Large security breaches against Target, Home Depot, eBay, J.P. Morgan Chase, Twitter and Gmail generate headlines, but every business, entity and organization is at risk, according to an Aug. 5 panel at the American Bar Association Annual Meeting sponsored by the ABA Tort, Trial and Insurance Practice Section.
“Everyone is vulnerable,” said Jeff Birnbach, partner and managing director of Sylint Group Inc., a cyber security firm based in Sarasota, Florida.
Birnbach, along with John Stephens and Nora Wetzell, attorneys with Sedgewick LLC, and Michelle Worrall Tilton of Media Risk Consultants, LLC, examined data breaches from a variety of perspectives during the program, “Dealing with Data Breach: Not ‘If’ but ‘When?’”
Data breaches are frequent and costly. Cyber attacks cost corporations more than $315 billion over a 12-month period, according to a 2015 Grant Thornton report.
The panel covered various methods of attack used by hackers: malware, email, phishing, ransomware, password theft and losses due to carelessness and employee theft of security data or computers.
In California, Wetzell said that in 2015, malware and hacking accounted for 58 percent of the security breaches; 17 percent of breaches occurred through loss or theft, such as a misplaced computer or stolen thumb drive; and another 17 percent of breaches were due to errors, such as users posting their passwords in public places.
Nearly half of these breaches focused on Social Security numbers, and the rest on medical and retail information. Panelists said that Social Security numbers will become more frequent targets as retailers transition to secure chip payment cards for retail business.
Protection against cyber attacks begins with top-notch network security, said Tilton.
Unfortunately, law firms generally spend less on network security than other industries.
“Network security is 101,” Tilton said, otherwise insurers won’t insure. “Have a risk management plan in place or you won’t get this coverage.”
The impact of a cyber breach can be extensive, far more than from a fire or destruction of a physical entity. The fallout from such attacks makes the insurance for them so complex that the panelists recommended bringing in outside counsel with cyber breach expertise as a breach coach.
Cyber attacks can lead to extortion, damage or loss of brand reputation, lawsuits and regulatory sanctions.
In January, Hollywood Presbyterian Hospital paid a $17,000 ransom to regain access to its files locked by ransomware.
Breaches to small- and medium-size businesses and organizations can be fatal. Sixty percent of businesses that sustain an attack are out of business within six months, panelists said.
There is no 100 percent way to prevent breaches—simply losing a thumb drive, password or computer can be the key to breach a network. Encrypting networks is primary, but so, too, are simple fixes such as sealing and shutting down USB ports.
Prevention begins with monitoring the network system and its usage and limiting access privileges.
Having a well-rehearsed incident response plan is critical.
Once a breach is detected, panelists said to quickly assess what happened, determine what is affected, stop the “bleeding” through containment and control communications to the public.
Regarding regulatory compliance, Stephens said that “state laws vary a lot,” and reporting time can be short, five to 15 days.
“Oh, my God, this just happened,” is the typical response to a data breach, said Birnbach, but on average, breaches occur 195 days before detection.
By that time, said Birnbach, the data could be logged “in a tennis shoe factory in Chechnya.”