Technology and Cybersecurity Tort Practice Group
The Lamber Goodnow Team: At the Intersection of Legal and Technological Innovation
A company’s classified data is one of their most important assets, housing intellectual property, trade secrets, and customer account information. And with the advancement of highly networked computer technology, most companies have turned their data into electronic data, which has allowed companies to become much more efficient, but has left them open to both internal and external threats.
These threats are not, however, limited to a certain type of business platform. They have affected both private and public companies in areas ranging from the government, finance, energy and utilities, defense and aerospace, communication, transportation, retail, technology, education and healthcare.1 And with many companies moving their sensitive data to the cloud, where all the information may be found in one space, instead of small amounts of individual databases, external and internal dangers become even more threatening. Electronic data theft can cost American companies hundreds of billions of dollars each year.2 Some of the costs include notifying consumers of the breach, legal fees, public relations damage control, handling potential fraud, and establishing defense layers to prevent future breaches.3 However, data theft damages are not limited to direct costs, the company’s reputation as well as consumer loyalty may also contribute to loss of profits. An example is Target’s security breach, which created a 46% loss in profits from their previous holiday season.4
The most obvious threats come from sophisticated hackers stealing consumer information and intellectual property. In fact, a report from the Identity Theft Resource Center stated that more than 85 million personal records were exposed in 2014.5 The ITRC reported that 783 breaches occurred in 2014, which calculates to one and four U.S. residents who were potentially exposed to identity theft.6 Some of the examples of major hacking breaches in 2015 include:
- In May of 2015 hackers gained access to 1.1 million customer names, birthdates and email addresses at CareFirst BlueCross Blue Shield.7
- In June 2015 a cyber attack on Kaspersky Lab, which compromised information on world power meetings as well as negotiations for an Iran nuclear deal.8
- In February of 2015 a cyberheist affecting 100 banks around the world in which the cybercriminal ring called Carbanak funneled more than a billion dollars into their own pockets.9
- In June of 2015 China-based hackers twice breached the Office of Personnel Management affecting 25.7 million federal workers.
However, the less obvious, and potentially more pernicious threat may come from employees within the company. A report from Forrester Research noted that 25% of data theft in North America and Europe resulted from information abuse by malicious employees.11
One of the most well known cases of employee theft was Edward Snowden, who copied thousands of classified National Security Agency documents without prior authorization, exposing the NSA’s surveillance tactics resulting in worldwide chaos. The ‘Snowden effect’ has created a snowball of employee data theft (as well as outside hacking) that has companies making drastic changes in the safeguards of their electronic data. Some examples of employee theft include:
- In January of 2014 a computer contractor stole 27 million records from the Korea Credit Bureau, which affected 40% of the South Korean population.12
- In February of 2014 Barclays Bank, one of the 10 largest banks in the world, had employees allegedly take over 27,000 customer files which included their passport, insurance information, and personal information worth millions on the black market.13
- In February of 2014 a heating and air-conditioning contractor of Target stole 40 million-customer credit and debit card numbers and 70 million records containing customer contact information.14
- In March 2014 a contractor working for DuPont sold a proprietary formula to a Chinese company for 28 million in contracts.
- In June 2014 an AT&T employee accessed 1,600 customer accounts showing social security numbers and drivers license numbers.16
- In September of 2014 UMB Bank lost more than $650, 000 to an employee who generated 377 fraudulent checks.
- In July of 2015 a contract employee improperly handled the data transfer exposing the Social Security numbers, names and addresses of 850,000 current and former National Guard Members.
Although there is no ‘one-size-fits-all’ solution, companies of all sizes can implement strategies for prevention through layers of security.
Layer 1: Before a system administrator is granted access to protected data, the employer should conduct a rigorous background check.18 Companies should then focus on the information that needs the most protection, this way they will get the most return on their cybersecurity investment.19 Once the system administrator is granted access, and the most important information is identified, the employee should only have access to the system that correlates with their job responsibilities.20 Oracle Corp. and SailPoint Technologies offer access control and management software.21
Layer 2: With employees having access to cellphones, tablets and flash drives it is important for companies to conduct continuous monitoring of their databases. Data loss software such as International Business Machines Corp.’s InfoSphere Guardium Data Activity Monitor and SpectorSoft Corp.’s Spector 360 will help companies track who is accessing certain databases.22 The software can track when certain files are open and flag any unusual level of activity.
Layer 3: Employ a Chief Information Security Officer so that other employees may have a person to ask questions and voice concerns. The CISO should also conduct employee security training. This will allow employees and contractors to know the company’s expectations in terms of data access. Additionally, a formal policy for data sharing, use of personal email, copying data to personal devices and confidentiality requirements should be carefully implemented and communicated to employees.23
Layer 4: Companies should purchase cybersecurity insurance. This insurance will specifically cover losses related to data theft.24 Policies may cover costs of lawsuits, public relations work, notification responses, credit monitoring, investigation expenses and crisis management.25
Layer 5: Once the company has narrowed down the employee that is responsible for the theft they must conduct an electronic forensics investigation.26 This investigation will determine the cause of the breach and programs like Guidance Software Inc.’s EnCase can backtrack the activity to see who had access to the data.27
Companies can no longer ignore the dangers of cybercrime, whether caused by outside hacking or by a trusted company employee. However, recognizing the issue, along with implementing a layered security approach, will help keep your information safe and your business successful.
2 Megan Evans, In-House Defense Quarterly, Avoiding Corporate Theft and Protecting Electronic Data, (2015), http://www.rinconlawgroup.com/wp-content/uploads/2015/03/CyberSecurityMeganEvans1.pdf.
5 Identity Theft Resource Center, Data Bre$ch Reports, (Dec. 31, 2014), http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf.
7 Sarah Kuranda, CRN, The 10 Biggest Data Breaches Of 2015 (So Far), (Jul. 27, 2015), http://www.crn.com/slide-shows/security/300077563/the-10-biggest-data-breaches-of-2015-so-far.htm/pgno/0/1.
11 Heidi Shay, FORRESTER, Understand The State Of Data Security and Privacy: 2013 To 2014, http://www.mobility-sp.com/images/gallery/FORRESTER-Understand-The-State-Of-Data-Security-And-Privacy-2013-To-2014.pdf.
12 Chris Preimesberger, eWeek, The Seven Largest Insider-Caused Data Breaches of 2014, (Dec. 14, 2014), http://www.eweek.com/security/slideshows/the-seven-largest-insider-caused-data-breaches-of-2014.html.
17 Sarah Kuranda, CRN, The 10 Biggest Data Breaches Of 2015 (So Far), (Jul. 27, 2015), http://www.crn.com/slide-shows/security/300077563/the-10-biggest-data-breaches-of-2015-so-far.htm/pgno/0/1.
18 Siobhan Gorman, The Wall Street Journal, How to Stop the In-House Data Thief, (Sept. 15, 2013), http://www.wsj.com/articles/SB10001424127887324577304579054772813919980.
19 Megan Evans, In-House Defense Quarterly, Avoiding Corporate Theft and Protecting Electronic Data, (2015), http://www.rinconlawgroup.com/wp-content/uploads/2015/03/CyberSecurityMeganEvans1.pdf.
20 Siobhan Gorman, The Wall Street Journal, How to Stop the In-House Data Thief, (Sept. 15, 2013), http://www.wsj.com/articles/SB10001424127887324577304579054772813919980.
24 Megan Evans, In-House Defense Quarterly, Avoiding Corporate Theft and Protecting Electronic Data, (2015), http://www.rinconlawgroup.com/wp-content/uploads/2015/03/CyberSecurityMeganEvans1.pdf.
27 Siobhan Gorman, The Wall Street Journal, How to Stop the In-House Data Thief, (Sept. 15, 2013), http://www.wsj.com/articles/SB10001424127887324577304579054772813919980.