Over the past six months, we have observed a significant uptick in inquiries about data breach and other cyberthreats from area businesses. We are asked about pursuing claims for recovery of funds lost due to fraud by hacking, state notification procedures in the event of a data breach affecting employees, and general questions about how to prepare or respond to other IT security problems. The whole subject area is a complex mix of technical and legal issues and it touches nearly every aspect of the current business environment. Moreover, the costs to companies that are the victims of cybercrime and data breach are significant and, unfortunately, it is no longer uncommon for the costs to bankrupt small and medium-sized businesses within a short time after the breach is discovered.
Types of cybercrime incidents
Data breaches and other cyberthreats come from all quarters and they affect individuals and organizations of all sizes. Given the recent news about the Central Intelligence Agency and the National Security Agency being the subject of now infamous data thefts, including the CIA losing control of its own toolbox of hacking tricks, many employers are likely to conclude that little can be done when the government agencies tasked to defend our country’s cybersecurity, armed with a government-sized budget, have proven vulnerable. The lesson is the opposite: those thefts show that the size and scope of cyberthreats are not exaggerated, and vigilance and defenses are required regardless of your organization’s size.
So-called “black hat” hackers and cybercriminals are after any information that is useful to further an intrusion or that can be monetized easily and anonymously, which makes it an attractive crime. Phishing attacks, which prey on human psychology, are attempts to get a victim unwittingly to click on a link, open an attachment, or enter credentials on a look-alike site, giving the attacker a foothold in the organization’s network or a path to steal critical or confidential information. Ransomware attacks hold business data hostage by encrypting the contents of company devices and shared drives so that users cannot access them until a ransom is paid. The advent of Bitcoin and other cryptocurrencies, which allow payments over the Internet without a bank or an identified account holder, has emboldened ransomware schemes by making the payments very difficult to trace to a person. (Bitcoin transactions are recorded on a public ledger, so they are pseudonymous rather than truly anonymous, but connecting them to an operator still takes substantial investigative effort.) Phishing exploits weaknesses in human psychology more than technical weaknesses in software or hardware; ransomware is most often delivered the same way, but it also spreads by exploiting unpatched software and exposed remote-access services, so employee awareness alone is not a sufficient defense. Simple theft or loss also can be a source of data breach. Employees now carry around huge troves of business data on their mobile phones, laptops, and other devices. The theft of a mobile phone or the loss of a laptop left behind at airport security can cause all kinds of headaches for an employer; whether that loss becomes a reportable breach often turns on whether the device was encrypted and could be remotely wiped, since many state breach notification laws apply only to unencrypted personal information.
Data breach incidents have a panoply of repercussions for businesses that suffer them. Not only is there the threat of liability for the damage, but also the reputational harm to client relationships and standing in the marketplace. Retailer Target Corporation, which was the subject of a 2013 data breach, reported $61 million in breach-related expenses for the fourth quarter of 2013, when the breach was announced, offset by only $44 million in expected insurance recoveries. Those figures do not include the costs of litigation, fraud claims, and investigation expenses that Target continued to incur well after the breach was announced. In 2015, Target paid approximately $10 million to settle a class action suit by consumers affected by the data breach. Nor do these figures include the lost sales that may have been attributable to lost confidence in Target’s security.
What information do you have that you need to protect?
Even organizations that are not specifically tasked with handling or protecting sensitive data should carefully consider what kinds of information they possess that require protection and where that information is located. A firm does not need to be a financial services company or a healthcare provider to have sensitive data that may subject it to legal liability if the information is lost or compromised through a data breach incident. Small businesses of all types will have personnel information about their employees, customer lists, and other intellectual property that should be kept from prying eyes, either because it is personal information or because it contains the trade secrets of the business. Employee and benefits files with information about payroll, tax withholding, insurance, and retirement plans will likely contain personal identifying information that is subject to federal and state data protection law, such as Social Security numbers, bank account numbers, and dates of birth. The electronic payment systems at retailers large and small can be an avenue for stealing the credit card numbers of customers.
Employers also need to think about where their data is located and how it moves around. Company data is not just on company personal computers and servers. It now moves around on a wide variety of devices and storage locations. Mobile phones, tablets, and laptops all carry company data and files and travel with your employees. Cloud-based services also may hold data. And employees may use their own devices, download company files to their home computers and networks, or use their own cloud-service providers such as Dropbox, Google Drive, or iCloud. Some of this data may even be replicated or stored in unforeseen ways by backup systems that copy data to other storage formats or locations, so a file deleted from a laptop may survive for years in a backup set. Moreover, most businesses rely on many vendors that provide services for which confidential information needs to be passed back and forth, and that transmission can be a weak spot that is susceptible to exploitation. Examples of these vendors are banks, payroll processing companies, accountants, bookkeepers, lawyers, IT consultants, or any Internet-services vendor, such as an Internet service provider or a cloud-based software provider.
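The two paragraphs above ask a business to work out what regulated data it holds and where it has ended up. The practical first step is a data-discovery scan of file shares, backup folders, and synced cloud directories. The script below is an added example written for this article, not code from the original page or from any vendor it mentions. It scans a directory tree for two of the identifiers the article names, Social Security numbers and payment card numbers, and reports only where they were found and how many, with the values masked so the scan itself does not create a new copy of the data. The SSN formatting rules (invalid area numbers 000, 666 and 900–999) and the Luhn check on card numbers are assumptions about the data formats, not something the article states; dates of birth and bank account numbers have no reliable pattern and are left out. The sample files are constructed for the demonstration and contain only publicly known test card numbers.

```python
"""Find files that appear to hold Social Security numbers or payment card
numbers so a business can see where regulated data actually lives.

Added example for illustration; not from the original article. The format
rules below are assumptions: U.S. SSN area/group rules and Luhn-validated
13-19 digit card numbers.
"""
import os
import re
import tempfile

# SSN: area-group-serial. Areas 000, 666 and 900-999 are never issued, and
# group 00 / serial 0000 are invalid, so those are excluded up front.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally split by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by all major card brands (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return {'ssn': [...], 'pan': [...]} for one block of text.

    Values are masked to their last four digits. Card candidates are kept
    only if they pass Luhn, which filters out most order numbers, phone
    numbers and timestamps that happen to be the right length."""
    hits = {"ssn": [], "pan": []}
    for ssn in SSN_RE.findall(text):
        hits["ssn"].append("***-**-" + ssn[-4:])
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["pan"].append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def scan_tree(root: str, max_bytes: int = 5_000_000) -> dict:
    """Walk root and return {relative_path: {'ssn': n, 'pan': n}} for every
    file with at least one hit. Files are read as text with undecodable
    bytes dropped, so binary files rarely produce matches; very large files
    are skipped rather than read into memory."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_pii(fh.read())
            except OSError:
                continue                      # unreadable file: skip, keep going
            counts = {k: len(v) for k, v in hits.items() if v}
            if counts:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = counts
    return report


# Constructed sample data for the demonstration. The card numbers are the
# well-known Visa/Mastercard test numbers, not real accounts.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,ssn,salary\nA. Employee,123-45-6789,52000\n"
                      "B. Temp,666-12-3456,0\n",            # 666 area: invalid
    "sales/refunds.txt": "Refund to card 4111 1111 1111 1111 approved.\n"
                         "Ref 4111111111111112 is an order id (fails Luhn).\n",
    "backup/old-laptop/notes.txt": "Meeting moved to 10-30-2019. Call 555-0199.\n",
}


def demo() -> dict:
    """Write the sample files to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, counts in demo().items():
        print(path, counts)
```

Run against a real share, the report tells you which folders need access restrictions, encryption or deletion, and which backup sets are quietly holding payroll data. Expect false positives on any regex-only scan; the Luhn and SSN-range checks remove the obvious ones, but a human still has to confirm each flagged file before deciding what legal obligations attach to it.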