By Robbin Hutton and Frank Day
Most organizations are utterly unprepared for a cyber-attack, but even those that prepare remain vulnerable. It is not a question of whether your business will be attacked; it is a question of when the attack will occur. In June 2017, a logistics company in Europe had its communications and daily delivery service interrupted by a cyber-attack that swept around the world. Even though the company had a robust approach to countering cyber threats, the attackers found a vulnerability within its systems. The company estimated that the financial impact of the attack was three hundred million dollars. This attack, however, did not result in any loss of data.
The attack on Equifax took a different form. Equifax is in the business of collecting and aggregating credit history data for hundreds of millions of consumers. It is one of the three major credit-reporting agencies in the United States. From May through July 2017, hackers gained access to Equifax’s data files, stealing the personal data, including social security numbers, addresses, birth dates, and other sensitive data for roughly 150 million people in the United States. This attack represents the largest known data breach in history. Indeed, the Equifax breach affected more than 40% of the U.S. population.
Avoiding malicious attacks and securing sensitive information becomes more and more difficult as technology continues to evolve. Attacks occur in many different ways, and the number of attacks directed at small to mid-sized businesses is on the rise. In fact, small to medium-sized companies are now frequently targeted because they have fewer security measures in place and because they do not train their employees about how to avoid cyber-attacks.
One of the more popular means by which attacks are advanced is ransomware, which is malicious software that prevents users from accessing their system or limits their access to it. The system remains locked until the company pays a ransom to the attackers, and, frequently, such companies are unable to regain access to their data even if they pay the ransom. These attacks are particularly devastating to smaller businesses that do not have a robust backup strategy. A ransomware attack is generally triggered when an employee clicks on a malicious link or attachment contained within a phishing e-mail. When the attachment is opened, the malicious program encrypts all of the data on the computer and on the network drives attached to the computer. The attacker then demands a ransom.
As this threat continues to grow and threats continue to evolve, all businesses should have in place an incident response plan that will enable the business to recover all of its data, so that business can continue even in the event that all data is lost. Furthermore, many states have responded to the wave of cyber-attacks by adopting legislation that requires companies to take certain steps in the event of an attack.
In Tennessee, businesses are required to give notice of such an attack immediately, but no later than 45 days from the discovery that a breach has occurred that compromised the security, confidentiality or integrity of personal information maintained by the holder. For the purposes of Tennessee law, personal information is defined as follows:
An individual’s first name or first initial and last name, plus one or more of the following data elements: (i) Social Security number, (ii) driver’s license number or state-issued ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account. The law generally applies to computerized data that includes personal information.
Personal information does not include: publicly available information that is lawfully made available to the general public from federal, state, or local government records.
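The definition above can be turned into a scoping check that an incident responder runs over the records exposed in a breach, to count which individuals fall under the statutory definition and to compute the outer bound of the notice window. The following is an added example, not code from the article or from any Tennessee agency; it assumes the definition exactly as quoted above (name plus at least one qualifying data element, with the public-records exclusion) and the 45-day figure stated in the article, and every record in it is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Outer bound of the notice window as stated in the article (assumption:
# taken from the text above, not from the statute itself).
NOTICE_DEADLINE_DAYS = 45


@dataclass
class ExposedRecord:
    """One row from a breached data set. Field names are hypothetical."""
    first_name: str            # first name or first initial
    last_name: str
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None
    state_id: Optional[str] = None
    account_number: Optional[str] = None
    card_number: Optional[str] = None   # credit or debit card number
    access_secret: Optional[str] = None # security code, access code, PIN or password
    publicly_available: bool = False    # lawfully public from government records


def is_personal_information(r: ExposedRecord) -> bool:
    """Apply the quoted definition: name + at least one qualifying element,
    unless the information is lawfully available from public records."""
    if r.publicly_available:
        return False
    if not (r.first_name and r.last_name):
        return False                       # no name: definition not met
    if r.ssn:
        return True                        # element (i)
    if r.drivers_license or r.state_id:
        return True                        # element (ii)
    # element (iii): an account/card number only counts when it is paired
    # with the secret needed to use it
    if (r.account_number or r.card_number) and r.access_secret:
        return True
    return False


def affected_individuals(records: List[ExposedRecord]) -> List[ExposedRecord]:
    """Records that trigger the notice obligation under the definition."""
    return [r for r in records if is_personal_information(r)]


def notice_deadline(discovery: date) -> date:
    """Latest notice date given the day the breach was discovered."""
    return discovery + timedelta(days=NOTICE_DEADLINE_DAYS)


# Constructed sample data (fake values; not real people or identifiers).
SAMPLE_RECORDS = [
    ExposedRecord("J", "Doe", ssn="000-00-0000"),                        # name + SSN
    ExposedRecord("Ann", "Roe", card_number="4000000000000000"),          # card, no PIN
    ExposedRecord("Ann", "Roe", card_number="4000000000000000",
                  access_secret="1234"),                                   # card + PIN
    ExposedRecord("Bob", "Poe", drivers_license="D0000000",
                  publicly_available=True),                                # excluded
    ExposedRecord("", "Loe", ssn="000-00-0001"),                           # no first name
]


def scope_summary(records: List[ExposedRecord], discovery: date) -> dict:
    """Numbers a response lead needs: how many records are in scope and
    the last day on which notice may be given."""
    hits = affected_individuals(records)
    return {
        "records_reviewed": len(records),
        "in_scope": len(hits),
        "notice_by": notice_deadline(discovery).isoformat(),
    }


if __name__ == "__main__":
    print(scope_summary(SAMPLE_RECORDS, date(2017, 7, 29)))
```

The check is deliberately conservative in one direction only: a card or account number without its access secret is out of scope under element (iii), but a name paired with any one of the other elements is in scope regardless of what else the record holds.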
Unlike many states, Tennessee does not require companies to notify the State Attorney General when a specific data breach occurs. Nonetheless, it is possible that such data breaches could lead to lawsuits brought under the Tennessee Consumer Protection Act, which establishes a private cause of action.
Organizations should have a Data Breach or Cyber Response Plan that will allow a prompt and effective response. When developing a cyber incident response plan, organizations must first account for all applicable laws. In short, businesses must ensure that their response plan includes each step that the organization is required to take. The plan should designate an information security coordinator and define the duties associated with that position. When an incident occurs, it is important to know who should take the lead in managing the response. Also, the plan should authorize information technology experts to develop proactive defensive countermeasures to both prevent and identify intrusions and attacks. A properly developed plan will include guidelines on preserving evidence, post-incident review procedures, planning and training, and other related topics.