Cybersecurity & Data Privacy Articles by Eric B. Levine

Lindabury’s Cybersecurity and Data Privacy Practice Group Co-Chair Eric Levine was recently interviewed by NJBIZ regarding the recent security lapse of a South Jersey physicians network which wiped out the password protection on a supposedly secure site.

Eric says, “A company that engages in thorough due diligence may be able to use that as a defense if it’s sued as a result of a third-party provider hack.”

“It’s important to deal with cybersecurity and other issues up front, especially when you’re dealing with a new vendor,” Levine said. “Consider the depth of access to your data that they need, too. If a firm is just providing you with paper products, they don’t need deep access to your data, so a cybersecurity audit may not be very important.

Over the past several months, our firm’s Cybersecurity and Data Privacy Practice team has had ample opportunity to report on a number of high-profile security and data breaches. It appears that trend is going to continue, as another massive cyber-breach was just reported. This time, it was Uber that had its network breached, and that breach impacted 57 million users of the ride-sharing service, as well as 600,000 Uber drivers. Although paling in comparison to other recent breaches like those of Equifax and Yahoo in terms of the number of individuals whose data was stolen, the Uber breach is equally important in developing your own awareness of how to respond to data breaches: Uber provides another example of what not to do when a data breach occurs. Uber’s mistakes are numerous and could have long-lasting consequences. Here are a few of those mistakes, followed by some advice on how to avoid them.

Mistake #1: Uber fails to notify victims of the breach: Uber reported that its network was compromised in late 2016, yet Uber did not alert victims of the breach until November 21, 2017. The scope of the breach is apparently international, with data protection agencies in the United Kingdom, Australia and the Philippines looking into possible violations of their respective countries’ privacy laws. In the United States alone, there are forty-eight different state laws governing security breach notifications, many of which require notice to be provided as soon as possible. Waiting almost a year before providing notice to individuals whose information was unlawfully accessed likely exposes Uber to liability in a multitude of states and countries in which Uber can expect to be, and already has been, sued. As of November 23, 2017, at least two class action lawsuits have been filed in California claiming that Uber “failed to implement and maintain a responsible security procedures and practices appropriate to the nature and scope of the information compromised in its data breach”. Attorneys General from Illinois, New York, Connecticut and Massachusetts have been reported as opening investigations, and it is a practical certainty that dozens of their colleagues will soon follow their lead.

Mistake #2: Uber fails to notify governmental authorities of the breach: To make matters worse, in addition to not notifying individual victims of the data breach, Uber did not notify governmental agencies until recently. In doing so, Uber has potentially exposed itself to regulatory penalties, including fines and potential lawsuits, as well as likely having to appear at state and federal inquiries, either voluntarily or through the use of subpoenas. Unfortunately for Uber, its explanation as to why it failed to notify the proper authorities is going to be aired to the public, likely in real time.

By now, everyone has likely been inundated with information about the Equifax data breach. If you are one of the few who has not heard about what happened, here’s the short version: Equifax suffered an enormous security breach as a result of its poor data privacy hygiene, resulting in over 143 million people having their credit information, including their social security numbers, names and addresses, potentially exposed. The impact will be felt for a long time, and the consequences if you are affected could be significant.

So what exactly did Equifax do wrong? To be blunt, EVERYTHING. First, according to industry experts, Equifax failed to install a readily available security update, which left it vulnerable to hackers. Second, the lack of security updating was compounded by the fact that Equifax’s administrative passwords were simplistic, certainly for a company whose primary purpose is to store sensitive information, and were easily decipherable by the cyber-intruder. Third, and what makes matters worse, the security update was available to Equifax two months before the breach. Fourth, in addition to Equifax’s lax cyber-hygiene, Equifax waited for months after it knew of the breach before reporting it to the public. Fifth, when Equifax finally reported the breach, the message it sent was a weak one that left the public feeling exposed and betrayed, especially when it turned out that certain Equifax executives sold large quantities of company stock after the breach was discovered but before it was reported. It is hard to envision any worse corporate conduct, both leading up to the breach and continuing until today.

In the aftermath of such an historic cyber-breach, what lessons can companies and individuals learn, and what steps are to be taken to mitigate the damage? On the corporate level, companies need to take cybersecurity and data privacy seriously, invest adequate resources in addressing the issue, and partner with professionals versed in all aspects of today’s cybersecurity environment, including legal counsel, technical/forensics experts and insurance professionals. Develop and implement prudent Information Technology practices that include continuous system maintenance, updating/patching of software, mapping, segregating and encrypting data, as well as actively being vigilant for intrusions or data loss. Prepare a plan for how to respond to breaches or data losses. Perform vulnerability assessments under the guidance of counsel, to determine where you need to shore up your defenses while maintaining the confidentiality of the assessment results through attorney-client privilege. Obtain insurance policies to blunt the impact of data breaches and to obtain resources to assist with specific breaches like ransomware/malware.

By now, most people are familiar with the 2013 data breach reported by Target. Described as one of the largest data breaches in U.S. history, Target acknowledged that hackers gained access to credit card and debit card data from up to 40 million of its customers. In the time since the breach, much attention has been given to its aftermath and what impact it would have on the future of cybersecurity. That future appears to have arrived, at least in part, with the announcement of a record-setting settlement between Target and forty-seven states, as well as the District of Columbia.

Under the settlement agreement, Target will pay $18.5 million to the participating states, which is in addition to $10 million that Target has already paid to consumers in a settlement of a private class action lawsuit and $39 million Target paid to several banks that serviced MasterCards used by Target’s customers. Yet, the settlement is noteworthy for several reasons beyond the staggering financial component, and the implications that are left behind offer some useful guidance for companies hoping to avoid suffering a similar fate to Target’s.

First, anyone looking for direction on how to structure their own company’s internal cybersecurity protocols and defenses in a way that would ostensibly comply with the standards acceptable to their respective state’s Attorney General can now look to the settlement agreement as a model (except if you live in Alabama, which did not participate in the settlement as it lacks a state data breach notification law, or Wisconsin or Wyoming, which chose not to participate in the settlement). While the settlement is not binding on anyone but Target, it represents a joint effort by nearly every state’s Attorney General to ensure that future cyber-breaches of the same magnitude as Target’s do not occur. This means that it is likely a strong indicator of what state enforcement agencies are going to look for in future investigations when determining whether a company had proper cybersecurity safeguards in place. For instance, the agreement mandates that Target implement corrective measures such as maintaining appropriate encryption policies, implementing password rotation policies and two-factor authentication, and even segmenting cardholder data from the rest of Target’s computer network. Incorporating such protections into your company’s cybersecurity and data privacy protocols is a sound practice and now appears to be one that carries at least some unofficial governmental approval.

Lindabury’s Cybersecurity and Data Privacy Practice Group Co-Chair Eric Levine spoke at the NJBIZ Cybersecurity conference on May 17th at the Raritan Valley Country Club in Bridgewater, explaining how companies can get hurt by doing the right thing when it comes to cybersecurity.

“To protect any small business, you need to have legal involved, if for no other reasons than to cloak what you are doing with privilege or confidentiality — by that, I mean communications with your attorney that nobody else can get to,” he said.

“Think about it,” he told the audience. “You hire (an expert) who comes in and does a vulnerability assessment and they find out you have a gaping hole in your security. That’s great. You fix it.

Eric Levine, Lindabury’s Cybersecurity and Data Privacy Group’s Co-Chair, was recently interviewed by NJBIZ’s Brett Johnson regarding a business’s first line of defense against a cyberattack. Levine says the approach exploits features inherent to human nature. “It’s preying on people’s inquisitive side,” Levine said. “And you can’t buy a firewall for that.”

“Yes, there are hackers who are out there who are trying to break through firewalls through different approaches, including state-sponsored actors, and there are many technologies to protect against that,” Levine said. “But it’s the social engineering — (stuff like) phishing scams — that capitalizes on mistakes people make that are the easiest tools to utilize.”

May 3, 2017 was a bad day for Google, as a major phishing attack spread like internet wildfire, targeting users of Google Docs. However, as bad as it was for Google, it provided us with a real-life example of how the first line of defense against a cyber-attack is none other than you and me. People, not breached firewalls or lack of encryption, are often the cause of a major cyber incident, but with a little diligence, we can present a formidable front-line defense.

What occurred on May 3, 2017 has been described as a widespread phishing scheme through which people received an email, apparently originating from a trusted source, that asked the recipient to open a Google document embedded within the email. If the recipient opened the Google document, they granted the sender access to the recipient’s email account and contacts. Once the Google document read the recipient’s contacts, it in turn sent more phishing attempts to those contacts. The cycle repeated itself rapidly, and Google estimated that the attack spread so quickly that, at its peak, Google’s customer base saw about 150 messages sent per minute. It was estimated that the attack may have affected at least one million people.

Phishing is a form of social engineering that involves sending emails that appear to come from a trusted source or someone the recipient knows, in an effort to obtain the recipient’s computer credentials, to hack into the recipient’s private accounts and obtain their personal information, or to infect the recipient’s computer systems. It is a common method of cyber-attack today and one, as Google can attest, that can quickly cause widespread havoc.

It is a day that virtually every business owner fears: when you receive word from your IT department that your company’s computer system has been hacked. A million thoughts rush through your head, but they all come back to one question: what do I do right now to protect my company, my employees and my customers? The answer may seem daunting, but an answer does exist. This article attempts to provide you with a few of the basics on how to respond to a cyber-attack, focusing on the first step: establishing your cyber-response team.

The first step to be taken upon learning of a cyber-breach is to understand what happened and what type of breach occurred. For example, is your system being held hostage by ransomware, or did an employee mistakenly release confidential information? There are a number of common circumstances for cyber-breaches, such as: employee negligence, like losing a laptop or flash drive containing personally identifiable information (“PII”) or protected health information (“PHI”); malicious insider behavior, such as the disgruntled or dishonest employee who steals company information to use for some nefarious purpose against the company; and, perhaps the most widely publicized breach as of late, hacking and cybercriminal activity.

In order to understand what happened and how best to react, the initial step is to assemble a team of cybersecurity professionals who can assist with all facets of the cyber-breach. In a perfect world, your company has already established its own cyber-breach response team, but if you have not done so, you will need to hire professionals as soon as possible after learning of the cyber-attack. This means engaging individuals who possess expertise in Information Technology and are experienced in evaluating the severity and scope of a cyber-breach. The cyber-breach needs to be quickly identified, affected systems need to be isolated, defenses against future breaches need to be put in place, and steps to retrieve data need to be taken.
