[co-author: Namrata Kang]

Data breaches and ransomware attacks are on the rise. On October 7, Oregon Attorney General Rosenblum announced an increase in data breaches reported to his office. The first nine months of 2021 involved 131 reported breaches, exceeding the 2020 total of 110. Financial Crimes Enforcement Network (FinCEN) also announced an increase in ransomware-related activities in the U.S. earlier this year. The first half of 2021 saw $590 million reported ransomware activities, exceeding the 2020 total of $416 million.

The news also follows the recent data breach settlement the Oregon Department of Justice reached with Gustafson & Company LLC (Gustafson), an Oregon-based certified public accounting firm. The first of its kind, the $50,000 settlement involved an Oregon professional services firm and stemmed from a January 2020 data breach when "a scammer gained access to Gustafson's computer network by posing as a client attempting to send a W-2 via a zip file." The malware went undetected for a week and, upon identification, no follow-up investigation occurred to see if any files were accessed — until March 2020, when five clients had fraudulent tax returns filed.

The breach exposed certain personal information, including name and Social Security number of over 1,800 Oregonians, but Gustafson did not notify the residents of the breach until May 2020. Oregon law requires that companies "should give notice of a breach of security in the most expeditious manner, [without unreasonable delay], but no more than 45 days after discovering the breach of security." Gustafson now must develop, implement, and maintain data security practices "designed to strengthen its information security program and safeguard the personal information of consumers," including a breach response and notification plan.

The surge in breaches also means increased regulatory scrutiny. Since 2015, Attorney General Rosenblum has enforced state penalties against multiple violators and vows to continue doing so. Gustafson's data breach serves as the latest cautionary tale for other companies to ensure they (1) have taken steps to understand the security threats and risks posed to their organizations, (2) mitigated such risks through appropriate and commercially reasonable assurances and controls, and (3) have a plan in place (e.g., an IRP) to mitigate the negative impact of an incident if something goes wrong.

October is Cybersecurity Awareness Month and a "good reminder to do a 'cyber security clean-up,'' said Attorney General Rosenblum. "Make sure your passwords are strong and the software on all of your devices is up to date. You should never click a link you are not familiar with, and watch for signs of somebody spoofing a boss, client, or other person in your network. Do not click on a link in an email or a text message if anything does not look — or feel — right."