Category Archives: Data Breaches – What to do When One is Discovered

Guest Blog: 4 Ways To Keep Your Business Secure During The COVID-19 Pandemic

Cyber security concept businessman Lock on digital screen, contrast, virtual screen with a consultant doing presentation in the background Closed Padlock on digital, cyber security, key WannaCrypt

On Wednesday, March 11, 2020, the World Health Organization declared the outbreak of the coronavirus to be a pandemic. This is significant for several reasons. The first is that the way we interact has drastically, and must necessarily, change because of the contagiousness of the coronavirus and its effect on public health. Secondly, a public health scare such as this can adversely affect the health of a business’s cybersecurity and data privacy. Hackers and other cyber threat actors are capitalizing on the global concern over COVID-19. For example, Check Point researchers found that coronavirus-themed domains are over fifty (50) times more likely to be malicious than other domains and over 4,000 coronavirus-related domains have been registered since January 2020. In fact, a malicious website purporting to be the live map for COVID-19 global cases run by Johns Hopkins has been found to be circulating.

What does all of this mean? It means that your business, including your employees and clients, could be in danger if you don’t take precautionary measures to prevent the risk of a data breach.

How can small and mid-size businesses adapt quickly to ensure effective cybersecurity and data privacy protection right now? If your workforce has gone largely remote, you should focus your cybersecurity and data privacy efforts mainly on the following four areas most susceptible to a breach. This may help to mitigate the risk of a breach actually happening and limit any potential liability.

Below are four ways to keep your business safe from hackers and data breaches during this tumultuous time:

  1. Email Security
    • Make sure you and your staff know how to keep your email secure. Avoid opening emails, downloading attachments, or clicking on suspicious links sent from unknown or untrusted sources.
    • Verify unexpected attachments or links from people you know by contacting them through another method of communication like a phone call or text message.
    • Do not provide personal information to unknown sources like passwords, birthdates, and especially, social security numbers.
    • Be especially cognizant of emails with poor design, grammar, or spelling as this can be a sign of a phishing attempt.
  2. Password Protection and Multi-Factor Authentication
    • Use strong passwords on all of your accounts, and encourage your staff to do the same.
    • Avoid easy-to-guess words like names of pets, children, and spouses as well as common dates like birthdays.
  3. Web Safety
    • As noted above, there has been a massive influx of fake websites, whose creators are looking to take advantage of the fear surrounding the coronavirus.
    • Make sure that any websites that require the insertion of account credentials like usernames and passwords, along with those used to conduct financial transactions, are encrypted with a valid digital certificate to ensure your data is secure. Secure websites like these will typically have a green padlock located in the URL field and will begin with “https.”
    • While your workforce is working remotely, ensure that they are not using public computers and/or logging into public Wi-Fi connections to log into accounts and access sensitive information.
    • You may want to connect with an IT company or your in-house IT department to implement ad-blocking, script-blocking, and coin-blocking browser extensions to protect systems against malicious advertising attacks and scripts designed to launch malware.
    • Sign out of accounts and shut down computers and mobile devices when not in use.
  4. Device Maintenance 
    • Keep all hardware and software updated with the latest, patched version.
    • Run reputable antivirus or anti-malware applications on all devices and keep them updated with the latest version.
    • Create multiple, redundant backups of all critical and sensitive data and keep them stored off the network in the event of a ransomware infection or other destructive malware incident. This will allow you to recover lost files, if needed.

Lastly, if your business is not already protected by a cyber-insurance policy, now may be the time to consider obtaining coverage.

Small and mid-size businesses in the Delaware Valley should consider implementing the above cybersecurity and data privacy measures while adapting to a shifting health and security landscape in the wake of the coronavirus.

Stay safe, everyone!


corporate attorney philadelphia law firm

Krishna A. Jani
 is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or

First things first: What to do when a potential breach has been discovered

8Just like you are going to find water before you find you have a leaking pipe, before a business discovers its data has been breached it is going to discover evidence that suggests there has been a breach. This is a critical time frame to “shut off the valve” because the decisions a business makes while the breach is being investigated will shape the risks, liability, and costs the business will face in the event the breach is confirmed. Businesses that fail to take the appropriate steps upon discovery of a breach only exacerbate the damages and create additional avenues of potential liability. Now that you know that, how are you going to know how to react unless you have a plan in place first? The answer is that you are not going to know how to react and, short of blind luck, you are going to make the problem worse. Plan now so you don’t regret it looking through binoculars

If there is any suggestion that your data has been compromised, take steps to secure ALL of your data. Depending on how it is configured, this may mean moving data or employing a host of increasingly sophisticated ways to lock it down. If you cannot immediately identify the source of the alleged breach, just shut it down, or at least, shutdown as much as you can and as much seems reasonable?

Are you really saying I should “stop the presses” when I cannot even be sure is there’s been a breach? You bet I am, at least, sometimes. For some businesses, the reputational and legal risks of exposing additional data outweigh the costs of a temporary shutdown. According to the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company to investigate, notify customers/employees, and respond to a data breach was $3.5 million, and that figure is rising every year in most countries. The extent of a business’s loss often turns on when the business “knew or should have known” of a breach and what it did from that point forward. The key point is: you need to be sure you know of a breach at the time that the law says you should have known.

This does not mean you have to sound the alarm bell before you know or should have known of a breach. Businesses have a right, and a duty, to investigate circumstances that suggest their data has been exposed before the duty to serve notice arises, BUT the savvy business can mitigate risks and liability by, at least, closing suspect valves while it looks for the leak.

Questions? Let me know.

%d bloggers like this: