Are You At Ease With Your E-Commerce Exposures?
By Joy M. Gänder, Risk Management Consultant
INTRODUCTION
You have heard the horror stories of lost laptops containing confidential information or hackers breaking into a company’s computer system, stealing customers’ credit card numbers and holding them for ransom. Denial of service attacks have been launched against companies and websites. Still, a number of executives and business owners are mistakenly under the impression that this will never happen to them. However, protecting your computer system from such attacks could be the difference between opening your e-commerce doors tomorrow morning and posting the “closed” sign on your website.
So here is the $64,000 question: What have you done to protect your business from the financial consequences of these attacks? This article discusses some of the exposures businesses face as a result of providing on-line services, potential claim situations, and some tools that can be used to manage the exposures.
EXPOSURES ABOUND
Many individuals become customers because of the quantity and accessibility of the services offered. For example, they can apply for credit cards, home equity or vehicle loans, pay bills, and access account balances – all online. All of these services (and this list is not exhaustive) present e-commerce exposures to businesses.
With this in mind, companies are exposed to a number of potential e-commerce claims. For example, firms can suffer from:
As noted below, insurance is often available to fund many of these losses. But who can put a price on the loss of goodwill, which isn’t insurable?
NOW WHAT?
A firm can use a number of tools and procedures to protect its systems from attacks and unauthorized disclosures, and from the resulting financial consequences. These include internal and external computer system controls, contractual transfer, and purchasing insurance.
Discussing how to protect a computer system from a security perspective is outside the scope of this article … and my IT prowess. Having said that, below are suggestions that can help you protect your customers’ information and assets, and your bottom line.
Do you use an outside vendor?
If you use an outside vendor to assist with the computer system (particularly its security) then specific attention should be paid to the contract between you and the vendor. Before it is signed, be sure that the remedies available under the contract are equitable from your standpoint, and truly acknowledge the severity of a breach of service or security. The contracts we have reviewed often limit the vendor’s liability to essentially nothing, or only to the amount of the contract. The last thing you want to discover at the time of loss is that your recourse for a $250,000 claim is limited to the contract amount of $30,000, even though the loss is due to the vendor’s negligence. Therefore, we recommend that all contracts go through a systematic review process, with particular attention paid to the liability, indemnification and other risk management implications.
Worms on the Inside
In addition to securing your system from outside attacks, consider the internal disruptions that are caused by employees’ actions. Employee handbooks should specifically address employees’ use of the internet, email and external media (CDs and floppy disks). A number of companies have suffered disruptions and losses due to the actions of employees. For example, an employee of a large financial institution obtained unauthorized access to account and credit card information for 68 of the entity’s accounts, resulting in fraudulent purchases of approximately $100,000. Or a disgruntled employee corrupts data, making it useless, then quits and leaves you holding the bag!
Insurance – A Financial Safety Net - Maybe
Let’s face it; bad things happen to good people. If the pre-loss efforts described above fail, then insurance may be available to fund the financial losses associated with computer system disruptions. However, we strongly advocate that insurance be used in conjunction with internal and external system controls and contractual transfer.
One must pay extremely close attention (read: READ YOUR POLICIES) to insurance policies before relying on them to respond to e-commerce claims. Off-the-shelf property, general liability, and directors & officers’ liability policies provide limited coverage (if any) for claims noted in this article. For example, a basic property policy likely will not respond to the loss of information due to a virus because the computer system is not physically damaged. Therefore, it is recommended that your e-commerce exposures be thoroughly reviewed with your risk management and insurance counselor to determine the types of coverages needed to protect your firm from losses. Specific coverages to look for include computer system fraud, extortion, virus attacks, enhanced liability coverage, business income, and public relations expenses.
CONCLUSION
E-commerce services are here to stay, but the risks associated with them can be properly - and collectively - managed through the use of pre- and post-loss tools. These include system security procedures, contractual transfer and insurance coverage. The time you take today to recognize and address the consequences of these losses will save you hours of anguish and frustration if they do happen.
Ms. Joy Gänder is the Owner of Gänder Consulting Group, LLC, a risk management and employee benefit consulting company. The fee-for-service firm is headquartered in Madison, WI. Ms. Gänder can be contacted at gander@ganderconsulting.com or (608) 286-0286.
Copyright © 2007 Gänder Consulting Group, LLC Phone: (608) 286-0286 | Fax: (608) 442-6811