The Green Sheet Online Edition
August 25, 2008 • Issue 08:08:02
Data breach insurance has your back
At the 2007 Northeast Acquirers Association Conference, Tom Mulligan, Vice President of C.L. Frates and Co., heard the buzz about the TJX Companies Inc. security breach - the largest in U.S. history. Mulligan and his colleagues at the Oklahoma City-based insurer wondered why there wasn't an insurance policy that covered merchants (and their acquirers) should a breach occur.
So the insurer tweaked its Corporate Identity Protection Policy to create the Merchant Data Security Policy.
In case of a breach, the policy covers level 2, 3 and 4 merchants up to $50,000. The policy covers the costs of the mandatory audit required by the card networks as a result of a data breach; the policy also pays for the ensuing monetary assessments or fines levied by the networks and the time and expense of the audit. Moreover, the costs of card replacement and state-required notification letters are also included.
The policy, underwritten by worldwide insurer International Insurance Group Inc., requires no deductibles. ISOs and merchant acquirers are set up on the policy at a cost of $2 or less per merchant, depending on the size of the portfolio. Acquirers can mark up the cost of the policy to their merchants if they so choose.
Mulligan called the policy "sleep-at-night coverage," especially for level 3 and 4 merchants. Although the networks technically punish the banks for data breaches, the costs are passed along to the ISOs and acquirers which, in turn, pass along the costs to merchants, Mulligan said.
"Ultimately it comes down to the merchants and they are liable to pay the forensic exam, the fines and penalties," he said. Forensic exams start at around $10,000. For level 4 merchants in particular, that's a lot of money.
"So if your merchant is Dan's Shoestore in San Francisco, you may not have $10,000 to spare," Mulligan said. "That's the first bill." He added that the second bill comes after the forensic audit, when the card companies say, "'Well, hey, Dan's Shoestore, they were out of compliance that day, so we're going to fine them $20,000 every month that they're out of compliance.'"
Because of their smaller financial size, level 4 merchants are most at risk if a breach should take place. Mulligan put it bluntly:
"If you've got a level 2 that has a breach, they probably have the financial resources to pay $50,000 or $100,000, $200,000. The $50,000 would help offset [the costs], but it probably wouldn't pay the whole thing.
"It wouldn't put my level 2 merchant out of business. Level 3 it might. And level 4 it probably definitely would."
C.L. Frates has met with resistance from acquirers that argue they have no need for data breach insurance, since acquirers routinely ferret away funds to be used in case one of their merchants is breached.
Mulligan counters that the policy is a tax-deductible item. Furthermore, the policy provides liability insurance to acquirers if they are sued because of a breach.
But Mulligan also said the policy has other benefits that rainy day funds do not provide. Included in the policy is a crisis management service for affected merchants, as well as identity recovery services for consumers.
Both services are designed to mitigate damage to merchants' reputations, keep them in business and retain their customers.
Mulligan also considers the policy a perfect value-added service that ISOs and merchant level salespeople can sell to merchants.
"The sales team of the ISO can let every merchant know that starting X date, they are not liable for the first $50,000 of a breach, they're fully protected, and there is an insurance policy written through AIG, the largest insurance company in the world, that is there backing them up," Mulligan said.
C.L. Frates and Company
800-221-1825 ext. 409
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.