In honor of Data Privacy Day, we provide the “Top 10 for 2018.” While the list is by no means exhaustive, it provides key issues organizations should consider in 2018.
5. Ransomware and Phishing Attacks Continue
Ransomware. Ransomware erupted into a billion-dollar industry in 2016. Attacks increased in 2017 by up to 250 percent, according to some estimates, and damage costs are estimated to top $5 billion. Forecasters anticipate these numbers will continue to rise in the coming years. Ransomware attacks are becoming more widespread, infiltrating companies globally and across multiple sectors. At the start of 2017, ransom payouts averaged approximately $15,000. Over the last few months, demands of $250,000 to $500,000 became a weekly occurrence, according to Kivu Consulting and Navigant Consulting, third-party specialists that facilitate cryptocurrency payments and investigate perpetrators.
According to McAfee:
The profitability of traditional ransomware campaigns will continue to decline as vendor defenses, user education, and industry strategies improve to counter them. Attackers will adjust to target less traditional, more profitable ransomware targets, including high net-worth individuals, connected devices, and businesses.
The 2017 “WannaCry” ransomware attack brought ransomware international attention. On May 12, 2017, some hospitals in the UK’s National Health Service reported being locked out of their computer systems until they complied with ransomware demands. The attack on 300,000 computers across 150 countries exploited a vulnerability in Microsoft’s file-sharing mechanism. Microsoft discovered the vulnerability and issued a patch weeks before, but companies affected had not installed the patch in time. The White House concluded that North Korea was responsible for the WannaCry attack. This is even more worrisome, as, unlike other cybercriminals, nation-states have economic and political backing.
In addition, while many organizations trust and rely on cloud service providers to store their data, believing, in part, that the providers can better safeguard their data, Computer Weekly recently reported the Massachusetts Institute of Technology’s prediction that cloud services may turn out to be ransomware’s favorite targets in 2018. For these reasons, organizations should continue to develop and refine their plans so they are prepared to respond effectively to an attack.
Phishing Attacks. HR professionals can expect constant, surreptitious attacks from hackers seeking employee tax information, particularly Forms W-2, in January and February. Watch for spear-phishing emails targeting HR and payroll personnel who are likely to have access to this information and who are apt to respond to requests from management for it. Of course, the emails are not from management, but are artfully disguised as such. The results of successful attacks are that fraudulent tax returns are filed in employees’ names and employers must provide breach notifications to affected employees and, possibly, state agencies. Trust but verify. Employees should be advised to trust the apparent source, but to call and confirm the request verbally before sending anything.
Phishing attacks also have spiked in the healthcare industry. Malware easily can be distributed with a link or infected attachment and delivered to healthcare employees by email. Hackers then can access a healthcare provider’s database containing hundreds, if not thousands, of patient records.
6. Insider Threats
Ransomware, phishing, and other cyberattacks by external hackers often are the main focus of a cybersecurity plan. However, malicious insiders, such as disgruntled employees, who have access to areas of the employer’s system that external hackers cannot easily reach, often cause the most costly data breaches.
Examples of situations in which internal threats can arise include:
- An employee leaving a company and taking customer, patient, or client data that includes personal information. The information is used by the former employee or the former employee’s new company to solicit business from those individuals (see our blog post, Healthcare Worker Gives New Employer Patient Records, Old Employer Pays $15,000 to NY Attorney General for HIPAA Violation);
- Fearing the loss of his or her job, an employee removes files with personal information about customers, patients, or clients in preparation for challenging the termination and related litigation; and
- A former employee hacks the payroll system to inflate his pay, accesses proprietary files, and hijacks the company website (see our blog post, Company Awarded Damages after Former Employee Hacks Its Systems and Hijacks Its Website).
More innocent, but equally concerning, are threats such as inadvertent loss of credentials due to clicking spam links with malicious viruses attached, losing a laptop, unknowingly bringing an infected device to work, sending sensitive files to the wrong address, and the like.
According to a 2017 Insider Threat Report by Ipswitch, 53 percent of companies estimate remediation costs of at least $100,000, with 12 percent of companies estimating a cost of more than $1 million. The same report suggests that 74 percent of security breaches originate from within the extended global enterprise, including a current or former employee, contractor, or business partner with access to company data.
7. Privacy and Data Breach Class Actions
In May 2016, the U.S. Supreme Court held in Spokeo v. Robins that plaintiffs must allege a tangible or intangible concrete injury to establish Article III standing to sue. This confused the lower courts. How are they to apply this standard in a range of data breach and statutory privacy class actions (such as under the Telephone Consumer Protection Act, Fair and Accurate Credit Transaction Act, and Video Privacy Protection Act)? Different standards have developed and, even within the same circuit, separate panels have reached conflicting conclusions. For example, paying for data security protections he did not receive was sufficient to confer standing on a customer, a panel in the U.S. Court of Appeals for the Eighth Circuit had ruled. However, a separate Eighth Circuit panel ruled the threat of future identity theft from a data breach was insufficient for standing.
The company in Spokeo has re-petitioned the U.S. Supreme Court to review the panel decision finding standing in its case. If the Court provides clarity on this issue in 2018, organizations can better navigate class action suits following a data breach or a statutory privacy violation.
8. Data Breach Readiness
In 2017, a surge of massive data breaches affected more than one-half of the U.S. population. Cyberthreats in the coming year are expected to affect even more people, as hackers develop new attack methods (while IT departments charged with protecting a company’s sensitive information try to keep up). Many hope that advanced machine learning and artificial intelligence technologies can help organizations become better at detecting and remediating attacks. However, hackers also have access to these tools, and they will use them to strengthen their attacks to overcome organizations’ defenses. The battle will continue.
Companies of all sizes and in all industries are expanding their cybersecurity programs and incident response plans. It is important for cybersecurity programs to be flexible, improving and evolving with the shifting tactics of hackers.
9. Increased Data Privacy and Security Legislation
Following massive data breaches in 2017, data privacy and security legislative proposals were introduced at the federal and state level. Senate Democrats introduced the Consumer Privacy Protection Act of 2017, geared toward protecting Americans’ personal information against cyberattacks and ensuring timely notification and protection when data is breached. Subsequently, three Democratic Senators introduced the Data Security and Breach Notification Act, which would require companies to report a breach within 30 days of becoming aware of it and under which any person who conceals a breach may face a penalty of up to five years in prison.
New York Attorney General Eric T. Schneiderman proposed the SHIELD Act, which would heighten data security requirements for companies and better protect New York residents from data breaches of their personal information. Similar legislation has been proposed in Ohio and Vermont and is being contemplated in other states. State data breach notification laws also continue to develop. Maryland amended its Personal Information Protection Act to expand the definition of personal information, modify the definition of security breach, and provide a 45-day timeframe for notification, among other changes. New Mexico enacted the Data Breach Notification Act, becoming the 48th state with a data breach notification law.
10. Vendor Management
Virtually all businesses interact with third-party vendors for a variety of reasons that involve all kinds of confidential company information. Increasingly, to derive efficiencies and control costs, vendors are linked directly to their customers’ information systems. Cloud service providers, benefits brokers, medical billing services, debt collection companies, consultants, accountants, law firms, staffing services, shredding/data destruction services, cleaning service providers, and other businesses utilize third-party vendors to provide an array of services. In the course of providing their services, vendors, like their clients, use technologies and devices (such as mobile devices, wireless networks, and flash drives) that pose risks to information they handle. Moreover, there may be legal obligations associated with a company’s use of vendors, such as requirements in third-party service provider contracts.
In certain states (including California, Illinois, Maryland, Massachusetts, Nevada, Oregon, and Texas), companies must obtain a written agreement with all third-party vendors handling personal information of state residents in order to provide services to the company. Similar requirements exist elsewhere. For instance, HIPAA imposes expansive requirements for any “business associate” or “subcontractor” that handles protected health information. The Payment Card Industry (PCI) standards have similar requirements, and law firms in many states (e.g., Maine, Missouri, New Jersey, New York, Oregon, Vermont, and Wisconsin) are subject to specific state ethical mandates to have written assurances from vendors handling client data. Finally, a company that must adhere to the looming EU GDPR will have to reassess its relationship with any third-party vendor that processes personal data. Vendor management should be part of an overall strategy to safeguard company and personal information.
Bonus: Be Vigilant and Watch for Changes
Organizations should constantly assess their privacy and data security risks and implement policies and procedures to protect the personal information and data they maintain. This is particularly important as the law and industry guidance change and evolve to keep up with technological advancements. Organizations need to be vigilant to remain compliant and competitive.