According to the Verizon 2013 Data Breach Investigations Report, a document assembled by law enforcement agencies from around the globe, there were nearly 47,000 data security incidents reported during the past year, with 621 of them classified as verified data breaches. While this figure is astonishing in itself, what isn’t included in the report are the cases that never make the headlines or ever get investigated by law enforcement. During the past three months our cyber investigation agency has investigated a number of significant data breaches.
One case involved a group of well-known actors who appear on a popular reality TV show. Their personal information was taken by criminals who hacked into their computers and cell phones and then used that information to harass and blackmail them.
We investigated a case in Miami in which a hacker stole over $300,000 via wire transfer. Unbeknownst to the client, his email account had been hacked. The hacker intercepted his communications with a major stock brokerage firm and then negotiated the issuance of several wire transfers that appeared to be on the client’s behalf.
In another case over $250,000 was stolen by a hacker who hijacked an overseas supplier’s email account. The hacker negotiated several transactions, including the purchase of manufacturing materials, using the supplier’s letterhead and transaction processes. Money was then wired to a bank account provided by the intruder.
Finally, a successful New York attorney’s office found itself involved in a transaction in which an organized hacking group had hacked its email account and used the firm’s letterhead and real estate closing protocols to hijack over $150,000 from one of their clients in a closing transaction.
The Changing Legal Landscape
In today’s world of electronic communications and data exchange, corporate and professional vulnerabilities continue to increase. There is a growing proliferation of organized crime and unscrupulous competitors who use sophisticated hacking methods to gain unlawful access to data and financial transactions.
What is perhaps most disturbing about this trend is the fact that small-to-medium-sized companies have become prime targets due to ease of access and their financial value to cyber criminals.
What about the clients of the victimized companies? What rights do they have? Should they sue the hacked business? Should they seek legal help when their data or money is stolen?
A recent study by Ipsos Reid for the Shred-It Company showed that 69% of small business owners think that data breaches won’t impact their reputation and that therefore they aren’t something they need to worry about. In another study, The Ponemon Institute showed that 55 percent of responding small businesses had experienced a data breach, almost all of them involving electronic records, and 53 percent had experienced multiple breaches. Only 33 percent of the breached businesses notified people whose records had been breached, despite the fact that 46 states require that individuals be contacted when their private information is exposed.
What these studies illustrate is that small businesses are under increasing attack by a combination of organized crime, unscrupulous competitors, disgruntled employees and unhappy customers, yet 69% of them still don’t believe attacks will hurt their reputation. We believe that these business owners and their attorneys are not giving adequate consideration to the financial and legal liability that they potentially face for not taking adequate steps to protect their customers from financial or data loss.
Standing Is The Key
Standing is a legal term that refers to a plaintiff’s ability to demonstrate sufficient connection to and harm from the law or action challenged in order to support their participation in a case.
While this is an ever-changing and hotly debated subject, federal courts have ruled that in order to have standing a plaintiff must have:
- A concrete injury-in-fact.
- The ability to demonstrate a relationship between the conduct complained about and the injury itself.
- A likelihood that a favorable ruling will provide the relief sought.
What the Supreme Court has made abundantly clear is that plaintiffs must show that the actual injury is traceable to the defendant’s unlawful conduct or irresponsibility.
Our review of hundreds of businesses shows that the ability to obtain standing would be pretty easy to prove: all it takes is a cyber security professional working in combination with a competent privacy attorney.
Proving The Case
If you are the client of a business that suffered a data breach, in order to prove the business itself negligent in the breach a skilled attorney must show that you have standing in the case and that certain actions by the business did not “prudently” protect you from harm. On the other hand, if you are a business owner reading this article there are steps that you can take to show that you took “reasonable” precautions to protect your clients from harm’s way.
Cyber Investigation Services, a cyber investigation and security firm, reviews several thousand cyber cases a year. We have developed a number of best practices for businesses that are designed to help attorneys and businesses evaluate their cyber security posture in protecting clients’ financial and confidential data.
Cyber Security Best Practices:
- Data Segregation – Every organization has information critical to its operations, as well as critical client and vendor information that is sensitive and private. It is important in developing a security architecture plan for your organization that you identify what those critical information points are, who should be able to access them, how they should be accessed and what applications and security measures need to be in place.
- Access and Information Flow – Not everyone in an organization should have access to all information, yet in many cases this is how small businesses structure themselves. Access control procedures should be put in place for password protection, logon authentication, session termination, logon monitoring, document monitoring, wireless access and mobile device access, so that access to key information is both controlled and monitored.
- Security Awareness and Training – Most data breaches occur because of simple mistakes such as employees visiting malicious sites, falling prey to spear phishing attempts or malicious documents, and social engineering. Organizations should have security awareness training at least once a year, and should also consider conducting an outside test against their organization to determine their vulnerability to social engineering.
- Audit and Accountability – One of the missing factors in most businesses is active monitoring and auditing for key events and indicators that are early warning signs. Utilizing tools such as event log monitoring, web application monitoring, IDPS and firewall monitoring, or TCP/UDP traffic monitoring with predetermined alerts set up to roll up to the business owner or IT manager can go a long way towards seeing early warning signs of an incident BEFORE it actually happens.
- Configuration and Patch Management – In most organizations that we review we see little effort spent on simple things like keeping computers and software up to date with the latest security patches, the establishment of group policies, or firewall configurations. While doing these precautions may seem elementary, failing to do them shows a lack of attention to the security of your network, and leaves your systems vulnerable.
- Encryption – Encryption is the process of encoding communication in a manner that third parties can’t read. Many states exempt data breach reporting if the data obtained was encrypted. This is a task that can be accomplished by most businesses using pretty simple processes. Typical steps for data at rest are full disk encryption, file/folder encryption and virtual disk encryption. Other measures must be taken for data in transit in order to encrypt that traffic.
- Media Protection – Skilled hackers and white hat penetration testers understand how easy it is to get unsuspecting victims to pick up a jump drive they find on the floor, plug it in, and infect an entire system. In the same way, malicious insiders can cause great harm in organizations that lack policies governing the uploading and downloading of executables. These actions can be easily blocked both by policies and by firewalls that protect the organization, as well as by disabling auto-run functions for DVD/CDR drives and USB ports.
- Web Application Protection – Small businesses typically rely upon website designers to design their website, shopping carts and point of sale application connections. Unfortunately, many web designers are focused on the aesthetics and functionality of a website and not on providing security from SQL injections, Cross Site Scripting, Cross Site Request Forgeries and web application vulnerabilities. As a result, you may unknowingly be providing an open door to unwanted intruders, giving them access to your entire system and critical data.
- Cloud Risk Assessments – Over the past few years we have seen more and more businesses moving their key data and information into cloud-based storage such as Google Docs, Dropbox, and the like. While at face value this seems to be a way to transfer liability to a cloud provider, in actuality you are just adding another party to a potential lawsuit. Cloud-based providers need to be evaluated for their physical security, application security, backup and storage policies, security policies, and security testing policies in the same way as if you were housing the data yourself. Otherwise you haven’t really alleviated the risk, you’ve simply spread it around.
- Risk Evaluations – It’s wise to hire a cyber security specialist to test the security of your network perimeters, critical data and vulnerabilities on at least an annual basis. Taking this action in conjunction with a privacy attorney who specializes in electronic privacy and data breach law is highly recommended.
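As an added illustration (not code from this article or from Cyber Investigation Services) of the logon monitoring and predetermined alerts described under Access and Information Flow and Audit and Accountability, the Python script below checks constructed logon records against an assumed per-account baseline of source addresses and flags logons from unfamiliar sources as well as bursts of failed logons. The log format, the baseline and the thresholds are assumptions made for this example.

```python
"""Added example: minimal logon-audit check of the kind the article's
'Audit and Accountability' item calls for. Log format, baseline and
thresholds are assumptions for illustration, not a real product's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp user result source_ip"
SAMPLE_LOG = """\
2013-06-03T08:01:10 jsmith SUCCESS 203.0.113.10
2013-06-03T08:05:41 jsmith SUCCESS 203.0.113.10
2013-06-03T22:14:02 jsmith FAIL 198.51.100.77
2013-06-03T22:14:09 jsmith FAIL 198.51.100.77
2013-06-03T22:14:15 jsmith FAIL 198.51.100.77
2013-06-03T22:14:20 jsmith FAIL 198.51.100.77
2013-06-03T22:14:31 jsmith SUCCESS 198.51.100.77
2013-06-03T09:30:00 amiller SUCCESS 203.0.113.22
"""

# Assumed baseline: the source addresses each account normally logs on from.
BASELINE = {"jsmith": {"203.0.113.10"}, "amiller": {"203.0.113.22"}}


def parse(log_text):
    """Turn the constructed log text into time-sorted (ts, user, result, ip) tuples."""
    records = []
    for line in log_text.splitlines():
        ts, user, result, ip = line.split()
        records.append((datetime.fromisoformat(ts), user, result, ip))
    return sorted(records)


def audit(log_text, baseline, fail_threshold=3, window=timedelta(minutes=5)):
    """Return alerts to roll up to the owner: one per failed-logon burst
    (fail_threshold failures from one source within `window`) and one per
    successful logon from a source not in the account's baseline."""
    alerts = []
    fails = defaultdict(list)  # (user, ip) -> failure timestamps inside window
    for ts, user, result, ip in parse(log_text):
        if result == "FAIL":
            recent = [t for t in fails[(user, ip)] if ts - t <= window] + [ts]
            fails[(user, ip)] = recent
            if len(recent) == fail_threshold:  # alert once, when threshold is hit
                alerts.append(("failed-logon-burst", user, ip))
        elif result == "SUCCESS" and ip not in baseline.get(user, set()):
            alerts.append(("new-source-logon", user, ip))
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG, BASELINE):
        print("ALERT:", *alert)
```

In practice the baseline would be built from the account's own history and the alerts routed to whoever the business has designated, as the Audit and Accountability item describes.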