Cybersecurity & Data Privacy Insights

Lindabury’s Cybersecurity and Data Privacy Practice Group Co-Chair Eric Levine was recently interviewed by NJBIZ regarding the recent security lapse of a South Jersey physicians network which wiped out the password protection on a supposedly secure site.

Eric says, “A company that engages in thorough due diligence may be able to use that as a defense if it’s sued as a result of a third-party provider hack.”

“It’s important to deal with cybersecurity and other issues up front, especially when you’re dealing with a new vendor,” Levine said. “Consider the depth of access to your data that they need, too. If a firm is just providing you with paper products, they don’t need deep access to your data, so a cybersecurity audit may not be very important.

Over the past several months, our firm’s Cybersecurity and Data Privacy Practice team has had ample opportunity to report on a number of high profile security and data breaches. It appears that trend is going to continue as another massive cyber-breach was just reported. This time, it was Uber that had its network breached, and that breach impacted 57 million users of the ride sharing service, as well as 600,000 Uber drivers. Although paling in comparison to other recent breaches like that of Equifax and Yahoo in terms of the quantity of individuals whose data was stolen, the Uber breach is equally important in developing your own awareness of how to respond to data breaches, Uber provides another example of what not to do when a data breach occurs. Uber’s mistakes are numerous and could have long-lasting consequences. Here are a few of those mistakes, followed with some advice on how to avoid them.

Mistake #1: Uber fails to notify victims of the breach: Uber reported that its network was compromised in late 2016, yet Uber did not alert victims of the breach until November 21, 2017. The scope of the breach is apparently international, with data protection agencies in the United Kingdom, Australia and the Philippines looking into possible violations of their respective countries’ privacy laws. In the United States alone, there are forty-eight different state laws governing security breach notifications, many of which require notice to be provided as soon as possible. Waiting almost a year before providing notice to individuals whose information is unlawfully accessed likely exposes Uber to liability in a multitude of states and countries in which Uber can expect to be, and has already been sued. As of November 23, 2017, at least two class action lawsuits have been filed in California claiming that Uber “failed to implement and maintain a responsible security procedures and practices appropriate to the nature and scope of the information compromised in its data breach”. Attorneys General from Illinois, New York, Connecticut and Massachusetts have been reported as opening investigations and it is a practical certainty that dozens of their colleagues will soon follow their lead.

Mistake #2: Uber fails to notify governmental authorities of the breach: To make matters worse, in addition to not notifying individual victims of the data breach, Uber did not provide timely notice to governmental agencies until recently. In doing, Uber has potentially exposed itself to regulatory penalties, including fines and potential lawsuits, as well as likely having to appear at state and federal level inquiries, either voluntarily or through the use of subpoenas. Unfortunately for Uber, its explanation as to why it failed to notify the proper authorities is going to be aired to the public, likely in real time.

By now, everyone has likely been inundated with information about the Equifax data breach.  If you are one of the few who has not heard about what happened, here’s the short version: Equifax suffered an enormous security breach as a result of its poor data privacy hygiene resulting in over 143 million people having their credit information, including their social security numbers, names and addresses, potentially exposed. The impact will be felt for a long time and the consequences if you are affected could be significant.

So what exactly did Equifax do wrong? To be blunt, EVERTYTHING. First, according to industry experts, Equifax failed to install a readily available security update that left it vulnerable to hackers. Second, the lack of security updating was compounded by the fact that Equifax’s administrative passwords were simplistic, certainly for a company that’s primary purpose is to store sensitive information, and was easily decipherable by the cyber-intruder.  Third and what makes matters worse is that the security update was available to Equifax two months before the breach. Fourth, in addition to the lax cyber-hygiene of Equifax was the fact that Equifax waited for months after it knew of the breach before reporting it to the public.  Fifth, when Equifax finally reported the breach, the message it sent was a weak one that left the public feeling exposed and betrayed, especially when it turned out the certain Equifax executives sold large quantities of company stock after the breach was discovered but before it was reported.  It is hard to envision any worse corporate conduct both leading up to the breach and continuing until today.

In the aftermath of such an historic cyber-breach, what lessons can companies and individuals learn and what steps are to be taken to mitigate the damage? On the corporate level, companies need to take cybersecurity and data privacy seriously, invest adequate resources to addressing the issue and partner with professionals versed in all aspects of today’s cybersecurity environment, including legal counsel, technical/forensics experts and insurance professionals. Develop and implement prudent Information Technology practices that include continuous system maintenance, updating/patching of software, mapping, segregating and encrypting data as well as actively being vigilant for intrusions or data loss.  Prepare a plan for how to respond to breaches or data losses. Perform vulnerability assessments under the guidance of counsel, to determine where you need to shore up your defenses while maintaining the confidentiality of the assessment results through attorney-client privilege.  Obtain insurance policies to blunt the impact of data breaches and to obtain resources to assist with specific breaches like ransomware/malware.

By now, most people are familiar with the 2013 data breach reported by Target. Described as one of the largest data breaches in U.S. history, Target acknowledged that hackers gained access to credit card and debit card data from up to 40 million of its customers. In the time since the breach, much attention has been given to its aftermath and what impact it would have on the future of cybersecurity. That future appears to have arrived, at least in part, with the announcement of a record-setting settlement between Target and forty-seven states, as well as the District of Columbia.

Under the settlement agreement, Target will pay $18.5 million to the participating states, which is in addition to $10 million that Target has already paid to consumers in a settlement of a private class action lawsuit and $39 million Target paid to several banks that serviced MasterCards used by Target’s customers. Yet, the settlement is noteworthy for several reasons beyond the staggering financial component, and the implications that are left behind offer some useful guidance for companies hoping to avoid suffering a similar fate to Target’s.

First, anyone looking for direction on how to structure their own company’s internal cybersecurity protocols and defenses in a way that would ostensibly comply with the standards acceptable to their respective state’s Attorney General can now look to the settlement agreement as a model (except if you live in Alabama, which did not participate in the settlement as it lacks a state data breach notification law, or Wisconsin or Wyoming, which chose to not participate in the settlement). While the settlement is not binding on anyone but Target, it represents a joint effort by nearly every state’s Attorneys General to insure future cyber-breaches of the same magnitude as Target’s do not occur. This means that it is likely a strong indicator of what state enforcement agencies are going to look for in future investigations when determining if a company had proper cybersecurity safeguards in place. For instance, the agreement mandates that Target implement corrective measures such as maintaining appropriate encryption policies, implement password rotation policies and two factor authentication and even segmenting cardholder data from the rest of Target’s computer network. Incorporating such protections into your company’s cybersecurity and data privacy protocols is a sound practice and now appears to be one that carries at least some unofficial governmental approval.