Think Cyber Risk is only a big business issue?
Think again, here is one way a smaller businesses was impacted
In the early 2000’s a husband and wife had the idea to set up a specialist Ironmongery business to meet the needs of the trade and homeowners.
Over the next few years, the business grew outstripping the first warehouse and by 2010 they had moved into larger premises and had built a professional website that added reach and customers.
However, in 2010 the couple received a visit from a Fraud Investigator from the Bank. Around 50 fraudulent transactions had been seen in the previous 12 months indicating that there was a potentially serious issue with payment systems being used.
As investigations developed it became apparent that the root of the issue was the security of the firms website. It was evident that Card Holder information had been stolen and misused, but at the time of the frauds the systems in place breached the rules for Credit Card use that required compliance with the PCI DSS standard.
While action was taken to resolve the problem with the website design and a security firm (Security Metrics) and after this there were no further instances, the couple were warned to expect a fine for their failure to maintain their payment system obligations. This was anticipated to be between £10,000 and £25,000 from VISA and MasterCard. This was worry as the firm was under the impression that this was unlikely to be covered by their business insurance as they were not compliant with the relevant standard (PCI DSS).
However, the policy they had in place did provide cover for Privacy Fines (any fines or penalties that the firm is legally obligated to pay as a direct result of your breach of your privacy obligations where insurable under applicable law.
The company did subsequently received a fine for EUR10,000 (£8,500) with the fine detailing the reason being that the firm were not PCI DSS compliant, as required, when the breach of credit card data occurred. This was certainly at the lower end of the range of fines and they settled the fee, less the policy deductible of £5,000. It is worth pointing out that the company did consider the accountability of the website developer in this situation and initially sought to try and recover the costs they had incurred from him. However, as this was unlikely to be a simple or straightforward process the time and cost to pursue this avenue was not considered to be worthwhile.
Note: The fines were paid as they were deemed to be a breach of contract, it is currently untested if ICO fines would be covered but as these are probably deemed to be punitive claims the law in the UK would prevent a business claiming on their insurances.