Camera-Managed AmazonGo Stores Prime Target for Cyber Breach

Amazon has been using software applications to follow and understand its customers for a decade. It has been using its virtual assistant, Alexa, to listen to its customers for the past two years. And now, through its AmazonGo stores, it will use a network of sensors and cameras to watch its customers.

Last week, Bloomberg reported Amazon is considering a plan to open as many as 3,000 new AmazonGo stores in the next few years. Cashiers are absent from these convenience stores; customers use a smartphone app to enter the store, and cameras and sensors track what they take and tally their purchases. The first AmazonGo store opened in Seattle in 2016.  Analysts say the expansion could generate between $3 billion and $6 billion in revenue for the retail tech giant; just as importantly, it could give Amazon access to unprecedented customer data.

Yet that data collection has a catch for businesses.

The more “high-tech” and connected a business is, the greater the focus needed for securing the technology and all data that flows through it, according to David Derigiotis, Certified Information Privacy Professional (CIPP), Corporate Vice President and National Professional Liability Practice Leader, Burns & Wilcox.

Make sure your business is protected in the event of an attack

Gartner, a consulting firm, estimated that 8.4 billion devices were connected in 2017 and more than 20 billion will be by 2020. As of March, there were approximately 4.7 million developers in the world creating these types of connected devices to help consumers in their homes and with their health. Earlier this month Amazon unveiled new Alexa technology to control microwaves, TVs and car infotainment systems. Apple’s newest Apple Watch is being marketed by the company as a medical device, with the ability to offer an ECG to wearers at any time.

With the increased use of connected devices, comes a greater need for coverage.

Cyber & Privacy Liability Insurance covers the costs associated with managing a cyber-security incident including unauthorized access to sensors, cameras or any connected device. It pays for forensic investigations, legal costs and regulatory fines, business interruption, social engineering and phishing attacks, the creation and mailing of a notification letter to customers, as well as credit monitoring or other services offered to customers.

“Many policies offer pre-breach services to help with incident prevention and preparation,” Derigiotis said.

A Commercial General Liability (CGL) policy may cover bits and pieces of a cyber-security incident, but Derigiotis said the needed limits and scope of coverage pale in comparison to a standalone Cyber & Privacy policy. It is not the true intent of a CGL policy to address cyber and privacy risks.

A standalone cyber liability policy providing a $1 million limit can cost less than $1,000 a year for many small businesses. Policies can scale into the tens of millions of dollars of coverage to meet the needs of larger businesses that have higher risk profiles, such as retailers, healthcare companies or educational institutions where a large amount of personal data is managed. We evaluate risks based on a number of factors including the clients operating industry, record count, annual revenues, and overall security posture, said Erica Rangel, Professional Liability Broker, Burns & Wilcox.

“It’s in the interests of brokers to educate each client so that they have the proper amount of coverage according to their risks and exposure,” Rangel said.

“Every business needs to consider this type of policy because the protection is very critical in today’s connected and ever-changing world.” – Erica Rangel, Burns & Wilcox

If a breach or hack occurs on a business network, that business is ultimately liable. This week Uber was ordered to pay $148 million to settle claims over a 2016 data breach that exposed personal information of more than 25 million of its U.S. users. Even when an organization hires a third party to handle its data, it is up to the business to notify its customers of a breach, such as when 87 million Facebook users had their personal information harvested by third-party vendor Cambridge Analytica. Regardless of who handles the data, the owner of that data needs insurance to help protect its assets, or the viability of the business could be at risk.

“Every business needs to consider this type of policy because the protection is very critical in today’s connected and ever-changing world,” Rangel said.

How employers can help employees limit risks

Cyberattacks on small businesses are on the rise, and there are many steps that organizations can take to increase protection. But nothing is foolproof, and unbeknownst to them, employees are the biggest culprit, posing a threat to businesses. That’s because employees are the “weak link” that hackers can pick to get into a company’s network, said Andrew Alston, CEO of BreachAware Limited, a risk analysis and cyber security company in London.

In August, three Ukrainian men were arrested on charges they targeted employees of Chipotle Mexican Grill and other businesses to steal millions of customer credit card numbers.

“Employees often don’t take the steps needed to protect client data and businesses who let these employees use their network and their technology will (often be held) responsible,” said Alston.

“Employees often don’t take the steps needed to protect client data and businesses who let these employees use their network and their technology will (often be held) responsible.” – Andrew Alston, BreachAware

Employers should mandate that employees change their email passwords on a regular basis, and approved software patches from companies like Microsoft or WordPress should be automatically installed, Alston said. Employees should follow the compliance teams of their IT groups and realize that one hacked device could lead to other connected devices being impacted by malware, a Trojan horse virus, keylogger or even malicious apps.

“Phishing is still the most common way to hack into a system and that’s done through (employees) as the weak link,” Alston said. “If you have a keylogger, you can literally make hay with people’s data.”

Consumers need to be savvy when looking at company privacy policies

In addition, consumers need to review the details provided in terms and conditions whenever they interact with a technology product or service, Derigiotis said. This can include using a device like Google Home or Amazon Alexa, signing up for newsletters and even using email.

“We need to ask ourselves – is what we’re using here worth it given how our information as consumers may be used,” Derigiotis said. “It may be time-consuming but you do want to go through conditions or a privacy policy to see how that (provider) is storing, collecting and protecting your data. Ask yourself, is the risk of my privacy or security worth the convenience this technology is offering?”

He referenced VTech, a provider of interactive, electronic toys for children that violated a U.S. children’s privacy law by collecting data without obtaining proper consent and failed to take reasonable steps to secure the data it was collecting. Earlier this year the U.S. Federal Trade Commission fined Vtech $650,000 for not encrypting customer information as it had claimed.

Last year a reported 148 million consumers were affected when credit reporting bureau Equifax was hacked.

Rangel said that many companies have taken steps to streamline and simplify the terms and conditions that business vendors and consumers need to approve to use their products and services.

“You really want to do your research as a consumer and consider the reputation and resources of providers,” Rangel said. “A lot of companies will rush (a product) out to the marketplace because tech is so competitive, but they do so without having the right commitment to security.”

Who’s ultimately responsible? The business that owns the technology

An organization needs to be aware of all the places on its network where data can be collected or stored, as you cannot properly protect what you don’t know you have, Derigiotis said. Cameras, microphones, digital systems, tablets and laptops can all expand a company’s “attack surface” and add to the potential for risks. Mobile phones, whether provided by the employer or owned by the employee, can also be a source of security concerns.

In other words, the more connected a business becomes, the more risks it faces.

Employers should ensure firewalls are in place, anti-virus software is up-to-date and passwords are complex and not reused in other places.

“As a business you need to know what you are collecting and how that data is being managed internally,” Derigiotis said. “Not every employee needs to access the entire network. It all needs to be considered as part of your security and privacy process.”

As with any coverage need, an insurance broker or agent must be consulted. Click here to forward this article to your insurance broker or agent to ask if you need this coverage, or share this with clients to start the conversation and ensure proper protection.

This information was provided by Burns & Wilcox, North America’s leading wholesale insurance broker and underwriting manager. Burns & Wilcox works exclusively with retail insurance brokers and agents to assist clients like you with their specialty insurance needs. Ask your insurance broker or agent to review your Commercial General Liability (CGL) or Cyber and Privacy Liability policy to ensure you have proper protection.