Tag Archives: data breaches

The hacker in the henhouse


“How do we begin to covet? We begin by coveting what we see every day.”

― Dr. Hannibal Lecter in The Silence of the Lambs

Are you worried about your company’s, employees’ and/or customers’ data being hacked by sophisticated criminals or cyber activists from China, Russia, North Korea, or other far-off lands? Does the idea of losing your business’s hard-earned credibility and trust with the stroke of a key or two keep you up at night? You are not alone. An enterprising TV network could get high ratings with a late, late show catering to the business owners, senior management, and general counsel who are restless with thoughts of the class action lawsuits that are hitting Target, Home Depot, Sony, Anthem and others. But, while you have to be ever vigilant to protect your business from the type of all-out assault that is grabbing headlines, you can’t afford to overlook the threat lurking in the next office.

Did you know a recent study found the most likely threat to information security is not the overseas hacktivist, virus or worm, but rather the malicious or careless corporate insider? That’s right, employees caused more data breaches than any other source, 39% of reported breaches according to recent research. Note, I said “reported” breaches, which does not include the breaches employers do not discover or the ones they do not report. All this means it is a matter of when your data will be compromised, not if. Worse yet, when the breach is caused by a defecting employee, the information stolen can be the most crucial to your business’s success and the most harmful to its reputation.

On the one hand, employers who are the victim of malicious data breaches by employees or other insiders have a web of state and federal protections (and, hopefully, contractual rights) to help make them whole, but, on the other hand, the reality of the “unknown unknowns” and the costs of recovery virtually assure that winning a lawsuit still means losing, at least, a little. If your employee steals important data to establish a new business, you may well have the legal means to put a stop to it, but you may not be able to recover the customers you lost (or the revenue from the future customers those customers would have sent your way) or succeed in collecting a monetary judgment from a former employee who invested all of his assets into his start-up that is sputtering under the weight of litigation.

Breathe deeply. This blog post isn’t a horror show or an existential meditation on futility. Rather, there are key practical steps businesses should take to guard against this growing threat from within, which include:

  • Binding employees to contracts that tightly limit access to and use of key information and provide for strong remedies in the event of breach;
  • Storing only the electronic data needed to run your business and securely archiving data that is not needed on a routine basis or that is merely held for contingencies (hackers can’t take what they can’t access);
  • Tightly limiting employee access to data on a need-to-know basis so that the entire organization does not have access to it (does your east coast sales manager really need access to the west coast’s prospect list?);
  • Using the latest cyber tools to protect from infiltration and detect potential hacks;
  • Enforcing security protocols and controls, including requiring regular updating of passwords;
  • Locking in protections and allocating the risk with agreements with vendors who are given access to data;
  • Establishing appropriate insurance coverage;
  • Developing a data breach plan to designate a crisis response team and identify a process for addressing the breach in hours, not days; and
  • Working with counsel to understand the scope of your liability and how to mitigate it in anticipation of a possible breach.
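The need-to-know point above (the east coast manager who has no business reading the west coast prospect list) is easy to state and easy to get wrong in practice. The following is an added illustration, not code from the original post or from any firm it mentions: a small Python model in which prospect records are tagged by region, every read is checked against the caller’s region, and every request, allowed or denied, is written to an audit trail so repeated denied attempts can be spotted. All names, roles, regions and records are constructed for the example.

```python
"""
Need-to-know access check with an audit trail (added example, constructed data).

Two ideas from the post are modelled here:
  1. Data is segmented (by sales region), and a reader gets only the segment
     they have a business need for, so one compromised account cannot dump
     the whole prospect list.
  2. Every access attempt is logged, which is what lets you detect a user
     probing segments they are not entitled to.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Employee:
    username: str
    role: str    # hypothetical role name, e.g. "sales_manager"
    region: str  # the single region this person has a need to know


@dataclass
class ProspectStore:
    # Constructed sample data: prospect records tagged by region.
    records: dict = field(default_factory=lambda: {
        "east": ["Acme Corp", "Bayside LLC"],
        "west": ["Cascade Inc", "Delta Partners"],
    })
    # Audit trail: one entry per request, allowed or not.
    audit_log: list = field(default_factory=list)

    def _is_allowed(self, who: Employee, region: str) -> bool:
        # Need-to-know rule: sales managers read only their own region.
        # Anyone without a recognised role is denied by default.
        return who.role == "sales_manager" and who.region == region

    def read_prospects(self, who: Employee, region: str) -> Optional[list]:
        """Return the prospect list for `region`, or None if denied.

        The decision is recorded before any data is returned, so the log
        is complete even if the caller abandons the request.
        """
        allowed = self._is_allowed(who, region)
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": who.username,
            "region": region,
            "allowed": allowed,
        })
        if not allowed:
            return None
        # Return a copy so the caller cannot mutate the store's records.
        return list(self.records.get(region, []))

    def denied_attempts(self, username: str) -> int:
        """Count denied requests by one user (useful for detection)."""
        return sum(1 for e in self.audit_log
                   if e["user"] == username and not e["allowed"])

    def users_over_threshold(self, threshold: int) -> list:
        """Users whose denied attempts meet or exceed `threshold`.

        A simple detection rule: a manager who keeps asking for other
        regions' lists is worth a look, whatever the reason.
        """
        users = {e["user"] for e in self.audit_log}
        return sorted(u for u in users
                      if self.denied_attempts(u) >= threshold)


if __name__ == "__main__":
    store = ProspectStore()
    east_mgr = Employee("jane", "sales_manager", "east")
    print(store.read_prospects(east_mgr, "east"))   # her own region: allowed
    print(store.read_prospects(east_mgr, "west"))   # not hers: None
    print(store.users_over_threshold(1))            # ['jane']
```

Two design choices worth noting: the store denies by default (an unrecognised role gets nothing), and the audit entry is written before the decision is acted on, so the trail is complete regardless of what the caller does with the result.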

In sum, the ways in which the information age allows data collection and access that drives efficiency in business are the same ways it creates vulnerabilities. Employers cannot afford to overlook the likelihood of a data breach from within. By anticipating it and planning for it, employers can mitigate their damages.

Questions? Let me know.

You cannot predict when you are going to have a data breach


A pattern I see repeated in all kinds of business disputes is that when a business fails to calculate the risk of something going wrong, it makes it even harder to repair when it does go wrong. Notice, the title of this post refers to “when” you will have a data breach, not “if.” This is not to be alarmist. In fact, many data breaches are harmless. Surprised to hear that? What about an employee using internal records to locate a co-worker’s home address to send a gift? Is that a data breach? Well, it depends on your policies and authorizations, but, even if it is a “breach,” it may not be one that causes damages.

The question is what can you do to prepare for the one that does cause damage? Do you segregate data so that any breach will reach a more limited segment of your employees or customers? Do you encrypt data? According to recent reports, Anthem did not encrypt its data, and that will cost it. How can you avoid this? Plan, plan, and, oh yeah, plan.

Your first line of defense should be to gather your crisis response team and open the crisis response playbook. You don’t have a team? You don’t have a playbook? If that’s the case, you aren’t ready to be in the game. Here’s what you need to know to get started:

Assembling a crisis response team:

  1. Identify key information holders within your organization (who will manage customer relationships, public relations, legal compliance, technology compliance, data security, and restoration of business functions?).
  2. Identify outside resources that will be needed (who has the knowledge of applicable laws in each state/country in which you operate or can coordinate counsel, who has the expertise to identify and stop leaks, who has the media relations that will help get your message out?).
  3. Establish a chain of command and a division of duties so everyone knows their role and who is coordinating the response.

Creating a response playbook:

  1. Develop a set of compliance procedures.
  2. Identify contingency plans for using backup data or otherwise accessing key information.
  3. Develop an exhaustive checklist to ensure you do not overlook potentially crippling problems.

When you create a crisis response plan, focus on the short term, so you know what to do right away. In the months following a data breach there will be time for information gathering and refinement, and a good crisis response plan will put you in the best position to confront those medium-term problems in due course.

Questions? Let me know.

First things first: What to do when a potential breach has been discovered

Just like you are going to find water before you find you have a leaking pipe, before a business discovers its data has been breached it is going to discover evidence that suggests there has been a breach. This is a critical time frame to “shut off the valve,” because the decisions a business makes while the breach is being investigated will shape the risks, liability, and costs the business will face in the event the breach is confirmed. Businesses that fail to take the appropriate steps upon discovery of a breach only exacerbate the damages and create additional avenues of potential liability. Now that you know that, how are you going to know how to react unless you have a plan in place first? The answer is that you are not going to know how to react and, short of blind luck, you are going to make the problem worse. Plan now so you don’t regret it later.

If there is any suggestion that your data has been compromised, take steps to secure ALL of your data. Depending on how it is configured, this may mean moving data or employing a host of increasingly sophisticated ways to lock it down. If you cannot immediately identify the source of the alleged breach, just shut it down, or, at least, shut down as much as you can and as much as seems reasonable.

Are you really saying I should “stop the presses” when I cannot even be sure if there’s been a breach? You bet I am, at least, sometimes. For some businesses, the reputational and legal risks of exposing additional data outweigh the costs of a temporary shutdown. According to the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company to investigate, notify customers/employees, and respond to a data breach was $3.5 million, and that figure is rising every year in most countries. The extent of a business’s loss often turns on when the business “knew or should have known” of a breach and what it did from that point forward. The key point is: you need to be sure you know of a breach at the time that the law says you should have known.

This does not mean you have to sound the alarm bell before you know or should have known of a breach. Businesses have a right, and a duty, to investigate circumstances that suggest their data has been exposed before the duty to serve notice arises, BUT the savvy business can mitigate risks and liability by, at least, closing suspect valves while it looks for the leak.

Questions? Let me know.
