Data Breach Liabilities - PCI Penalties, GDPR and a Warranty
Data breaches seem to be a regular feature in the news nowadays, especially since GDPR regulation kicked in last year. This higher frequency of articles announcing newly-hacked-victim-organisations gives an idea of the growing scale of the security problem - a trend that we have been talking and warning about for years.
Organisations particularly at risk of compromise are online businesses - eCommerce websites. In fact eCommerce websites are currently the most targeted type of organisation within the Payment Card Industry - simply because the crime is so much easier to execute. The reward for criminals is not as high as targeting a bank, but the crime is a lot easier to pull and scale too.
The Foregenix Digital Forensics and Incident Response team is one of the most active PCI Forensic Investigation teams globally. According to banking partner sources in the UK and across Europe, we help more hacked eCommerce organisations with our forensic and incident response capabilities than all of our European competitors combined. The reason for telling you this is to make the point that we get to see emerging trends a lot earlier in the trend cycle due to the volume of hacked eCommerce websites that we are helping.
What we learn from all of these investigations is then passed on to our clients and partners to educate them in protecting their businesses from similar attacks.
The unique view that we have on early cybersecurity trends in the market has led us to create solutions that help small to medium sized eCommerce businesses protect themselves against the threats we're encountering daily. Two of the products we’ve developed are:
We monitor over 6 million websites globally for attack trends, vulnerabilities and risk of compromise. We can tell you very quickly if your website is at risk of being breached, or if it is already hacked. We provide this for free to use on a one off basis at https://foregenix.com/webscan.
Help yourself - it’s FREE with no strings attached - and uses the latest indicators of compromise and research from our Threat Intelligence Group.
FGX-Web provides baked-in security for eCommerce websites with solution options that support start ups through to market-leading eCommerce websites. Our solution scales and protects our clients’ eCommerce websites from hackers. We’re not only providing the tech to secure your website - we are so confident of providing you with the best security protection and monitoring for your website that we provide a breach protection warranty of up to £100,000/website/year for our Enterprise clients. Yes, we’re confident that with our security solutions in place, your business will be secure - and we’re prepared to offer our clients a significant warranty to support that.
The Cost of PCI Data Breach
In conversations we have with clients and prospects, the subject often turns to the cost of a breach and what exactly could a small to medium business expect to pay. A considerable number of articles have been written over the years highlighting the cost of a data breach to small and medium sized organisations. Here are a couple of articles we’d recommend you reading:
- According to WorldPay/Vantiv, the average cost of a breach for small to medium sized organisations in the US is $117,000
- Dave Whitelegg - a respected UK-based security blogger posted an article showing how the costs can scale from fairly modest levels to significantly expensive
- Barclaycard has a fairly old - but useful - article they published on an example small eCommerce business breach costs
- Hiscox - a UK-based insurance company, conducted a study in late 2018 and found that the average cost of a breach for a UK SME business is £25,700.
Feedback that we have had from the card brands, acquiring banks and breached organisations is that the typical cost for a breach of an eCommerce merchant processing over 10,000 cards in a year is €18/card. When you factor in the average time between breach and detection being 5.5 months (based on our forensic team's experience), it is fairly easy to work out how many cards could have been stolen and what the associated costs could be.
As a first example, let’s imagine an eCommerce business was processing 60,000 transactions (let’s assume a unique card per transaction to keep it easy) in a year. And let’s assume the business was average in their capability to detect the hack.
- Transactions/year: 60,000
- Dwell time: 5.5 months
- No of cards stolen: 27,500
- Liability: €495,000
This excludes forensic investigation costs and any other potential fallout such as legal, PR, etc.
You can see how the numbers stack up quickly. Fortunately the card brands have favourable terms for businesses who identify the breach and notify their bank and the card brands quickly - in fact there are a few ways to get the cost down, but all require the victim to be proactive, to work with their bank and the brands and to sort out the breach quickly. Our advice would be to contact your acquiring bank to get more detailed information as this is not published publicly.
As a second example, let’s imagine a small eCommerce business, processing under 8,000 transactions (let’s assume a unique card per transaction again) in a year. Let’s assume again that they’re also average in their capability to detect the hack.
- Transactions/year: 8,000
- Dwell Time: 5.5 months
- No of cards stolen: 3,660
- Liability: for breaches of smaller organisations with eCommerce only channel, both card brands waive liability costs and an assessment charge of roughly €3,000 is charged to handle the incident by Visa. In addition, the organisation will be required to undergo a PFI Lite (there are specific qualifying criteria - check with your bank if you qualify) which will cost up to €5,000. Total liability to expect: ~€8,000 (excluding legal etc)
A point to add to this is that no GDPR penalties have been factored into this article - there are a huge number of articles with information on the GDPR penalty structures. A good place to view the penalties issued by the ICO is: https://ico.org.uk/action-weve-taken/enforcement/
If you’d like to get a free monthly security scan, delivered to your inbox, scan your website here: