Cybersecurity and data forensic firms are sending a loud and clear message: no one is safe. Theoretically, anyone could become the target of a state-sponsored hacking group working in shifts and around the clock whose single purpose is to break into your computers to steal or wreak havoc. When you become such a target, your fate is sealed and it is only a matter of time until you become the victim of a cyber-breach.
One consequence of becoming a victim is business disruption. Another is that your organization may become the target of state or federal law enforcement actions (e.g., FTC v. Wyndham) or of lawsuits brought by consumers whose data was compromised (e.g., Chambliss v. CareFirst). The legal liability exposure of a breach is difficult to predict, especially as plaintiffs appear to be on a quest to find creative causes of actions that go beyond the traditional claims of negligence or of violations of consumer privacy statutes (i.e., often to overcome dismissal because of the inability to allege direct economic injury).
The reports on data breaches seem to be ever more frequent and ever more disheartening. The goals of the criminals are many – to steal credit card information (e.g., Target and Home Depot breaches), to stockpile information on the workings of the U.S. government (e.g., U.S. Office of Personnel Management and United Airlines breaches), to obtain confidential files from law firms to be used in litigation (e.g., the recent California lawsuit against major workers’ compensation insurer and their attorneys), to manipulate penny-stock prices (e.g., JPMorgan Chase breach), to engage in insider trading (e.g., recent SEC investigations into breaches), or to gain a competitive edge in sports (e.g., St. Louis Cardinals hacking the Houston Astros).
The perpetrators are both foreign and domestic. They are outsiders and insiders of companies. Some apply for jobs with the ultimate purpose of getting into an organization and stealing data. Others steal data when their employment is terminated. Trusted individuals may destroy evidence to hide breaches. Other times, evidence of a breach is destroyed without knowing that preservation could have mitigated damages.
It can all be very discouraging.
Not all hope is lost, however. Most companies will never become direct targets of foreign state- sponsored hackers. Rather, companies are likely to be exposed to more pedestrian threats. These are caused by human error – clicking on a link in a phishing email, losing laptops or cellphones, mistakenly sending data to the wrong addressees, not following basic security company policies, carelessly handling of company data on personal computers, not password-protecting devices, or not encrypting data. Many of these threats are preventable. Human error is part of life, however, and therefore so are cyber breaches. The silver lining is that with careful pre-breach preparation, the aftermath of a breach can be much less costly.
The first step in preparing for a breach is to acknowledge the need for education on and a heightened awareness of cybersecurity issues. Accept that cybersecurity must become part of your organization’s culture.
The next steps involve everything a victim company wishes, often too late, that it had done before it was breached. These measures will focus on prevention by training of personnel and by implementing data security policies. They will also focus on reducing the time and cost to respond to a breach. Generally, they include:
- adopting security practices that are reasonable and appropriate for the size of the organization and the industry in which it operates (pay attention to the data security guidelines issued by the state and federal agencies relevant to your industry);
- including cyber professionals in management and at the board level of the organization;
- retaining outside data security lawyers before the breach occurs to avoid scrambling to find counsel at the very intense time when you learn of the breach;
- retaining forensic cyber professionals before the breach occurs to avoid wasting precious time and paying “emergency basis” fees when the breach occurs;
- investing the money to test your organization’s vulnerability level and to identify weak links;
- creating a breach-response team with a response plan;
- doing at least one test-run to see how the response plan plays out; and
- starting a relationship early on with the local FBI and Secret Service field offices to learn how and when they can help.
Finally, take a deep breath and exhale slowly. There is insurance to cover cybersecurity breach incidents. And if you go through the steps above, you will also be in a position to judge how much cyber insurance you need.
Good luck, and do not forget, encryption is your friend!
An earlier version of this article was published on August 3, 2015 as a guest post in the Generation J.D. blog of The Daily Record.