[BreachExchange] Cybercrime and Data Breach a Rising Threat to All Employers
Audrey McNeil
audrey at riskbasedsecurity.com
Wed Apr 5 19:09:42 EDT 2017
http://www.jdsupra.com/legalnews/cybercrime-and-data-breach-a-rising-82965/
Over the past six months, we have observed a significant uptick in
inquiries about data breach and other cyberthreats from area businesses.
We are asked about pursuing claims for recovery of funds lost due to fraud
by hacking, state notification procedures in the event of a data breach
affecting employees, and general questions about how to prepare or respond
to other IT security problems. The whole subject area is a complex mix of
technical and legal issues and it touches nearly every aspect of the
current business environment. Moreover, the costs to companies that are the
victims of cybercrime and data breach are significant and, unfortunately,
it is no longer uncommon for the costs to bankrupt small and medium-sized
businesses within a short time after the breach is discovered.
Types of cybercrime incidents
Data breach and other cyberthreats come from all quarters and they affect
individuals and organizations of all sizes. Given the recent news about the
Central Intelligence Agency and the National Security Agency being the
subject of now infamous data thefts, including the CIA losing control of
its own toolbox of hacking tricks, many employers are likely to think that
there is little that can be done when the government agencies tasked to
defend our country’s cybersecurity and armed with a government-sized budget
have proven vulnerable. But the size and scope of cyberthreats are not
exaggerated and require vigilance and defenses regardless of your
organization’s size.
So-called “Black Hat” hackers and cybercriminals are after all types of
information that are useful to further a hacking scheme or that can be
monetized easily and anonymously, making it an attractive crime. Phishing
attacks, which prey on human psychology, are attempts to get a victim
unwittingly to click on a link in an email or otherwise provide information
that can be used to unleash malware in an organization’s network or to
provide an entryway for theft of critical or confidential information.
Ransomware attacks deny access to business data by encrypting the content
of company-owned devices and withholding the key until a ransom is paid.
The advent of Bitcoin and other cryptocurrencies, whose transactions are
pseudonymous and difficult to trace, has only emboldened ransomware
schemes. Both types of attack typically rely more on weaknesses in human
psychology than on technical weaknesses in software or hardware, although
ransomware is also delivered through unpatched software. Simple theft or loss also can be a
source of data breach. Employees now carry around huge troves of business
data in their mobile phones, laptops, and other devices. The theft of a
mobile phone or the loss of a laptop by leaving it behind at airport
security can be an event that causes all kinds of headaches for an employer.
Data breach incidents have a panoply of repercussions for businesses that
suffer them. Not only is there the threat of liability for the damage, but
also the reputational harm with client relationships and in the
marketplace. Retailer Target Corporation, which was the subject of a 2013
data breach, reported $61 million in losses from the breach and received
only $44 million in insurance coverage for the fourth quarter of 2013, when
the breach was announced. Those figures do not include the costs of
litigation, fraud claims, and investigation expenses that Target continued
to incur well after the breach was announced. In 2015, Target paid a
settlement of approximately $10 million to settle a class action suit by
consumers affected by the data breach. And the data does not include the
lost sales that may have been attributable to the lost confidence in
Target’s security.
What information do you have that you need to protect?
Even organizations that are not specifically tasked with handling or
protecting sensitive data should carefully consider what kinds of
information they possess that requires protection and where it is located.
A firm does not need to be a financial services company or a healthcare
provider to have sensitive data that may subject it to legal liability if
the information is lost or compromised through a data breach incident.
Small businesses of all types will have personnel information about their
employees, customer lists, and other intellectual property that should be
kept from prying eyes either because it is personal information or it
contains the trade secrets for the business. Employee and benefits files
with information about payroll, tax withholding, insurance, and retirement
plans likely will contain personal identifying information that is subject
to federal and state law governing protection of data, such as social
security numbers, bank account numbers, and dates of birth. The electronic
payment systems at retailers large and small can be an avenue for stealing
the credit card numbers of customers.
Employers also need to think about where their data is located and how it
moves around. Company data is not just on company personal computers and
servers. It now moves around on a wide variety of devices and storage
locations. Mobile phones, tablets, and laptops all carry company data and
files and travel with your employees. Cloud-based services also may hold
data. And employees may use their own devices or download company files to
their home computers and networks or use their own cloud-service providers
such as DropBox, Google Drive, or iCloud. Some of this data may even be
replicated or stored in unforeseen ways by data backup systems that move
data to other storage formats or locations. Moreover, most businesses rely
on many vendors that provide services for which confidential information
needs to be passed back and forth and that transmission can be a weak spot
that is susceptible to exploitation. Examples of these vendors are banks,
payroll processing companies, accountants, bookkeepers, lawyers, IT
consultants, or any Internet-services vendors, such as an Internet service
provider or a cloud-based software provider.
What are an employer's responsibilities and potential liabilities around
data breach?
Courts and government agencies are constantly evolving their approach to
cybercrime and data breach issues. The Federal Trade Commission has taken
the lead for the federal government as the enforcement agency for data
breach and cybercrime incidents. A 2015 decision from the U.S. Court of
Appeals for the Third Circuit affirmed the FTC’s authority to regulate
cybersecurity under its authority to regulate “unfair or deceptive acts or
practices in or affecting commerce.” The case involved Wyndham Hotels
and Resorts, where hackers had successfully accessed Wyndham’s computer
systems and stolen personal and financial information of consumers leading
to over $10 million in fraudulent credit card charges. The court concluded
that the FTC has a broad mandate to hold businesses accountable for not
adhering to cybersecurity practices that unreasonably expose personal data
to unauthorized access and theft.
The FTC does not limit its enforcement to large hotel chains. From 2013
through the present, it has pursued LabMD, Inc., a small medical testing
laboratory in Georgia that exposed the medical information of approximately
10,000 consumers to a peer-to-peer file sharing network called LimeWire
that had been set up by an employee on a billing department computer. As a
result, LabMD’s billing files were exposed to the entire peer-to-peer
network. Files from the company were later discovered in California during
a criminal investigation. The FTC’s order faulted LabMD for failure to
protect its computer network or employ adequate risk assessment tools,
failure to provide data security training to its employees, and failure to
adequately restrict and monitor computer practices of individuals using its
network. LabMD began to wind down its operations in 2014, largely due to
the fallout from the data breach and FTC enforcement action.
In a more salacious case, the FTC and 13 states and the District of
Columbia recently settled with Ruby Corporation, the firm that ran the
infamous Ashley Madison site for matching people looking to have
extramarital affairs. Millions of subscribers to the site had their usage
exposed when hackers attacked the site. Ashley Madison had sold a service
for an extra fee that purportedly removed all traces of a user’s usage of
the site. But the data was retained and exposed in the hacking incident.
The firm settled for $17.5 million, but was only able to pay $1.66 million.
State attorneys general also are taking up the mantle for protection of
employees and consumers within their jurisdictions. State statutes
requiring notification of employees or consumers in the event of a data
breach are now on the books in 47 states and the District of Columbia.
These statutes have provisions for the timing and content of a notice of
data breach that vary from state to state. Employers faced with a data
breach situation involving employee or consumer data may have both a notice
obligation to the employees or consumers and an obligation to notify the
state attorney general’s office of the breach. Such notice brings with it
reputational risks and the attention of law enforcement agencies. In
February 2017, Boeing Corporation notified the Attorney General in
Washington that personal information, including birth dates and social
security numbers for 36,000 employees, was sent to the spouse of an
employee who wanted help with formatting a spreadsheet.
While cybercrime and data breach are relatively new subjects for courts,
old legal doctrines, such as breach of fiduciary duty and negligence can be
used to assign liability to employers or other parties. Companies may also
face contractual liability to their clients or customers if their contracts
include indemnification provisions for damage or have other contractual
requirements that are breached through a cybercrime incident. And the
possibility of trebled damages exists if employers are found to have
breached unfair trade practices statutes.
Defenses and other protection
Employers should think about their defenses from cybercrime and data breach
from three different angles: (1) technical solutions; (2) employee
training; and (3) insurance.
With respect to technical solutions, employers should make sure that they
are promptly applying their software vendors' updates and patches, so that
known vulnerabilities are closed before attackers can exploit them.
Employers should deploy anti-malware software and should consider tools
that filter and block access to websites known to be under the control of
hackers and cybercriminals. Password policies have traditionally required
both a complex password and changing of the password on a periodic basis;
note, however, that NIST Special Publication 800-63B now advises against
forced periodic rotation (which tends to produce predictable variations)
in favor of long passwords, screening new passwords against lists of
known-breached passwords, and multi-factor authentication for any account
that matters. Password management software can ease the burden of these
policies on employees and also give employers a way to enforce them.
Employee training also is essential. Most technical solutions can be
defeated by an employee who unwittingly or carelessly opens the door to a
hacker as in the Boeing incident. Insurance industry data shows that
one-third of data breach and cyberthreat claims have at their root some
form of employee negligence. Training regimens should include not only how
to use anti-malware software and password managers, but also real-world
phishing drills. IT staff or consultants can test organizational readiness
by sending out emails designed to induce an employee to click on a link or
to enter their login information for a critical business system such as
email, and report the results to management. Employees should be trained
to identify the telltale signs of a phishing scheme: poor grammar or
spelling in the message, strange syntax from a sender you know, a message
about an otherwise unknown event, a request for credentials, or links that
do not go where they appear to, such as a link whose visible text names
your bank but whose actual destination is an unfamiliar or foreign domain.
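The last sign above, a link whose visible text does not match its real destination, can be checked mechanically before a message reaches an inbox or during a phishing drill. The following is an added example written for this page (it is not code from the original article or its author): a small Python scanner that parses the HTML body of an e-mail, extracts every link, and flags three things: visible text that names one host while the href points at another, punycode (xn--) lookalike hosts, and non-web schemes such as javascript:. The sample message, the domains example-bank.com and login-verify.net, the xn-- label, and the two-label "registrable domain" heuristic are all constructed for the demonstration.

```python
"""Heuristic checks for phishing-style links in an HTML e-mail body.

Added example for this page. It implements three telltale signs:
  * the visible link text names one host but the href points at another
  * the target host contains a punycode (xn--) label, a common lookalike trick
  * the link uses a non-web scheme such as javascript: or data:
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A hostname embedded in the visible text, e.g. "www.example-bank.com" inside
# "Log in at https://www.example-bank.com/login".
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace in the anchor text.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (assumption for the demo;
    a real filter would consult the public suffix list to handle co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return a list of human-readable findings for one link (empty = clean)."""
    findings = []
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https", "mailto"):
        findings.append(f"non-web scheme {scheme}:")
    target = (parts.hostname or "").lower()
    if any(label.startswith("xn--") for label in target.split(".")):
        findings.append(f"punycode host {target}")
    match = HOST_RE.search(text)
    shown = match.group(1).lower() if match else None
    if shown and target and registrable(shown) != registrable(target):
        findings.append(f"text says {shown} but link goes to {target}")
    return findings


def scan_html_email(html):
    """Return one record per suspicious link in the message body."""
    collector = _LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        findings = check_link(href, text)
        if findings:
            report.append({"href": href, "text": text, "findings": findings})
    return report


# Constructed sample message (not a real phish): one clean link and three
# that should trip the checks. All domain names are made up.
SAMPLE_EMAIL = """
<p>Your account has been locked. Please verify your details at
<a href="http://example-bank.com.login-verify.net/auth">https://www.example-bank.com/login</a>
or read <a href="https://www.example-bank.com/help">our help page</a>.
<a href="javascript:alert(1)">Download your statement</a> or visit
<a href="http://xn--exmple-bank-cua.com/">example-bank.com</a>.</p>
"""

if __name__ == "__main__":
    for item in scan_html_email(SAMPLE_EMAIL):
        print(item["href"])
        for finding in item["findings"]:
            print("   -", finding)
```

Run stand-alone, the script reports the first, third and fourth links and leaves the genuine help-page link alone. The registrable-domain comparison is deliberately forgiving (www.example-bank.com and example-bank.com compare equal) so that the check flags real redirection rather than ordinary subdomain differences; a production filter would also decode punycode labels for display and consult the public suffix list.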
Insurance is the third element of the defense triad. Data protection or
cybercrime insurance policies are being marketed aggressively by insurance
companies due to the constantly expanding threat. Insurance always should
play some role in any strategy to defend against legal liability, just as
businesses use general liability insurance to protect against liability for
other hazards. Indeed, many insurance carriers offer cybercrime insurance
as a rider to their general liability policies. Insurance can provide
coverage for the costs of investigation and notification in the event of
data breach or cybercrime. But employers should read policy language
carefully and think about the risks and exposures that they are trying to
cover through an insurance contract. The insurance industry also is
grappling with the nature of cybercrime and data breach risks and how to
assess premiums based on those risks. A careful reading of any policy
exclusions is important. Many policies do not cover certain types of
negligence incidents, attacks that can be linked to nation states, data
breach events affecting your information at third-party vendors, or
expenses imposed by government enforcement agencies, such as a requirement
to provide identity-theft protection to everyone affected by the breach.
Some policies also exclude coverage for devices that are not employing
encryption at the time that they were lost or stolen. In such cases, your
insurance coverage may depend upon whether you have an encryption solution
in place and your employees trained to use it. All three defensive elements
must be in place.
Conclusion
This article only serves as a primer for the myriad issues that arise with
data breach and other cybercrimes. Unfortunately, the problems have become
so pervasive that significant time and resources must be devoted to them
regardless of your profession or industry. Employers must remain vigilant
about their weak points and regularly check on the defenses they employ,
whether technical solutions, employee training, or through insurance to
ensure that they remain current in this constantly evolving and hostile
environment. Additional resources for cybersecurity information are
abundant, but among the most prominent is the National Institute of
Standards and Technology’s (NIST) Framework for Improving Critical
Infrastructure Cybersecurity, published in 2014. NIST has a web site with
documents and webinar materials about its framework that will help you
start thinking about managing the risks of cybersecurity.