When Wei Wong, owner of Sushi Mushi, a popular Japanese food bistro in Texas, installed a phone add-on to take credit and debit card payments straight from his employees’ phones, his revenues skyrocketed. Yesterday the Feds told him that his customers’ credit and debit card numbers were posted for sale on an underground website. Malware planted in his employees’ point-of-sale phone systems snared over 10,000 card numbers, encrypted PINs, and CVV codes. Every hacker in Ukraine now wants their own missile launch system. Is Sushi Mushi to blame?
Yes. Texas law requires Wei Wong to notify each of the 10,000 customers because their “sensitive personal information” was, or is reasonably believed to have been, acquired by an unauthorized person. A May 2013 Cost of Data Breach Study sponsored by Symantec reported that the average United States data breach cost per record was $188. A 2012 Verizon Risk Team study shows that in 2011 over 174 million records were reported breached. The average cost to an organization resulting from a data breach incident is now reported to be upwards of $6.65 million.
When? What if Not?
Sushi Mushi is required to provide notice “as quickly as possible,” with exceptions made for criminal investigations (which must be documented). If no notice is issued, Wei Wong risks statutory penalties of $100 per individual per day for any failed or delayed notification, not to exceed $250,000 for a single breach. But these notice costs plus forensic investigation, credit monitoring, public relations efforts, and lawsuits are nothing compared to the biggest possible cost – the company’s reputation.
Who’s to Worry about Cyber Theft?
Most businesses that maintain a computer network holding “sensitive personal information” (an individual's first initial and last name together with a social security number, driver's license or government-issued identification number, or an account number or credit or debit card number with its security code). Also, almost any health care-related business.
Could It Be Worse?
If Sushi Mushi’s customers can get a class certified, Wei Wong’s liability will almost certainly include mandatory payment of identity theft and credit monitoring services, imposed auditing requirements, injunctions to cease and desist improper retention of customer data, reimbursement of funds stolen and costs expended in issuing new cards, disgorgement of Sushi Mushi profits during the time of the breach, and forced adoption of certain security measures.
Tilting the Scales in Your Favor
Consider Insurance. Many businesses purchase Commercial General Liability policies. However, it is increasingly likely that a general CGL policy will not cover a cyber-security breach; more insurance carriers are excluding cyber security breaches from their CGL policies. Check out purchasing cybersecurity insurance going forward to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.
Steps to Protect Your Company
- Identify all sensitive data handled by your company.
- Make sure it is secure. Encryption mitigates the Texas statutory liability and penalties.
- Implement and maintain security systems – both computer-system and physical security measures. Passwords, encryption, firewalls, and anti-virus software are important; physical security measures are just as important.
- Lock up sensitive data and, when disposing of it, make sure it is properly shredded. Simple employee negligence, such as losing a laptop or failing to shred personal data before throwing it in the trash, is a frequent culprit. Confirm that all employees know the protocol for keeping customer data safe.
- Implement a response plan to deal with a breach after it occurs. Having a plan in place will help reduce your risk of incurring fines and cut notification costs.
- Detection, confirmation and quick remediation are key. If you are compromised, know where and when bad things are happening – real compromises, not false alarms – so they can be shut down. As Verizon’s 2014 Data Breach Investigations Report shows, speed matters, both in detection and dwell time (time between discovery and remediation). After mere minutes critical data can be exfiltrated from a network.
- Quick remediation is critical, but so is insight. With so many states pushing to codify stringent breach notification requirements, waiting days or weeks to let customers know what may have happened with their data simply won’t cut it going forward.
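The first step above, identifying all sensitive data, is the one most businesses skip, and it is the one that decides how many of the other steps apply. The following is an added example, not code from the original article or from Sushi Mushi: a small scanner that walks a set of constructed sample records (order notes, invoices), looks for the identifiers the Texas definition names (social security numbers and card numbers, the latter validated with the Luhn check so that arbitrary digit runs are not counted), and flags a record as “sensitive personal information” only when such an identifier appears together with a name, mirroring the statutory pairing of name plus identifier. The regular expressions are deliberately simplified assumptions for illustration; a real data-discovery pass would use a broader pattern set and run over actual storage.

```python
import re

# Constructed sample records for the demonstration; none of these are real
# people, cards or social security numbers.
SAMPLE_RECORDS = [
    "J. Wong, card 4111111111111111 cvv 123, pickup order #88",
    "customer: Maria Garcia, ssn 123-45-6789, catering invoice",
    "order #91, table 4, no card on file",
    "A. Patel 4111111111111112 (declined)",  # digit run fails Luhn: not a card number
    "note: call 512-555-0100 to confirm",    # a phone number, not an SSN or card
]

# Simplified patterns (assumptions, not the statute's wording):
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{13,16}\b")
# A first initial (with optional period) or first name, followed by a last name.
NAME_RE = re.compile(r"\b([A-Z]\.?|[A-Z][a-z]+) [A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_record(text: str):
    """Find identifiers in one record; return (masked findings, whether a name is present)."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        pan = m.group()
        if luhn_ok(pan):        # discard digit runs that cannot be card numbers
            findings.append(("card", "*" * (len(pan) - 4) + pan[-4:]))
    has_name = NAME_RE.search(text) is not None
    return findings, has_name


def classify(records):
    """Label each record; 'spi' is True only when a name and an identifier co-occur."""
    results = []
    for index, record in enumerate(records):
        findings, has_name = scan_record(record)
        results.append({
            "index": index,
            "findings": findings,          # masked, so the report itself is not a leak
            "spi": has_name and bool(findings),
        })
    return results


def count_spi(records) -> int:
    """Number of records that would count as sensitive personal information."""
    return sum(1 for r in classify(records) if r["spi"])


if __name__ == "__main__":
    for r in classify(SAMPLE_RECORDS):
        print(r)
    print("records holding sensitive personal information:", count_spi(SAMPLE_RECORDS))
```

The report masks everything it finds, so the inventory can be shared with the people deciding on encryption, retention and shredding without itself becoming another copy of the data. Records that carry an identifier without a name (or a name without an identifier) are reported but not counted, which is exactly the distinction the Texas definition draws.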
The definition under the Texas statute also includes information regarding an individual’s physical or mental health; the provision of health care to the individual; or payment for the provision of health care to the individual. This information is referred to as “protected health information” or “PHI” in the health care industry, and is also subject to the privacy and security restrictions of the federal privacy statute known as HIPAA. Texas entities subject to HIPAA will have to determine whether they have breach reporting obligations under HIPAA, the Texas statute, or both, since the standards and requirements of HIPAA and the Texas statute are different.