By Michael D. Billok, Esq.
As a business owner or operator, there are always a half-dozen items that require your immediate attention, and then the dozens of other items on the “back burner” that you would like to get to when there is time–but there never seems to be time available.
Unless, of course, a back-burner item “blows up” and becomes a front-burner item, now requiring your immediate attention.
For small and mid-sized businesses, cybersecurity is routinely one such back-burner item, not getting the attention it deserves unless something does “blow up”–for example, a hack, a data breach or some release of employee or customer personal information that now requires immediate attention. This is due to several common misconceptions about cybersecurity, such as:
• I’m small. I won’t be hacked or compromised. False.
Larger organizations have spent the past several years improving their cyber defenses to make it more difficult to access their data. As a result, hackers look to smaller organizations, with fewer resources available to buttress their defenses, as a jumping-off point to access larger organizations. Remember the national-news data breach at Target that occurred two years ago? Hackers didn’t directly “target” Target. They first hacked into an HVAC subcontractor’s network, and after compromising the subcontractor’s system they were then able to hack into Target using the subcontractor’s access to Target’s network.
• I'm not a hospital or a bank, so there aren't any cybersecurity laws that apply to me. False.
Granted, hospitals and banks have plenty of state and federal regulations–such as HIPAA and the Gramm-Leach-Bliley Act–to keep them occupied on the cybersecurity front. But all companies have a number of cybersecurity obligations of which they may not be aware. For example, companies have an obligation under the New York General Business Law to keep employees' social security numbers secure.
Beyond that, the Federal Trade Commission takes the position that all companies must take reasonable measures to safeguard customers' personal and financial information–a company that does not do so will find itself defending against an unfair trade practice charge. And a company that issues "privacy notices" to consumers that does not actually adhere to its privacy notice can likewise find itself on the receiving end of a deceptive trade practice charge.
Simply put, every employer has personal information of its employees, and personal (and possibly financial) information of its customers. As a result, every employer has cybersecurity obligations under the law.
• Most of these incidents are caused by skilled hackers. False.
According to numerous surveys, including a recent one conducted by the Association of Corporate Counsel, the top cause of cybersecurity incidents and data breaches is not hackers–it's employees. Your 100-employee company could have an attacker send a "phishing" email that looks legitimate, but has a link with embedded malware. And while you could have a 99 percent success rate of your employees deleting the email and not clicking the link, all it takes is a single employee clicking the link for your organization's systems to be laid open to the world.
There are numerous other scenarios in which employees play prominent roles in data breaches: losing laptops or cell phones containing personal information; transmitting personal data over unsecured networks; or continuing to access the company's information after they have departed, if their access rights are not shut off at separation. Employees are the company's first line of defense, and thus a company's largest cybersecurity vulnerability.
• If it's going to happen, it's going to happen. There's not much I can do. False.
While it is true that no system is impregnable, there is a difference between a house with its front door wide open and a house with doors and windows barricaded and surrounded by a moat. There is no reason to leave the front door open for those who prowl the Internet for open access points, and there are many ways companies leave that front door open, such as not constantly updating firewall and antivirus software (or, incredibly, not having it at all), or not tracking who can access their system to ensure that only authorized users have such access.
There are simple, low-cost measures the company can institute that will close the front door, leaving a hacker to wander off to find some other network with an open front door.
• My insurance will cover it. False.
The actual answer is "maybe." Whether your insurance will cover cybersecurity incidents depends on your policy and the particulars of the incident, but would you like to know this fact before or after a data breach occurs?
The reason that "cybersecurity policies" are skyrocketing in number is that many general policies do not cover cybersecurity incidents, or do not cover cybersecurity incidents caused by employee activity–such as clicking on the link in the phishing email, or wiring money to the account that the "CFO"–in reality a hacker using a spoofed email address of the company's CFO–asked the employee to send it to.
The threat, as they say, is real. Ignoring it, or relying upon probabilities or the law of averages, is no longer an option for employers. This issue will move to the front burner sooner rather than later. Now go be safe in the cyberworld.
Billok is an attorney with Bond, Schoeneck & King, who practices labor and employment law, as well as co-chairs the firm's Cybersecurity and Data Privacy practice group.