The Green Sheet Online Edition

February 23, 2009  •  Issue 09:02:02

Insuring against compromise

According to business and e-commerce attorney Holli Targan, some ISOs and processors are now offering payment card data breach insurance programs to their merchant customers. Data breach, or cyber liability, insurance typically covers losses incurred by a merchant due to fines imposed by Visa Inc. and MasterCard Worldwide and issuing banks' card replacement costs. It also protects companies against most forms of hacking, data theft or privacy violations.

But by offering this insurance to merchants, ISOs may be unwittingly subjecting themselves to state insurance regulation.

"Well, sometimes the state laws say that if the ISO markets the insurance they have to be licensed as an insurance agent," Targan said. "Most states require that insurance agents be licensed and each state law specifies activities that qualify a company as an insurance agent. But there are ways of structuring the offering by the ISO so that they don't fall into that trap, and in a way that makes sure they are not deemed an insurance agent."

False security

Targan said some insurance companies have indicated that ISOs don't need to be licensed to provide breach insurance to merchants. And while this may be true, it gives ISOs a false sense of security; they believe simply marketing the insurance qualifies them as agents under state law. Targan suggested that before ISOs proceed with data breach insurance programs, they conduct a thorough review of insurance statutes for the states in which they do business.

"It's really so state-law specific because every state insurance law is different," Targan said. "Talk to an insurance lawyer and get that person to help you interpret the state statutes. And examine the state insurance laws to make sure you're doing it the right way. Right now, I am not aware of any statutes that require such insurance; however, each state and each policy has its own coverage requirements and categories."

A numbers racket

Vimal Vaidya, founder and Chief Executive Officer at RedCannon Security Inc., said, "Data breaches remain the leading cause of financial losses in business, with over 75 percent of Fortune 1000 companies falling victim to data leakage, and this is not going to change without improvements in the enforcement of data security policies."

And consulting firm Vontu's 2007 Consumer Study on Data Security indicated 62 percent of respondents were notified that their confidential data had been lost or stolen; 36 percent said they would not use credit or debit cards to make a purchase with an unknown Web merchant; nearly half said they would not provide Social Security numbers on a Web site.

"We live in a wide-open world where information can very easily be copied, sent or shared, and over 100 million customers have been notified of a breach of their personal data," said Joseph Ansanelli, CEO of Vontu. "Smart companies understand this and are investing in solutions to protect against the loss of this sensitive data and ensure the trust of their customers."

Viable options

As a result of the ever-increasing tide of consumer data compromises, many companies today sell a wide range of insurance coverage. TSYS Acquiring Solutions and The Royal Group Service Ltd. LLC offer coverage regardless of a company's Payment Card Industry (PCI) Data Security Standards (DSS) compliance status. Their joint program covers the mandatory forensic audit when a breach is suspected, as well as any PCI DSS fines resulting from a breach.

Some data breach insurance companies, like Charlotte, N.C.-based Premier Insurance Management Services, cover "soft" costs related to breaches, including expenses, fines and penalties arising from government and regulatory investigations, crisis management, public relations and customer notification.

Tracy Vispoli, Vice President of Chubb & Son, cautioned that a network security breach is not a matter of if, but when. Vispoli noted that new laws in nearly half the states require companies to disclose security breaches to their customers residing in those states.

"Network security breaches expose companies to class-action lawsuits, as well as irreversible damage to the corporate brand," Vispoli said. "And these new laws add another layer of responsibility and cost by mandating that companies notify customers of actual or suspected security breaches. It's time for financial institutions to further tighten their data security controls and to prepare for the significant financial cost of this risk."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
