Articles Posted in Data Breach

Agreeing to ransom terms is a losing proposition; spend your time and energy preparing for an attack.

Ransomware attacks are on the rise, partly because of the ease and anonymity of crypto-currencies. In a typical ransomware attack, cyber criminals invade a computer system and encrypt key data, then threaten to destroy the data unless the victim pays the criminal a relatively minor sum (ranging from hundreds to thousands, or in rare cases, tens of thousands of dollars). Schemes go by the teasing names of CryptoLocker and WannaCry, but there’s nothing playful about finding that you are a target. Ransoms are priced at a level that encourage compliance with the criminal demand. Yet there’s nothing that ensures a payment will actually free up your data and the utility of your system – in many cases, it’s clear that the criminals never intended to unencrypt the data.  Moreover, once a system has been compromised, there can be little doubt that the hackers accessed sensitive data and left behind malware allowing them to create more mischief.

There is fierce debate over how to respond to attacks; even the FBI at one point seemed to advocate paying ransom to reclaim stolen data, though it clarified its position in 2016 and no longer recommends payment.  At the same time, for many firms, spending a relatively modest sum to recover mission-critical data sounds better than spending a far greater sum to recover only a portion of that data.  The latter approach is, however, a poor use of resources; rather than trying to determine whether to agree to ransom terms, spend your time and energy preparing for an attack. Companies should consider a ransomware attack as you would any other cybersecurity breach. That is, it is going to happen, the only question is when. Sound preparation boils down to several key considerations.

1. Back Up Data and Store It Properly

Any system is vulnerable when there is only one copy of data, or when backups are stored on tied or companion systems. If cyber criminals encrypt data on your main system, it’s important to be able to access the original data, and that means copying and storing it on a separate, secondary system that is untethered from the main system, and where it is possible to extract uninfected data. This is sound practice no matter what the threat; ransomware has only highlighted its importance. Whether its financial data, health records, or city citations, having multiple ways to access data is key. Moreover, simply having a backup is not sufficient; unless the backup is tested, one can never determine whether it is effective, how long it will take to implement, and other key issues. Continue reading

The stakes have been raised as the EU’s new General Data Protection Regulation, or GDPR, mandates notification within 72 hours. Once that happens, social media and public opinion give you only hours to get it right.

It’s often said that one can do something well, or quickly, but not both.  Corporate America is facing a world where the public demands both speed and accuracy; companies have one chance to get it right, and get it right at once.

Consider the two most recent examples: on April 12, two black men were arrested at a Philadelphia Starbucks after they entered the store and failed to place an order as they waited for a friend to arrive. The arrest was videotaped and posted on Twitter, where it immediately went viral. Within two days, CEO Kevin Johnson was apologizing for “a disheartening situation” that led to a “reprehensible outcome.” On May 29, Starbucks closed all its stores in order to train employees on racial sensitivity and implicit bias. Six weeks later, ABC reacted to an inflammatory, early morning tweet by Roseanne Barr within hours, calling it “abhorrent, repugnant and inconsistent with our values,” and cancelled her top-ranked TV show.

The lesson here is that the initial corporate emergency response time to a public relations calamity shrank from two days to several hours in just over a month.

What does this have to do with cybersecurity? Everything.

Cybersecurity and data breach response plans are all about dealing with a fast-moving and soon-to-be public crisis. Notifications, and therefore publicity, are mandatory. The stakes have been raised as the EU’s new General Data Protection Regulation, or GDPR, mandates notification within 72 hours. Once that happens, social media and public opinion give you only hours to get it right. And as we know so painfully from the Equifax breach, that needs to be done correctly the first time round. Equifax notified the public of its data breach – covering more than 143 million people and attacking its core business – a month after it discovered the breach, and when it did, its reaction was widely criticized. Continue reading

padlock-cybersecurity-300x203

 

Welcome to the third article in our series of blogs about blockchain technology and its impact on business practices, corporate governance and cybersecurity.

 

 

In Robert Braun’s article, Blockchain: The good, the bad, and how to tell the difference published by FinTech Weekly, he explores two issues about blockchain that trouble many in the business community: “How secure is blockchain, really?” and “Is it too good for criminals”? He also explains the connection between blockchain and climate change, and offers up some guidelines for adopting blockchain (or investing in its technology). He writes:

“Blockchain has been touted as a disruptive technology that can be used to benefit virtually any transaction, ranging from money transmission to supply chain management, to restaurant reservations.  With its promise of highly secure, private and instantaneous transactions, blockchain would seem to enhance any transfer or transaction. But while blockchain technology has caught the imagination of the public, it is based on an extension of existing technologies, not on something truly new.  It is disruptive, but not in the sense that the creation of mortgage-backed securities or the Internet was disruptive.  Those changes created entirely new opportunities and markets; blockchain is a technique that allows for new ways of doing the same thing.  At the same time, cryptocurrencies – by far, the most popular of blockchain applications – has shown the shortcomings in the technology or, at least, in how it has been adopted.”

To read the full article, see Blockchain: The good, the bad, and how to tell the difference

To read the first article in this series, see So, What is This Blockchain Thing?
To read the second article in this series, see The Four Horsemen of Cryptocurrencies: Volatility, criminal activity, security issues and human error

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

padlock-cybersecurity-300x203

 

Welcome to the second article in our series of blogs about blockchain technology and its impact on business practices, corporate governance and cybersecurity.

 

 

In Robert Braun’s article, Cryptocurrencies – Does the Next Big Thing have Staying Power?, published by FinTech Weekly, he describes four challenges that arise in the use of cryptocurrencies, and potentially in other blockchain applications: volatility, criminal activity, security issues, and human error.  He writes:

“Cryptocurrencies – not just bitcoin, but any of the hundreds of different currencies that have been created using blockchain technology – have caught the imagination of the public.  There are, seemingly, daily articles that predict either the demise of all traditional currencies in favor of cryptocurrencies, and just as many articles predicting the demise of cryptocurrencies.  While cryptocurrencies are just one of the many uses of blockchain technology, the challenges cryptocurrencies face may reflect hurdles for other uses of bitcoin. With that in mind, four challenges arise in the use of cryptocurrencies, and potentially in other blockchain applications.”

To read the full article, see Cryptocurrencies – Does the Next Big Thing have Staying Power?

To read the first blog in this series on blockchain technology, see So, What is This Blockchain Thing?

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

This article was originally published by Hotel Business Review and is reprinted with permission from www.hotelexecutive.com.

Almost as soon as there were data breaches, hotels became a prime target of hackers, and the hospitality industry has consistently been one of the most commonly targeted businesses. Since 2010, hotel properties ranging from major multinational corporations to single location hotels have been impacted.

The recent report that Hyatt Hotels was a victim for the second time in as many years has raised more concerns about the industry’s ability to address cybersecurity. While consumers are so used to receiving breach notices that “breach fatigue” has set in, the second successful attack on Hyatt is sure to raise the eyebrows of regulators, plaintiffs’ lawyers, and guests. The data breach will affect the loyalty, trust and consumer perception of all Hyatt Hotels guests. So how can hotels prove to guests that they are safe and trustworthy?

“While the company claims that it has implemented additional security measures to strengthen the security of its systems, no explanation was given as to why these additional measures were not implemented after the first attack,” said Robert Cattanach of Dorsey & Whitney. “Estimates of actual harm have yet to be provided, which is typically the weak spot of any attempted class action, but the liability exposure seems problematic regardless.”

Hyatt is in no way alone. On November 2, 2017, the BBC reported that Hilton was fined $700,000 for “mishandling” two data breaches in 2014 and 2015. The attorneys general of New York and Vermont said Hilton took too long to inform their guests about the breaches and the hotels “lacked adequate security measures.” Hilton discovered the first of the two breaches in February 2015 and the second in July 2015, according to the article, but the company only went public with the breaches in November 2015. The company has said there is no evidence any of the data accessed was stolen, but the attorneys general said the tools used in the data breaches made it impossible to determine what was done. Continue reading

The cybersecurity breaches this month of Equifax and Deloitte—both firms that tout the value of their data and security acumen—show that no company is immune to hacking.

But there is one thing that smart companies can do, both before and during a breach, and that is to develop and deploy an appropriate narrative when a security disaster strikes. That narrative needs to hew to the facts, take into account the known unknowns, and appeal not to shareholders or the press but to customers and regulators. Done right, these statements can differentiate between a recoverable data breach and a cybersecurity-related corporate disaster.

What makes this so difficult for companies and CEOs is that the right response often goes against all they’ve learned about positioning the company. Let’s dissect those impulses.

  1. Shareholder value is intact. A company sees shareholders as its most important constituency and wants to reassure them. Actually, you have no idea the impact on shareholder value, because you have no idea the full extent of the breach, how the market will receive it, and how customers and regulators will react. Incorporating this concept into any narrative is ill-advised at best.
  2. We have this under control. Company leaders do not want to exhibit weakness. However, as part of an initial statement, there is only a remote chance that the situation is under control. It takes time to learn the extent of a breach, both its breath, duration, and ultimate impact. Far better to say you are working with experts, regulators and consumer advocates to understand the extent of what may have been compromised, and that you are pushing forward diligently in this regard.
  3. We are doing all we can to mitigate the effects. Company executives often have a bias toward action. You may want to do that, but that’s impossible until you discover the scope of the data loss. Regulators are not interested in immediate solutions. They want to know that you are doing all you can to learn about the situation, not the specifics about the Band-Aids or tourniquets. They want to know your long-haul commitment.

Continue reading

There may be much more missing than the headlines suggest.

Some 30 million people watched the Season 7 premiere of “Game of Thrones,” according to its creator, HBO. It’s one of the hottest media properties in years.

The popularity of the show, and HBO’s other properties, made HBO the perfect target for attention-hungry hackers who breached HBO’s systems this summer and made off with a script for a future episode and a reported 1.5 terabytes of other information–an astounding amount of data. By comparison, the 2014 Sony hack, which disclosed troves of embarrassing corporate emails and led to the departure of the company’s co-chair, was 200 gigabytes. The HBO breach is roughly seven times larger.

The size of the breach made us question – is this incident more than a spoiler for Game of Thrones and unreleased episodes of several other HBO shows?  Or did the hackers have something else in mind?  And it points out a sobering fact about many cybersecurity breaches: despite the best forensics, it can be hard to quantify their scope and know the true boundaries of what data has been taken or otherwise compromised.

The question was answered a few days later when the hackers demanded a multi-million dollar ransom to prevent the disclosure of more episodes of more shows and damaging emails and other information – and, to prove their point, released personal phone numbers of Game of Thrones actors, emails and scripts.  HBO and the hackers are now in negotiations, with the hackers demanding “our six-month salary in bitcoin”, claiming they earn $12 to $15 million  a year from blackmailing organizations whose networks they have breached. Continue reading

padlock-cybersecurity-300x203

It’s ironic: when global threats are in the news every day, their ubiquity makes them easy to ignore. Whether they be political threats, climate threats, or data security threats, we can become numb to ever-present risk. Add in the chorus of advice from the growing number of providers, and even those who want to act become paralyzed by choice and complexity.  Cybersecurity is no exception – the daily deluge of breach notices and press reports of massive attacks has made us less, not more, sensitive to the threat.

Crisis fatigue can be compounded with defeatist thinking, believing that no matter what you do, you will still be hacked and have your data compromised.  So it is no surprise that while companies know data security should be a top priority, in reality, it’s easy to focus on more urgent – but less essential – items.

Cybersecurity faces additional hurdles that make it even challenging to address.  By identifying those hurdles, however, firms may be able to overcome these barriers and move forward on the path to minimizing one of the greatest risks your company faces.

Data Security Is Expensive – But Not as Expensive as the Alternative

Implementing a cybersecure environment requires a commitment in technology, training, and adapting to the constant rate of change and upgrading processes. The extra steps needed for the simplest of tasks, such as logging in, add to the daily cost of doing business.

Gartner estimates that worldwide spending on data security this year will hit $90 billion. It’s understandable that a CEO would see that as money lost from corporate value. But these expenditures should be seen  as an investment to preserve corporate value. Breaches are much more expensive and disruptive than the budgeted, planned improvements to systems, which can be controlled and implemented over time.

Intelligent and consistent technology upgrades, combined with regular training for all employees, are, in the end, better for a company’s bottom line than crisis management and costly technology remediation after the fact. Creative corporate leaders reframe the expense question and find budget for what’s vital.

Data Security Seems Really Complicated

For most of us, data security is complicated. We aren’t IT professionals, and venturing into the cybersecurity world is a challenge. Those who suffer any amount of technophobia may assume that they don’t know it and, more dangerously, that they can’t learn it. The technology community can reinforce this fear by speaking a foreign language and using unfamiliar terminology, all of which creates another barrier for non-technical executives and managers who need to understand the issues sufficiently enough to make intelligent decisions. Non-technical company management often feel that they are at the mercy of the IT experts. Even those who master important concepts in data and cybersecurity may doubt that knowledge, as there can be a tendency on the tech side to stress just how complicated things really are, reinforcing the need for their expertise. Continue reading

cursor-clicks-red-VIRUS-button-300x225

Ever since California adopted the nation’s first breach notification law in 2002, companies that have suffered a data breach have focused on whether and how to notify their customers, employees and others of the nature and extent of the breach.  California’s law has been amended multiple times, and has been followed by breach notification laws in almost every state, as well as the notification requirements under the Health Insurance Portability and Accountability Act (“HIPPA”).  As these laws developed, a tandem requirement has emerged:  the obligation to take reasonable steps to protect data, and companies are, increasingly focused on taking steps to ensure the security of their data.

Recent breaches, however, have made it clear that these efforts do not address what might be the most pressing problem facing businesses:  how to recover from a malicious attack.  As data security attacks have evolved, firms must recognize an entirely different set of risks.

In the past, most hackers have focused on obtaining financial or personal information for profit.  Thus, the most publicized data breaches – Wyndham and Target, as examples – were directed at obtaining credit card information which could be sold on the dark web.  While these incidents can be expensive, they rarely threaten the existence of a firm; indeed, most consumers are so inured to the likelihood that their credit card information may be stolen that they take a blasé attitude and assume, correctly, that their personal losses will be small, typically limited to the inconvenience of getting a new credit or debit card.  Similarly, as more and more companies recognize the likelihood of a loss and, in response, adopt breach notification policies backed by cybersecurity insurance, the impact has become incorporated into the cost of doing business.

This attitude began to change with the increased incidence of ransomware.  Rather than seek financial or personal data, ransomware exploits technical or, more often, human vulnerabilities to encrypt data and hold it hostage in return for payment of ransom.  There have been highly publicized incidents, including hospitals, hotels, law enforcement agencies and other entities, that paid ransom in return for access to their data.  While paying ransom has been almost universally criticized, many firms felt they had no choice; they did not have adequate backups, and the only possible means of continuing business was to pay a relatively modest payment.

With the recent Petya virus attacks, however, that calculus has changed.  It has become more and more apparent that this virus, while claiming to be ransomware, was actually much more destructive; researchers increasingly believe that the malware was “wiperware” with the objective of permanently destroying data, and the perpetrators of the virus had no intention of freeing the data.  The researchers analyzing Petya (sometimes called PetyaWrap, NotPetya, and ExPetr) have speculated the ransom note left behind in the attack was a hoax intended to capitalize on media interest sparked by the May Wannacry ransomware attack. Continue reading

Web analytics concept - Multicolor version

Middle-market companies have cultures, goals and business needs that are distinct from larger firms, and nowhere is that more true than with cybersecurity.

Fortune 500 companies and brands with household names are much more likely to recover their reputations following a data breach.  While breaches are costly in financial terms to all companies, the damage to the brand of a middle-market company may not be survivable.  Large companies can weather the storm of negative publicity and loss of reputation, but mid-markets often cannot:  60% of middle-market companies that are hacked are out of business within one year.

This presents a near-paralyzing scenario to middle-market managers – the mere spectre of a data breach presents business risks that are difficult for them to fathom.

In our work with middle-market companies, we’ve developed effective strategies to help companies respond to the risk and protect their vital digital assets.  In fact, when the process is managed well, middle-market companies can respond to cybersecurity threats more quickly and effectively than larger businesses. Continue reading