Written By: Leeza Garber and Sandy Goldstein
As Halloween approaches we’d like to emphasize the often scary reality of cyber-attacks. There are three important things every business person needs to understand:
- A cyber-attack is likely going to happen to you.
- It’s possible that a cyber-attack already has occurred, and you just haven’t realized it yet. (Home Depot only recently learned that malicious software, or “malware,” had been on its system for the past six months, skimming credit card data and JP Morgan has likely been under attack for upwards of a year.)
- More internet-connected devices are likely to mean more attacks.
What Is a Cyber-Attack?
A cyber-attack is a deliberate action taken to disrupt, disable or gain unauthorized access to a computer or network, or to the data, programs and communications that depend on it. Cyber-attacks are carried out by hackers and others for a variety of motives, but the effect is intentionally disruptive. Common methods include denial-of-service, system infiltration, phishing, spamming and spyware; common consequences include intellectual property theft, identity theft and website defacement.
Where Do Cyber-Attacks Come From?
According to their Q2 2014 “State of the Internet” report, Akamai observed attack traffic originating from 161 unique countries/regions, down from 194 in the first quarter.
China originated 43% of observed attacks, or nearly 3x as much as Indonesia, which saw observed attack volume more than double quarter-over-quarter.
The U.S. accounted for 13% of attacks. The overall concentration of observed attack traffic increased in the second quarter, with the top 10 countries/regions originating 84% of observed attacks, up from 75% in the first quarter.
Regulations Struggle To Keep Up
What are “reasonable” security standards? How should these vary by sector? The rapid evolution of technology makes it difficult for effective regulations to keep pace. In short, it is – and is likely to remain – a moving target.
State data security laws remain separate, state-specific regimes. While a unified federal regulatory system is on the horizon, for now attorneys must continue to be well-versed in the state-specific requirements that apply if a data breach occurs. State data breach notification statutes variously apply to individuals, business entities and/or state agencies, and where a fifty-state response is required the attorney must work out how to address requirements that may conflict with one another.
Generally, the notification provisions of the state data breach laws compel disclosure of a (sometimes only suspected) breach, triggered either by the likelihood that a breach occurred or by the risk of adverse consequences flowing from it. Private causes of action are also a subject of concern, and a few states expressly authorize them (including but not limited to California, the District of Columbia, and South Carolina). Notably, Florida recently amended its data breach law to require that forensic reports and breach policies be provided to the Florida attorney general upon request, an uncommon stipulation.
Clearly, a uniform federal law that could pre-empt these state variations would be a welcome development, especially for efficiency purposes. Currently, there are several bills on the issue that have been introduced - including the Personal Data Protection and Breach Accountability Act of 2011, the Data Security and Breach Notification Act of 2014, and the Personal Data Privacy and Security Act of 2014.
There are many other regulations that fill out this regulatory landscape, related to health information (the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act), financial information (the Gramm-Leach-Bliley Financial Modernization Act, the Fair Credit Reporting Act), and data sharing provisions (the European Union Safe Harbor program), just to name a few. At this point in time, new threats, malware, and hacking capabilities are uncovered at an alarming rate, and the only constant in the field of cyber-security is change. Security regulations cannot chase a moving target, but instead must work to define best practices, duties of care, and reactive measures. For an in-depth overview of all of the legal requirements, visit:
Case Law: Still Evolving
Courts around the world are still struggling with how to address the legal questions that cyber-attacks continually raise. These questions are being worked out through several channels.
- Plaintiff class action lawsuits are complicated, a typical hurdle being the inability to prove actual harm (see, e.g., Bobbi Polanco v. Omnicell, Inc., Civ. No. 13-1417 (NLH/KMW) (Dec. 26, 2013))
- State Attorney General investigations continue to grow in intensity, as the recent JP Morgan data breach exemplifies. While the hack has not yet produced fraud, the Federal Bureau of Investigation stated that it is looking into the matter, alongside the Attorneys General of Connecticut and Illinois (and other states may also be following suit).
- The Federal Trade Commission (FTC) issued a joint antitrust policy statement with the Department of Justice in April of this year, clarifying that companies sharing cyber-security threat information with one another is unlikely to raise antitrust concerns. (See http://www.ftc.gov/news-events/press-releases/2014/04/ftc-doj-issue-antitrust-policy-statement-sharing-cyber-security). The FTC in particular has demonstrated that it is carving out an extensive role for itself regarding data- and cyber-security issues, and recently marked its fiftieth data security enforcement case. One of the FTC’s most significant and ongoing cases is FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887-ES-JAD (D.N.J. Apr. 07, 2014), which has illustrated how the FTC plans to assert itself as what the Washington Post called “Washington’s most powerful technology cop.” (See http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/25/the-ftc-was-built-100-years-ago-to-fight-monopolists-now-its-washingtons-most-powerful-technology-cop/).
How To Prepare
Work with your CTO, CSO and Risk Management Group to make sure your CEO and management team are aware of the risks, and are prepared to invest in securing data and related systems – especially if your firm is subject to regulations including HIPAA, SOX, FERPA and more.
Remind them that firms whose security programs may already be stronger than your own have been recent targets. At JPMorgan Chase, 83 million accounts were compromised. At Home Depot, the issue affected 56 million payment cards. And at Target, breaches affected some 110 million shoppers. The repercussions of these incidents include loss of customer loyalty, dips in stock prices, removal of executives and management, negative public relations, the cost of paying for credit monitoring for customers, and lost sales.
There is reason for hope, but businesses must diligently review all technologies, processes, procedures and organizational controls, and should consider establishing a proactive Cyber Defense function. Create, test and continually update an emergency plan for intrusions, including clear steps about what to do, who must be notified in the event of a breach and which regulations apply to your company. Contract with third-party vendors for regular penetration tests, control reviews and cyber audits. A Cyber Defense function is no longer a futuristic idea. Being prepared to battle cyber-thieves with advanced technologies and skilled personnel is no longer a scene from the movie WarGames.
Cyber-security is not something that you can turn your attention to briefly and “fix”. Rather, for now and in the foreseeable future, it will require careful daily habits and regularly-scheduled checkups and oversight.
To find out how to better prepare yourself for a cyber-security breach, contact Capsicum Group, LLC.