Processing Your Payment

Please do not leave this page until complete. This can take a few moments.

December 1, 2014

Protecting your domain: Big or small, cyberattacks a reality for Maine businesses

Photo / Tim Greenway Anthony E. Perkins, an attorney at Bernstein Shur, says nearly every state has its own laws on data-breach notification.

With news of major data breaches hitting corporate giants like Target, Home Depot and Morgan Stanley in the past year, it may be easy to forget that cybersecurity issues are not just limited to big companies — even if the smaller ones believe they're well protected.

Portland-based Otto Pizza, which has grown to nine locations throughout New England in just five years, learned that the hard way when its corporate office received a phone call earlier this year from the Secret Service.

It was the second full week of August and the Secret Service had let the company know that Otto had been the target of a “point-of-sale” attack that impacted systems at its two Portland restaurants, says Eric Shepherd, Otto's director of marketing and communications.

The breach had only impacted about 3% of meal transactions between May 1 and Aug. 13. But that still meant that credit card and debit card numbers of around 900 customers were potentially exposed. So the company put all work aside and focused on the breach.

“Obviously, we were immediately horrified,” Shepherd says in recalling the event, which involved working with state and federal authorities, upgrading systems and ultimately issuing communications to customers through several different channels, online and offline.

The breach was a surprise, Shepherd says, because the company had been certified as being compliant with the Payment Card Industry Data Security Standard, known as PCI, a set of protocols originally created by major card companies like Visa and MasterCard.

“We had passed [PCI certification] with no issues. Zero,” Shepherd says. “As far as we knew, we were doing everything we needed to do.”

As it turns out, Otto wasn't alone in thinking so. According to a report from the U.S. Computer Emergency Readiness Team, a division of the Department of Homeland Security, the Secret Service estimates that more than 1,000 businesses nationwide were impacted by the same malware that infected Otto's POS systems.

“Everyone wants to believe they're always doing what they can,” Shepherd says, “but the [hackers] were targeting certain combinations of hardware and software.”

Taking responsibility for ‘cyber resiliency’

Otto is not alone in facing cyberattacks as a small business. The wave of cyberattacks against businesses across the board appears to be increasing.

A report published in September by Traverse City, Mich.-based Ponemon Institute found that 43% of surveyed U.S. businesses experienced a data breach that involved the loss of more than 1,000 records this year, a 10% increase over 2013. The report, which was commissioned by credit information company Experian, was based on responses from 567 executives.

On the small business side, the National Small Business Association found in its 2013 technology survey that 44% of 845 business owners said their business had been targeted by a cyberattack, whether it was a data breach or other kind of cyberattack.

For Sari Greene, the founder of Portland-based Sage Data Security, the perception that small businesses may not be vulnerable to cyberattacks has to change.

She says that means businesses should adopt the concept of “cyber resiliency,” the idea that being targeted by a cyberattack is an inevitability and that businesses should invest in ways to mitigate risk and continue operations when an attack happens.

“For better or worse it's the responsibility of any business that is connected to the Internet,” says Greene. “The [hackers] are going to prey on organizations that are vulnerable.”

Greene said besides employing a data security firm like hers, businesses can take certain steps to protect themselves against cyberattacks and assure that they are being “cyber resilient.” This includes using encryption to secure data, being up-to-date on firewalls and anti-malware software and keeping logs of all Internet activity. It can also be as simple as not storing certain kinds of sensitive information if the business doesn't really need it.

“It doesn't have to be onerous and it doesn't have to be disruptive,” she says. “We know consumers want to do business with organizations they trust. It's a civic duty but it can also be a market differentiator.”

Greene says it's important to note that the theft of sensitive data is just one of three prominent kinds of breaches that can impact companies. The other two are service disruption and an appropriation of resources, which can involve cybercriminals gaining access to a critical piece of infrastructure, posing potential national security implications.

“The reason people should be extremely concerned is this isn't just an economic issue, but a national security issue for us,” she says. “There are enemies that will be glad to attack our infrastructure. We all have a responsibility to put safeguards in place.”

Curtis Picard, executive director of the Retail Association of Maine, says cybersecurity involves a constant education with members “because it's such a complex issue.”

The high cost of hacking

How much can a data breach and other cyberattacks cost a company? Shepherd says he estimates that Otto Pizza spent at least $10,000 to account for lost labor and to pay for IT costs, an attorney, a public relations firm and associated costs.

“I think it's fair to say during the data breach there were three or four people in our internal organization that were dedicated to this issue on a good week or two,” he says. “It was pretty expensive and put some projects on hold.”

The National Small Business Association's 2013 technology survey found that the average cost of a cyberattack was nearly $8,700, while the average cost for a small business that had a bank account hacked was surprisingly lower, at around $7,000.

For larger businesses, the costs can be much greater. According to a recent report by the Ponemon Institute, the cost of a data breach ranged from $135,000 to $23 million. The average organizational cost in 2014 was $5.85 million, an increase from $5.4 million in 2013, based on responses from 314 companies in the United States and nine other countries.

In this country alone, the report, which was commissioned by IBM, found that costs associated with fulfilling mandatory notification requirements averaged around nearly $510,000.

Anthony E. Perkins, an attorney and shareholder at Bernstein Shur in Portland who specializes in data security, says because nearly every state has its own data breach notification law, companies that do business in multiple states have to do far more legwork and pay more when dealing with a breach of their own.

Perkins says in one case he handled for a small client, 23 states were involved.

“We spent a huge amount of time to make sure notice letters were properly segmented,” he says. “It takes a lot of manpower to put that kind of analysis together. And if you're not a large business, it takes a group of people away from their daily responsibilities.”

The current situation can admittedly be a giant headache, Perkins says, which is why he thinks businesses would be better served if there was just a federal statute that gave them the same set of protocols for every state instead of 47 different ones.

Who should pay for data breaches?

When it comes to data breaches, banks and credit unions have their own set of costs, even if their systems weren't breached in a cyberattack.

John Murphy, president of the Maine Credit Union League, says he estimates data breaches have in the past year cost Maine credit unions around $2 million for the replacement of credit and debit cards and an additional $500,000 for covering fraud.

“There's a lot of labor associated in handling all of this,” Murphy says. “The real cost, however, is the inconvenience to consumers.”

Chris Pinkham, president of the Maine Bankers Association, says while his group has yet to fully calculate the cost of data breaches for Maine banks, it is, “in a word, significant.”

“We're there to provide security and service on cards,” he says. “But, if they're compromised on a third party [system], we're dealing with the cleanup.”

Murphy and Pinkham say that the implementation of microchips in credit and debit cards, otherwise known as chip-and-pin technology, will help protect consumers. That's because the technology — which has been standardized by Visa and MasterCard and has been widely used for years in other countries — creates a one-time code for transactions that would be useless to anyone outside the transaction.

Banks and credit unions are in the process of implementing chip-and-pin technology, Murphy and Pinkham say. Retailers are expected to have new systems ready to accept the technology by October 2015, when card companies begin to shift the liability of data breaches involving signature-based transactions to retailers.

The large costs incurred by banks and credit unions in major data breaches like the one at Target last December has renewed the debate over who in the transaction chain should be held liable. In response to a lawsuit filed by five banks, a lawyer for Target said in November that the company does not have a legal responsibility to pay banks funds that were lost as a result of the data breach, according to a report by Bloomberg. The lawyer said that's in part because the card payments were processed by third-party vendors.

Picard, of the Retail Association of Maine, says when considering the debate, it should be noted that merchants have to pay interchange fees to banks and credit unions, in part for fraud prevention, whenever credit and debit cards are swiped.

Perkins, of Bernstein Shur, says a recent ruling by the Connecticut Supreme Court could also have an implication in the debate. In that ruling, the court found that patients can sue health care providers for failing to adhere to best industry practices without violating federal privacy laws, like the Health Insurance Portability and Accountability Act.

The ruling in part provides the basis for new standards in protecting sensitive data, Perkins says, which in turn could form the basis of further negligence claims in data-breach cases, including against non-health care companies.

“HIPPA and these types of laws are providing the base for what prevailing standards should be,” he says, “so even if you don't technically violate HIPPA, you could still be found liable for negligence.”

In general, Greene, of Sage Data Security, says she hopes businesses will act on increasing cybersecurity measures on their own, regardless of government oversight.

“I will hope that small businesses opposed to regulation will recognize the business reasons to be invested in security,” she says. “A responsibility to customers and security is good for business.”

Read more

Machias Savings Bank CEO Larry Barker talks about northern expansion and economic recovery

Adding depth to ‘shallow economies’: In field of New Markets Tax Credits, CEI has found a niche

Move over, Mississippi. Maine's on the rise

Staples data breach exposes Maine credit cards

Anthem data breach impacts Maine consumers

Sen. King to host cybersecurity briefing for Maine businesses

Sign up for Enews


Order a PDF