Cyber criminals don’t discriminate

Auctioneers need to protect and insure their databases.

By James Myers, contributor

Cyber criminals are a crafty bunch, and they continually evolve to get around the security measures that companies with any type of digital footprint try to employ.

According to a 2017 nationwide survey released by the Hartford Steam Boiler Inspection and Insurance Co., 53 percent of businesses in the United States have experienced a cyber attack.

If you think these cyber attacks are only directed at big corporations and not your auction business, think again. Hackers don’t discriminate, and if you leave the door open, so to speak, they’re going to poke their heads in and look around. Their activity could leave you liable, costing you a lot of money.

This is an issue that Larry Harb, of IT Risk Managers, and Greg Magnus, of ER Munro Co., deal with daily.
Harb has covered clients with cyber insurance for more than 20 years, at first insuring online Auctioneers, then Auctioneers with any type of digital footprint.

“The question comes up,” Harb said of Auctioneers he covers, “‘why do I need another policy?’”

The answer is that most insurance policies Auctioneers have, which are general liability, don’t cover everything.

Harb and Magnus both advise Auctioneers to look at their contract from back to front, because the contract will spell out toward the end what isn’t covered in a general liability policy. Most will exclude all electronic media, including databases where sensitive client information is stored.

But, why does this matter? It’s simple – getting hacked can sink your business. Almost every Auctioneer has digitally recorded who is bidding at the auction, their address, phone number and other identifying information, including credit card numbers.

And, while you might be working through PayPal or other third parties to handle payment, you’re still liable for that data.

“Every state has now passed a law that says if you do business in our state and you lose personally identifiable information of a resident of our state, you need to notify all of your customers,” Harb said.

Magnus added that the cost associated with notification is between $50 and $225 for each person notified. So, if your database has hundreds of people’s information in it, you’re looking at major losses.

Magnus said that when Auctioneers apply for coverage, they’ll look at whether or not they have firewalls in place and assess what the Auctioneer does to prevent data breaches and keep hackers out of their system.

“It gets you thinking about your processes and what you can be doing better,” he said, adding that some will outsource their IT to add an extra layer of security. “We’re here to educate you and protect your business.”

Harb and Magnus said their cyber policies (Harb prefers the term “database policies”) will cover network security, privacy and liability for any issues with Payment Card Industry (PCI) compliance.

“If you are taking credit cards and you lose the credit card database,” Harb said, “now you can have the Payment Card Industry come after you. If you lose data and you are not PCI compliant, they can fine you, and the policy will respond to that – it responds to fines and penalties.”

No two cyber policies are alike.

Harb and Magnus advise Auctioneers to talk to their insurance agents so that when the worst happens (a ransomware attack, password attack, denial-of-service attack, etc.), they’re covered.

This article was an excerpt from a presentation given at the 2018 NAA International Auctioneers Conference and Show.