Gibson Dunn & Crutcher LLP just published a very sobering article on this topic. The article is entitled “Cyber-security and Data Privacy Outlook and Review: 2013,” and it is probably one of the most comprehensive reviews of the status of lawsuits, regulatory changes, and breaches I’ve read to date. It’s guaranteed to make you wince. The good news — maybe I should say the only good news — is that this arena has the potential to create lots of opportunities for lawyers. Work abounds in class actions, defense, regulatory compliance, security audits and policies, trade secret protection, and white collar crime, to name but a few.
Just to give you an idea of how bad a year 2012 was in terms of security, here is a brief excerpt:
Data breaches continue to grow in both number and scale. This past year saw major hacks at Zappos (24M customer accounts), Stratfor (private U.S. intelligence firm; 5M e-mails), Global Payments (1.5M credit card numbers), LinkedIn (6.5M passwords), eHarmony (1.5M passwords), Yahoo (0.5M passwords), Nationwide Mutual (1.1M customer accounts), and Wyndham Worldwide (600K credit card numbers). According to industry reports, this past year saw a sharp increase in browser-related exploits, such as luring an individual to a trusted website that has been infected with malicious code. Using browser vulnerabilities, attackers can install malware on the target system. In addition, the rise of “bring your own device” policies in the corporate world has led to security challenges for organizations. For example, many large organizations reported that security breaches were caused by their own staff, most commonly through ignorance of security practices.
This past year saw a dramatic increase in the number of breaches from state and local governments. Leading the pack was the South Carolina Department of Revenue, where an employee fell for a phishing e-mail that allowed hackers to steal 75GB of data containing the social security numbers, credit cards, and bank account information for 3.8M residents. The data also contained information about 700,000 businesses. The governor faulted outdated IRS standards, which did not require social security numbers to be encrypted. Another major hack affected the New York State Electric & Gas Company, in which 1.8M customer files were stolen that included social security numbers and some financial information. Investigations of the hack faulted out-of-date data security standards. Other notable breaches occurred at the California Department of Social Services (700K employees’ payroll information), Utah Department of Health (780K citizens’ health information), and the California Department of Child Support Services (800K health and financial records). Many of these attacks could have been prevented by following up-to-date security standards.
No wonder President Obama signed an executive order on February 12, 2013, seeking to strengthen the cyber security of critical infrastructure by directing the development of a public-private sector cyber security framework and increasing information sharing between the public and private sectors. If you’ve been following my blog, you’ve read my previous posts “Another Cyberattack on a Major U.S. Bank;” “Cyberattacks on U.S. Banks — Are You Safe?;” “Beware Email Messages from Facebook Friends;” and “Trojan Infects 260,000 Android Devices,” to name just a few.
It’s a very dangerous computing world. That means you have to keep up to date on developments. You need to keep your software updated to plug security holes as they’re discovered. You need to actually use your shredder. You need to avoid using public WiFi for accessing confidential information. You have to train your employees not to click on unexpected links or email attachments, regardless of the source. You should encrypt your laptop hard drive, and use a boot password too. You should be sure you have enabled the ability to remotely wipe the data from your smartphone before you put anything on there. This is just a start, off the top of my head. If you’re not already doing all these things, or if you don’t even know about some of these things, perhaps your starting point should be a simple security audit by a qualified vendor.