Cybercrime and Data Breach a Rising Threat to All Employers

by Conn Maciel Carey LLP

Over the past six months, we have observed a significant uptick in inquiries about data breach and other cyberthreats from area businesses.  We are asked about pursuing claims for recovery of funds lost due to fraud by hacking, state notification procedures in the event of a data breach affecting employees, and general questions about how to prepare or respond to other IT security problems. The whole subject area is a complex mix of technical and legal issues and it touches nearly every aspect of the current business environment. Moreover, the costs to companies that are the victims of cybercrime and data breach are significant and, unfortunately, it is no longer uncommon for the costs to bankrupt small and medium-sized businesses within a short time after the breach is discovered.

Types of cybercrime incidents

Data breach and other cyberthreats come from all quarters and they affect individuals and organizations of all sizes. Given the recent news about the Central Intelligence Agency and the National Security Agency being the subject of now infamous data thefts, including the CIA losing control of its own toolbox of hacking tricks, many employers are likely to think that there is little that can be done when the government agencies tasked to defend our country’s cybersecurity and armed with a government-sized budget have proven vulnerable. But the size and scope of cyberthreats are not exaggerated and require vigilance and defenses regardless of your organization’s size.

So-called “Black Hat” hackers and cybercriminals are after any type of information that is useful to further a hacking scheme or that can be monetized easily and anonymously, making it an attractive crime. Phishing attacks, which prey on human psychology, are attempts to get a victim unwittingly to click on a link in an email or otherwise provide information that can be used to unleash malware in an organization’s network or to provide an entryway for theft of critical or confidential information. Ransomware attacks steal access to business data by encrypting the content of company-owned devices, preventing users from accessing it until a ransom is paid. The advent of Bitcoin and other cyber-currencies, which allow for anonymous transactions over the Internet, has only emboldened ransomware schemes by making payments very difficult to trace. Both types of attacks are designed to exploit weaknesses in human psychology more than technical weaknesses in software or hardware. Simple theft or loss also can be a source of data breach. Employees now carry around huge troves of business data in their mobile phones, laptops, and other devices. The theft of a mobile phone or the loss of a laptop left behind at airport security can be an event that causes all kinds of headaches for an employer.

Data breach incidents have a panoply of repercussions for businesses that suffer them. Not only is there the threat of liability for the damage, but also the reputational harm to client relationships and standing in the marketplace. Retailer Target Corporation, which was the subject of a 2013 data breach, reported $61 million in losses from the breach and received only $44 million in insurance coverage for the fourth quarter of 2013, when the breach was announced. Those figures do not include the costs of litigation, fraud claims, and investigation expenses that Target continued to incur well after the breach was announced. In 2015, Target paid a settlement of approximately $10 million to settle a class action suit by consumers affected by the data breach. And those figures do not include the lost sales that may have been attributable to the lost confidence in Target’s security.

What information do you have that you need to protect?

Even organizations that are not specifically tasked with handling or protecting sensitive data should carefully consider what kinds of information they possess that requires protection and where it is located. A firm does not need to be a financial services company or a healthcare provider to have sensitive data that may subject it to legal liability if the information is lost or compromised through a data breach incident. Small businesses of all types will have personnel information about their employees, customer lists, and other intellectual property that should be kept from prying eyes either because it is personal information or it contains the trade secrets for the business. Employee and benefits files with information about payroll, tax withholding, insurance, and retirement plans likely will contain personal identifying information that is subject to federal and state law governing protection of data, such as social security numbers, bank account numbers, and dates of birth. The electronic payment systems at retailers large and small can be an avenue for stealing the credit card numbers of customers.

Employers also need to think about where their data is located and how it moves around. Company data is not just on company personal computers and servers. It now moves around on a wide variety of devices and storage locations. Mobile phones, tablets, and laptops all carry company data and files and travel with your employees. Cloud-based services also may hold data. And employees may use their own devices, download company files to their home computers and networks, or use their own cloud-service providers such as Dropbox, Google Drive, or iCloud. Some of this data may even be replicated or stored in unforeseen ways by data backup systems that move data to other storage formats or locations. Moreover, most businesses rely on many vendors that provide services for which confidential information needs to be passed back and forth, and that transmission can be a weak spot that is susceptible to exploitation. Examples of these vendors are banks, payroll processing companies, accountants, bookkeepers, lawyers, IT consultants, or any Internet-services vendors, such as an Internet service provider or a cloud-based software provider.

What are an employer’s responsibilities and potential liabilities around data breach?

Courts and government agencies are constantly evolving their approach to cybercrime and data breach issues. The Federal Trade Commission has taken the lead for the federal government as the enforcement agency for data breach and cybercrime incidents. A 2015 decision from the U.S. Court of Appeals for the Third Circuit affirmed the FTC’s authority to regulate cybersecurity under its authority to regulate “unfair or deceptive acts or practices in or affecting commerce.” The case involved Wyndham Hotels and Resorts, where hackers had successfully accessed Wyndham’s computer systems and stolen personal and financial information of consumers, leading to over $10 million in fraudulent credit card charges. The court concluded that the FTC has a broad mandate to hold businesses accountable for not adhering to cybersecurity practices that unreasonably expose personal data to unauthorized access and theft.

The FTC does not limit its enforcement to large hotel chains. From 2013 through the present, it has pursued LabMD, Inc., a small medical testing laboratory in Georgia that exposed the medical information of approximately 10,000 consumers to a peer-to-peer file sharing network called LimeWire that had been set up by an employee on a billing department computer. As a result, LabMD’s billing files were exposed to the entire peer-to-peer network. Files from the company were later discovered in California during a criminal investigation. The FTC’s order faulted LabMD for failure to protect its computer network or employ adequate risk assessment tools, failure to provide data security training to its employees, and failure to adequately restrict and monitor the computer practices of individuals using its network. LabMD began to wind down its operations in 2014, largely due to the fallout from the data breach and the FTC enforcement action.

In a more salacious case, the FTC and 13 states and the District of Columbia recently settled with Ruby Corporation, the firm that ran the infamous Ashley Madison site for matching people looking to have extramarital affairs. Millions of subscribers to the site had their usage exposed when hackers attacked the site. Ashley Madison had sold a service for an extra fee that purportedly removed all traces of a user’s usage of the site. But the data was retained and exposed in the hacking incident. The firm settled for $17.5 million, but was only able to pay $1.66 million.

State attorneys general also are taking up the mantle of protecting employees and consumers within their jurisdictions. State statutes requiring notification of employees or consumers in the event of a data breach are now on the books in 47 states and the District of Columbia. These statutes have provisions for the timing and content of a notice of data breach that vary from state to state. Employers faced with a data breach situation involving employee or consumer data may have both a notice obligation to the employees or consumers and an obligation to notify the state attorney general’s office of the breach. Such notice brings with it reputational risks and the attention of law enforcement agencies. In February 2017, Boeing Corporation notified the Attorney General in Washington that personal information, including birth dates and social security numbers for 36,000 employees, was sent to the spouse of an employee who wanted help with formatting a spreadsheet.

While cybercrime and data breach are relatively new subjects for courts, old legal doctrines, such as breach of fiduciary duty and negligence, can be used to assign liability to employers or other parties. Companies may also face contractual liability to their clients or customers if their contracts include indemnification provisions for damage or have other contractual requirements that are breached through a cybercrime incident. And the possibility of treble damages exists if employers are found to have breached unfair trade practices statutes.

Defenses and other protection

Employers should think about their defenses from cybercrime and data breach from three different angles: (1) technical solutions; (2) employee training; and (3) insurance.

With respect to technical solutions, employers should make sure that they are constantly updating their software with the latest updates and patches so that they are protected by their software vendors’ latest efforts at closing known hacking exploits. Employers should purchase and deploy anti-malware and anti-virus software and should consider tools available to filter and prevent employees from using websites that are known to be in the control of hackers and cybercriminals. Password policies should require both a complex password and changing of the password on a periodic basis. Password management software can be employed to ease the burden of these policies on employees and also give employers a way to enforce the policies.

Employee training also is essential. Most technical solutions can be defeated by an employee who unwittingly or carelessly opens the door to a hacker, as in the Boeing incident. Insurance industry data shows that one-third of data breach and cyberthreat claims have at their root some form of employee negligence. Training regimens should not only include how to use anti-malware and anti-virus software or password managers, but also should include real-world drills for phishing attacks. IT staff or consultants can test organizational readiness by sending out emails designed to induce an employee into clicking on a link or providing their login information for a critical business system such as email. The results can be provided to management. Employees should be trained to identify telltale signs of a phishing scheme, such as poor grammar or spelling in the message, strange syntax from a sender you know, a message about an otherwise unknown event, or links that do not look like they go where you would expect them to go, such as to domains located in foreign countries.
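As an added illustration (not code from the article or from Conn Maciel Carey), the following Python script checks an email for three of the telltale signs listed above: a display name that claims a domain the real sender address does not use, link text that shows one domain while the href goes to another, and links under country-code domains the business does not normally deal with. TRUSTED_DOMAINS, EXPECTED_CCTLDS and the sample message are assumptions constructed for the example; the script expects a single-part HTML message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions for this example: the organization's own or trusted domains and
# the country-code TLDs it normally does business with.
TRUSTED_DOMAINS = {"example.com", "payroll-vendor.example"}
EXPECTED_CCTLDS = {"us", "ca"}

# Matches <a ... href="...">visible text</a>; adequate for typical mail bodies.
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(value):
    """Lowercase hostname of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return human-readable findings for one single-part RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    # Sign 1: the display name claims a mailbox at a domain that the actual
    # sender address does not use (a "sender you know" that is not).
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if "@" in display_name:
        claimed = display_name.rsplit("@", 1)[-1].lower()
        if claimed != sender_domain:
            findings.append(f"display name claims {claimed} but sender is {sender_domain}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, text in ANCHOR_RE.findall(body):
        target = host_of(href)
        text = re.sub(r"<[^>]+>", "", text).strip()
        shown = host_of(text) if "." in text and " " not in text else ""
        # Sign 2: the link text shows one domain but the href goes elsewhere.
        if shown and shown != target and not target.endswith("." + shown):
            findings.append(f"link text {shown} goes to {target}")
        # Sign 3: the destination is under a country-code TLD the business does not use.
        tld = target.rsplit(".", 1)[-1]
        if len(tld) == 2 and tld not in EXPECTED_CCTLDS and target not in TRUSTED_DOMAINS:
            findings.append(f"link to unexpected country domain {target}")
    return findings


# Constructed sample: a fake payroll notice whose link does not go where it says.
SAMPLE = """From: "hr@example.com" <hr.notices@mail-update.example.ru>
To: staff@example.com
Subject: Update your W-2 preferences
Content-Type: text/html; charset=utf-8

<p>Please confirm your details at
<a href="http://example.com.login-verify.ru/w2">https://example.com/hr</a>
before Friday.</p>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("flag:", finding)
```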

Insurance is the third element of the defense triad. Data protection or cybercrime insurance policies are being marketed aggressively by insurance companies due to the constantly expanding threat. Insurance always should play some role in any strategy to defend against legal liability, just as businesses use general liability insurance to protect against liability for other hazards. Indeed, many insurance carriers offer cybercrime insurance as a rider to their general liability policies. Insurance can provide coverage for the costs of investigation and notification in the event of data breach or cybercrime. But employers should read policy language carefully and think about the risks and exposures that they are trying to cover through an insurance contract. The insurance industry also is grappling with the nature of cybercrime and data breach risks and how to assess premiums based on those risks. A careful reading of any policy exclusions is important. Many policies do not cover certain types of negligence incidents, attacks that can be linked to nation states, data breach events affecting your information at third-party vendors, or expenses imposed by government enforcement agencies, such as a requirement to provide identity-theft protection to everyone affected by the breach. Some policies also exclude coverage for devices that are not employing encryption at the time that they were lost or stolen. In such cases, your insurance coverage may depend upon whether you have an encryption solution in place and your employees trained to use it. All three defensive elements must be in place.

Conclusion

This article only serves as a primer for the myriad issues that arise with data breach and other cybercrimes. Unfortunately, the problems have become so pervasive that significant time and resources must be devoted to them regardless of your profession or industry. Employers must remain vigilant about their weak points and regularly check on the defenses they employ, whether technical solutions, employee training, or insurance, to ensure that they remain current in this constantly evolving and hostile environment. Additional resources for cybersecurity information are abundant, but among the most prominent is the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, published in 2014. NIST has a website with documents and webinar materials about its framework that will help you start thinking about managing the risks of cybersecurity.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Conn Maciel Carey LLP | Attorney Advertising
