Lenovo class action highlights the way in which a single weakness in cyber security can have devastating effects

A class action lawsuit filed in California against computer manufacturer Lenovo highlights how a single weak link in the cyber security chain can lead to disastrous effects.

In the suit, the plaintiffs allege that Lenovo, for a fee, preinstalled adware called Superfish on the consumer laptops it sold, and that the preinstalled software created a cybersecurity vulnerability. Ostensibly, Superfish was only meant to display advertisements targeted to the user based on images the user viewed in the browser. To inject those ads into encrypted (HTTPS) pages, however, the software installed its own self-signed root certificate in the Windows trusted-root store and intercepted the user's TLS connections, and every affected machine shipped with the same certificate and the same private key. Once that private key was extracted and published, which happened shortly after the public disclosure in February 2015, anyone on the same network as an affected laptop could impersonate any HTTPS website to it and read or alter the user's traffic, including banking, e-mail and corporate sessions, without the browser showing any warning.

Lenovo has worked with Microsoft, McAfee, and others to remove the Superfish software and its root certificate but, of course, remediation requires users to install updates, which industry data suggests only one-third of users do on a timely basis. Two caveats matter here: uninstalling the Superfish application on its own did not remove the root certificate, so the certificate has to be removed separately, and the exposure follows the laptop, not the owner. In the meantime, any affected machine that still trusts the Superfish certificate, including an employee's personal laptop used for work, allows outside parties to read otherwise encrypted data.
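Because the certificate is the lasting risk, the practical check is whether the trusted-root stores on a machine still contain it. The following PowerShell script is an added example, not code from the original post or from Lenovo's or Microsoft's own removal tools; it assumes that matching on the subject name "Superfish" is enough to identify the certificate, and it deliberately does not hard-code a thumbprint.

```powershell
# Added example: look for a Superfish root certificate in the machine-wide and
# per-user trusted-root stores. Reading the stores does not require elevation;
# removing a certificate from LocalMachine\Root does.
function Find-SuperfishCertificate {
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object {
                # Assumption: the subject or issuer of the rogue root names "Superfish".
                $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*'
            } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
    }
}

$hits = Find-SuperfishCertificate
if ($hits) {
    'Superfish root certificate(s) still trusted on this machine:'
    $hits | Format-Table -AutoSize
    # Removal, from an elevated prompt, once you have recorded the findings:
    # $hits | ForEach-Object { Remove-Item -Path "$($_.Store)\$($_.Thumbprint)" }
} else {
    'No Superfish root certificate found in the trusted-root stores.'
}
```

Run the check on every Windows laptop that might have shipped in the affected period, not only on company-owned hardware, and treat a hit on a machine whose owner believes the software was "uninstalled" as expected rather than surprising, since the vendor's own uninstaller left the certificate behind.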

Lessons learned: cyber security requires vigilance at every level, because superfluous adware and other background processes installed on the machines you rely on can create significant liability for a business that never chose them.

Questions? Let me know.

Oops! Nearly a third of data breaches can be blamed on human error


Although we often think of the malicious hacker as the "boogey man" of data breaches, more breaches can be attributed to benign sources than to criminal activity. According to the 2014 Cost of a Data Breach Study: Global Analysis from the Ponemon Institute (sponsored by IBM), the second largest source of data breaches (30%) is human error, meaning contractors and employees whose mistakes resulted in exposure of confidential information.

How do businesses guard against this? Like everything else, they plan. This includes training (obviously) and also building systems and infrastructure that limit the damage a single employee or group can do. Employees cannot compromise what they cannot access (the principle of least privilege), yet businesses that fail to plan often give employees broader access than they need to do their jobs and thereby exacerbate their exposure.

Questions? Let me know.

The very least every lawyer needs to know about data breach liability

When a business experiences a data breach, after calling the CIO, its second call is going to be to its counsel, as it should be. Inevitably the business wants to know two things: what have you done to protect me from this exposure, and what is my total exposure? Counsel had better be prepared with a good answer to both, and I do not mean the standard lawyer response: "it depends."

First, counsel should already have instituted policies and procedures to mitigate this exposure and should be in a position to reassure the victimized business. These policies include: (i) retaining only the most essential customer/employee information to minimize the risk of exposure; (ii) encrypting data; (iii) using outside vendors who are insured and can provide some cover; (iv) instituting policies that limit employees' access to confidential information; and (v) instituting current data protection procedures. If counsel has done this, counsel can paint a picture of exposure that is favorable and limited.

Second, counsel must assess and, even more importantly, limit the total exposure. This means analyzing the type of data compromised and taking the appropriate steps to report the breach. Were only the business's own internal customer account numbers stolen? If so, and the business is not a bank, the effect of the breach may be minimal and manageable. Did the hackers access highly confidential information like social security numbers, health data, trade secrets, sales data, bank account/credit card numbers, or other personal identifiers? If so, the business needs to act accordingly. Is the data from foreign individuals or entities? If so, counsel needs to have a plan to address foreign compliance.

Of course, unless you are a lawyer practicing in this area, you may not know the answers or solutions off the top of your head, but, at minimum you need to know the questions to ask:

  1. What type of data was compromised?
  2. How many accounts/people are affected?
  3. Is the data in a form that cannot be readily accessed (e.g., encrypted, with keys that were not themselves compromised)?
  4. What is the source of the data?
  5. What states' and/or countries' laws might apply?

Questions? Let me know.

You cannot predict when you are going to have a data breach


A pattern I see repeated in all kinds of business disputes is that when a business fails to calculate the risk of something going wrong, it makes it even harder to repair when it does go wrong. Notice that the title of this post refers to "when" you will have a data breach, not "if." This is not to be alarmist. In fact, many data breaches are harmless. Surprised to hear that? What about an employee using internal records to locate a co-worker's home address to send a gift? Is that a data breach? Well, it depends on your policies and authorizations, but even if it is a "breach" it may not be one that causes damages.

The question is what can you do to prepare for the one that does cause damage? Do you segregate data so that any single breach reaches a more limited segment of your employees or customers? Do you encrypt data? According to recent reports, Anthem did not encrypt its data, and that will cost it. How can you avoid this? Plan, plan, and, oh yeah, plan.

Your first line of defense should be to gather your crisis response team and open the crisis response playbook. You don't have a team? You don't have a playbook? If that's the case, you aren't ready to be in the game. Here's what you need to know to get started:

Assembling a crisis response team:

  1. Identify the key information holders within your organization (who will manage customer relationships, public relations, legal compliance, technology compliance, data security, and restoration of business functions?).
  2. Identify the outside resources that will be needed (who knows the applicable laws in each state/country in which you operate, or can coordinate counsel; who has the expertise to identify and stop leaks; who has the media relations that will help get your message out?).
  3. Establish a chain of command and a division of duties so everyone knows their role and who is coordinating the response.

Creating a response playbook:

  1. Develop a set of compliance procedures.
  2. Identify contingency plans for using backup data or otherwise accessing key information.
  3. Develop an exhaustive checklist to ensure you do not overlook potentially crippling problems.

When you create a crisis response plan, focus on the short term, so you know what to do right away. In the months following a data breach there will be time for information gathering and refinement, and a good crisis response plan will put you in the best position to confront those medium-term problems in due course.

Questions? Let me know.

You cannot ensure you will not have a data breach, but can you insure against it?

For insurance companies, each large-scale data breach news story is like free advertising for data breach protection policies. Due to the increased awareness, more businesses are purchasing policies to protect against the risks of a data breach, according to a recent story in the Boston Globe and reports from insurer Liberty Mutual.

These policies can cover the costs of a data loss, from hiring investigators to find the source of the breach, to providing credit monitoring for customers, to enlisting public relations experts to help salvage the company's reputation. But there are many different types of policies available, and businesses would be well advised to consult with their legal counsel for advice as to what risks and costs should be covered for their specific business.

Additionally, some general liability policies may provide coverage, but as the risks of data breaches increase, so does the number of policies that exclude this coverage or, at least, provide only nominal coverage that is not sufficient to protect a business. In fact, insurance industry insiders have identified a trend of insurers specifically excluding electronic data losses from traditional corporate policies, forcing businesses to buy additional coverage. For instance, since October 2014, the Chubb Group of New Jersey has excluded privacy and data breaches from its standard insurance for directors and officers of health care companies.

Are you covered? Should you be? Now is the time to answer those questions.

Questions? Let me know.

First things first: What to do when a potential breach has been discovered

Just as you will find water before you find the leaking pipe, before a business discovers that its data has been breached it will discover evidence suggesting there has been a breach. This is the critical window in which to "shut off the valve," because the decisions a business makes while the breach is being investigated will shape the risks, liability, and costs the business will face if the breach is confirmed. Businesses that fail to take the appropriate steps upon discovery of a breach only exacerbate the damages and create additional avenues of potential liability. Now that you know that, how are you going to know how to react unless you have a plan in place first? The answer is that you are not going to know how to react and, short of blind luck, you are going to make the problem worse. Plan now so you don't regret it later.

If there is any suggestion that your data has been compromised, take steps to secure ALL of your data. Depending on how it is configured, this may mean moving data or employing a host of increasingly sophisticated ways to lock it down. If you cannot immediately identify the source of the alleged breach, shut it down, or at least shut down as much as you can and as much as seems reasonable. Where possible, isolate affected systems from the network rather than powering them off or wiping them, so that the logs and memory you will need to establish what happened (and what the law will say you should have known) are preserved for the investigation.

Are you really saying I should "stop the presses" when I cannot even be sure whether there has been a breach? You bet I am, at least sometimes. For some businesses, the reputational and legal risks of exposing additional data outweigh the costs of a temporary shutdown. According to the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company to investigate, notify customers/employees, and respond to a data breach was $3.5 million, and that figure is rising every year in most countries. The extent of a business's loss often turns on when the business "knew or should have known" of a breach and what it did from that point forward. The key point is: you need to be sure you know of a breach at the time the law says you should have known.

This does not mean you have to sound the alarm before you know or should have known of a breach. Businesses have a right, and a duty, to investigate circumstances that suggest their data has been exposed before the duty to give notice arises, BUT the savvy business can mitigate risks and liability by, at least, closing suspect valves while it looks for the leak.

Questions? Let me know.