If Big Brother can’t stop a hack attack, what hope is there for the rest of us? The truth: even if your clients implement all best practices and precautions, maybe not much. As BakerHostetler’s Melinda McLellan and Judy Selby pointed out in a recent Lawline Retail Industry event, it’s not a matter of if your system is breached, but when. Nonetheless, McLellan offered the latest on how to best avoid, and then respond to, a data breach. Though specifically geared toward the Targets and Gaps of the world, Data Breaches in the Retail Industry is a great primer for all your clients, especially in its breakdown of the anatomy of a typical breach.
Although most breaches come from the outside, McLellan reports that up to 37% of breaches are caused by internal negligence with regard to things like phishing emails and failure to completely shut down laptops and mobile devices that are then stolen or lost. Sheer employee ignorance can also lead to data breaches, particularly when it comes to disposal of personal information, especially paper copies that include personal data. And then there is the odd, malicious employee, selling a password or, having accepted a fee, sneaking into the office and exporting data in the middle of the night. Of course, retail has its own unique external threats, the most widely known of which are so-called “skimming” devices—credit card swipe machines that appear real but that send data to an outside source.
Interestingly enough, McLellann suggests that “the safest company is the company that just had a breach.” This results from the safeguards put into place afterward. The obvious answer is to put an appropriate risk prevention plan into place before a breach occurs. In doing so, companies need to beef up their “internal detection systems,” the weakness of which are a prime reason why the average data breach continues for 229 days before discovery.
Other keys include “vetting your vendors” to ensure they are aware of best practices. The infamous breach of Target Corporation occurred because the credentials of one HVAC vendor were stolen and used to access the retailer’s servers. McLellan suggests the adoption of two-factor authorization to avoid password thievery. And employee education is critical - even after years and years of publicity about phishing, these emails present problems because they often look like they come from the company itself. One click amongst thousands of employees can result in disaster. Put your employees through the wringer on this because, as the BakerHosteteler team pointed out, there’s nothing worse than having investigators discover, after a breach due to employee negligence, that there was no employee education program in place. This raises the liability potential immeasurably.
Education on how to discern phishing emails is a must. A good periodic exercise is testing staff by sending out a fake phishing email to see if employees click on it. McLellan cautions that the response to employees who do click erroneously on the test emails should not be punishment, but more education—the idea is to raise awareness, not add pressure. Another interesting suggestion is to block employees’ ability to open certain kinds of attachments or adopt warning steps before certain kinds of attachments can be opened. This is one step beyond the spam box.
All of these suggestions aim toward reducing the risk of breach, not eliminating it. If the worst should occur, Selby and McLellan offer a fantastic approach to addressing the breach. Their Security Breach Response Plan is a step-by-step guide from forensics to law enforcement investigations, from communicating and remediating the breach through civil and even securities litigation. Any lawyer who has clients with a computer—that would be everyone—would do well to check out this important presentation.
Sigalle Barness is the Vice President of Content and a member of Lawline.com’s Executive Team.
Sigalle provides business strategy and leadership to the company and directly manages Lawline’s accreditation, programming and production operations.
Sigalle also analyzes market trends and applies insights to develop and execute written and video content including online educational programming, email marketing, social media campaigns, press releases, blog articles and large scale live events.
Sigalle graduated summa cum laude from Rutgers University and holds a B.A. in English. She received her J.D. in 2010 from Benjamin N. Cardozo School of Law in New York, NY. Sigalle is admitted to practice in both New York and New Jersey. She is also an active member of the Association for Continuing Legal Education (ACLEA), and is the former Chair of ACLEA’s Programming Special Interest Group (2013 – 2015) and National Provider Special Interest Group (2015 - 2017).
Before joining Lawline in March 2012, Sigalle litigated civil claims in areas such as landlord tenant, breach of contract and tax lien and mortgage foreclosures actions. She also handled transactional matters such as drafting residential and commercial leases, demand letters, and client conflict waivers. Sigalle is an avid lover of music, video games, blogging, asking questions and all things food. She is also fluent in Hebrew and enjoys writing fiction, traveling and scuba diving.