

Nine Promising Jobs in the News

1. Tax accountant

2. Compliance director

3. Credit manager/supervisor

4. Senior financial analyst

5. Network administrator

6. Information systems security manager

7. System engineer

8. Medical records clerk

9. Executive assistant


Credit & Collections Management

Creditors, Suppliers and Security Breaches
by Adam N. Atlas, lawyer advising payments businesses
atlas@adamatlas.com, www.adamatlas.com

Once upon a time, all that suppliers had to worry about was the credit of their customers and the legal effectiveness of the security liens that they took on inventories. Now, debtors and creditors alike, for that matter, live under the constant threat of security breaches which can have consequences of a material order of magnitude. As a lawyer advising payments companies, I thought it would be interesting to discuss security breaches from the perspective of creditors and suppliers:

    1. What is a Security Breach? From a payments perspective, a security breach is an instance when a business has been storing payment information, such as credit card numbers, bank account numbers or other personal information, and copies of that information are obtained by third parties not having the right to access the information. The best examples of these kinds of breaches are the theft of large quantities of credit card numbers from large retailers. The thieves in these breaches are often never found because they hide behind overseas servers and layers of deceit. Much like a theft of inventory, the theft of data is usually followed by the thief selling the stolen goods into a market that is interested in purchasing stolen data. Within hours of the data compromise, stolen credit cards are often used for all they are worth, with the criminals taking the funds and disappearing, sometimes before the victim of the theft even knows they have been robbed. We are not talking, here, about one-off theft of a debit card and PIN number; we are talking about the theft of thousands or tens of thousands of credit card numbers.

    2. What are the Effects of a Security Breach? The immediate effects of a security breach are first of all reputational. Some consumers may stop shopping at a retailer (whether on the internet or otherwise) that is reported to have given up to thieves thousands of credit card numbers. A number of US states have adopted breach disclosure rules that require the victim of a breach to inform the individuals concerned that their financial information has been compromised. I am not aware of Canadian law to this effect. Within the credit card processing industry, however, there is a set of self-imposed (i.e. Visa and MasterCard imposed) rules that provide for serious fines for having data compromises involving credit card data. These fines run quickly into the hundreds of thousands of dollars for breaches of only a few tens of thousands of cards. That kind of expense can put a medium-sized business out of business overnight. Canadian privacy laws, although ostensibly stronger than their American counterparts, are not coupled with strong sanctions, so victims of security breaches, oddly enough, are not much in fear of the law in Canada.

    3. Get Your Own House in Order. Before making demands of debtors as to security compliance, make sure that your own security is up to date. There are independent consultants that can provide advice on the various standards to which you may wish to hold yourself, such as the PCI standard. When auditing and augmenting your own security systems, pause to consider the allocation of liability for failure as between you and the IT consultants that are implementing the solution you have selected. Many IT supply agreements cap the liability of the supplier at the price paid for their work. If you deal in any reasonable amount of data, then that cap will make the IT supplier indemnification all but useless to you. An IT supplier that guarantees that your system will be compliant with one or another security standard should have some measure of liability for their failure to do so. There are many horror stories of business owners that were not aware that their particular payments software was out of date and therefore not capable of stopping one or another kind of intrusion. This ignorance has led to breaches and enormous fines that would have otherwise been avoided.

    4. Get to know the Payments Habits of your Debtor. As a creditor, you are probably running your borrowers through reams of checklists in order to run your clients through your underwriting policies. It is recommended that a data-security checklist be added to standard underwriting practices. Consider asking questions like: do you store cardholder data? Is the data you store encrypted? Is the data you store subject to a need-to-know access restriction? Are your hard drives useful outside of the boxes in which they are now located? Naturally, the complete list of questions would be driven by a mixture of technical, legal and underwriting know-how and agendas within your organization. The security profile of your debtor will always influence your underwriting of their account. You may wish to procure third-party input into the activities of a debtor, such as reviewing their bank statements or payment processor statements.

    5. Require Notice of Breaches. As between creditors and debtors, a lot can be accomplished contractually in order to potentially mitigate some of the losses that may be caused by a security breach. For example, it is recommended that creditors require their debtors to disclose to them the occurrence or the potential occurrence of a security breach. This kind of notice to a creditor can help the creditor make quick decisions as to flow of funds and access to funds. Security breaches, by their very nature, rarely remain secret. Consequently, the debtor is not giving up much by undertaking to notify a creditor of a breach. Depending on the wording that has been accepted, the creditor can then act accordingly, either withholding additional funds or mandating a security audit or other changes that would help the debtor and, by extension, the creditor.

    6. Consider Taking over Processing. Taking receivables on behalf of debtors is one of the oldest means of securing payment. However, contemporary payment systems give debtors a variety of means of receiving payment. Some of those means can be redirected to first credit the account of a creditor who, after taking their regular payment, can remit the balance thereof to the debtor. Some creditors, known as cash advance businesses, take this principle to a higher level, systematically taking 100% of receivables and then paying a fixed percentage back to a debtor merchant after deducting their fees. Any arrangement of this kind merits careful legal review.

    7. Fragility of Liens. Liens, security interests or hypothecs, as they are known in Quebec, are only as good as the assets that they secure. Data, by its nature, is difficult to secure – both legally and technically. Consequently, creditors should rely as much on ‘physical’ protection of debtor data as they do on any legal framework within which the debtor’s assets are managed. Thieves don’t run a PPSA search before infiltrating a debtor’s system.

Creditors should embrace new payment systems because many of them can improve cashflow and also be revenue centers for their debtors. On a parallel track, however, creditors are well advised to take cognizance of the security risks and protections that their debtors have taken in relation thereto.

Adam Atlas, Attorney at Law, a lawyer advising payments businesses (atlas@adamatlas.com), is licensed in Quebec and New York. Nothing in this article shall be interpreted as legal advice. Instead, this article is for general information purposes only.