Thanks to a recent string of high-profile cyberattacks, data breaches have never been as hot a topic as they are now. Few of the more recent ones, however, have been as egregious or controversial as the Equifax data breach, which exposed the personally identifiable information of roughly 143 million Americans. What is particularly striking about it is how easily preventable it might have been. In testimony at a congressional hearing, Equifax’s former CEO explained that the breach occurred solely as the result of a single employee’s failure to patch a simple Apache flaw for which the software provider had already released a patch, and which the Equifax employee never installed. This wasn’t the only major gaffe Equifax committed, either. It also stored thousands upon thousands of records containing personally identifiable information on an Argentinian server whose username and password were both set to “admin.” Then, in the wake of the breach, its own Twitter account directed affected users to website links that turned out to be fake.
Although its size and significance may have been especially noteworthy, the Equifax breach underscores a more general theme that is becoming ever more urgent: how companies and firms should embrace, in the words of Microsoft attorney Dennis Garcia, a “culture of cybersecurity.” Nonetheless, we keep seeing countless examples of how carelessness has gotten in the way, notably when Wells Fargo accidentally turned over 1.4 GB of sensitive client data to an ex-employee’s attorney in response to a routine discovery request.
As the stakes of a data breach rise, the margin of error companies have on this issue is steadily shrinking, even more so for multinational companies that will be affected by the European Union’s upcoming GDPR. Companies that fail to take corrective measures immediately could therefore be hit with capital-killing consequences down the road.
Poor Cybersecurity Safeguards Can Cost You
Companies and law firms need to comply with a number of state, federal and international data security standards, depending on what types of personally identifiable information (PII) they store and which countries, states and territories they do business in.
All of these standards require companies and firms to enact some form of data security safeguards to protect consumer and client data. The Gramm-Leach-Bliley Act in the U.S., for example, requires financial institutions and certain law firms and other businesses to take steps such as using Secure Sockets Layer (SSL) or other secure connections when transmitting consumer credit card and other personal data, installing patches and other updates to ensure full protection, and conducting regular auditing procedures such as reviewing user activity logs on IT systems and planting dummy accounts in customer lists as a way to track suspicious changes. PIPEDA, which applies to companies that store Canadian citizens’ sensitive information, similarly requires companies to consider effective offline and online protection strategies that are appropriately tailored to the sensitivity of the information stored. Many of these laws also require companies to engage in employee training and auditing procedures to ensure this data is safely protected.
Companies that fail to implement these protocols can face staggering fines, or—in some cases—even criminal charges. HIPAA violations related to data security, for example, can cost companies over $1.6 million per year for violations that were due to willful neglect and left unresolved, while companies that ignore core GDPR rules could find themselves facing maximum fines of up to 4% of the company’s global annual revenue in the previous fiscal year.
These are just a few examples of the various fines and other penalties your company or law firm could face if hackers successfully mine customer PII as a result of slipshod and ineffectual compliance with data security standards. Be sure to check the laws of the various jurisdictions and industries that govern the specific types of data you or your clients collect to learn more about how ineffectual compliance could set your company up for liability.
How to Know if Your Clients’ PII Has Been Compromised
Fortunately, law firms and companies have a number of avenues to explore for determining whether any collected customer PII has been compromised, whether they’ve confirmed a breach or simply want to investigate the possibility. Many of these options, however, require an in-depth investigation into your company or firm’s IT databases. Unusual administrative user activity, edited user privileges, and altered core system files can all point to some level of hacking or outside tampering. Analyzing log files, which record specific events that occurred while particular software, websites or other programs were running, can also surface red flags for your IT support personnel to investigate. Slowed network performance and suspicious outbound traffic can also indicate the presence of malicious scripts or that hackers entered through a backdoor.
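The dummy-account technique mentioned in the GLBA paragraph above and the log review described here can be combined into a simple canary check. The following is an added example written for this post, not code from the author or from any regulator: it assumes a constructed customer list in which two planted records (ids C-90001 and C-90002) should never be edited, deleted or exported by any legitimate process, so any change to them or any export log line that mentions them is a red flag worth escalating.

```python
import hashlib
import json

# Constructed sample customer list. C-90001 and C-90002 are planted dummy
# ("canary") accounts: no real business process should ever touch them.
CANARY_IDS = {"C-90001", "C-90002"}
CUSTOMERS = [
    {"id": "C-10001", "email": "j.doe@example.com", "ssn_last4": "1234"},
    {"id": "C-90001", "email": "canary.one@example.net", "ssn_last4": "9001"},
    {"id": "C-10002", "email": "a.lee@example.com", "ssn_last4": "5678"},
    {"id": "C-90002", "email": "canary.two@example.net", "ssn_last4": "9002"},
]


def fingerprint(record):
    """Stable SHA-256 of a record so that any field-level edit is detected."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def snapshot_canaries(customers):
    """Baseline fingerprints of the canary records, taken at a known-good time."""
    return {r["id"]: fingerprint(r) for r in customers if r["id"] in CANARY_IDS}


def audit_canaries(customers, baseline):
    """Return (id, finding) pairs for canaries modified or deleted since baseline."""
    current = {r["id"]: fingerprint(r) for r in customers if r["id"] in CANARY_IDS}
    findings = []
    for cid, digest in baseline.items():
        if cid not in current:
            findings.append((cid, "deleted"))
        elif current[cid] != digest:
            findings.append((cid, "modified"))
    return findings


def canary_hits_in_log(log_lines, customers):
    """Return export/outbound log lines that mention a canary's id or email."""
    markers = set()
    for r in customers:
        if r["id"] in CANARY_IDS:
            markers.update({r["id"], r["email"]})
    return [line for line in log_lines if any(m in line for m in markers)]
```

Take the baseline right after the canaries are planted and re-run the audit on a schedule; a modified or deleted canary, or a canary email address in an export or mail log, has no innocent explanation and should go straight to your IT or forensics team.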
While the ABA and a growing number of state bar associations are instructing attorneys to keep abreast of the latest technological advances and how they can impact their legal practice on a day-to-day basis, you don’t necessarily need to become CISSP-certified to meet these requirements. Retaining experts and agencies that specialize in IT forensics, pen testing, and cybersecurity can help with diagnosing potential issues in your existing safeguards and help you take the steps you need to improve your data security practices. There are some immediate steps that you can take on your own to start, however. These include moving your data to an encrypted cloud hosting provider, making sure the sensitive data in your eDiscovery process is secure, and encrypting your communications with customers and clients.
As the Equifax breach has shown, careless compliance with data security standards can leave a trail of code-laden hints that hackers can exploit to break into your company or firm’s computers and IT systems to commit identity theft. Proactively taking action to update and improve your clients’ data security safeguards is one way you can avoid the risks your company or firm could face—and, in the end, reduce the likelihood that your company or firm becomes the next high-profile data breach scapegoat.
This post was authored by Eric Pesale, an attorney who writes about eDiscovery, cybersecurity and other legal topics for law firms, publications, and companies. He is the founder of Write For Law, and is a graduate of New York Law School and the University of North Carolina at Chapel Hill. Eric can be reached at firstname.lastname@example.org or on Twitter at @writeforlaw.