October marks the seventeenth annual National Cybersecurity Awareness Month in the United States and provides an opportune moment to take stock of an extraordinary year. The past year has seen a rise in high-profile data incidents, an increase in enforcement actions, and an overall intensification in efforts to confront these threats. This alert highlights three significant developments in 2020:
First, cybercriminals have grown more conspicuous—and more purposeful—in their attacks. In April, hundreds of thousands of Zoom login credentials were found for sale in online criminal marketplaces, causing a rash of “Zoom bombing” that plagued the online video conferencing provider. Zoom responded with a crash investment in security that has substantially reduced the problem. In July, Twitter’s internal administrator tools were compromised, allowing a hacker access to high-profile accounts belonging to the likes of Bill Gates, Joe Biden, and others. In August, Massachusetts-based research firm Moderna, which is leading efforts to develop a COVID-19 vaccine, announced it had been targeted by hackers linked to foreign governments. In September, Universal Health Services, a large national hospital chain, was forced to rely on paper records after its network was breached during a ransomware attack that forced it to take its systems for digital medical records, laboratories, and pharmacies offline in approximately 250 facilities. Cybercrime often made for front-page news in 2020; look for this trend to continue.
Second, enforcement efforts are increasing. In July, the New York Department of Financial Services (NYDFS) filed suit against First American Title Company, alleging that the company’s lax data security practices led to the exposure of more than 800 million documents containing sensitive information. This suit marks the first cybersecurity enforcement action brought by the regulator under the NYDFS Cybersecurity Regulation. Other state authorities are also becoming more active. The California Attorney General has made clear that it will use its new authority under the California Consumer Protection Act (CCPA) to enforce the law’s provisions. Here in Massachusetts, Attorney General Maura Healey announced that Assistant Attorney General Sara Cable would oversee the Commonwealth’s efforts to protect consumers from the surge of threats to their privacy and security as Chief of the newly created Data Privacy and Security Division of the Attorney General’s Office. More broadly, federal agencies, including the Securities and Exchange Commission, the Department of Justice, and the Treasury Department, have also announced or threatened additional enforcement actions.
Third, companies nationwide are increasing their cybersecurity spending. Despite the hardships wrought by the pandemic, security and risk management spending has marched on nearly unabated and is expected to top $3.4 trillion worldwide in 2020. The business case for such spending is self-evident, and many see that an ounce of prevention is worth a pound of cure. Yet, for all the macroeconomic focus on cybersecurity, many small and medium-sized businesses still haven’t adopted basic defenses or instituted recommended practices.