You’re on the hook. And you probably have no idea.
You’ve made everything secure. No credit card numbers in your files … your computer … or your cloud server. Everything is PCI compliant. And the credit cards are processed by Stripe, or Square, or some other major processor. And then you get sued. How did this happen?
The reality is you have unknown risk. It’s confounding. So, we asked Whitney Tabash to explain it.
Whitney is a Broker with All Risks, Ltd. She recently sat down for an interview and answered the following questions. Her answers are below.
Who owns the data when you’re using a third-party payment processor?
There’s a common misconception about data ownership. Many businesses use third-party payment processors such as Square, Stripe, and PayPal. These allow you to take credit cards on your website, by phone, or with point-of-sale software. You think you’re safe because you’re not storing the card information.
But that’s not how data ownership laws work. You’re still responsible for protecting that data.
Who does the law hold responsible for a data breach if you’ve used a third-party payment processor?
The public perceives that they’re giving you their credit card to swipe. The law sees you as the owner of the data. And you’re responsible even if the breach happens to that payment processor system – even when it’s not your system.
You’re also bound to privacy laws. You collected the information and you are who the law sees as owning the data. And the privacy laws require you to send notifications to those impacted.
The example that surprised me the most is a small snow cone shop that got hit. It was a pretty small claim – under ten thousand dollars. But they were still on the hook for damages.
What about attorneys who accept credit card payments?
QUESTION: What if I’m an attorney who takes credit card payment from clients and I’ve done everything to be PCI compliant. And I’m not storing credit cards locally. The client enters their card directly into a portal connected to Stripe or Square. Their credit card information is not stored anywhere on my site or on my premises. In fact, I don’t even know their credit card number. Are you saying I have liability if Stripe or Square gets hacked?
ANSWER: Yes, you do. Data ownership law puts the liability on whoever the public sees as taking that information. Now, I’m not a privacy attorney, but in most cases, the burden is on the person whose client is paying them. So, in your example, the attorney is taking credit card payment from a client. The client is giving their credit card to the attorney. He would be responsible for the data ownership.
How does data ownership law apply to data storage?
The same reasoning applies if you use a data storage company. If the data storage company gets hacked, it doesn’t change the fact that the client gave their information to you. You’re the person who is supposed to protect that data by law. You chose to use a third-party vendor. But the information that was hacked is really yours. You must notify your clients, customers, etc. – the third-party vendor doesn’t.
Summary
It may be hard to believe. But the data privacy laws hold you responsible if you’re the customer interface. You have financial liability. You are also the one required to notify customers if their data is breached by a third-party vendor. According to the law, you are still on the hook.
This is a complicated and constantly changing area of law, and notification requirements differ by jurisdiction. If this situation happens to you, you’ll need a third party to guide you through the current notification laws. You’ll need a consultant if you don’t have Cyber Liability / Data Breach insurance. Otherwise, your insurance provider should help you navigate the process.
Bio
Whitney Tabash is an experienced Professional Liability broker at All Risks Ltd., the largest independently owned insurance wholesaler in the United States. Prior to joining All Risks, Whitney was a Senior Broker at Professional Liability Underwriting Specialists, Inc. With almost 10 years in the industry, she is a well-established resource on technology related exposures in the constantly changing regulatory environment. Whitney serves on the Texas Surplus Lines Association (TSLA) Membership Services Committee and was the youngest ever appointed Chair of the Texas, Oklahoma, Arkansas and Louisiana Chapter of the Professional Liability Underwriting Society (PLUS).
Disclaimer
Daniels-Head Insurance Agency (DHIA) seeks thoughts and insights from a variety of individuals and organizations in the industry. The guest content on this blog represents the individual opinion of the author and not that of DHIA. Nor is it the opinion of DHIA’s underwriters and business partners. Neither DHIA nor DHIA’s business partners are recommending, endorsing, or sponsoring any companies, or third parties mentioned in this blog.