In our last article, we talked about cyber liability insurance, why we carry it, and why it's important for our clients that we do. Now, I'd like to examine the anatomy of a data breach - we'll use the recent Target hack - and look at what the costs would be if it happened to a theoretical small retail store.
What's significant about the Target breach is not just the volume of information, but also the sophistication of the attack and the sensitivity of the information that was stolen. At last report, Russian hackers got away with approximately 110 million customer records, including personally identifiable information (PII) and credit card numbers. As a retailer, it's this information that should concern you the most. Fines for a breach of this type of information include up to $500,000 per incident and the remediation to those affected by a data breach range from $90 to approximately $300 per record. These numbers are not taking into account potential lawsuits (class action or otherwise) from affected customers.
I'll put these numbers in perspective. The Target breach resulted in 110 million affected customer records. In addition to the incident fine of up to $500,000, Target could be liable to pay costs and remedies to the affected customers totalling $33 billion. To be perfectly honest, that amount probably won't be imposed, but we can extrapolate to look at the impact on a smaller retail operation.
Assuming a small, average volume ecommerce operation, a typical store will be keeping records on slightly north of 700 customers per year.1 In the event of a data breach where information is stolen, a small retailer that has been operating for 5 years is going to be subject to costs and remediation amounts between $320,000 and $1,000,000. That's more than enough to bankrupt any small business.
As a Web consulting company, we can be held liable if it's proven that data was compromised through a vulnerability in an application, whether we configured an off-the-shelf solution or created a custom solution from the ground up. By hiring a company with an active cyber liability policy, you can protect your business in the event of a data breach and assure your customers that you take protecting their private information seriously. You can also be assured that something like this doesn't happen:
It might not look like much, but the blurry sections of this screenshot are actually very helpful to someone looking to gain access to private information that could be kept in this site's database. In addition to the username and password (which would give a hacker immediate access to all data if they're able to establish a connection to the database directly), there's also useful information for attempting some of the most common attacks on the OWASP Top 10 list. It may not be (and probably isn't) deliberate, but a simple configuration error can leave your business and your customer's data vulnerable. It's all just a Google search away - that's how we found this particular document while researching a Magento extension.
Hiring local (versus outsourcing somewhere off-shore) means you have a greater chance of finding a company with a policy that will protect both you and your customers. Sure, you could send your custom development work off-shore and save quite a bit on the hourly rates now (we receive emails offering rates of $7.50 to $20 per hour from South Asian and Eastern European "companies"). But what happens if they mess up or just decide they don't want to finish the project? You're left with little to no recourse and, potentially, hundreds of thousands of dollars in damages to pay to your customers. Is saving on the hourly rate up front worth the long-term risk?
1According to Internet Retailer, the average retail sale for an ecommerce site was $115 in 2013. Let's assume a modest operation getting an average 3 orders per day, which amounts to annual sales of approximately $126,000. Let's also assume that 35% of the customers are repeat customers, which results in 712 customers per year. Let's further assume the ecommerce site has been operating for 5 years. This means the store is keeping records on approximately 3,560 customers.