Cybersecurity & Data Privacy Insights

The United States does not currently have a single comprehensive federal law regulating data privacy and cybersecurity matters. Instead, there is a patchwork of laws which at times overlap, and in other cases may even potentially contradict one another. This patchwork, together with the growth in interstate and international data flow, heightens the risk of privacy violations and can create significant compliance challenges. Failure to meet these challenges, however, can result in government imposed civil and criminal sanctions (including fines and penalties), private lawsuits and class actions, as well as damage to a company’s reputation and customer trust.

The following is a brief summary of some of the most significant Federal legislation impacting data privacy and cybersecurity matters.

Federal Trade Commission Act (the “FTC Act”)

Identity theft is an area of major concern for consumers and businesses alike. Roughly nine million individuals in the U.S. can expect to have their identity stolen each year. With just a few items of personal information (such as the name, social security number, and the date of birth of an individual) a cyber-criminal can potentially drain existing accounts or open new credit card accounts with devastating consequences for the unwitting consumer’s credit ratings and future path in life. If your business has been lax in protecting the privacy of such personal information in its possession, you may be inviting your own devastating consequences: lawsuits by individuals experiencing identity theft as a result of your lax procedures, regulatory enforcement actions, and damage to your business reputation and loss of trust by your customers.

The Red Flags Rule, issued by the Federal Trade Commission (“FTC”), requires financial institutions and creditors with covered accounts (as defined in the Red Flag Rule) to develop a written program that identifies and detects the relevant warning signs, or red flags, of identity theft.

Red flags can include, for example:

It is a day that virtually every business owner fears, when you receive word from your IT department that your company’s computer system has been hacked.  A million thoughts rush through your head, but they all come back to one question: what do I do right now to protect my company, my employees and my customers? The answer may seem daunting, but an answer does exist. This article attempts to provide you with a few of the basics on how to respond to a cyber-attack, focusing on the first step: Establishing your cyber-response team.

The first step to be taken upon learning of a cyber-breach is to understand what happened and what type of breach occurred.  For example, is your system being held hostage by Ransomware, or did an employee mistakenly release confidential information? There are a number of common circumstances for cyber-breaches, such as: employee negligence like losing a laptop or flash drive containing personally identifiable information (“PII”) or protected health information (“PHI”); malicious insider behavior, such as the disgruntled or dishonest employee who steals company information to use for some nefarious purpose against the company; and perhaps the most wildly publicized breach as of late, hacking and cybercriminal activity.

In order to understand what happened and how best to react, the initial step is to assemble a team of cybersecurity  professionals who can assist with all facets of the cyber-breach.  In a perfect world, your company has already established its own cyber-breach response team, but if you have not done so, you will need to hire professionals as soon as possible after learning of the cyber-attack.  This means engaging individuals who possess expertise in Information Technology and are experienced in evaluating the severity and scope of a cyber-breach. The cyber-breach needs to be quickly identified, affected systems need to be isolated, defenses to future breaches need to be put in place and steps to retrieve data need to be taken.

Published on:
Updated:

A successful New Jersey business recently retained a cyber expert to evaluate the effectiveness of its network’s cybersecurity. The expert upgraded the company’s systems and educated its employees on how to recognize, prevent and respond to a cyber-attack. The expert then tested the defenses and was unable, despite multiple attempts, to hack into the company’s network. Satisfied that the network was reasonably secure, he decided to try one last trick. Posing as a friendly client who had an upcoming meeting, he called a receptionist and was given a Wi-Fi password which gave him access to the company’s network and sensitive information.

The good news for the company is that the breach was not real. The bad news is that, despite spending thousands of dollars to bolster its network security, the company’s network was compromised with a simple phone call. This is social engineering at its best.

WHAT IS SOCIAL ENGINEERING?

Contact Information