation limits the losses for insurance companies, allows for lower premiums and spreads the risk more equitably. It has become an especially critical aspect of the industry in the past three or four years, as subrogation recoveries in most companies have now replaced investment income as the second most important revenue generator after premiums. Subrogation isn’t as well developed for cyber liability insurance, but these days it is an exciting area of focus. As more cyber liability policies are written, more companies are starting to ramp up their recovery efforts following cyber losses.

Can you share any scenarios in the cyber liability insurance world in which subrogation efforts might be viable?
Let’s just use the recent highly publicized network breaches at The New York Times and Wall Street Journal, both hacked at the beginning of 2013, as examples. Following such breaches, subrogation attorneys would work with forensic specialists to see if any third parties were secondarily responsible for the breach and whether viable claims could be asserted against them to get back any losses or expenses incurred. For instance, these media companies most likely have contractors that assist with network design, maintenance and security, so you’d want to know whether the breach could have been prevented with antivirus software, alternate security controls or mandatory protocols that could have limited the vulnerability of the network. Overall, subrogation efforts would review whether the network was properly and reasonably secured, and whether anyone other than the newspapers’ employees was responsible for any deficiencies identified. In furtherance of such efforts, subrogation professionals would also look to see whether the newspapers had protections (or limitations) in their contracts with these possible subrogation targets.

What are some barriers or limitations to successful subrogation in the cyber risk space and how might they be avoided?
The biggest legal barriers are contractual limitations that some subrogation targets might have included in their service contracts. But before such limitations become an issue, factual impediments to the cyber investigation itself often create initial barriers by preventing forensics analysts from truly understanding the extent and cause of the data breach itself. Hackers are constantly coming up with better tools for gaining access and hiding their tracks, so it’s harder to discern how a breach happened, and exactly what security steps would have prevented it. Often, too, the forensic team will have to rely on the very people they may want to focus on for subrogation purposes, a company’s network contractor. These contractors are often the first ones who have their hands on the system after a breach, which can certainly present a conflict. We advise organizations that strongly suspect a breach to call their insurance company first—before bringing in their own network security contractors—to allow for a more proper investigation. We also try to educate companies to better review their contractual agreements with third parties so they are not signing away their recovery rights, or the rights of their cyber liability carrier. Forward-thinking cyber liability carriers with strong subrogation initiatives should be educating their insureds on these last two points before losses arise. Finally, I was somewhat encouraged by President Obama’s call for the creation of more cybersecurity standards under his recent Executive Order. A logistical impediment to subrogation recoveries in this area is the lack of industry-specific standards for cyber security. Without clear standards, it is far more difficult to demonstrate that a network has been poorly designed or maintained, a necessary element to a successful subrogation effort. While such reasonable security standards are now rather well established in the PCI arena, they are far less solidified and accepted in other business contexts.

In summary…
I think subro expert Ken Levine nailed it here, explaining exactly why subrogation is going to be so important to the cyber risk insurance industry going forward. If you look at the underlying facts of many publicly reported cyber attacks and data breach events, it seems that in approximately 30 percent of cases, responsibility can be traced to a third-party vendor (service provider, Cloud, contractor) either upstream or downstream from the insured business—a direct consequence of corporate America’s trend of outsourcing computing. The annual NetDiligence® Cyber Liability & Data Breach Insurance Claims study and recent industry computer crime studies, like this one from Trustwave, underscore that fact. For this reason, subrogation will be a major part of the third annual NetDiligence® Cyber Risk & Privacy Liability Forum this June.