One of my husband’s goodhearted employees nearly fell victim to a scam that has been rampant throughout the country. The employee received an email from a senior staff member (or so it seemed) asking if he was in the office. It was early on a Friday morning, before many people had arrived. The employee, never wanting to disappoint, responded yes. The alleged senior staff member then asked the employee for help – asking if he could go to a nearby drug store, purchase several gift cards and then send him the redemption codes. The employee got as far as purchasing $500 worth of gift cards before he took a moment to think about what he was doing. Just prior to sending the codes, he picked up the phone to confirm with the senior staff member…

While the employee ultimately realized he might be the subject of a scam, too many people take action without first verifying. By our nature, people are helpful. We hold the door for others and offer to send money to someone in need. Scammers are all too happy to take advantage of our good nature. Sadly, in this day and age, we need to take that extra minute or two (or three) to pick up the phone and verify. Being helpful is wonderful – but being smart is self-preservation.

And, for employers, this type of scam is best combated by proper and regular cyber training for your personnel. More than half of reported breaches (including some in the headlines) begin with employees responding to this type of phishing email, a spoofed account or a suspect link. Be smart and be secure.

As the target of a corporate cyber breach, are you a victim – along with your customers and personnel – or are you a “willing” accomplice to the crime?

This week, a U.K. bank was fined in excess of $21 million for failing to protect its systems and customers against a “foreseeable” cyber-attack that occurred in 2016.

The bad actors exploited deficiencies in the design of the bank’s debit cards. In the year preceding the attack, Visa, Inc. had issued a warning to lenders, including this bank, about this weakness. As such, the regulator found that the bank was on notice of the potential for the attack, and nevertheless failed to take action to prevent its occurrence.

Those of you based in the U.S. reading this post may say, “well that is the U.K.”…

However, earlier this year, a Federal District Court in North Carolina found that a U.S.-based company that failed to train its personnel about a “known” phishing scam had acted “intentionally” when one of its (untrained) employees released the company’s employees’ W-2s in response to such a phish. In this case, the IRS had issued warnings in prior years about this type of scam. However, the U.S. company did not train its personnel to be aware of such an attack, nor did it have protocols in place to guide personnel in such instances. In finding that the company acted “intentionally,” the court ruled that the company, in effect, willfully exposed the social security numbers of its personnel. Under North Carolina law, having been found to have acted intentionally, the company was subject to treble damages.

Given these rulings, and with more and more states adopting proactive legislation requiring businesses to have written policies, procedures and protocols in place to prevent, detect and mitigate cyber-attacks, companies may not be able to argue that they were “innocent” victims, too.

Having written policies and procedures, supporting technology and educated personnel will go a long way toward protecting the company, its customers and its personnel; and when (not if) an attack occurs, the company will be prepared to respond effectively.

I am sure you have read about the latest breach, this time hitting Facebook. Facebook confirmed that the access codes for 50 million accounts were compromised. Facebook is still investigating the impact of the breach, and has not yet reported whether any personal information was gathered or misused from those accounts.

For those of you who use Facebook, err on the side of caution and assume your information was compromised. If you have not already done so, change your login credentials for your Facebook account. If you use the same credentials for other accounts (which you should not do), then those account credentials should be changed, too. If you link your Facebook account to other social media accounts, you should check those accounts and change the credentials on those accounts, too.

I noted in a prior post that birthdays should not be posted on LinkedIn. Similarly, such personally identifiable data points should not be posted on your Facebook or other social media accounts.

While Facebook may be a wonderful way to stay in touch with friends and family, living out loud online puts you at risk.

Do not feel compelled to share future plans for travel, or other personal data/information, on social media. Be smart and be safe!

Many businesses and individuals dispose of aging equipment, laptops, desktops, servers and more by monetizing those items. Disposal may be by sale at auction or donation to charity. Some companies now lease equipment, and turn over such items at lease end. However, many businesses and individuals forget – or do not realize – that the equipment they use to process data also stores that data. This could include such items as computers, fax machines, photocopiers, cellphones or other similar devices. When you return, sell or donate that equipment, you may be unwittingly causing a data breach.

NCIX, a recently failed Canadian company, did just that. The company, strapped for cash, sold off servers without first wiping the data. The devices in question stored data in plain text and contained decades of customer information, including names, addresses and payment information.

Whether you are returning leased equipment or selling or donating old items, and even if the data is encrypted, always have the data wiped from the device. For leased equipment, do not assume the leasing company will do this for you absent an express contractual undertaking to do so.

I recently had a death in the family. One of the things we addressed while making arrangements was to freeze the credit of my stepfather. I would like to say, as a cyber attorney, that this was my idea, but I confess that, in mourning the loss of a wonderful man, I was thinking like a daughter and not like an attorney. The credit freeze was one of the services the funeral home offered.

Sadly, this is one of the more important things that a family should do after losing a loved one. Criminals comb obituaries to find homes they can break into, and identities they can steal. Freezing the credit of a lost loved one does not impede the settlement of the estate, and ensures that a grieving family does not have the added heartache of a stolen identity and stolen assets. Consideration should also be given to social media profiles and accounts, along with credit cards. While it is an unfortunate statement about our society that a family in mourning must address such matters, it is essential that this be undertaken quickly.

NJCCIC shared today that as of 9/21/18, Equifax, Experian and TransUnion will be required to offer free credit freezes. NJCCIC further reported that “[a]s part of the new Economic Growth, Regulatory Relief and Consumer Protection Act, parents will also be able to request free credit freezes for children under the age of 16 and free credit monitoring services will be offered to all active duty military personnel.” More information is available on the Federal Trade Commission Consumer Information blog.

Keep in mind, however, that if you are in the process of buying or financing a major purchase (car or home), or undertaking any other venture for which a third party would look to run a credit check, you will need to allow for those parties to access your credit report. Further, if you do freeze your credit, and then misplace your access credentials with the particular credit agency, it is not a small undertaking to prove you are really you to unfreeze your credit. And, of course, be careful how you select your access credentials, respond to security questions, and keep credentials in a secure location.

The American Bar Association’s recent cybersecurity webinar reminded us all that the largest source of cyber loss is still people. And for businesses, it is their employees who continue to click on suspicious links and respond to phishing and other scams.

If you think this does not apply to you or your business, think back to the recent Federal District Court ruling in which the court found the defendant intentionally negligent due to a failure to train its employees regarding a known scam that sought to dupe key personnel into releasing employees’ W-2s.

While annual training is certainly a step in the right direction, the fact is that the “bad guys” do not wait 365 days to launch their next scam. As such, for businesses across the board, continuous cybersecurity training is critical and warrants more than a “one and done” approach. Between formal training programs, interim tips and reminders are crucial in keeping personnel vigilant.

As with any initiative, corporate commitment to cyber-mindfulness must begin at the top; if the C-suite is not engaged, management and staff will follow suit.

It is always nice when your social media connections remember your birthday, anniversary or other special occasions.

However, that does not mean you should make it easy for someone you do not know, and who may actually be looking for identities to steal, to capture your personal information. Posting your birthday (month and day) on Facebook or LinkedIn may seem innocuous enough, but if you have also posted the year you graduated from high school or college on your profile, it is easy for someone to put together your full birthdate.

While the content we put forward on social media does a fabulous job of keeping us connected, it also provides hackers and their researchers a treasure trove of data that can then be used to impersonate you, determine your password or dupe you into sharing information.

Be smart and never overshare – those who should know your special days already do!

As a prudent (read: paranoid) cybersecurity attorney, I am not on Facebook. However, Facebook serves a noble purpose of connecting its users. The problem is that the platform continues to be fertile ground for scammers and hackers looking to take advantage of the unwary.

To help those of you grappling with how to best secure your online profiles and avoid being duped, there are two tremendously valuable resources available online:

There are certainly ways to secure your profile, but you should never assume that an application or site’s default settings are the most secure. In fact, you should expect the opposite: default settings will generally allow for the broadest volume of sharing, access and use – including by the application provider and other, potentially malicious, users.

Our instinct is to assume that most things are real or legitimate.

When a manager or client requests reports, our “worker-bee” mentality kicks in and we deliver the reports without question. Hackers count on us to react without first verifying whether the message – let alone the demand – is what it appears to be.

The New Jersey Cybersecurity and Communications Integration Cell (“NJCCIC”) reported today that “Emotet” malware campaigns are doing just this. According to the NJCCIC, the suspect emails “reference a nondescript invoice or overdue payment in the subject and body, and contain a URL link or attachment that leads to a Microsoft Word document hosted on a remote server.” If you open the document, Emotet then installs itself onto your system. The emails may appear to come from someone within your company or another trusted source. NJCCIC further advises that this malware is detected by current antivirus products less than 50% of the time.

The message is clear: if you are not expecting an invoice, or happen to receive another odd request, pick up the phone and call your known contact to verify prior to clicking on a link or providing information.

Be polite, be helpful – but verify first!

The California Privacy Act of 2018 (the “Act”) was passed by both chambers of the California Legislature unanimously and signed by Gov. Jerry Brown on Thursday, June 29, 2018. The new law is one of the toughest data privacy laws to be enacted in the country and comes at a time when data privacy is under much scrutiny. The law, which is set to take effect in 2020, will apply to any business (and their subsidiaries which share a name, service mark, or trademark) doing business in California (either with a physical or online presence) which (i) has annual gross revenue in excess of $25,000,000; (ii) collects data of 50,000 or more consumers annually; or (iii) derives 50% of its annual revenue from selling consumers’ personal information.

The Act provides protections similar to the EU’s General Data Protection Regulation (“GDPR”), providing that a consumer[i] has a right to request that a business disclose:

  • Categories of specific pieces of personal information that it collects about the consumer,
  • Categories of sources from which that information is collected,
  • Business purposes for collecting or selling the information,
  • Categories of third parties with which the information is shared, and
  • Specific pieces of personal information which the business has collected.

Disclosure and delivery of personal information records, when requested, are to be made by the business within 45 days of the verifiable request.

The Act also provides that a consumer may request that a business delete his/her personal information, akin to the GDPR’s “right of erasure” or the right to be forgotten. The Act further allows a consumer to opt out of the sale of their personal information and would prohibit a business from discriminating against a consumer for doing so – including by denying services to the consumer or charging different rates to that consumer, except under limited circumstances. In complying with the “opt-out” right, a business must provide a clear and conspicuous link on the business’s internet home page titled “Do Not Sell My Personal Information,” allowing for the opt-out of the sale of the consumer’s personal information. The Act also prohibits a business from selling the personal information of consumers under the age of 16 – unless the consumer (for those between age 13 and 16) or their guardian (for those under 13) has specifically authorized, or opted in to, the sale of the minor’s personal information.

The Act also expands the definition of “personal information” to include a broad list of characteristics and behaviors, as well as inferences from the information collected. The Act provides that businesses must make available to consumers at least two methods for submitting information requests, including at a minimum, a toll-free number and a web site address. Finally, the Act provides for enforcement by the Attorney General, and in certain situations, allows for a private cause of action. In the case of an intentional violation of the Act, a civil penalty of up to $7,500 is provided for each violation under the Act – which could be per record in the database.

Before this Act was adopted, California already had stringent data protection and privacy laws in place – including “opt-in” (vs. opt-out) required for sending consumers solicitations. As we have previously observed, at least 15 states have already adopted some level of proactive (versus reactive breach response) data protection legislation. Absent federal action on this matter, we expect to see more states adopt either additional sectoral laws (as Colorado, New York, and Vermont have in the financial industry), or move toward, at a minimum, an “opt-in” approach as currently mandated by California and the GDPR.

Please contact either of this post’s authors to better understand the impact of the Act and other state, federal or extraterritorial legislation on your business.


[i]The Act applies to any “consumer,” defined as a “natural person who is a California resident,” defined as “(1) every individual who is in [California] for other than a temporary or transitory purpose, and (2) every individual who is domiciled in [California] who is outside [California] for a temporary or transitory purpose.”