From Home Depot and Hudson’s Bay to Target and Eddie Bauer, retail stores have experienced their fair share of data breaches that have put thousands of consumers’ payment cards at risk. In its 2019 spotlight report on claims stemming from cyber incidents involving the retail sector, NetDiligence determined that hacking (30%) and malware/virus (27%) were the most common causes of loss, accounting for 57% of claims between 2013 and 2017. These two causes of loss also accounted for 94% of breach costs for that same five-year period.
“In general, the retail and franchise sector has always been deemed to be the most high-risk,” said Dan Lewis, vice president of the national management liability practice at Arthur J. Gallagher (Canada). “But, as it turns out, it hasn’t been the biggest sector for us over the past couple of years from a claims perspective, and probably has made up less than 10% of claims over the last year. Part of that has to do with a better understanding and better awareness around internal controls at some of those organizations, but also that every other sector has just become more of a target – professional lines, for instance, so accountants, lawyers, investment professionals, and others who also have very sensitive information.”
A few key qualities of this sector continue to make it vulnerable to cyberattacks, in spite of the increased awareness around retail stores’ exposure. For one, the continuous revolving door of employees entering and exiting these businesses can make it challenging to train staff on cybersecurity best practices.
“We see people come and go all the time, so keeping those people trained and understanding the company’s policies around not opening the wrong types of emails or how to protect personal information when it comes to processing cards, that’s going to have to happen over and over every time they bring in a new person,” explained Lewis. “That high turnover creates higher risk of accidents, even just employees making simple mistakes. About a third of all claims we’ve seen have been caused when an employee made a mistake and opened something [they shouldn’t have].”
Many retailers also don’t realize that, when a data breach happens, the breach-notification law that applies is that of the jurisdiction where the affected customers reside, not where the store is based. If an online retailer in Ontario ships products to customers in Michigan, Michigan’s privacy law applies in the case of a data breach, and the business is obligated to notify those customers under the state’s rules, according to Lewis.
The evolving PCI compliance framework and lack of clarity about the responsibilities of franchisees versus franchisors likewise make cyberattacks on this sector difficult to manage.
“I actually canvassed a few carriers to ask because I haven’t seen any PCI compliance claims paid to Gallagher policyholders. A couple of carriers said they handled 1,000 Canadian claims in 2018, and none of them were PCI compliance-related, so it’s a huge issue because it’s the baseline for compliance,” said Lewis. “While I haven’t seen the fines and penalties much in Canada yet, we’re definitely going to see more action around that as the number of breaches increases.”
Should a cyber incident occur, “from a franchise perspective, there’s a lot of confusion with some clients around whose responsibility it is – is it the franchisor, the Best Western or the Marriott, or is it Joe Smith, who owns three locations and uses their systems? While the brand might be compliant, the individual hotels might not be. [Joe] might not have the wherewithal or even know that he needs to be compliant, so there’s potentially a disconnect between what happens at an individual franchisee level and at the brand level.”
Small and medium-sized businesses can often come out on the losing end of a cyberattack, whether they’re franchisees or not. If they’re hit by a cyberattack and can’t open their doors for two or three days, their balance sheet is going to be severely impacted.
All of the costs around the loss of profit, extra expenses that go into getting systems back up and running, extortion payments, notifying customers, and more, all fall on the business owner’s bottom line.
“The reputational damage could also be huge for a smaller shop and make it really difficult for them to continue. Perhaps it’s a big enough situation that they can’t recover from it, if they don’t have coverage,” said Lewis.
With their retail clients, brokers can turn to real-life examples of cyber incidents to underscore the need for risk mitigation and risk transfer solutions.
“We usually start talking to a client about what the environment looks like today – these are what the average losses in Canada look like, these are losses across the whole retail sector, and so today, you, Mr. Owner, have that risk on your balance sheet,” said Lewis, adding that brokers can help clients determine the most valuable coverages, such as those related to business interruption or PCI fines and penalties. After all, “You as an owner probably don’t want to pay out a $600,000 loss if you don’t have to.”