We recently posted a series of articles on the impact of an HVAC System to your bottom line, including the importance of a comfortable temperature for customer retention. Not long ago, in an attempt to maintain the kind of comfort that encourages folks to stay in stores on frigid winter days, Target authorized its HVAC vendor to monitor temperature, troubleshoot system issues and chances are, if you own a computer, or a television, or a radio, or a newspaper you know the rest of the story.
Target learned a hard lesson about vetting third party providers when the credit and debit card information of 40 million customers was stolen by malware installed on their point-of-sale terminals. An investigation into the security breach revealed that the data thieves likely gained access to Target’s computer systems by means of the electronic connection granted to Fazio Mechanical Services, Inc., a heating and refrigeration company in Pennsylvania. The financial losses that Target faces as a result of the breach may total in the hundreds of millions of dollars, including PCI non-compliance fines, reimbursement of financial institutions for the replacement of payment cards, and credit monitoring and legal fees for the millions of potentially affected consumers.
For over six decades Arista has been providing HVAC services to New York City’s commercial and high-end residential market. The Target scandal generated an internal discussion amongst our teams regarding security—both data, and physical. The following are some of our thoughts on the subject.
When you hire a contractor to service your HVAC system, you’re giving that company and its employees a high level of access to your property—both tangible and digital. Not only must you be able to trust your HVAC company to complete their work with care and professionalism, you must also be confident that they’ll treat access to sensitive personal information (like payment and customer details) with the same care and professionalism. That means trusting more than just the skill and expertise of your technician. It means trusting your service provider’s ability to successfully screen employees, maintain secure data systems and manage a company culture that promotes transparency, honesty and trustworthiness.
The approach taken by the Target data thieves might seem unexpected – exploiting an HVAC contractor’s connection to a retailer’s computer systems to rob them of customer financial data – but given the choice, criminals would rather find a less well-guarded access point to reach their objective than run straight at the security measures meant to stop them. It’s the high-tech equivalent of heist perpetrated by someone in a security guard uniform—you expect a level of security, so you don’t ask questions. So how can you protect yourself? The first step is understanding how to vet your HVAC company for reliability and security.
- Be sure that the company you are considering is licensed (according to whatever requirements are imposed by your state and city or municipality), bonded, and insured.
- Check the company’s standing with the Better Business Bureau to see if any reports or complaints have been logged against them, and how those complaints were resolved.
- Ask the company you are considering for a list of references from recent customers who can attest to the quality of the work and the contractor’s level of care and professionalism – and follow up with these references to ask for more detail about how their projects were handled.
In addition, take this opportunity to ask the HVAC vendor specific questions related to security and technology integration. We suggest putting the following questions to the company’s representatives (even if you aren’t concerned about data security):
- Who, exactly, will be working on your property?
- Does the provider bring in independent contractors for additional services, or will every worker be on the company’s own payroll?
- What physical and electronic access will the company’s workers need to your systems in order to complete their work?
- If you are prepared to give your HVAC provider external network access for monitoring, do you have the network and data security systems in place to ensure payment details can be cordoned off?
Vetting new vendors can be challenging enough, without worrying about security concerns. For more tips on finding the right service provider for your company, check out our post on 10 Questions to Help You Find the Perfect HVAC Service Provider. And, to learn more about transitioning a new service, download our white paper, Contract Confidence: Transitioning to a New HVAC Service Provider.
