Scott Reynolds is CEO of Member Insurance, which provides risk management and insurance solutions to hardware stores, building material dealers, lumber dealers and related businesses throughout the U.S. and Canada. The agency provides cyber liability products, which are policies specifically designed to protect business owners from the costs of data breaches, hackers and lost or stolen information.
Reynolds answered questions from Hardware Retailing to help independent home improvement retailers like you understand, prepare for, prevent and recover from cybercrime.
Hardware Retailing (HR): We hear about big data breaches on the news, but what’s the difference between those and what a smaller business might face?
Scott Reynolds (SR): There really is no difference. The way a hacker could get into a large business would be similar to how they get into a smaller business. The Target breach that’s so well known had to do with an HVAC contractor having access to the computer systems in a store. With access to the computer system in any size store, a hacker will have access to all kinds of personal information and/or all kinds of information about customers. There’s not going to be a whole lot of difference between the method a hacker uses with a large business versus a small business.
HR: Is the same sort of data targeted, regardless of the size of the business?
SR: There are two broad categories of information. You have personally identifiable information, and that includes social security numbers, credit card information, driver’s license numbers, addresses, and could include things such as passwords. Then there’s personal health information, and that includes more information that may likely be protected by [the Health Insurance Portability and Accountability Act] HIPAA.
HR: What can a retailer do to prepare for the worst?
SR: First, they need to review what they’re doing with the information they receive. This includes how they receive it, and where their potential exposures are that they know of. Where are credit cards getting swiped? How many access points are there to the information on those credit cards? Where are records being stored?
Then, of course, you need to review what you have in place should an attack occur. Primarily what you’re talking about is your cyber policy. Your cyber policy provides coverage that may protect you from having to shut down your business or having to defend a case in court that may be prolonged for months. You have to be prepared for those costs, and having an insurance policy is the easiest way to be prepared for those costs. If you do have an insurance policy, review what services are available through the policy. Some cyber liability policies will include services like a data breach coach, someone who would help you through the process in the event of an attack. They would help you through how to notify customers whose data has been exposed, etc. Really, what they need to do is assess their own exposures and make sure they have adequate coverages and services on their cyber policy.
HR: Do you ever come across retailers who think that they don’t need a cyber policy?
SR: Sure we do. In most cases it’s because, to their knowledge, it’s never happened to them. In all honesty, it’s a position that’s taken in many exposures. Most stores haven’t been wiped out by a hurricane, but that doesn’t mean that you shouldn’t have proper property coverage in place to protect your building due to damage from a wind storm.
A data breach is something that many people have not experienced in any type of a significant way, so they don’t feel the need. But statistics show that small businesses are the target of hackers, much more so than large businesses. A study by Visa in recent years indicated that 80 percent of all data breaches occurred at small businesses rather than large businesses. I think it’s because the hackers don’t necessarily look at the size of the businesses that they’re hacking. By nature, there are a lot more small businesses in our country than there are large businesses, so more small businesses get hacked.
HR: In layman’s terms, what costs would an independent home improvement retailer have to cover when trying to deal with and then recover from a data breach?
SR: In terms of categories, the initial cost is the cost of forensics. And it can be quite expensive. Basically, it is trying to figure out how the hackers got in and how the data breach occurred. When did it happen? Are they still exposed to the data breach or to the hacker? How do you put a stop to it now? You want to assess what type of information has been compromised or what information the hacker has had access to. It’s important to note that the cost of forensics can, and usually does, exceed the cost of attorneys. So, that initial phase of forensics can be quite expensive. You could easily spend $20,000 or more before you even involve attorneys.
Then, of course, there are the legal expenses. Who do you need to notify of the breach? You need to know the laws in your state in terms of who needs to be notified, and if you do need to notify, you need to identify the costs associated. There will be mailing costs, call center costs, public relations costs.
You can also have PCI fines. Payment Card Industry is what PCI stands for, and it’s kind of an industry regulatory body. You could have fines imposed on you for not being PCI compliant.
You’ll have a potentially very large cost, which is the business interruption. If you end up having to shut down your business for some period of time, the cost to the business is substantial, and you could incur all these costs and not even have a lawsuit. If you’re sued, that will, of course, include other costs. Without insurance, you would have to pay attorneys and possibly the cost for which you’re liable—your negligence.
HR: What are the biggest cyber threats out there today?
SR: There are three main categories: hackers accessing databases, hackers skimming credit card information and human error on the part of the business owner or staff, meaning staff members releasing information in error.
HR: Why might a data breach put a small company out of business?
SR: They could go out of business because of money. The cost of forensics, the cost of legal in pursuing the scope of the data breach, the required communications, the disclosures to the clients. Investigations could go on for weeks or months, and if you don’t have coverage, that means you also don’t have any built-in services, so you’re going to be doing it all on your own and if you hire anybody to help, you’ll have to pay them by the hour at pretty hefty rates. Unless you can reach some kind of settlement—which can be difficult because you would be dealing with a lot of customers standing in line who’ve been hacked—this could go on and the legal costs could cause you to shut your business for a temporary period of time and perhaps permanently.