B2B Payments: Shifting Potential Liability

There are a lot of things that keep chief security executives up at night including disasters, theft of intellectual property, budgets, compliance, training and securing mobile devices. Added to this list is a growing awareness of the financial liability associated with a data breach.  There have been well-known reputable businesses who have suffered large-scale data security breaches, some of which have been well publicized but most of which have received little or no publicity.  But they are all victims of the ever-increasing volume of attacks directed at corporate systems.

The April 2012 Update to the Navigant Information Security & Data Breach Report documents this trend, comparing some startling statistics between Q3 2011 and Q4 2011:

• There was an 88% increase in the number of records breached from quarter to quarter (Q3: 1.02 million records vs. Q4: 1.93 million records).
• 50% of Hacking incidents targeted corporate entities in Q3, while 67% targeted corporate entities in Q4.
• The average number of records breached per incident increased 71% from quarter to quarter (Q3: 18,253 vs. Q4: 31,069).

The same report analyzes the causes of data breaches and the results show that risks abound internally as well as externally:

• Theft (40%)
• Hacking (23%)
• Public Access or distribution (23%)
• Loss (8%)
• Unauthorized Access/Use (3%)
• Improper Disposal (2%)

As the B2B payments industry has been slowly migrating away from check payments to electronic payments, many businesses have gathered banking information about their suppliers.  This is usually the supplier’s bank account and routing numbers which are needed for processing electronic payments via ACH or wire.  But the very data that enables efficiencies and lowers cost in payment processing now creates a potential financial liability should the AP system come under attack and suffer a data breach. 

In the past year, I have talked to a number of companies who are attracted to outsourced payment execution in part because they would no longer need to maintain such banking information in their systems.  Shifting the responsibility of securing data to a vendor who has deep expertise in securing financial systems is a very attractive proposition.  Interestingly enough, I also see suppliers who will readily accept invoice payments via a virtual credit card in part because that payment method does not require them to share their banking information.

What are your thoughts on shifting potential liability?  I'd like to hear from you.