The New Jersey State Bar Association recently met to discuss, among other things, our favorite topic: Cybersecurity. (Perhaps our esteemed Privacy, e-Communication and Data Security Practice Group chair was there….) We wanted to briefly mention two critical points discussed:
Critical Point #1: The biggest risk out there is employees. We employees click on all sorts of attractive nuisances (we love those W-2 phishing scams), share our passwords with our colleagues, lose thumb drives, and leave our laptops in our cars, ripe for theft. We (generally) mean well – we just need training! Training is a critical element of an information security plan, so be sure to train your employees. But don’t just train them once – as is evident from the fact that employees are consistently at the top of the list of cybersecurity risk factors, we need to have security details reinforced (perhaps repeatedly). Therefore, it is important to periodically refresh that training. (Yes, we can help you with that – here is information on the resources our practice group offers.)
Critical Point #2: As noted in a blog post from earlier this year, employers can have vicarious liability for data breaches by employees. When that breach occurs, companies should be sure to have appropriate insurance in place to cover the resulting expenses. Talk to your insurance agent and be sure your company has insurance to cover the potential incidents that may arise in connection with your operations, and which provides the company with assistance with the different costs it may incur, such as investigation, mitigation, public relations, breach reporting and compliance, and possible business interruption.
Oh, one more thing….Rapid7 issued its Quarterly Threat Report earlier this week. While health care has always been among the top threat sectors, this Quarterly Threat Report indicates that health care is now bumping up to the top spot, eclipsing the financial industry as a cybersecurity target. This is due to both the rich nature of the data that health care entities maintain, and to the vulnerable nature of their systems. The Report notes that “healthcare organizations often have a complex, distributed IT infrastructure with difficult-to-patch legacy systems and proprietary medical devices, making them challenging to secure quickly. They also rely on system availability to keep operations running when lives are on the line, and adversaries have frequently targeted that availability using tactics such as ransomware or telephonic denial of service attacks (TDoS) to overwhelm critical phone lines.