Articles Posted in Data Breach

The cybersecurity breaches this month of Equifax and Deloitte—both firms that tout the value of their data and security acumen—show that no company is immune to hacking.

But there is one thing that smart companies can do, both before and during a breach, and that is to develop and deploy an appropriate narrative when a security disaster strikes. That narrative needs to hew to the facts, take into account the known unknowns, and appeal not to shareholders or the press but to customers and regulators. Done right, these statements can differentiate between a recoverable data breach and a cybersecurity-related corporate disaster.

What makes this so difficult for companies and CEOs is that the right response often goes against all they’ve learned about positioning the company. Let’s dissect those impulses.

  1. Shareholder value is intact. A company sees shareholders as its most important constituency and wants to reassure them. Actually, you have no idea the impact on shareholder value, because you have no idea the full extent of the breach, how the market will receive it, and how customers and regulators will react. Incorporating this concept into any narrative is ill-advised at best.
  2. We have this under control. Company leaders do not want to exhibit weakness. However, as part of an initial statement, there is only a remote chance that the situation is under control. It takes time to learn the extent of a breach, both its breath, duration, and ultimate impact. Far better to say you are working with experts, regulators and consumer advocates to understand the extent of what may have been compromised, and that you are pushing forward diligently in this regard.
  3. We are doing all we can to mitigate the effects. Company executives often have a bias toward action. You may want to do that, but that’s impossible until you discover the scope of the data loss. Regulators are not interested in immediate solutions. They want to know that you are doing all you can to learn about the situation, not the specifics about the Band-Aids or tourniquets. They want to know your long-haul commitment.

Continue reading

There may be much more missing than the headlines suggest.

Some 30 million people watched the Season 7 premiere of “Game of Thrones,” according to its creator, HBO. It’s one of the hottest media properties in years.

The popularity of the show, and HBO’s other properties, made HBO the perfect target for attention-hungry hackers who breached HBO’s systems this summer and made off with a script for a future episode and a reported 1.5 terabytes of other information–an astounding amount of data. By comparison, the 2014 Sony hack, which disclosed troves of embarrassing corporate emails and led to the departure of the company’s co-chair, was 200 gigabytes. The HBO breach is roughly seven times larger.

The size of the breach made us question – is this incident more than a spoiler for Game of Thrones and unreleased episodes of several other HBO shows?  Or did the hackers have something else in mind?  And it points out a sobering fact about many cybersecurity breaches: despite the best forensics, it can be hard to quantify their scope and know the true boundaries of what data has been taken or otherwise compromised.

The question was answered a few days later when the hackers demanded a multi-million dollar ransom to prevent the disclosure of more episodes of more shows and damaging emails and other information – and, to prove their point, released personal phone numbers of Game of Thrones actors, emails and scripts.  HBO and the hackers are now in negotiations, with the hackers demanding “our six-month salary in bitcoin”, claiming they earn $12 to $15 million  a year from blackmailing organizations whose networks they have breached. Continue reading

padlock-cybersecurity-300x203

It’s ironic: when global threats are in the news every day, their ubiquity makes them easy to ignore. Whether they be political threats, climate threats, or data security threats, we can become numb to ever-present risk. Add in the chorus of advice from the growing number of providers, and even those who want to act become paralyzed by choice and complexity.  Cybersecurity is no exception – the daily deluge of breach notices and press reports of massive attacks has made us less, not more, sensitive to the threat.

Crisis fatigue can be compounded with defeatist thinking, believing that no matter what you do, you will still be hacked and have your data compromised.  So it is no surprise that while companies know data security should be a top priority, in reality, it’s easy to focus on more urgent – but less essential – items.

Cybersecurity faces additional hurdles that make it even challenging to address.  By identifying those hurdles, however, firms may be able to overcome these barriers and move forward on the path to minimizing one of the greatest risks your company faces.

Data Security Is Expensive – But Not as Expensive as the Alternative

Implementing a cybersecure environment requires a commitment in technology, training, and adapting to the constant rate of change and upgrading processes. The extra steps needed for the simplest of tasks, such as logging in, add to the daily cost of doing business.

Gartner estimates that worldwide spending on data security this year will hit $90 billion. It’s understandable that a CEO would see that as money lost from corporate value. But these expenditures should be seen  as an investment to preserve corporate value. Breaches are much more expensive and disruptive than the budgeted, planned improvements to systems, which can be controlled and implemented over time.

Intelligent and consistent technology upgrades, combined with regular training for all employees, are, in the end, better for a company’s bottom line than crisis management and costly technology remediation after the fact. Creative corporate leaders reframe the expense question and find budget for what’s vital.

Data Security Seems Really Complicated

For most of us, data security is complicated. We aren’t IT professionals, and venturing into the cybersecurity world is a challenge. Those who suffer any amount of technophobia may assume that they don’t know it and, more dangerously, that they can’t learn it. The technology community can reinforce this fear by speaking a foreign language and using unfamiliar terminology, all of which creates another barrier for non-technical executives and managers who need to understand the issues sufficiently enough to make intelligent decisions. Non-technical company management often feel that they are at the mercy of the IT experts. Even those who master important concepts in data and cybersecurity may doubt that knowledge, as there can be a tendency on the tech side to stress just how complicated things really are, reinforcing the need for their expertise. Continue reading

cursor-clicks-red-VIRUS-button-300x225

Ever since California adopted the nation’s first breach notification law in 2002, companies that have suffered a data breach have focused on whether and how to notify their customers, employees and others of the nature and extent of the breach.  California’s law has been amended multiple times, and has been followed by breach notification laws in almost every state, as well as the notification requirements under the Health Insurance Portability and Accountability Act (“HIPPA”).  As these laws developed, a tandem requirement has emerged:  the obligation to take reasonable steps to protect data, and companies are, increasingly focused on taking steps to ensure the security of their data.

Recent breaches, however, have made it clear that these efforts do not address what might be the most pressing problem facing businesses:  how to recover from a malicious attack.  As data security attacks have evolved, firms must recognize an entirely different set of risks.

In the past, most hackers have focused on obtaining financial or personal information for profit.  Thus, the most publicized data breaches – Wyndham and Target, as examples – were directed at obtaining credit card information which could be sold on the dark web.  While these incidents can be expensive, they rarely threaten the existence of a firm; indeed, most consumers are so inured to the likelihood that their credit card information may be stolen that they take a blasé attitude and assume, correctly, that their personal losses will be small, typically limited to the inconvenience of getting a new credit or debit card.  Similarly, as more and more companies recognize the likelihood of a loss and, in response, adopt breach notification policies backed by cybersecurity insurance, the impact has become incorporated into the cost of doing business.

This attitude began to change with the increased incidence of ransomware.  Rather than seek financial or personal data, ransomware exploits technical or, more often, human vulnerabilities to encrypt data and hold it hostage in return for payment of ransom.  There have been highly publicized incidents, including hospitals, hotels, law enforcement agencies and other entities, that paid ransom in return for access to their data.  While paying ransom has been almost universally criticized, many firms felt they had no choice; they did not have adequate backups, and the only possible means of continuing business was to pay a relatively modest payment.

With the recent Petya virus attacks, however, that calculus has changed.  It has become more and more apparent that this virus, while claiming to be ransomware, was actually much more destructive; researchers increasingly believe that the malware was “wiperware” with the objective of permanently destroying data, and the perpetrators of the virus had no intention of freeing the data.  The researchers analyzing Petya (sometimes called PetyaWrap, NotPetya, and ExPetr) have speculated the ransom note left behind in the attack was a hoax intended to capitalize on media interest sparked by the May Wannacry ransomware attack. Continue reading

Web analytics concept - Multicolor version

Middle-market companies have cultures, goals and business needs that are distinct from larger firms, and nowhere is that more true than with cybersecurity.

Fortune 500 companies and brands with household names are much more likely to recover their reputations following a data breach.  While breaches are costly in financial terms to all companies, the damage to the brand of a middle-market company may not be survivable.  Large companies can weather the storm of negative publicity and loss of reputation, but mid-markets often cannot:  60% of middle-market companies that are hacked are out of business within one year.

This presents a near-paralyzing scenario to middle-market managers – the mere spectre of a data breach presents business risks that are difficult for them to fathom.

In our work with middle-market companies, we’ve developed effective strategies to help companies respond to the risk and protect their vital digital assets.  In fact, when the process is managed well, middle-market companies can respond to cybersecurity threats more quickly and effectively than larger businesses. Continue reading

padlock-cybersecurity-300x203

You spent valuable time and resources crafting a cybersecurity breach action plan. You’ve assembled a multidisciplinary response team. You’ve identified who is responsible for what, and what decision-tree will go into effect. The plan has been circulated. You’ve even engaged a separate law firm that will be on call in the event of a breach. You’ve done the same with a PR firm, a private investigator and data breach hit squad.

But if the action plan stays put on a shelf, it isn’t really of much value. Smart companies run a tabletop exercise, where first responders sit at a conference table and run through what will happen in the event of a breach. But really smart companies do something more – they take their efforts out of the conference room and into the real world. Breaches involve stress, panic and urgency. It’s not the time to be opening a binder and flipping through tabs for instructions. All those with responsibility for securing the breach need to be battle tested.

Just as fire drills are mandated safety requirements, breach drills should be mandatory training for your team. These exercises bring to light the weaknesses, if any, inherent in your breach response plan. These drills take a good plan and refine it into a great plan.

The key to testing the plan is making your drill as realistic as possible. Notify responders there will be a drill, but not when it will happen. Then, perhaps on a weekend, unleash a hypothetical and set things in motion. Designate several observers to follow the drill to see how closely actions hew to the plan. Document what went right and what went wrong so adjustments can be made later. Continue reading

Last year, SEC Chair Mary Jo White named cybersecurity as the biggest risk facing financial markets. But the risk isn’t limited to the financial industry – even a casual review of breach reports in the mainstream press shows that cybersecurity is a risk common to all companies in any industry.  The challenge facing companies is how to prepare for what seems to be inevitable, and how to do it in an efficient and economical basis.

The key element in preparing for a data breach is less a technical matter than a traditional evaluation of business risk.  Companies regularly analyze the risks of business decisions, and just as regularly, recognize that risk analysis requires legal advice.  Evaluating cybersecurity risk is no different – it requires that a company understands the risks it takes, which risks it is willing to assume as part of its business and which risks need to be eliminated or shifted (through insurance, contractual arrangements or otherwise).  Understanding this, obtaining competent legal advice before a breach is a critical aspect of any cybersecurity plan.

Despite this fact, many companies focus their data protection programs in IT, and only bring in their lawyers late in the game to bless their cybersecurity measures. While legal expenses are always a concern, companies will reap a greater return on their overall cybersecurity investment by soliciting advice early on, and stand better odds a breach will be handled correctly and efficiently.

What can cybersecurity lawyers bring to the table?

Hand-in-Glove Collaboration

Perhaps most importantly, legal counsel commonly work with a variety of corporate players and are in a unique position to work hand-in-glove with IT, HR, and other functions to assess and reduce cybersecurity risk while still permitting a company to function efficiently. An experienced lawyer is often the best person to lead a team that establishes key protocols to avoid a breach, including policies and procedures for privacy, confidentiality, mobile device usage, record retention, and breach protocol.  Lawyers are particularly able to address the key elements of an effective cybersecurity plan. Continue reading

Cyber risk affects businesses of every size and industry. A data breach can lead to negative publicity, loss of customer confidence and potential lawsuits. There can be a variety of unanticipated – and costly – business disruptions.

Just ask the owners of the Romantik Seehotel Jaegerwirt hotel, in the Austrian Alps, which recently had their systems frozen by hackers, resulting in the complete shutdown of hotel computers. The hackers breached the hotel’s key card system, making it impossible for guests to enter their rooms and preventing the hotel from reprogramming the cards.

The hackers did not scrape guests’ credit card data, as has happened with other hotel data breaches, but instead demanded a ransom payable in Bitcoin. The Romantik Seehotel Jaegerwirt – which was fully occupied at the beginning of ski season – paid the ransom, at which time control of the key card system was restored.

While highly disruptive, it’s easy to imagine how it could have been worse. Fortunately, the hotel located and fixed the backdoor left by the hackers (which the hackers tried to exploit almost immediately) and secured their systems.

Vulnerability to hackers seeking to take control of a building’s system is a very real threat to organizations of all kinds: hospitals, hotels, law firms, research facilities, banks, retailers – virtually any kind of business that is housed in a “smart” building. Continue reading

December is the month for predictions.  During this month, commentators of all sorts and in all areas predict the trends and actions that will impact us during the coming year.  While speculating the future is a questionable pursuit, we at the Cybersecurity Lawyer Forum would hate to be left out of the fun.   With that in mind, a few thoughts on what we might expect in the year to come.

National Cybersecurity Legislation

Legislation in the United States is less an exercise in establishing comprehensive systems than in reacting to events; much legislation tends to be anecdotal and designed to fit the day’s headlines.  Moreover, legislation is a curious process, and even with the Congress and White House held by the same party, legislation is hard to pass.

Cybersecurity legislation faces additional hurdles.  It is not always the highest priority for lawmakers, especially during a year when an entirely new administration must be established, and when the campaign promises of the last year did not include cybersecurity as a priority. Continue reading

 

Over the past several years, the Federal Trade Commission has emerged as the de facto national regulator of online security and privacy. While banking and health regulators hold sway over their specific industries, the FTC has used its authority, granted under Section 5 of the Federal Trade Commission Act to address unfair or deceptive acts or practices, the FTC has pursued companies that it believes have misleading privacy statements, or fail to secure personal customer information, and brought actions and entered into settlements with a variety of companies, including hotels, data service providers, retailers and others. In most cases, the defendants have settled to avoid expensive and damaging litigation.

One of the few companies that chose not to settle was LabMD. LabMD was a medical testing company that specialized in cancer detection. Between 2005 and 2008, one of LabMD’s administrative employees ran LimeWire, a peer-to-peer file sharing application, on her computer. The configuration of the application allowed (unintentionally) sensitive files on her computer to be shared on the LimeWire network and made public. This vulernerability was discovered by an independent security consulting company, Tiversa, whose business model is to search for possible security breaches and offer to fix them for a fee. Tiversa, upon discovering the vulnerability, stole a file containing insurance records for approximately 9,300 patients as evidence of the vulnerability and sought to have LabMD hire them. After LabMD refused to engage Tiversa,  Tiversa reported LabMD’s vulnerability to the FTC. Continue reading