Data breaches are all over the news right now. Here's what you want to know.
Businesses of all kinds have been hit, ranging from CVS and Costco — which last week had to take down site features amid investigations into whether consumer data was taken — to local entities like OhioHealth, which this week announced that information on some patients was on a flash drive that went missing.
No one is above risk, cyber security professionals say, but what can be done to keep you out of hot water? I asked Dayton-area experts for their advice.
1. Make sure employees have rules
Employees need to know not to open suspicious e-mails or fall for telephone scams, said Jon Gauder, president of Volo Technologies. Written security policies often help keep employees from letting information fall into the wrong hands.
Lindsay Johnson, an attorney with Freund, Freeze & Arnold specializing in cyber security, said that as employees use personal devices for more work purposes, they expose the company to risk. But that risk is easy to avoid.
"If you let employees have emails on their iPads and laptops, someone can get a hold of that and extrapolate data," Johnson said. "That data has to be encrypted, and that can be done with minimal effort."
2. Keep your tech up to date
To protect internal assets, you want to have routers and firewalls put in place and configured to prevent intrusion attacks, Gauder said.
“Sometimes it’s a matter of having the right equipment in place, antivirus and updated security patches,” Gauder said. “There’s no 100 percent foolproof way, but sometimes it’s more responsive than preventative, but your programs have to be up to date.”
Network security audits help companies test their security measures. For a website: if you don’t need to keep data on the site, don’t store payment information there, Gauder said. Host the website with a trusted, respected provider, and have a good security policy in place.
A lot of people use open source software to develop websites. That code is visible to attackers, but it also means a patch for a flaw is likely to arrive sooner.
"Open source software often has quick patches because more companies work off of it," Gauder said. "But people who have access to source code can still find things. Response time can be faster than proprietary software. Make sure software is up to date."
Because of that, he recommended monthly or quarterly updates to software.
3. Know who you need to tell
Reporting requirements vary by industry. In a regulated industry like banking and finance, reporting requirements are set by federal law, Johnson said. For general businesses with no reporting requirements, the first step is to establish the extent of the breach and what was accessed.
Businesses are hesitant to report to legal authorities, but “it gives you credibility that you reported something to authorities right away, and they can take the efforts they need.”
Law enforcement encourages businesses to report details, though many are reluctant to do so. If the safeguards are in place, reporting promptly lets you save face with clients, who will know you disclosed the details right away.
Companies have had mixed reactions to breaches. Retailers like P.F. Chang's and Michael's gave the public specifics about potential data breaches, while others did not.
Johnson said it's ultimately a PR decision whether or not to make a breach public. But not doing so can risk your reputation. You should report to your clients right away and let them know the details.
"The more detail you give illustrates you are organized," Johnson said. "You’re able to identify quickly what happened, who was affected, how entry was achieved, etc. If you don’t have a plan in place it will take you three times as long."
4. The law will want to know how you responded
If a lawsuit happens, it's going to scrutinize what you knew about the breach and how you sought to prevent it.
The most high-profile breaches, including Home Depot, have led to costly lawsuits, Johnson said. What makes a data breach potentially harmful is whether you tried to stop it.
"In the event there was a breach, and a lawsuit, what we have seen is the courts are saying ‘you did not act commercially reasonably. You did not consider the information you let employees have on these devices,’" Johnson said. "You have to assume a data breach will happen. How they use emails, how they send data over email, whether it is encrypted."
If the courts become involved, the big question will be what you knew and when, and whether you acted reasonably.
When companies get sued, litigators make the case that they knew a data breach was a possibility and ignored it, and didn’t have policies and procedures to minimize attacks.
Cyber security insurance is becoming an industry standard. Companies are writing cyber security policies, Johnson said, adding it could soon be considered a standard of care.