
PROTECTING YOUR BUSINESS: MITIGATING DATA BREACH

For 20 days spanning from November 27 to December 15, 2013, the retail giant Target Corporation experienced one of the

largest data breaches in American history. The information consisted of everything from some 70 million customer names

and 40 million credit and debit card numbers to the short verification codes on the back of the compromised cards.

In addition to forcing the retailer to book a reported $61 million in direct costs related to the breach, it also scared

customers away from shopping at their stores—which resulted in a 46 percent drop in net profit in the holiday quarter.

Although the exact full costs of the breach are not yet known, security analysts have pegged the costs at upwards

of $400 million.[1]

While most businesses aren’t nearly the size of Target, a data breach can be even more impactful for a small business

without the resources of a larger corporation. Fortunately, there are steps even the smallest businesses can take to

mitigate the possibility of a data breach or its destructive impact if one is experienced.

What Is a Data Breach?

A data breach is the exposure of sensitive customer information through hacking, theft or the accidental release of data.

Business owners are expected to act as custodians of customer information, and customers reasonably expect that the business will protect their data. Some examples of events that lead to a data breach include:

• Failure to shred customer documents

• Medical records falling off a truck on a freeway

• Skimming devices that steal customer data installed in credit card machines

• Lost laptop computer containing sensitive customer data

• Printed social security number on mailings


Society Insurance | P. 888.576.2438 | 150 Camelot Drive, P.O. Box 1029, Fond du Lac, WI 54936-1029 | societyinsurance.com

[1] Horovitz, Bruce. Data breach takes toll on Target profit. USA Today. February 26, 2014. Retrieved from http://www.usatoday.com/story/money/business/2014/02/26/target-earnings/5829469/.

FAILURE TO SHRED CUSTOMER DOCUMENTS


A data breach should not be confused with identity theft, in which thieves target individuals to obtain credit card and financial information, or with cyber liability, which refers to the targeting of individual businesses to steal their financial information via hacking.

It Can Happen to Anyone

Big or small and no matter the industry, a data breach is a real concern for any business. From restaurants and bars running hundreds of credit cards every night to medical offices with piles (both electronic and physical) of sensitive patient information, it can happen to anyone.

Thieves often “start small” to ply their methods—while there may be less reward in skimming card information from a

small corner bar than there is in the mega-retail market on the other side of town, it’s an easier target that carries less

risk of being caught.

Additionally, it’s important that business owners don’t automatically assume that anything dealing with stolen card

numbers is the bank’s problem. In fact, payment processors often have contracts with businesses that give them the

right to recoup certain costs from the business.

For example, one major card brand typically assesses a charge of $2.50 per card exposed in a breach.

While that doesn't seem significant on its face, consider how many customers hand over a credit card at even the smallest restaurant: 5,000 exposed cards at $2.50 each would cost a business $12,500 in bank charges alone.

How to Prevent Data Breach

At its core, preventing a data breach is equal parts common sense and technical knowledge. It's important to take a balanced approach, because neither alone can address every issue. An ounce of prevention is worth a pound of cure.

Remember that a data breach isn't only an electronic issue; simple theft is a concern. Ensure that a data protection program is in place to protect against nonelectronic threats as well.

Ensure vendors have only the access they need. A vendor servicing cooking equipment shouldn't have access to a financial system, for instance, and a vendor's remote connection should not be able to reach the payment systems at all. Monitor vendors while they're on site, or connected remotely, as much as is reasonable. In the Target breach, the attackers got in using network credentials stolen from a third-party heating and air-conditioning vendor.

Monitor internal systems and databases on a regular basis to ensure that there’s nothing nefarious going on. Data

breach cases often go on for weeks or even months before someone notices, and the sooner you can put a stop to a

data breach, the better.

Require strong passcodes on mobile devices, and turn on device encryption so that a lost phone or tablet does not give up the data stored on it.


Update all computer systems. A surprising number of businesses, for instance, are still running the Windows XP

operating system, for which support ended on April 8, 2014. The bottom line is that Microsoft will no longer be

patching known vulnerabilities in XP, which leaves computers open to possible data breaches.

Being PCI compliant goes a long way toward preventing a data breach. PCI compliance means that a business is adhering to the Payment Card Industry Data Security Standard (PCI DSS), the set of requirements maintained by the PCI Security Standards Council. While compliance doesn't completely eliminate the risk, it protects card data against easily avoidable threats.

Stay as up to date as possible on the latest techniques scammers are using. Bluetooth skimmers, RAM scrapers

and malware programs are three common methods that thieves use to take advantage of businesses on a regular

basis, and enterprising crooks are coming up with new methods constantly. Knowledge of the enemy is crucial in

any battle, and fighting to protect customer data is no different.
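RAM scrapers, named above, are memory-scraping malware that search a point-of-sale process for magnetic-stripe track data, commonly filtering candidates with the Luhn check digit so that random runs of digits are ignored. The same search is useful to a defender who wants to confirm that full track data is not lingering in memory dumps, swap or log files (PCI DSS prohibits storing it after authorization). The scanner below is an added example written for this page, not code from the original paper; the sample buffer and the decoy record are constructed, and the card numbers are the publicly known industry test numbers, not real accounts.

```python
"""
Added example: scan a byte buffer (a process memory dump, a swap file,
a log file) for magnetic-stripe track data, the way memory-scraping POS
malware does, and report only masked card numbers. The sample buffer is
constructed; the PANs are standard test numbers.
"""
import re

# Track 2: ;PAN=YYMM SSS discretionary?   (PAN 13-19 digits, SSS = service code)
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,30}\?"
)
# Track 1: %B PAN ^ NAME ^ YYMM SSS discretionary?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,40}\?"
)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the form PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes):
    """Return a list of dicts, one per track record found in buf.

    Each hit carries the track number, the masked PAN, the expiry (YYMM),
    the service code and the byte offset. Candidates whose PAN fails the
    Luhn check are dropped.
    """
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):
                continue
            hits.append({
                "track": track,
                "pan": mask_pan(pan),
                "exp": m.group("exp").decode(),
                "service_code": m.group("svc").decode(),
                "offset": m.start(),
            })
    return hits


# Constructed sample "memory": one Track 1 and one Track 2 record among
# junk bytes, plus a decoy whose PAN fails Luhn and must not be reported.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000?"
    b"\x00junk\x00"
    b";5555555555554444=2512101123456789?"
    b"\x00\x00"
    b";1234567890123456=2512101?"   # Luhn-invalid decoy
    b"\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Reporting only the masked PAN keeps the scanner's own output from becoming one more place cardholder data is stored; if a scan of a production machine turns up hits, the right response is to fix the software that left the data behind, not to keep the findings file.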

Perhaps most importantly, educate employees and ensure they understand all the processes in place to mitigate a data breach. An owner or manager can only do so much; the people who handle the day-to-day operations of the business also need to know what to do and why.

How to React to a Data Breach

In the case of a possible data breach, the business owner should immediately contact the financial institution that processes their payments. They will begin to guide the process. The insurance agent or carrier should also be notified at this time; the sooner they're involved, the better from a liability standpoint.

From there, clear communication with affected customers is crucial. Notification may not be legally required at that point (state breach-notification laws differ on what triggers notice and how quickly it must be given; consult legal counsel for guidance), but the best practice in general is to be forthright and honest. In the long run, customers will value honesty even if it is embarrassing in the short term.

In fact, as incredible as the direct expenses from a data breach can be, it’s the reputational harm that can do irreparable

damage to a business. The more that can be done to put customers at ease, the better. Clear communication of the

situation will help convince customers that the business is not a risky place to shop, eat, etc.

Finally, make sure any services offered to customers fit the nature of the exposed data. If only debit or credit card

information is exposed, credit monitoring is nothing more than a waste of money—without a Social Security number,

a new credit line cannot be opened via an exposed credit card alone. Simply counsel customers to keep an eye on their

own accounts. Most likely, of course, the affected financial institution will issue a new card.

If Social Security numbers are exposed, don’t just offer one year of free credit monitoring. That’s the “cheap and easy” way

out and is a disservice to customers—after all, Social Security numbers don’t expire and could be exploited at any time.

A DATA BREACH IS EMBARRASSING, COSTLY AND POTENTIALLY BUSINESS CRUSHING. BUT IT IS AVOIDABLE.


© 2014 Society Insurance

Summary

A data breach is embarrassing, costly and potentially business crushing.

But it is avoidable.

Beyond the simple steps identified in this white paper, it’s important to simply think about what else you could be doing

to protect your customers. If there’s anything that comes to mind that you could be doing but are not, well, it’s simple:

you should do it as soon as possible. Every passing day is another opportunity for thieves to get their hands on your

customers’ sensitive information and ruin your business forever.

Society's team of risk control experts takes care of the details that help business owners avoid catastrophic losses and keep their customers, employees and businesses protected. Get in touch with a Society agent today by visiting societyinsurance.com and learn more about how to best protect your business.

How to Lessen the Possible Damage

Even a small data breach can be wildly expensive. While most businesses won't face the $61 million in costs Target booked, typical costs can include:

• Internal investigation: $14,000

• Regulatory compliance: $125,000

• Notification and crisis management: $28,000

• Class action lawsuits: $5,000 per person exposed

With costs for even small data breaches ranging into the tens and hundreds of thousands of dollars, it’s simply not an

option to go without data breach coverage. One problem, however, is that not all data breach coverage is created equal.

Many insurance policies do not adequately cover the various costs involved in a data breach.

Here’s what to look for when considering a data breach policy:

• Internal investigation costs

• Regulatory compliance costs

• Notification to customers/clients

• Notification to governmental authorities

• Printing and mailing costs

• Proactive monitoring services

• Legal liability—victims will seek to recover their costs, perhaps as part of a class action suit

• Electronic and nonelectronic acts or accidents that result in the exposure of sensitive customer information