Why Your Clients Need to Be Concerned About Cybersecurity
Ruth Ann Monti
SEO-enriched web content creation / Blogs / Newsletters / Healthcare & Tech industries
I attended Interface's recent cybersecurity conference in Phoenix as a volunteer with the Cloud Security Alliance's Southwest chapter.
I attended only one session, one I figured I'd understand (after all, I was there to staff CSA's booth). This was a presentation by Tucson business attorney Kathy Delaney Winger, who speaks about why clients need to concern themselves with cybersecurity.
I drew two conclusions from Winger’s talk:
- Any business that issues credit cards must take steps to protect consumer information.
- Any business that sells online or collects other personal information must do the same.
Businesses That Issue or Back Credit Cards Must Protect Consumer Accounts
Banks are responsible for breaches and fraud that, as Winger notes, used to be part of doing business.
It’s not just that consumers can only be held liable for the first $50 charged to a credit card. Any business that offers a credit card must do more to protect consumers beyond paying off a few hundred or thousand dollars fraudulently charged to credit accounts.
The 2013 Target card breach changed expectations for how banks protect consumer information
It all started with the 2013 Target breach. Banks that underwrote Target’s cards and its card-holding customers sued Target for negligence. In the past, courts would have dismissed these charges—after all, that’s the reason why customers are only held responsible for $50 in the case of fraud. It was a cost of doing business.
But by the time lawsuits were being heard in 2015, state and federal courts were catching up to the reality of point-of-service (POS) electronic payments. (Several were hearing lawsuits against Target brought by lawyers for consumers and banks.) It’s more than a $50 loss—a stolen financial account can open the door to a range of personal information, and its exposure can devastate consumers and the companies that hold that information.
Think of what goes into a credit application:
- Social Security numbers
- Banking information
- Private residential and workplace addresses
This is pretty personal stuff. No one wants the first two to be in the public domain or revealed without express permission, and some people prefer to keep their whereabouts private for any number of reasons.
Courts concluded that businesses that issue or back credit cards have a responsibility to take specific steps to protect their customers against hackers. In Target’s case, it failed to take these steps and it should have.
Consequently, banks and credit unions that issue credit cards have the same responsibility to consumers who use their cards.
Cybersecurity Responsibility Trickles Down
The second message I took away from Winger’s presentation is that if your clients sell anything online, or handle any kind of personally identifiable information (PII), they had better pay attention to the security on their websites.
Credit card issuers want to be sure that other businesses that collect their customers' information are just as secure as they are.
Small businesses are just as liable for data breaches as any international bank. Pretty much all banks now have cyber insurance policies. You can be sure that these insurance companies will go after businesses whose breaches have impacted their customers.
Over 60% of data breaches happen at small and medium-sized businesses, Winger says. And half of all small businesses shut down within six months of a cybercrime against them.
Winger shared the steps she advises her business clients to take with vendors who can access personal information, including:
- Making sure their vendors meet security standards for storing information listed by HIPAA (for medical data) and the FTC (for consumer data)
- Including an indemnification clause in vendor contracts for losses they suffer if the vendor fails to protect sensitive information
- Making sure vendors have cyber insurance coverage