Cybersecurity & Data Privacy Insights

By now, most people are familiar with the 2013 data breach reported by Target. In what has been described as one of the largest data breaches in U.S. history, Target acknowledged that attackers gained access to credit and debit card data of up to 40 million of its customers. In the time since, much attention has been given to the breach’s aftermath and to its likely impact on the future of cybersecurity. That future appears to have arrived, at least in part, with the announcement of a record-setting settlement between Target and forty-seven states, plus the District of Columbia.

Under the settlement agreement, Target will pay $18.5 million to the participating states. That is on top of the $10 million Target has already paid to consumers to settle a private class action lawsuit and the $39 million Target paid to several banks that serviced MasterCards used by Target’s customers. Yet the settlement is noteworthy for reasons beyond the staggering financial component, and its implications offer useful guidance for companies hoping to avoid Target’s fate.

First, anyone looking for direction on how to structure their own company’s internal cybersecurity protocols and defenses in a way that would comply with the standards their state’s Attorney General finds acceptable can now look to the settlement agreement as a model (unless you are in Alabama, which did not participate because it lacks a state data breach notification law, or in Wisconsin or Wyoming, which chose not to participate). While the settlement binds no one but Target, it represents a joint effort by nearly every state’s Attorney General to ensure that breaches of Target’s magnitude do not recur, which makes it a strong indicator of what state enforcement agencies will look for in future investigations when deciding whether a company had proper safeguards in place. For instance, the agreement requires Target to implement corrective measures such as maintaining appropriate encryption policies, adopting password rotation policies and two-factor authentication, and segmenting cardholder data from the rest of its network. Incorporating such protections into your company’s cybersecurity and data privacy protocols is sound practice, and one that now carries at least some unofficial governmental approval.

On June 1, 2017, New Jersey Governor Chris Christie signed Executive Order 225 directing NJ’s Chief Technology Officer to set in motion actions to deliver a more secure, efficient, and reliable information technology platform and services across the Executive Branch.

Previously, each state department and agency oversaw its own information technology services and its own software and hardware integration. Under the new Executive Order, the Chief Technology Officer of the State of New Jersey has broad authority to oversee and integrate the hardware, software and other information technologies used by departments and agencies within the Executive Branch. Speaking to the Chief Technology Officer at the signing of the Executive Order, Chris Christie stated:

“This is a big day in changing state government. To take away that authority and personnel from every one of the state departments and agencies and put it in your hands is a sea change in the way government is managed given how integral information technology is to the everyday operation of government. This is about a common-sense approach to taking us to a new level in terms of our information technology, and what we know is our customers, the 8.9 million people of the State of New Jersey are going to demand we do it.”

Lindabury’s Cybersecurity and Data Privacy Practice Group Co-Chair Eric Levine spoke at the NJBIZ Cybersecurity conference on May 17th at the Raritan Valley Country Club in Bridgewater, explaining how companies can get hurt by doing the right thing when it comes to cybersecurity.

“To protect any small business, you need to have legal involved, if for no other reasons than to cloak what you are doing with privilege or confidentiality — by that, I mean communications with your attorney that nobody else can get to,” he said.

“Think about it,” he told the audience. “You hire (an expert) who comes in and does a vulnerability assessment and they find out you have a gaping hole in your security. That’s great. You fix it.

Eric Levine, Co-Chair of Lindabury’s Cybersecurity and Data Privacy Group, was recently interviewed by NJBIZ’s Brett Johnson about a business’s first line of defense against a cyberattack. Levine says the attackers’ most effective approach, social engineering, exploits features inherent in human nature. “It’s preying on people’s inquisitive side,” Levine said. “And you can’t buy a firewall for that.”

“Yes, there are hackers who are out there who are trying to break through firewalls through different approaches, including state-sponsored actors, and there are many technologies to protect against that,” Levine said. “But it’s the social engineering — (stuff like) phishing scams — that capitalizes on mistakes people make that are the easiest tools to utilize.”

Lindabury’s Bob Anderson, shareholder and co-chair of the Cybersecurity and Data Privacy Group, was interviewed by NJBIZ’s Tom Bergeron about the worldwide ransomware attack over the weekend. Bob said the attacks were no surprise to people in the industry.

“It was just a matter of time before something like this happened,” he said. “We’ve seen ransomware attacks pick up at an incredible level the past few years. It was just going to happen at some point that somebody was going to launch something that was going to travel from computer to computer and spread to every country in the world.”

Lindabury will be represented at the NJBIZ Cybersecurity panel discussion on May 18th at Raritan Valley Country Club in Bridgewater, where the Cybersecurity and Data Privacy Group’s co-chair Eric Levine is participating as a panelist.

May 3, 2017 was a bad day for Google, as a major phishing attack spread like wildfire across the internet, targeting users of Google Docs. As bad as it was for Google, it provided a real-life example of how the first line of defense against a cyberattack is none other than you and me. People, not breached firewalls or missing encryption, are often the cause of a major cyber incident, but with a little diligence we can present a formidable front-line defense.

What occurred on May 3, 2017 has been described as a widespread phishing scheme: people received an email, apparently from a trusted contact, inviting them to open a Google document. The link did not lead to a real document but to a permission prompt for a third-party application calling itself “Google Docs”; a recipient who clicked through and approved the request granted that application access to their email account and contacts. The application then read the recipient’s contacts and sent the same phishing email to each of them. The cycle repeated rapidly; Google estimated that at the peak of the attack about 150 messages per minute were being sent across its customer base, and the attack may have affected at least one million people.
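The worm described above needed two things from every victim: permission to read contacts and permission to send mail, granted in a burst to an app wearing a first-party name. As an added example (not code from the original post, and not Google’s own tooling), the following Python script applies those two signals to a set of OAuth consent-grant records, flags the app that fits the worm’s shape, and lists the accounts whose grants should be revoked. The event records, client ids, user names and the schema itself are constructed for the example; only the scope URIs are Google’s real scope strings.

```python
"""Detect an OAuth consent-phishing worm from authorization events.

Added example, not code from the original page.  Assumptions: the events
below are a constructed, simplified record of third-party OAuth
authorizations (timestamp, user, app display name, client id, granted
scopes), not the schema of any real admin audit log.  The scope URIs are
real Google scope strings; client ids, users and timestamps are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.modify",
}
CONTACT_SCOPES = {
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}
# Display names a third-party client has no business using (hypothetical list).
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google"}

FULL_MAIL_CONTACTS = ["https://mail.google.com/",
                      "https://www.googleapis.com/auth/contacts"]

# Constructed sample events.  "lookalike-client" is the hypothetical malicious
# app; "mailtool-client" is a legitimate add-on that also holds mail and
# contacts access but is not spreading; "calsync-client" is unrelated.
EVENTS = [
    {"ts": "2017-05-03T18:01:00Z", "user": "alice@example.com", "app": "Google Docs",
     "client_id": "lookalike-client", "scopes": FULL_MAIL_CONTACTS},
    {"ts": "2017-05-03T18:03:30Z", "user": "bob@example.com", "app": "Google Docs",
     "client_id": "lookalike-client", "scopes": FULL_MAIL_CONTACTS},
    {"ts": "2017-05-03T18:04:10Z", "user": "carol@example.com", "app": "Google Docs",
     "client_id": "lookalike-client", "scopes": FULL_MAIL_CONTACTS},
    {"ts": "2017-05-03T18:07:45Z", "user": "dave@example.com", "app": "Google Docs",
     "client_id": "lookalike-client", "scopes": FULL_MAIL_CONTACTS},
    {"ts": "2017-04-11T09:15:00Z", "user": "erin@example.com", "app": "MailTool",
     "client_id": "mailtool-client", "scopes": FULL_MAIL_CONTACTS},
    {"ts": "2017-05-02T14:20:00Z", "user": "frank@example.com", "app": "MailTool",
     "client_id": "mailtool-client", "scopes": FULL_MAIL_CONTACTS},
    {"ts": "2017-05-03T18:02:00Z", "user": "grace@example.com", "app": "CalSync",
     "client_id": "calsync-client",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def peak_grants(events, window=timedelta(minutes=10)):
    """Per client id: the most distinct users who granted consent inside any
    one sliding window.  A worm produces a spike; a normal add-on does not."""
    by_app = defaultdict(list)
    for e in events:
        by_app[e["client_id"]].append((_ts(e["ts"]), e["user"]))
    peaks = {}
    for cid, grants in by_app.items():
        grants.sort()
        peak = 0
        for i, (t0, _) in enumerate(grants):
            users = {u for t, u in grants[i:] if t - t0 <= window}
            peak = max(peak, len(users))
        peaks[cid] = peak
    return peaks


def flag_consent_worms(events, window=timedelta(minutes=10), burst_threshold=3):
    """Return {client_id: {"reasons": [...], "users": [...]}} for apps that hold
    both mail and contacts access (the worm's two ingredients) and either spread
    in a burst or masquerade as a first-party product.  The users listed are the
    accounts whose grants should be revoked."""
    peaks = peak_grants(events, window)
    findings = {}
    for e in events:
        cid = e["client_id"]
        scopes = set(e["scopes"])
        if not (scopes & MAIL_SCOPES and scopes & CONTACT_SCOPES):
            continue  # cannot both harvest contacts and send mail: not worm-shaped
        reasons = []
        if e["app"].strip().lower() in FIRST_PARTY_NAMES:
            reasons.append("third-party client using a first-party name")
        if peaks[cid] >= burst_threshold:
            reasons.append(f"{peaks[cid]} distinct users consented within {window}")
        if not reasons:
            continue
        entry = findings.setdefault(cid, {"reasons": reasons, "users": []})
        if e["user"] not in entry["users"]:
            entry["users"].append(e["user"])
    return findings


if __name__ == "__main__":
    for cid, f in flag_consent_worms(EVENTS).items():
        print(cid, f["reasons"], "revoke for:", ", ".join(f["users"]))
```

The scope check is deliberately the gate: an app that can read contacts but not send mail, or vice versa, cannot self-propagate, so it is left alone however popular it is. The burst threshold and window are tunable; for a real tenant they should be set above the normal daily rate at which staff approve new add-ons.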

Phishing is a form of social engineering that involves sending emails that appear to come from a trusted source or someone the recipient knows, in an effort to obtain the recipient’s credentials, break into their private accounts and obtain their personal information, or infect their computer systems. It is a common method of cyberattack today and one, as Google can attest, that can quickly cause widespread havoc.

Cybersecurity experts have observed that hackers and cybercriminals increasingly target small and medium-sized businesses, and that these attacks account for some 60% of all cyberattacks. One expert described such companies as the “soft underbelly” of cybersecurity. Companies of all sizes face potentially significant costs in responding to a data breach, including business disruption, lost revenue and loss of reputation. The average time to resolve a cyberattack has been estimated at 46 days, and costs rise the longer the damage goes unresolved.

Such expenses could be catastrophic for small or medium-sized businesses so it is important for such companies to understand the insurance implications and select the appropriate coverage to protect against losses from a cyberattack.

TRADITIONAL INSURANCE

Businesses need to assess their own cybersecurity risks and to exchange internal information openly within the company in order to address and mitigate an actual breach effectively. Yet a company’s internal assessment of its own weaknesses and the holes in its cybersecurity protections can, ironically, expose the company to even greater danger in future breach litigation: a good-faith internal report of cybersecurity weaknesses can read almost as an admission that the company found its protections for personal and confidential data to be inadequate.

Similarly, it is extremely important that, in the midst of a breach event, the company’s personnel exchange information about the crisis quickly and freely, without undue worry about how that information might look in a future litigation discovery proceeding.

Involving the company’s legal counsel in all important aspects of a cybersecurity risk assessment and breach response is therefore crucial, because of the protection that involvement can provide under the doctrines of (i) attorney-client privilege and (ii) work product protection.

The United States does not currently have a single comprehensive federal law regulating data privacy and cybersecurity. Instead, there is a patchwork of laws which at times overlap and in other cases may even contradict one another. This patchwork, together with the growth in interstate and international data flows, heightens the risk of privacy violations and can create significant compliance challenges. Failure to meet these challenges can result in government-imposed civil and criminal sanctions (including fines and penalties), private lawsuits and class actions, and damage to a company’s reputation and customer trust.

The following is a brief summary of some of the most significant Federal legislation impacting data privacy and cybersecurity matters.

Federal Trade Commission Act (the “FTC Act”)

Identity theft is a major concern for consumers and businesses alike. Roughly nine million individuals in the U.S. can expect to have their identity stolen each year. With just a few items of personal information (such as an individual’s name, social security number and date of birth), a cyber-criminal can drain existing accounts or open new credit card accounts, with devastating consequences for the unwitting consumer’s credit rating and future. If your business has been lax in protecting the personal information in its possession, you may be inviting your own devastating consequences: lawsuits by individuals whose identities were stolen as a result of your lax procedures, regulatory enforcement actions, and damage to your business reputation and loss of trust by your customers.

The Red Flags Rule, issued by the Federal Trade Commission (“FTC”), requires financial institutions and creditors with covered accounts (as defined in the Red Flags Rule) to develop a written program that identifies and detects the relevant warning signs, or red flags, of identity theft.

Red flags can include, for example:
