What the World Needs Now....
What the world needs now is for every organization to commit to a culture of security. The Equifax cyberattack is being touted as the largest and most concerning in the history of the United States. The company is reporting that at least 143 million Americans are affected by this breach, which includes the names, addresses, social security numbers and possibly credit card numbers of those people. For those of you keeping count, that is almost half of the American population. As an attorney who focuses solely on cybersecurity, this type of attack is hardly a surprise. Anyone who “lives” in this world is keenly aware that cyberattacks are becoming more frequent with hackers getting better and better at their craft.
Since I started this blog, only 4 months ago, I have written on WannaCry and Petya. WannaCry affected, among others, the national health system in the United Kingdom. Petya affected DLA Piper, a large global law firm, and shipping giant Maersk. Before that it was the DNC, Target and the Department of Defense. It seems that every other month we are facing another catastrophic cyberattack. And now, Equifax has been breached.
Cyber experts almost universally agree that the best thing that the government and companies can do to combat these daunting cyber issues is to be proactive when it comes to security. Legislators on both sides of the aisle are once again raising the issue of a federal statute governing cyber breaches. Right now, 47 states plus the District of Columbia have their own unique breach reporting statutes, which makes navigating a breach very difficult for any company, and consumers have varying rights to know what has actually happened. The thrust of the new federal dialogue following the Equifax breach is that we need national uniformity in breach reporting. Let me say, I totally agree. Having a uniform federal statute makes sense. Most breaches implicate multiple jurisdictions, which have different definitions of what constitutes a breach and different reporting obligations in the event of a breach. However, I am disappointed in the response because once again it is reactionary and not proactive.
I speak with companies every day who put their heads in the sand and act like a breach cannot happen to them, so why spend the time and money to make cybersecurity part of their corporate culture? According to Forbes magazine, the Equifax breach was caused by hackers exploiting a vulnerability on one of the company's U.S.-based web servers. At this point, it seems that the reality could be that Equifax was breached by a relatively unsophisticated attack. Often, companies employ legacy code in network systems, leaving these companies exposed to simplistic attacks; and this seems to be the case with Equifax (although investigation into the cause of the breach is still ongoing). The old vulnerabilities in these legacy systems are easily exploited by hackers.
So, while it is imperative that the Federal government create a more uniform approach to cybersecurity, including breaches, application and software design, and data storage (just to name a few), that only solves about one-quarter of the problem. The real issue here is that companies of all sizes need to take cybersecurity seriously. Cybersecurity needs to account for a larger portion of the operating budget, and companies need to be proactive, not just reactive. If I have said it once, I have said it a million times: you would not leave your front door open and unlocked when you leave the house every day, so why would you not take similar measures for your cybersecurity?
What do I mean by a “culture of security”? Security needs to be part of the everyday conversation. From on-boarding to regular employee training, cybersecurity needs to be discussed early and often. Part of this means creating policies and guidelines so your employees know and understand what you expect of them AND YOU. Remember, culture starts from the top down. There needs to be “buy in” at the C-suite level. Also, keep in mind that expectations mean little without audit and enforcement: audit your systems and how your employees are using those systems, and create accountability mechanisms. If there are deviations from the policies, there need to be consequences that are universally enforced across the board.
Finally, all companies should create a breach response plan. In this day and age, even with all of the safeguards, a breach is an inevitable part of doing business. You should minimize this risk as much as possible, but you also need to be prepared when the worst does happen.
Regardless of whether the Federal government creates regulations that require businesses to take certain steps in cybersecurity, each business needs to take this seriously. And there are resources available to businesses of any size to make this process seem less daunting. XPAN is one option: we can guide you through this process, draft the necessary documentation, and train your employees. The Federal Trade Commission issued its Security Guidelines in 2015, providing another good resource. And, eventually, the Federal government will catch up to this huge risk to individuals, but don’t wait. If you take nothing else away from the Equifax breach, take a few minutes this week to think about your security and then start taking action. Because, as I have said before, when dealing with issues of cybersecurity: Luck Favors the Prepared!
* * * * * *
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.