0
Small BusinessData Breach Risks for Small & Medium Sized Businesses

Data Breach Risks for Small & Medium Sized Businesses

Today, small and medium sized businesses (SMBs) are sometimes at a greater risk of cyber-attacks and security breaches than large enterprises and corporations. Seventy-one percent of cyber-attacks happen at businesses with less than one hundred employees due to less secure networks, lack of time, budget constraints, and limited resources for proper security. Other factors, such as not having an IT network specialist, being unaware of risks associated with cyber security, lack of employee training on cyber security practices and protocols, failure to update security programs, outsourcing security, and failure to secure endpoints may play a role in the increased cyber-attacks on SMBs.

Common Cyber Attacks on SMBs:

  1. Advanced Persistent Threats. These are passive cyberattacks in which a hacker gains access to a computer or network over a long period of time with the intent to gather information.
  • Phishing. Criminals utilize phishing, via email or other communication methods, to induce users to perform a certain task. Once the target user completes the task, such as opening a link or giving personal information, the hacker can gain access to private systems or information.
  • Denial of Service Attacks (DoS, DDoS). Hackers will deny service to a legitimate user through specially crafted data that causes an error within the system or flooding that involves overloading a system so that it no longer functions. The hacker forces the user to pay a fee in order to regain working order of the system.
  • Insider Attacks. An insider attack may occur when employees do not practice good cyber safety resulting in stolen and/or compromised data.
  • Malware. Malware may be downloaded to the computer without the user knowing, causing serious data or security breaches.
  • Password Attacks. Hackers may use automated systems to input various passwords in an attempt to access a network. If successful in gaining network access, hackers can easily move laterally, gaining access to even more systems.
  • Ransomware. Ransomware is a specific malware that gathers and encrypts data in a network, preventing user access. User access is only restored if the hacker’s demands are met.

To help ensure your business is protected, it is important to know and understand the different ways hackers can gain access to a network and pose a threat to the data security of the business.

Some Ways SMEs Can Help Avoid Being a Victim of Cyber-Attacks

  1. Understand Legal Requirements

Often, SMBs are unaware of cybersecurity best practices, so they rely on vendors without first determining what their legal obligation is to have certain cybersecurity and data privacy practices in place. Some laws dictate what steps an organization are required to take. Thus, it is prudent for a company to develop a plan with legal counsel and then identify the ideal vendors to help execute that plan.

  • Use a Firewall

Firewalls are used to prevent unauthorized access to or from a private network and prevent unauthorized users from accessing private networks connected to the internet, especially intranets. The Federal Communications Commission (FCC) recommends all SMBs set up a firewall, both externally and internally, to provide a barrier between your data and cybercriminals.

  • Document Cybersecurity Policies

It is critical as a business to document your cybersecurity protocols. As discussed above, there may even be legal obligations to do so. There are many sources available that provide information on how to document your cybersecurity. The Small Business Administration (SBA) Cybersecurity portal provides online training, checklists, and information specific to protecting small businesses. The FCC’s Cyberplanner 2.0 provides a starting point for security documents and the C3 Voluntary Program for Small Businesses contains a detailed toolkit for determining and documenting the cybersecurity practices and policies best suited for your business.

  • Plan for Mobile Devices

With technology advancing and companies allowing employees to bring their own devices to work, it is crucial for SMBs to have a documented written policy that focuses on security precautions and protocols surrounding smart devices, including fitness trackers and smart watches. Employees should be required to install automatic security updates and businesses should implement (and enforce) a company password policy to apply to all mobile devices accessing the network.

  • Educate Employees on Legal Obligations and Threats

One of the biggest threats to data security is a company’s employees, but they also can help be the best defense. It is important to train employees on the company’s cybersecurity best practices and security policies. Provide employees with regular updates on protocols and have each employee sign a document stating they have been informed of the business’ procedures and understand they will be held accountable if they do not follow the security policies. Also, employees must understand the legal obligations on companies to maintain certain practices, including how to respond to inquiries the business may receive from customers about their data.

  • Enforce Safe Password Practices

Lost, stolen, or weak passwords account for over half of all data breaches. It is essential that SMB password policies are enforced and that all employee devices accessing the company network are password protected. Passwords should meet certain requirements such as using upper and lower-case letters, numbers, and symbols. All passwords should be changed every sixty to ninety days.

  • Regularly Back Up Data

It is recommended to regularly back up word processing documents, electronic spreadsheets, databases, financial files, human resource files, and accounts receivable/payable files, as well as all data stored on the cloud. Make sure backups are stored in a separate location not connected to your network and check regularly to help ensure that backup is functioning correctly.

  • Install Anti-Malware Software

It is vital to have anti-malware software installed on all devices and the networks. Anti-malware software can help protect your business from phishing attacks that install malware on an employee’s computer if a malicious link is clicked.

  • Use Multifactor Identification

Regardless of precautions and training, your employees will likely make security mistakes that may put data at risk. Using multifactor identification provides an extra layer of protection.

Both technology and cybercriminals are becoming more advanced every day. Cyber security should be a top priority for your SMB. The right technology experts can help identify and implement the necessary policies, procedures, and technology to protect your company data and networks.

Beckage is a law firm focused on technology, data security, and privacy. Beckage has an experienced team of attorneys, who are also technologists, who can help educate your company on the best practices for data security that will help protect you from any future cyber-attacks and data security threats.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

BIPABIPA Suits Against Third Parties: An Emerging Trend

BIPA Suits Against Third Parties: An Emerging Trend

Companies should take note of the recent expansion of biometric privacy laws, that could have significant impact on their businesses, changing how they collect and process biometric data and how third party vendors handle such data.

Background on BIPA

The Illinois Biometric Information Privacy Act (BIPA) was passed on October 3, 2008, and regulates how “private entities” collect, use, and share biometric information and biometric identifiers, collectively known as biometric data.  BIPA imposes certain security requirements including:

1. Developing a publicly available written policy regarding the retention and destruction of biometric data in an entity’s possession.

2. Providing required disclosures and obtaining written releases prior to obtaining biometric data.

3. Prohibiting the sale of biometric data.

4. Prohibiting the disclosure of biometric data without obtaining prior consent.

Expansion of BIPA to Third Party Vendors

In a significant turn of events, courts in Illinois are applying BIPA to third party vendors who do not have direct relationships with plaintiffs, but whose products are used by plaintiff’s employees or in other settings to collect plaintiff’s biometric data.

This is an alarming expansion of BIPA’s scope of which all third-party providers should be aware.  Under this caselaw, putting a biometric-collecting product into the stream of commerce does not immunize the manufacturer of that product from suit in Illinois.

Since the passing of BIPA, numerous class actions suits have been filed against those alleged to have collected plaintiffs’ biometric data, but claims brought up against vendors that sell the biometric equipment are exponentially growing.  These claims allege not that plaintiffs have had direct contact with the vendor defendants, but that the defendants obtained the plaintiff’s biometric data through timekeeping equipment without complying to BIPA’s requirements.

Recently, the U.S. District Court for the Northern District of Illinois held that a biometric time clock vendor could be liable for violations of BIPA in the context of employment, extending the liability to people who “collect” biometric information.  

Another recent decision, Figueroa et al v. Kronos, held that the plaintiffs sufficiently alleged that the collection function extended to the company, Kronos, and was responsible, along with the employer, for obtaining required employee consent.

These cases, among others, signify that third-party vendors are becoming defendants in BIPA consent cases and broaden third party contribution claims brought by employers against the vendors of Biometric clocks for failure to obtain required consent.  These decisions also allow insured employers to seek contributions from clock vendors for any judgement assessed against an insured employer under the Employment Practices Liability (EPL).

However, BIPA’s Section 15(a), which requires publicly available policies for the retention and destruction of biometric data, makes it difficult for plaintiffs to make claims against third parties in federal court.  BIPA Section 15(a) creates an issue of standing.  A state federal court could exercise jurisdiction over a vendor in connection with a BIPA claim if the vendor maintained continuous and systematic contacts with Illinois.  If the vendor is located in the forum state, then there is no jurisdictional dispute, but since many vendors sell their equipment nationally, the issue of whether the court has specific personal jurisdiction of the vendor must be addressed.

For example, in Bray v. Lathem Time Co., the US District Court for the Central District of Illinois alleged that the defendant sold a facial-recognition time keeping product to the plaintiff’s employer and violated BIPA because they failed to notify employees and obtain their consent.  The plaintiffs had no dealing with the defendant, who was located in Georgia but was sued in Illinois.  The court found no contacts between the defendant and the state of Illinois and concluded that the time keeping equipment was sold to an affiliate of the plaintiff’s employer and then transferred to Illinois by the employer.  The court concluded that it lacked jurisdiction over the defendant vendor.

Expansion of BIPA Outside Illinois?

Vendors being located in states outside of Illinois raises the question of whether BIPA is applicable to conduct in other states.  But while BIPA is applied to violations in Illinois, upcoming class suits may address the issue of BIPA having an extraterritorial effect when bringing claims against out of state vendors.  The extraterritorial application of BIPA is fact-dependent and courts acknowledge that decertifying extraterritoriality as being evaluated on an individual basis may be appropriate.  Companies collecting, using, and storing biometric information will face an increased risk in BIPA lawsuits.

Take-A-Ways

All companies should assess whether they are collecting biometric data, directly or through third parties.  Next is to evaluate the legal requirements regarding the handling of such data.  Note, many state data breach laws include biometric data as protected personally identifiable information (PII).  Companies should take steps to comply with applicable laws, including developing policies and practices around handling biometric data.  Also, contracts with third party vendors should be reviewed to help protect the business if there is mishandling of biometric data.

About Beckage

At Beckage, we have a team of skilled attorneys that can assist your company in developing BIPA compliant policies that will help mitigate the risks associated with collecting biometric information.  Our team of lawyers are also technologists who can help you better understand the legal implications surrounding BIPA and the legal repercussions that follow suit.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes. *

Disinformation and Deep FakesThe Risks Associated with Disinformation and Deep Fakes

The Risks Associated with Disinformation and Deep Fakes

Disinformation is the deliberate spreading of false information about individuals or businesses to influence public perceptions about people and entities.  Computers that manipulate the media, known as deep fakes, advance the dangers of influenced perceptions.  Deep fakes can be photos, videos, audio, and text manipulated by artificial intelligence (AI) to portray known persons acting or speaking in an embarrassing or incriminating way.  With the advancements of deep fakes becoming more believable and easier to produce, disinformation is spreading at alarming rates.  Some risks that arise with disinformation include:

·       Damage to Reputation

Reputational damage targets companies of all sizes with rumors, exaggerations, and lies that harm the reputation of the business for economic strategy and gain. Remedying reputational damage may require large sums of money, time, and other resources to prove the media was forged.

·       Blackmail and Harassment

Photos, audio, and text manipulated by AI can be used to embarrass or extort business leaders, politicians, or public figures through the media.

·       Social Engineering and Fraud

Deep fakes can be used to impersonate corporate executives’ identities and facilitate fraudulent wire transfers.  These tactics are a new variation of Business E-mail Compromise (BEC), traditionally considered access to an employee or business associate’s email account by an impersonator with the intent to trick companies, employees, or partners into sending money to the infiltrator.

·       Credential Theft and Cybersecurity Attacks

Hackers can also use sophisticated impersonation and social engineering to gain informational technology credentials through unknowing employees.  After gaining access, the hacker can steal company data and personally identifiable information or infect the company’s system with malware or ransomware.

·       Fraudulent Insurance Claims

Insurance companies rely on digital graphics to settle claims, but photographs are becoming less reliable as evidence because they are easy to manipulate with AI.  Insurance companies will need to modify policies, training, practices, and compliance programs to mitigate risk and avoid fraud.

·       Market Manipulation

Another way scammers seek to profit from disinformation is through the use of fake news reports and social media schemes using phony text and graphics to impact financial markets.  Traders who use social post and headline-driven algorithms to make market decisions may find themselves prey to these types of schemes.  As accessibility to realistic but manipulated video and audio increases, these misperceptions and disinformation will become substantially more believable and difficult to correct.

·     Falsified Court Evidence

Deep fakes also pose a threat to the authenticity of media evidence presented to the court.  If falsified video and audio files are entered as evidence, they have the potential to trick jurors and impact case outcomes.  Moving forward, courts will need to be trained to scrutinize potentially manipulated media.

·     Cybersecurity Insurance

Cybersecurity insurance helps cover businesses from financial ruin but has not historically covered damages due to disinformation.  Private brands, businesses, and corporations should consider supplementing their current insurance policies to address disinformation to help protect themselves from risk.

Legal Options

There are legal avenues that can be pursued in responding to disinformation.  Deep fakes that falsely depict individuals in a demeaning or embarrassing way are subject to laws regarding defamation, trade libel, false light, violation of right of publicity, or intentional infliction of emotional distress if the deep fake contains the image, voice, or likeness of a public figure.  

Preventative Steps

Apart from understanding the risks associated with disinformation, companies can work to protect themselves from disinformation and deep fakes by:

1. Engaging in social listening to understand how a company’s brand is viewed by the public.

2. Assessing the risks associated with the business’ employed practices.

3. Registering the business trademark to have the protection of federal laws.

4. Having an effective incident response plan in the event of disinformation, deep fakes, or data breach to mitigate costs and prevent further loss or damage.

5. Communicating with social media platforms in which disinformation is being spread.

6. Speaking directly to the public, the media, and their customers via social media or other means.

7. Bringing a lawsuit into court if a business is being defamed or the market is manipulated.

What To Do When Facing Disinformation

If a business is facing disinformation, sophisticated tech lawyers can assist in determining rights and technological solutions to mitigate harm.  Businesses are not defenseless in the face of disinformation and deep fakes but should expand their protective measures to mitigate the risks associated.  

About Beckage

Beckage is a team of skillful technology attorneys who can help you protect your company from cyber attacks and defamation cause by disinformation and deep fakes. Our team of certified privacy professionals and lawyers can help you navigate the legal scope of the expanding field of disinformation.

*Attorney Advertising.  Prior results do not guarantee similar outcomes.*

Subscribe to our newsletter.

CoronavirusDigital Transformation in the Time of COVID-19

Digital Transformation in the Time of COVID-19

In response to the COVID-19 pandemic, businesses around the globe have made a major pivot to online or virtual operations, hitting fast forward on digital transformations that usually take time and careful planning. Everything from university classes to corporate board meetings to wine tasting at your local bar have jumped online, opening a whole new world of possibilities—and potential data security and privacy risks that should not be overlooked. With privacy and data security concerns more important than ever before, it is important to remember that even emergency digital transformations must use a “measure twice cut once” strategy that factors in Privacy by Design at the outset.

Why Privacy Considerations Can’t Wait Until Later

In the rush to move business online, it may seem like a necessity to gloss over privacy risks and deal with them later. However this approach is inefficient at best and can be disastrous if there’s a security breach. Digital transformation has to start without an intentional focus on data protection and a solid understanding of the regulatory landscape.

This understanding is becoming increasingly important as privacy laws like the GDPR and CCPA, along with a host of new regulations on the horizon, highlight Privacy by Design principles in their consumer privacy guidelines. That means in many cases, putting consumer privacy first isn’t just good business—it’s a legal requirement. In fact, article 25 of the GDPR demands that organizations practice “privacy by design and by default,” meaning organizations must integrate data protection up front in any design or business practice and maintain those protections throughout the data lifecycle.

How to Make Privacy a Cornerstone of Digital Transformation

A good digital transformation strategy will define goals, identify appropriate technologies, establish leadership and educate staff on the new technologies and protocols. But each of those steps should be driven by data privacy and security considerations.

Therefore even if the digital transformation needs to happen quickly, it’s critical to make sure privacy is the cornerstone of the plan. At Beckage our experienced team of attorneys can work with you to assess potential privacy pitfalls and blind spots, especially in this ever-shifting legal landscape. Beckage attorneys provide on-site and around-the-clock counsel to clients on data protection and information security practices required under state or federal law, for example, or advise on security risks and responsibilities. Taking the time to employ Privacy by Design is an upfront investment that will help ensure your digital transformation strategy is built on solid ground.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

WorkplaceLegal Strategies When Executing a Distributed Workforce Strategy

Legal Strategies When Executing a Distributed Workforce Strategy

In a short period there has been a monumental push for remote working arrangements by almost every existing organization. As a result of the Coronavirus outbreak, our calendar has been filled with appointments to discuss the practical considerations and steps that every leadership team is facing, from executive to technology, including application and business stakeholders. This incident has brought on evaluations of an organization’s readiness through the lens of business continuity, incident response, and more expansive administrative, technical, and physical safeguards.

While not exhaustive, below is a list of some areas to consider in executing a distributed workforce strategy:

Principle of Least Privilege – Has the organization operationalized a principle of least privilege? Does this extend to your remote access management? Opening the floodgates to all end users at once is neither practical nor safe. Discuss a tiered approach and where preventative controls are not possible or practical, implement detective controls. This would look like automated log management, reviews, and analytics to identify anomalous behavior on networks or systems that are classified as mission critical or that handle the most critical data. Take a risk based approach to identity access management and consider a more restrictive policy, you can remind your user base this is a temporary measure. From a security perspective, your objective is to narrow the threat surface; remember the security triad -Confidentiality, Integrity and Availability.  

Remote Desktop Protocol –  Now is the time to check your remote access configurations. We are sure to see a significant uptick in cyber incidents exploiting enabled ports that are commonly used for remote access, this is the point that is frequently the way of entry for ransomware attacks. Audit your network and if you haven’t already, identify servers and devices with ports 22 (SSH), 23 (Telnet), and 3389 (RDP) enabled. Once identified, and where permitted based on your unique circumstances, immediately close port 23 on all systems as well as any unnecessary SSH and RDP ports. It was only a year ago we witnessed Bluekeep, the security vulnerability that allowed for remote code execution through RDP.  

Data in Transit and At-Rest – Revisit your organization’s encryption standards as they apply to data in transit and at rest. With an expanded workforce now remote and handling sensitive and non-public data, an encrypted data at rest conversation should be at the top of your discussion list. The NY SHIELD Act, which became effective March 21st, expands upon the definition of private information to include personal information in combination with various listed data elements (refer to NY Senate Bill S5575B) that “were not encrypted” or “was encrypted with an encryption key that was accessed or acquired.” For financial institutions the FFIEC, which prescribes uniform principles and standards, states that institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.

Password Strength and Two-Factor Authentication – Replace any default or weak login credentials with passphrases. Roughly two years ago the National Institute of Standards and Technology (NIST) published a guidance on this and organizations have been slow to adopt passphrases in place of their typical 8 character passwords. Now is a good time to implement passphrases and communicate this as a necessary response to the recent distributed workforce requirement. Similarly, you should also consider revisiting screensaver and session lockout times, remember, this is about narrowing the threat surface. If you can shorten these times by 5 minutes, the compounding effect across say, 1,000 employees, could be 5,000 minutes of time or 83 hours. That’s 83 hours less time a bad actor has to compromise your devices. In addition, consider looking at failed login attempt configurations, you can adjust this setting to lock an account on less attempts than usual. This can be a temporary measure until your workforce return to the office setting.

Communication – The question which has come up the most has been regarding communication while working remote. Workforce will need to be informed as they transition to remote. Organizations will need to remind their workforce of what is expected of them as it pertains to policies such as acceptable use, BYOD, information security, business continuity, disaster recovery, and incident response. Similarly, the workforce should also be reminded of safe security practices in the home (for example, when was the last time they updated their router firmware?) While company-wide communications will be necessary, tailored communications to various departments may be equally important. For example, the Incident Response Team leader should communicate regularly with all stakeholders. They will need to review the Incidence Response Plan to evaluate whether the procedures have limitations based on physical proximity of all parties with responsibilities. Likewise, physical security may have unique requirements since the offices will largely be empty.  

The push to remote work has forced organizations to revisit their control environments, operational workflows, and technical capabilities. This is an exercise that requires input and coordination across the organization and highlights the importance of a policy governance structure.  

Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to the Beckage Blog and Newsletter

1 2