Is Self Storage Safe From Data Breaches?

Posted by Erica Shatzer on Apr 1, 2018 12:00:00 AM

What do Yahoo, Adult Friend Finder, eBay, Equifax, Heartland Payment Systems, and Target all have in common? They all secured a top spot on a list of the largest (or most significant) data breaches of the 21st century.

According to CSO from IDG Communications, Inc., which provides news, analysis, and research on security and risk management, in October of 2017, Yahoo acknowledged that all three billion of its user accounts had been compromised in a 2013 data breach.

In October of 2016, hackers exploited a vulnerability in Adult Friend Finder’s security and collected 20 years of data on six databases, thus impacting 412.2 million accounts.

eBay’s database was hacked in May 2014, exposing information about all of its 145 million users.

Personal data (including Social Security numbers) of 145 million people was stolen from Equifax, one of the largest credit bureaus, in July 2017. 

In March 2008, 134 million credit cards were exposed through an SQL injection that installed spyware on Heartland Payment Systems’ data systems. At the time of the breach, the company was processing 100 million payment card transactions per month for 175,000 merchants, mostly small- to mid-sized retailers.

Last but not least, Target’s data breach in 2013 compromised the personal identifying information of approximately 110 million customers. The company recently estimated the cost of the breach at $162 million.

Is Self-Storage Safe?

While the data breaches mentioned above all involve large, nationwide companies, self-storage businesses are not immune to cyberattacks. In fact, as self-storage facilities continue to offer their customers more internet-based services and options, such as online reservations, online payments, and customer portals, their vulnerability to cybercrimes increases.

Besides a facility’s computer system and security system, which nowadays are typically connected to the web, there are countless Internet of Things (IoT) devices that hackers could infiltrate in order to steal private information. An IoT device is defined as any nonstandard computing device that connects wirelessly to a network and has the ability to transmit data. Therefore, the smart TVs in a self-storage facility’s conference room and/or office aren’t off limits to cybercriminals. Likewise, smart locks and smart garage door openers could be hacked. Essentially, the more IoT devices that are utilized, the greater the risk. And the unsettling reality is that hackers find and exploit weaknesses, so it’s imperative to protect yourself from cyber liability.

Although self-storage may not seem like a hacker’s usual target, Don Sedlacek, vice president of claims for MiniCo Insurance Agency, LLC, reminds owners and operators that rental agreements may contain sensitive personal information. Similar to hard copies of rental agreements, which are to be kept in locking file cabinets, self-storage facilities must be diligent about protecting the personal identifying information that is stored within their computer systems and/or cloud storage sites and maintaining security through frequent system checks and scans. Of course, any issues or potential problems should be fixed immediately.  

“There is a need for cyber liability protection,” says Sedlacek. “The exposure may not be as great for self-storage, but the need is there.”

The Costs Of Cybercrimes

Obviously, the greater the number of customers’ records that are lost, stolen, or exposed, the more it will cost to remediate. Research by the Ponemon Institute, through its 2016 Cost of Data Breach Study, estimated the average cost of a data breach to be over $7 million.

Sedlacek notes that there are several requirements companies must meet in the event of a data breach, all of which come at a price. For starters, a business must make repairs to its system to prevent more damage from being done. Unfortunately, additional issues may be detected when repairs are happening. Recovering and restoring missing data also takes time (aka money). Tech support and faulty equipment replacements are just two of the costs that fall into the system repairs category. Companies may also need to hire a professional to investigate the data breach or cybercrime in an effort to hold the cybercriminal responsible for the damage.

Another loss to consider is the impact of business disruption. Managers may not be able to accept new tenants or sell retail items if the self-storage facility’s management software is unavailable due to repairs, and rental payments may be left unprocessed as well. It is even possible that the facility may need to remain closed until the problems are resolved, especially if the site’s access control system was jeopardized.

Then there are the costs associated with notifying the individuals affected by the data breach, providing credit monitoring, repairing individuals’ credit scores and/or identities, and dealing with possible lawsuits. There may be fines as well. Data breaches can attract fines from the Federal Communications Commission, Federal Trade Commission, Health and Human Services, the Payment Card Industry Data Security Standard, and other regulatory agencies.

“Legal expenses can escalate quickly,” says Sedlacek, adding that sometimes an expert or attorney must be hired to restore an individual’s credit or identity. “It doesn’t change overnight,” he says. Personally, Sedlacek knows of individuals whose lives were so disrupted by data breaches and identity theft that they had to obtain new Social Security numbers to start over with a blank slate.

What’s more, data breaches impact a company’s brand and reputation. Before the dust begins to settle, many companies spend top dollar to combat negative publicity, mitigate damage, and prevent a loss of customers. This usually involves hiring a public relations firm or PR specialist to deal with the media and handle the flood of phone calls.  

Cover Your Assets

In response to the ever-increasing number and types of cybercrimes, insurance companies have begun offering cyber liability coverages. These new policies address various kinds of exposures to protect policyholders.

First-party coverage provides protection for business interruption, crisis management, extortion/threat, and privacy and generally covers expenses incurred by the self-storage facility such as customer notification, credit monitoring, credit and identity repair, and computer and legal forensic services.

Third-party liability coverage is another option. It covers security (failure of network security to prevent hacking or the transmission of computer viruses); privacy (failure to protect confidential or private information); media/content such as copyright infringement, libel, slander, and other forms of disparagement; and regulatory actions brought by state and/or federal agencies to enforce privacy regulations.

“If you haven’t already thought about it, or discussed it, do it now,” says Sedlacek, who advises self-storage operators to reach out to their insurance agents. “Contact your agent to discuss it.”

Up Your Game!

When it comes to protecting the sensitive information of your company and its customers, remember this sensible adage: An ounce of prevention is worth a pound of cure. As the businesses on the data breach list can surely attest, their money and efforts would have been better spent on security measures to prevent the data breaches from happening.

With that being said, take the time to make cyber security a priority at your self-storage facility. In addition to cyber liability coverage, here are some basic ways to prevent cybercrimes from damaging your business:

  • Use websites with secure connections; look for the green padlock symbol.
  • Utilize payment vendors and facility software that have earned Payment Card Industry Data Security Standard (PCI-DSS) certification.
  • Review the agreements and/or contracts of online third-party vendors to ensure that they contain a Hold Harmless clause in reference to data breach.
  • Follow smart password protocols such as creating strong passwords and changing them frequently.
  • Regularly back up your data and store the backup(s) at a secure location off site.
  • Purchase trusted security/anti-virus software and run scans/checks on a regular basis. 
  • Purchase data encryption software.
  • Hire a professional to evaluate your business’ network and correct potential issues.

Final Thoughts

Sadly, cybercrimes will continue to derail businesses and their customers as the internet becomes a more prominent part of our lives. Therefore, it’s best not to leave your cyber security to chance. Create a comprehensive plan that utilizes both prevention and protection. Your independent agent can be a critical source in navigating the challenges related to this complex and potentially costly exposure. Work with your agent to review your various cyber exposures and obtain the proper coverage.

Top Five Risks For Mid-Sized Companies

| Rank | Risks | Percent | 2017 rank |
|------|-------|---------|-----------|
| 1 | Cyber incidents (e.g. cybercrime, IT failure, data breaches) | 39% | 3 (29%) |
| 2 | Business interruption (including supply chain disruption) | 37% | 1 (35%) |
| 3 | Natural catastrophes (e.g. storm, flood, earthquakes) | 32% | 5 (23%) |
| 4 | Fire, explosion | 23% | 7 (17%) |
| 5 | Market developments (e.g. volatility, intensified competition / new entrants, M&A, market stagnation, market fluctuation) | 21% | 2 (33%) |

Source: Allianz Global Corporate & Specialty. Figures represent how often a risk was selected as a percentage of all responses for that company size. Responses equaled 516; figures don’t add up to 100 percent as up to three risks could be selected.

Erica Shatzer is the editor of Mini-Storage Messenger, Self-Storage Now!, and Self-Storage Canada.