Defense Law Articles
By: Jason McLean, Esq.
Grogan Graffam, P.C.
“There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Robert S. Mueller, III
Former Director, FBI
With the ever escalating pace of development in technology, and our ever increasing dependence on that technology, the amount and types of information stored electronically is staggering. The convenience and increased efficiency gained from leveraging technology and electronic storage media has allowed developments and productivity considered unfathomable only 10-15 years ago. Yet, convenience and efficiency do not come without risks.
A decade or so ago, the term “hacker” would have more likely been used to describe my golf game instead of a real-world business risk. Terms like “encryption,” “data breach,” and “cybersecurity” were things the NSA or CIA worried about. While “hacker” would still be an apt description for my golf game, the term has been thrust onto the list of concerns that modern businesses (both large and small) must address. Data breach, and protection therefrom, is now as much a cost of doing business as are slip and falls or auto accidents. It can cripple a company that is unprepared. To be prepared, a business must first understand what information hackers are after, and, just as importantly, what information the law says must be protected from breach. With that understanding, a business can map its data and appreciate what sensitive data it possesses, protect its and its customers/clients/patients’ information, and be confident it can continue to be a successful 21st century business.
CYBERSECURITY AND DATA BREACH BASICS
What data are hackers after?
Before jumping into what constitutes a data breach and the methods businesses can employ to prevent them, it is important to understand exactly what data should, and needs to be, protected. Succinctly stated, hackers are after “personal information.” In response, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring governmental and private entities to notify individuals when a security breach involving personal information occurs, and these laws are typically aimed at, and define, what is considered “Personal Information.”
For instance, Pennsylvania’s Breach of Personal Information Notification Act, 73 P.S. 2301 (“Pennsylvania Breach Law”), defines “Personal Information” as
An individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:
- Social Security Number
- Driver’s license number or a State identification card number issued in lieu of a driver’s license
- Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
In addition to the state specific definitions of Personal Information, certain industries are also regulated, often by federal laws, that define what information must be protected from breach. The two most common examples are the Health Insurance Portability and Accountability Act (“HIPAA”) (applicable to health plans and medical providers) and the Ghram-Leach-Bliley Act (applicable to financial institutions). These laws provide that certain types of records (medical and financial) must be protected from disclosure. These laws will be discussed in more detail below as well.
Beyond the legal determination of what information a business must protect, the practical reality is that hackers are after any information that will allow them to perpetrate a fraud such as identity theft, fraudulent medical billing, etc. There is a very real black market for individualized personal information. Individuals, companies, and even some rogue governments pay good money for such information. But what, exactly, are they after? The non-exhaustive list includes:
- Mobile phone numbers
- email addresses
- online shopping credentials
- online gaming account credentials
- landline phone number
- IM account credentials
- credit card information
- debit card information
- social media credentials
- social security numbers
- bank account numbers
- first and last name
- home address
- Medical records or health information
- Vehicle Registration Information
- Driver’s License Number
- Proprietary Business Information
Of the black markets in operation for the exchange of this information, those in Russia, China, and Brazil are the most active, and the types of information listed above are commoditized on these markets. Specifically, a stolen credit card number can fetch anywhere between $1-$20, and a criminal could buy all the information necessary to steal an individual's identity for roughly $30. Stolen medical records or health credentials can be obtained for $10, which fraudsters use to purchase drugs or submit fraudulent medical claims with insurers. Suffice it to say that the information sought by hackers has a very real value. The more of this personal information hackers can obtain, the more money they make on the black market.
In sum, hackers are potentially after any personal information they can get their hands on. The law provides certain definitions of Personal Information and mandates that certain records be protected. Just about any business will have some of this information, even if only information about its employees.
What is a Data Breach?
So how do we know when a data breach has occurred and what the law requires? With the patchwork of state laws and federal regulations, the precise definition of a “breach” varies from jurisdiction to jurisdiction and industry to industry. As a general proposition though, a data breach occurs when that sensitive personal information is released to or accessed by unauthorized individuals. The concept involves “released to or accessed by” and therefore a data breach does not only occur when data is stolen or is actually taken or copied, but includes when data is “accessed”. The Pennsylvania Breach Law provides that a breach occurs when “unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.” 43 P.S. 2303. Thus, the Pennsylvania Breach Law does not require that data actually be taken for a breach to occur; It is enough if there is a reasonable belief that unauthorized access occurred.
Similarly, HIPAA defines a breach as an impermissible use or disclosure that compromises the security or privacy of protected health information. If an unauthorized hacker gains access to a medical provider’s records, that constitutes an impermissible disclosure under HIPAA, and is classified as a data breach. Most other laws and regulations contain similar broad definitions of data breaches.
As these definitions demonstrate, a data breach is not limited to when a perpetrator actively hacks into a network and downloads Personal Information without authority. A data breach can occur where there is a reasonable likelihood of unauthorized access or disclosure of protected information. This means, for example, that a data breach occurs when a business is actively hacked, when information is lost during shipping, and when a forgetful employee leaves the client file in a Starbucks. According to the NetDiligence 2014 study on Cyber Claims, while active hacking is responsible for roughly 40% of all data breaches, various forms of employee error or action make up roughly 50% of all data breaches. Thus, various forms of protection are necessary to secure personal information.
How do hackers do it?
The methods employed by today’s hackers are often complex and sophisticated. Yet, sensitive personal information can also be obtained through the most basic of flaws in a security system. For instance, hackers can employ what are called Advanced Persistent Threats, which is a directly targeted hack on a business’s network that can take various forms. Hackers can employ spear phishing, email scams, malware, viruses, worms, or Trojans, simply by putting those programs on the Internet and tempting you or your employees to download the programs. One of the more recent and creative schemes is to leave a USB flash drive behind at a coffee shop or some other public place. When an unsuspecting business employee on a coffee break finds what they think is a free flash drive and plugs it into his computer, the flash drive automatically runs a program that gives the hacker complete access and control over the entire computer. Before the unsuspecting employee even knows that something is wrong, the hacker could access personal information or may have already accessed the employer’s network through the infected laptop.
Hackers can also obtain information in basic, non-tech ways. Improper deletion of data off a prior work computer before disposal can result in that hardware, with data intact, winding up in the wrong hands. An employee's carelessness can result in the accidental publication or dissemination of personal data, such as losing a laptop, smartphone, tablet, or flash drive with personal information. Very recently, the Houston Astros baseball team was “hacked” by individuals who work for the St. Louis Cardinals organization. Access was obtained simply enough because the former manager of the Cardinals was hired by the Astros and used the same passwords to protect his database of player information.
An even more likely cause of a data breach is a former employee who takes data with him/her to go to work for a competitor. While these people are not “hackers” in a traditional sense, former employees pose a very real threat for data breach, as these individuals often have “authorized” access to sensitive company information and, without proper protections in place, could easily download company information for themselves or for their new employer.
To protect against these threats, it takes robust security measures that are not just technological, but also practical.
Effects of a Data Breach
When a business is hacked or suffers a data loss, the consequences can be dire, and in some cases, fatal to the operation. The cost of responding to a data breach alone (apart from any litigation) can put a business under. With a “patchwork” of state and federal laws requiring notification, and in some instances payment of credit monitoring service for all those individuals whose personal information was accessed, the costs can add up quickly. The costs can mount even more rapidly without adequate preparation and safeguards, and a business can struggle to respond to a data breach without a proper response plan in place in advance.
In 2014, First Data Corporation released a study estimating that the cost of a small business responding to a data breach could exceed $50,000 per breach. By way of example, First Data notes that in 2013, the University of North Carolina suffered a data breach of just 6,000 records, but it cost the school nearly $80,000. Some of the consequences of suffering a data breach can include:
Mandatory forensic investigation - some governmental agencies may require such investigation. Credit Card companies, pursuant to the Payment Card Industry Data Security Standard (“PCI DSS”), may also require the hacked business to perform a forensic IT investigation in order to be able to process card payments after the breach. This examination could cost tens of thousands of dollars.
Compliance with State and Federal Notification Laws – Various state and federal laws may apply to single data breach event. Providing the mandated written notification to all affected customers/clients/patients can cost thousands or tens of thousands of dollars.
PCI assessment - A PCI Assessment by a Qualified Security Assessor may be necessary in order to accept card payments again following a breach.
PCI fines - if the forensic investigation shows that the business was not in compliance with PCI DSS, the card associations and/or banks may levy fines against the business for noncompliance or withdraw the ability for the business to accept card payments.
Debit/Credit card replacement costs - Some card issuers may require the business to pay the cost of reissuing cards to affected customers.
Upgrade to Point-of-Sale system - It is possible that a business with an outdated Point-of-Sale system will need to upgrade to prevent further incidents and also to comply with PCI DSS.
Damage to reputation - According to a study performed by the Ponemon Institute, 75% of company executives surveyed indicated that a data breach event had a significant or moderate negative impact on the business’s reputation.
Down time - During the period of days or weeks while the business evaluates the breach, the business may be down completely, or may be significantly hampered in its operations.
Loss of Competitive Advantage - If a former employee takes information to a competing business, the business may lose any competitive advantage it had with that confidential information.
These costs of a data breach do not even take into consideration the possible governmental investigation or private litigation that may result from a breach. Preparation for, and quick effective response to, a data breach is crucial to mitigating the risk of a data breach, and minimizing these consequences.
How can Businesses Mitigate this Risk?
The challenge for businesses both large and small is to protect against all forms of data breach in the first instance. Focusing only on having the strongest firewall ignores a large cause of data breach - employee error. Focusing only on making sure employees do not erroneously disseminate data ignores hackers who are infiltrating your network. Focusing on both of these but ignoring the need for a strong and regular system backup is short-sighted. The fight against data breach must be fought on multiple fronts.
Lest you think that this is a fight carried on only by Fortune 500 companies, the idea that only large corporations need concern themselves with data breach is being put to rest. Small does not equal immune. The National Small Business Association conducted a study of small businesses in 2013, and found that nearly half of those businesses surveyed said they had been the victim of a data breach via hacking, malware, virus, etc. In fact, hackers may see small and medium sized businesses as prime targets, as those businesses typically invest less in cybersecurity than larger businesses, but may still collect and store important (and valuable) personal information.
To mitigate cyber risks, businesses must evaluate their current infrastructure and ensure proper policies and security measures are in place. They can develop breach response plans so the management of the business knows what to do in the event of a breach. And the business can inform itself and understand the actions that are necessary when a breach does occur, and what obligations the law imposes. There are also steps that can be taken before, during, and after a breach that can position the business well in the event of litigation or government agency investigation.
Cybersecurity and protection from data breaches are issues that today’s businesses must address, both because the law requires it and because the practical consequences of suffering such a security event can be catastrophic. No data protection system is 100% foolproof, and thus instituting updated security measures and engaging in proper planning for breach response is crucial. Effective cyber counsel can work with a business’s management and IT professionals to ensure the business is as prepared as possible for a data breach event, and can respond effectively in compliance with the applicable laws.
For more information about Grogan Graffam, P.C., please visit the International Society of Primerus Law Firms.
 Dell, Secure Works, Underground Hacker Markets, December 2014.
 Reuters, Your medical record is worth more to hackers than your credit card, September 24, 2014.
 NetDiligence 2014 Cyber Claims Study.
 First Data, Small Businesses: The Cost of a Data Breach Is Higher Than You Think, 2014.
 Ponemon Institute, Reputation Impact of a Data Breach, November 2011.