Stories about data breaches have been much in the news of late. While large retailers, where the theft of personal data affects tens of thousands of customers, generate most of the headlines, even the smallest of businesses are not immune to this scourge and face potential exposure to costs, liabilities, and administrative headaches. In this article, we discuss two of the most common data-breach questions small-business owners ask.

I own a couple of car washes, not a multi-billion-dollar business like Target or Home Depot. Do I have anything to worry about regarding computer hackers and identity thieves?

Customers using credit/debit card systems assume that the transaction is secure and that their private information is protected. Industry experts refer to that information as Personally Identifiable Information or PII. While data breaches at giant retailers like Target and Home Depot grab the spotlight, it’s just as realistic a scenario for car wash owners of all sizes. In fact, most small businesses in the United States already have been exposed, or likely will be soon. The loss or theft of private information can be expensive, drive away customers and even result in legal penalties. Experts say that small business owners who don’t make protecting customers’ PII a top priority could soon find themselves out of operation.

After a data breach event business owners can face a multitude of costs from many different fronts. Credit card companies are entitled to chargeback any fraudulent charges if specific security measures were not followed. In addition, costs will be incurred for alerting customers of the event, paying for their credit monitoring services, investigating how the breach occurred, and taking additional steps to ensure it doesn’t happen again.

A Ponemon Institute survey found that 55 percent of small businesses had a data breach and 53 percent of those businesses had multiple breaches. Yet, surprisingly, only 33 percent of the businesses notified the people affected, even though 46 states, the District of Columbia, and Puerto Rico require that individuals be contacted when their personal information is compromised.

So, why would a small business owner risk fines and their company’s reputation by ignoring a data breach? They don’t believe it will happen to them. When it does, they’re not prepared and don’t know how to respond.

Others aren’t aware that most states require them to tell individuals, or believe the laws don’t apply to small companies. They do. And failing to comply may risk bad publicity, angry customers, and lost business opportunities. Recent research from the Ponemon Institute and Symantec estimates that it costs businesses $188 per record lost. Some basic math quickly reveals that even a minor breach could break most small businesses. Let’s assume that your car wash services 750 vehicles per month that utilize credit/debit card services and that criminals somehow were able to access the PII of an unknown number of clients. Since all customers must be notified this potentially could result in costs exceeding $141,000. (The General Liability portion of business insurance policies will generally not cover this type of loss.)

I outsource payment processing to a third party and have no card data in my computer systems. Do I have any risk from a data breach?

It is estimated that 85 percent of breaches occur at merchants that have less than 1 million annual transactions. Experts are perplexed about the lack of awareness by small merchants when it comes to cardholder data security in the face of an increasing threat landscape. Merchants continue to simply rely on their vendor without doing any auditing and without negotiating for appropriate contractual protections. It is imperative for a merchant to know:
• If a vendor improperly installs the payment application with a weak default password
• If a vendor does not adequately secure remote access and cardholder data is compromised
It is the merchant — not the vendor — who will be required to reimburse the merchant bank.

Merchants in this scenario may then look to the vendor for indemnity, only to find that the contract limits the vendor’s liability to a small amount (e.g., an amount equal to three months of fees paid by the merchant to the vendor).

In addition to these fees almost every state has a notification law that requires the owner of data to notify individuals whose personal information was compromised. The merchant also faces the decision of offering credit monitoring, which ranges in cost from $10 to $25 per person. Some merchants, who may not have address information, elect to put notices of the compromise on their website. And some state attorneys general post notification letters on their website. A public disclosure of a breach, especially if a significant number of individuals are involved, can result in affected individuals filing punitive class action lawsuits. The merchant can also face an investigation by a state attorney general as well as an investigation by the Federal Trade Commission.


Regardless of the size of your operation or whether you choose to utilize third party payment processing, you are at financial risk from even a minor data-breach event. Unless your operation has large cash reserves on hand, you may want to transfer all or a portion of that risk to an insurance company by purchasing a data breach insurance policy. Data breach policies will generally provide two types of coverage: first-party liability and third-party liability.

First-Party Liability will provide coverage for things like:
• Legal and forensic services — cost of investigations related to a breach.
• Crisis management and notification expenses — the cost of notifying customers and other response-management expenses
• Good faith advertising — the cost of ad campaigns to announce the breach

Third-Part Liability will provide coverage for expenses resulting from lawsuits from customers, as well as the cost of any other legal actions taken against your company.

Any data breach policy considered should include separate coverage limits for first-party and third-party liability coverage. Most carriers offer additional services to assist customers through a data-breach event as well as assisting in the prevention of such events. Data-breach coverage should be reviewed annually as your card usage and general revenue changes. Coverage should be reviewed by an agent who is well versed indata-breach exposures.

Dan Tharp is vice president of sales of Joplin, MO-based The Insurancenter.
He can be reached at: