Courtesy Whiteman, Osterman & Hanna LLP
By Christopher W. Meyer
President-elect Donald Trump recently observed that no computer is safe from hacking and that the only way to securely convey information is to deliver it by courier. While experts agree that no computer system can be made 100 percent safe, they also have pointed out that “old fashioned” methods of recording information have their own security problems.
Governments and businesses have been working to prevent theft, interception and alteration of private correspondence for thousands of years. The ancient Egyptians encrypted messages nearly 4,000 years ago. Assyrian traders created unique coded signatures more than 3,500 years ago to establish that their communications were genuine. In the more recent past, locked file cabinets and paper shredders provided a first line of defense for protecting business secrets.
Yet, as most businesses have moved virtually all communications and operations to electronic platforms, new and arguably more serious threats have emerged. These threats were on full display in 2016.
Early in the year, Hollywood Presbyterian Medical Center was forced to pay thousands of dollars to hackers who took over its systems with a “ransomware” attack. Later, thousands of stolen emails dominated the news cycle during the closing weeks of the 2016 presidential campaign. Yahoo reported that more than 1 billion customer accounts may have been compromised.
Then, as 2016 came to a close, federal prosecutors announced the indictment of three stock traders who hacked into law firm computers and stole information relating to upcoming mergers and acquisitions.
These and other high profile attacks have led to calls for increased cybersecurity regulation. At the federal level, efforts are being made to encourage businesses in critical industries such as health care, financial services, utilities and telecommunications to increase their cybersecurity efforts. At the state level, the New York Department of Financial Services recently proposed what are being called “first-in-the-nation” regulations set to go into effect on March 1 that will require every business regulated by DFS (banks, insurers, mortgage companies, and others) to adopt “regulatory minimum [cybersecurity] standards.” Efforts to regulate or legislate cybersecurity standards in other industries are almost certain to follow.
The public also has come to expect that companies will work to safeguard sensitive information from hackers. Target, Sony, and other companies that have lost customer information in data breaches have suffered significant lost business and goodwill. These companies also have faced class action lawsuits alleging that they did not take appropriate steps to safeguard their customers’ information.
The increasing threat of cyber attacks, government calls for better and more effective cybersecurity protections, and public expectations all combine to make effective cybersecurity a critical cost of doing business in 2017.
Companies that proactively address their cybersecurity challenges are less likely to experience a cyber attack and may be able to reduce the business impact and cost of any breach. These companies also are more likely to avoid or limit liability by demonstrating that they took reasonable actions to guard against cyber threats.
While some companies—such as those in health care, financial services, and defense contracting—are required to follow specific cyber security guidelines, all companies have simple tools at their disposal to help them reduce their cyber security risk. Steps that companies can take to reduce their risk, include but are not limited to:
• Training employees to recognize common cybersecurity threats, including training to avoid download of malicious software through email and website links.
• Developing policies regarding use of email for transmitting sensitive information.
• Limiting access to sensitive data on a “need to know” basis and storing sensitive data separately from other company systems.
• Collecting only the information you need to conduct business and disposing of data no longer needed for business or legal purposes.
• Installing and updating antivirus and other security software on a regular basis. Regularly backing up computer systems and storing backups on a separate computer or server to guard against ransomware attacks.
• Incorporating cybersecurity provisions into contracts with customers and business partners to allocate cybersecurity risk.
• Preparing a cybersecurity response plan to ensure that you can quickly respond to and recover from a cyber incident.
• Purchasing a cyber insurance policy.
The specific situation of each business and the type of information it maintains will, of course, affect its overall cyber security risk. Before taking any of the above steps, companies should always make sure that their actions are consistent with contractual and legal requirements that apply to their company and industry.
2016 served as a cybersecurity wakeup call. 2017 presents an opportunity for all businesses to take control and proactively minimize their risk.
Meyer is an attorney with Whiteman Osterman & Hanna LLP.