Authors

Friday, May 9, 2014

Are you Using a Mobile Payment System? Part II: Best Practices and Cyber Liability Insurance

Last week we introduced some of the basic policies and procedures a business owner should implement to keep their customers’ data and their business safe (Are You Using a Mobile Payment System? Part 1: Keeping Customer Data Safe).  We will finish the discussion this week by talking about being compliant and about insurance you may want to consider to further protect your business.

One more employee consideration

Aside from informing employees about how to handle, use, and store mobile devices, it may be prudent to include background checks during the applicant screening and hiring process (bit.ly/1ftpQaA), if you do not already.  Some pre-hire background checks include requesting credit and criminal records (http://1.usa.gov/1uvVxV9).  Businesses that ask employees to handle payments, regardless of whether they are mobile device-based, have the right to require such background checks (http://1.usa.gov/1o36hbK).

Strategy for PCI compliancy

We introduced the concept of the PCI (Payment Card Industry) Security Standards Council and being compliant with their standards, but what does that entail?  The following table summarizes the responsibilities of the small business owner and the six goals that comprise “security best practices” (http://bit.ly/Oz1G1j).
Source: PCI Security Standards Council 
The PCI also has resources for small businesses, which they consider to be more vulnerable to security breaches than large companies, and several short videos to further demonstrate how retailers can protect consumer data (http://bit.ly/1rZWa5e).

What cyber liability insurance can offer

You may already have a comprehensive insurance policy or riders that protect your business in case of theft, fire, disaster, and even when essential employees are unable to perform their duties.  As mobile payment systems and threats to these systems have evolved, so has the insurance industry.  Cyber liability insurance is one such addition and “is designed to protect businesses” from:

Lawsuit damages
Lawsuit defense costs
Breach notice costs
Data restoration costs
Breach extortion costs (http://bit.ly/1iUntyb)

The following site includes a list of questions that can help you assess your level of risk and issues that should be discussed with an insurance agent (http://bit.ly/1rZK0sX).  Just a few of those listed include:

“What security controls can you put into place that will reduce the premium?
What is expected of you to reduce or limit the risks?
What and how big [of] a difference to your future premiums will a claim make?
Do all portable media/computing devices need to be encrypted?
Are malicious acts by employees covered?”

This source further suggests asking potential insurers if you, the small business owner, will have to participate in post-claim tasks (e.g. alerting customers about the breach) or if they provide “a point of contact” to oversee all processes after a claim is initiated.

What might cyber liability insurance cost?

Of course, costs vary by type of business, geographical market, and factors that impact your general policy (e.g. number of policies held, number of claims within a certain period), but according to one source “a cyber add-on to an existing liability policy might cost $300 a year while a separate policy could cost $1,000 or several multiples of that” (http://bit.ly/Sxrgqv).  Other sources state that policy premiums can be much higher (http://bit.ly/1shcr7Q).  Having cyber liability insurance may “pay off” even if a claim is never filed.  According to one source: “Cyber insurance also can help boost your business by giving customers and business partners more confidence in you” (http://bit.ly/Sxrgqv).

After a breach is detected

So, what do you do when you experience a security breach?  Insurers and IT security experts stress notifying the authorities and your insurance company as soon as a breach is expected.  Finding and repairing the breach quickly is also crucial, as is keeping records of all procedures that were followed after the incident (in addition to having a good record-keeping system to begin with; http://bit.ly/1uwoAb3).

Though no one ever wants to experience this type of disaster, taking precautions, being diligent in your practices, and being prepared is a must.  As our use of and dependence on technology grows, with all the associated benefits and advantages such systems provide, it can only be assumed that business owners will need to be aware of possible security situations.

Kathy Kelley is a professor of horticultural marketing in the Department of Plant Science
Robert C. Goodling, Jr. is an extension associate in the Department of Animal Science