At the RIMS 2012 Annual Conference & Exhibition in Philadelphia, one of the “hot topic” sessions will focus on the risks of near-field communication. Your first question is probably, “what is near field communication?” That is understandable. It is a new, emerging technology that few people know about right now. But many experts believe it will soon change the way consumers pay for good.
In short, it is a radio link established between two electronic devices, usually smartphones, that allow them to communicate when they are tapped together. Right now, the business focus on the technology mostly surround the new method of payment it can enable, as when one person can chip in for their share of the dinner bill by entering in a dollar amount and “crossing streams” with the person who picked up the tab. This, and other payment scenarios, represent one more way — and a convenient way at that — that our society is continuing to move away from using cash to buy stuff.
Here is how the session description describes the related promise and threats.
Now paying the check is as easy as using your phone. But this seemingly time-saving and convenient payment poses many threats. To some, the [near field communication] chips embedded in phones and the supporting technology are viewed as more secure than credit or debit cards, with features such as off-site shutdown if a phone is lost. Opponents argue that nearby readers can hijack personal information from nearby points-of-sale. This session will demonstrate this technology and examine the risks to companies that pursue this technology and how those risks can be managed.
The session takes place in the Philadelphia Convention Center on Wednesday, April 18 at 8:45 am. Be sure to attend to find out more. But for those who cannot get to to Philly, I reached out to Larry Collins, head of eSolutions for Zurich and a presenter at the session, to do a Q&A on the matter.
The upside of near field communication seems obvious — so much so that it seems like one of those technologies that the market will push into widespread use, perhaps before most companies really understand what they’re getting into. What are the major risks that businesses may be exposing themselves to?
Larry Collins: There are several issues that need to be considered. First is obvious: hackers or eaves droppers can steal vital information. A near field communication device such as a smart phone is basically acting like a two-way radio. It’s creating a “nearby electrical field” that theoretically only an authorized reading device can pick up. The concerns are that if the field broadcasts to strongly or if some one simply walks by you with an active reader as your smartphone is in its holster on your hip, they may be able to pick up the signal.
The second issue is data storage. The technology companies that are helping with these transactions also may be storing some of the data. Anyone who processes or stores this data is subject to the same privacy and security requirements that exist now for the credit card companies. Data privacy and security will be paramount.
Third is the issue of what the data gets used for. People who transact using near field may be assuming that they’re just making use of their credit card information. If you have their phone information or other data about the consumers involved, and want to use if for other marketing purposes, you may need the card owners permission to do so. Risk managers need to review related rules, such as how long you can keep the data and who gets to see it.
How much more difficult is mobile data to protect than, say, corporate servers housed in an office building or other protected location?
Larry Collins: The issue is that mobile data is still a some what new capability. Ultimately the back-end servers are the same infrastructure as traditional servers. It’s the front-end use of smart phones and smart tablets that is new and, as such, it’s this new use that’s of concern. The security exposures there are still somewhat unknown and may ultimately experience a higher level of breach. Stay tuned on that issue.
Are there any insurance options out there for this? Would this fall under cyber-risk policies that exist now?
Larry Collins: There are several insurance options available for these exposures, although it is important to identify the economic impact for which you are seeking coverage. For instance, an unauthorized party to an NFC-enabled transaction may gain access to either sensitive data (credit card numbers, names, addresses) or they may be able to steal or divert funds. There is risk transfer available for the financial loss elements of both scenarios.
The entity using the NFC technology to offer or enhance their services may incur substantial expenses upon loss of sensitive information, such as the cost of a forensics investigation, notification and provision of call center, credit monitoring. This can also include other fraud remediation services to affected parties, like legal and public relations consultation expenses. The breached entity may even be susceptible to third-party claims and regulatory investigations depending on the circumstances. On the other hand, the breached entity may lose the funds that were to be transferred during the transaction.
Insurance solutions are available for the majority of third party liability and first party expenses, although, it is important to analyze your coverage forms since all of the financial loss elements associated with a breach may not be covered by the same policy. Risk managers should assess the specific elements of financial or economic loss they are willing to retain versus those they need to transfer.
What advice would you give to companies that are beginning to consider using near field communication technology?
Larry Collins: The advice we offer is that companies should manage the exposure the same way they manage any other risk management exposure. Near field communications is great technology. However, existing privacy and security regulations — and there are many — apply to this new technology, too. If your company processes this kind of data, you have to maintain the confidentiality, integrity and availability of the data you capture. Make sure that the ultimate owner of the data — the customer themselves — is aware that you have it, that he has given his permission for you to have it, and that you use it as intended.
NFC technology is great — just make sure you’re company is managing the privacy and security exposures properly.