Debit and credit cards are now the primary form of retail payment. Many retailers may not realize, however, that by accepting credit cards, they expose themselves to the risk of a data security breach and significant potential costs and legal liabilities.

Retailers should consider the major sources of direct costs following a data breach. These costs always include retaining a PCI (payment card industry) certified forensic investigator, as required by the PCI Council. Costs also typically include retaining a privileged forensic investigator (often through the retailer’s law firm or general counsel); hiring outside counsel; public relations and crisis management; and consumer notification, including printing and mailing costs and protection services offered to consumers.

In addition to the direct costs following a data breach, retailers often face three forms of liability from third parties: payment card brand fees; regulatory costs arising from investigations by the FTC, SEC and State Attorneys General, for example; and class action exposure. Contrary to what many retailers believe, retailers are typically not shielded from liability by their card processor or device manufacturers in the event of a payment card data breach. The “fine print” in the contracts for these products or services usually includes a number of provisions that place the liability on the retailer.

Finally, retailers may want to evaluate whether a cyber-insurance policy is needed, and whether the policy they are considering provides appropriate coverage, retention and limits in light of the costs detailed above.

Read the full whitepaper by David Zetoony and Courtney Stout[1]: Credit Card Data Breaches: Protecting Your Company from the Hidden Surprises

[1] Suzanne Gladle of McGriff, Seibels & Williams, Inc. contributed to the whitepaper.