Cybercrime has dominated news headlines this year, from a phishing scam at Snapchat to the WannaCry ransomware that crippled computers across the globe in May.
has become so prevalent that there is an online publication dedicated to it
called DataBreach Today.
crime is one of the fastest-growing threats to business operations, potentially
resulting in expensive claims and lawsuits. Self-storage businesses are not
immune to cyber hacking, especially with more customers paying online.
Self-storage operations store sensitive customer data that must be protected
as the number of high-value transactions exchanged through electronic channels
continues to grow, online criminals are devising new ways to intercept
communications or deceive computer users. As cybercrime technologies evolve, it
is becoming increasingly more difficult to protect data and defend business
global cost of cybercrime is expected to reach $2 trillion by 2019, a threefold
increase from an estimated $500 billion in 2015, according to Security Intelligence, an IBM
to the Identity Theft Resource Center, more than 29 million records were
exposed in 858 publicized breaches in 2015 across sectors including financial,
government, health care, and education. International Data Group detected 38
percent more cybersecurity incidents than the previous year.
cost per record stolen averages $158 globally, but exceeds $220 in the U.S.,
according to Ponemon Institute.
and mid-sized organizations (SMBs), defined as those with 100 to 1,000
employees, are increasingly targeted by cybercriminals. According to Keeper
Security’s “The State of SMB Cybersecurity” report, half of small- and mid-sized
organizations reported suffering at least one cyber attack over a 12-month
these businesses are themselves victims, they may still have to incur an
immense cost to reconstruct data, conduct required notifications, and face the
prospect of customer defection.
Security estimated the average cost of a data breach involving theft of assets
totaled $879,582 for SMBs, which spent another $955,429 to restore normal
business in the wake of cyber attacks.
owners need to protect their businesses and customers from hacking and other
cybercrime. Preparation should include prevention techniques to protect against
hacking as well as insurance coverage in case preventive measures fail.
addition to the major inconvenience, cybercrime can cause self-storage owners
and their customers, operators can be subject to fines and other financial
losses. Plus, customers whose confidential information has been divulged may
sue the self-storage business for negligence.
usually are required to notify affected customers when a security breach
occurs. Plus, there are additional expenses and possible litigation involved if
identity theft occurs, including offering customers one or two years of free
April, New Mexico became the 48th state, along with the District of
Columbia, to enact legislation requiring notification of security breaches involving
personal information. Alabama and South Dakota remain the only states without a
data breach notification law.
breach notification laws exist at the state level—each having their own breach
notification law,” says Scott Zucker, an attorney with Weissmann Zucker Euster
Morochnik P.C. in Atlanta. “Companies storing the personal information of
residents of multiple states—an increasingly common situation thanks to
Internet commerce—may need to comply with dozens of separate breach
notification standards in the event of a security incident.”
employees handle an assortment of sensitive personally identifiable information
(PII) not only for customers but also vendors, investors, partners, and
includes the full name of the individual, home address, email address, driver’s
license number, credit or debit card number, telephone number, date of birth,
and social security number. This personal information is put into the
facility’s system and stored on a local server, on a cloud server, or maintained
by a management software vendor.
According to Mike Gong, area vice
president of Arthur J Gallagher, who is based in Fresno, Calif., self-storage
data breaches can take several forms, physical and electronic. “If a business
owner or supervisory employee had a laptop in a car and the laptop got stolen,
that could be a data breach,” Wong says. “There’s a lot of information on there
that could be compromised.”
self-storage employees write personal information on paper and later toss it into
the garbage without shredding it. A dumpster diver could conceivably create a data
breach for the facility.
employee could go on a suspicious website and click on a link or open an email
attachment that installs a virus or ransomware on the company’s network.
employees increasingly cause cyber problems by downloading personal information
and planting viruses on company networks before leaving their companies.
relates a recent incident where a multilocation Texas operator had ransomware installed
on the company network, which locked out users for an entire week. “You can imagine
that created havoc and slowed down their efficiency for the business,” Gong
self-storage industry luckily hasn’t experienced a major data breach from an
outside hacker source, according to Zucker. None of the real estate investment
trusts (REITs) apparently have been affected, otherwise they would have to
disclose the information in their public filings.
there have been internal data breaches that have occurred by managers taking
tenant information and using it for their own benefit,” Zucker says. “I haven’t
seen a situation where an employee has taken information and sold it to a third
risks increasingly are appearing on the radar of insurance companies, which now
offer various forms of liability protection that cover data breaches and
identity theft. Cyber liability protection is designed to reimburse owners for
expenses resulting from a notification and also liability coverage if a
customer lodges a lawsuit as a result of a data breach.
the insurance is called cyber liability, data compromise, or privacy and
network security liability, this coverage protects against electronic or
physical theft of sensitive information. These policies typically cover first
party expenses for breach response, legal expenses, forensic investigation, notification,
credit monitoring, loss of business income, fines and penalties, cyber
extortion, and network security liability.
Insurance Agency’s business owner’s policy offers a data compromise option providing
a variety of assistance pertaining to a wide range of data breaches such as
electronic theft or hacking and covers certain costs related to notifying
customers of a breach, restoration of lost data, and credit monitoring.
also offers identity recovery coverage as part of its business owner’s policy.
This coverage offers services of an identity recovery case manager as needed to
respond to identity theft, including a step-by-step resource guide and reimbursement
of reasonable identity recovery expenses incurred to correct credit or identity
records as a result of identity theft. Coverage also includes the insured’s
lost wages (subject to limits), cost of up to 12 credit reports, postage,
phone, shipping, and certain legal fees.
advocates carrying limits of no less that $1 million for most cyber liability
policies. That’s because of the cumulative costs involved in meeting notification
the first-party expenses typically the business owner is going to incur, it
ranges between $200 and $300 per record,” Gong notes. “One single facility can
have 800 units and over time you have turnover on those units; you could have
several thousand records that you’re responsible for maintaining.”
this scenario, Gong estimates a facility owner could be looking at $400,000 in out-of-pocket
expenses if 2,000 customer records were involved.
a big proponent of operators having cyber liability insurance protection,”
Zucker says. “The amount of coverage all depends on the size of the facility
and the financial ability of the facility to insure itself. I always advocate
for as much insurance as you can afford.”
storage operators are adding cyber liability coverage to their insurance
policies as a result of the growing concern over cyber theft. “In the last few
years we’ve sold a lot more of it,” Gong says. “There’s more knowledge and a need
notes that several years ago insurance companies that provided this product
didn’t have a streamlined way for a customer to apply for the coverage. “A lot
of them would have an eight-page application that was mind-bending to any
layman who was not tech savvy. You’d have to have IT (information technology) or
a vendor to fill it out. It’s a lot easier to get a quote than it was five or
six years ago. I’ve seen an uptick because of that as well as people realize
there’s an exposure out there,” Gong says.
owners, however, don’t look into this insurance because of what Gong says is a
misconception about credit card processing in the storage industry.
people believe credit card processors will protect you from fines or
violations, but also first-party expenses where you’ve got to notify
,” Gong says. “If you look at the contracts of most credit card
processing companies, they indemnify themselves from that. As a merchant, you
have to take that on because customers don’t care who the storage operator has
chosen as their vendors to process credit cards. All they care about is they
did a transaction with you as a merchant or business owner.”
card processors might seek liability protection, Zucker says one reason there
has not been a major cyber event in the industry is because of the work of
these processors and management software providers.
lot of that is a credit to management software providers and merchant services
providers who work hard to make sure their systems are PCI (Payment Card
Industry) compliant and they require their customers to install proper
firewalls for access prevention,” Zucker says. “There’s a lot of good education
going on with respect to structural needs of the operator to prevent a data
who take automatic credit card and debit card payments regularly can put their
customers’ personal information at risk. Should a breach occur and customer
data ends up in the wrong hands, owners and operators face a multitude of
costly legal rules with specific requirements.
and MasterCard mandate that their merchants are PCI compliant, and management
software providers such as Raleigh, N.C.-based SiteLink are helping operators
to achieve that status by adhering to PCI best practices. The consequences of
non-compliance can threaten the business itself.
the event you experience a breach, you could face steep fines for PCI
non-compliance along with the possible costs associated with forensics and card
reinsurance,” says SiteLink Merchant Services COO Sheryl Scott. “So, the
merchant account holder must complete PCI compliance, proving they have
followed the best practices in protecting their business. For additional
protection, check with your insurance provider to verify you have the proper coverage
to protect against unauthorized attacks.”
recommends using chip readers at the store when accepting credit or debit cards
for added security. Plus, it can reduce the operator’s liability if a
fraudulent or stolen card were to be used. Financial institutions can push
liability back to the merchant if a chip card is not processed through a proper
want to try to encrypt as much data as possible that has private information,”
Gong says. “People send emails all the time that have a lot of information that
could be intercepted. Most people don’t have a form of encryption software on
their email system to hide that information.”
always a good idea to keep antivirus and antimalware software updated, as well
as firewall security (see accompanying sidebar). Passwords should be strong and
changed frequently. In addition, operators should have policies and procedures
on how to avoid phishing scams and establish obligations for using social
probably the biggest exposure most storage operators have today in terms of
getting a data breach is because of something an employee has done
inadvertently by going online,” Gong says.
a toxic online environment, where worldwide hackers are continually searching
for new victims, self-storage owners must use all available tools—including
insurance—to protect their businesses and customers from online criminal
Lucas is a freelance writer based in Phoenix, Arizona. He is a frequent
contributor to all of MiniCo’s publications.
Taking Preventive Measures To Avoid Online Crime
owners must remain aware and proactive in order to help reduce the threat of
cybercrime. Technology experts recommend business owners take a number of
preventive measures to lower the risk of a data breach:
All software should also be kept current,
including the Windows or Mac operating system, the browser (Internet Explorer,
Firefox, Safari, etc.), and other programs such as Adobe Reader and Adobe
Flash. Operating systems are periodically updated to keep technology current
and to fix security holes.
Be sure to have antivirus and antimalware
protection on all computers; also consider protection for smartphones and other
mobile devices. Antivirus software is designed to prevent malicious software
programs from embedding on your computer.
Install or update spyware blocking technology.
Spyware is software that is surreptitiously installed on a computer to allow
outsiders to observe your computer activities. Some spyware collects sensitive
information about computer users or produces pop-up ads on the web browser.
Ensure compliance with Payment Card
Industry Data Security Standards (PCI DSS). PCI compliant organizations are better
prepared to protect their data and have less of a chance of getting breached
when compared to organizations that are out of compliance.
Encrypt all your customer files and store
them in a secure location. Stay current on established protection protocols
such as encryption and newer technologies.
Be on constant alert for phishing scams.
Always check the email address before clicking on any links, especially from
financial institutions. Clicking on these malicious links will allow bank
usernames and passwords to be shared with criminals.
“air gaps” by leaving some information on computers that are not
connected to the Internet or leave some of the most sensitive information
Keep your firewall defense up to help
protect your computer from hackers who might try to gain access to steal
passwords or confidential information. Software firewalls are recommended for
single computers while hardware routers typically provide firewall protection for
Be careful of downloads. Carelessly
downloading email attachments can circumvent antivirus software. Never open an
email attachment from someone you don’t know, and beware of forwarded
attachments from unknown senders.
Turn off your computer. With the growth of
high-speed Internet connections, many users leave their computers on; however,
“always on” computers are more susceptible to attacks. Turning off the computer
cuts off an attacker’s access.