Legal Matters

Don’t be the next Target

In the wake of the massive data breach at Target, government and private enterprises should take necessary steps to ensure the security of their own information. 

Everyone has heard about the massive data breach at Target. If you’ve been a Target customer (and who hasn’t?), by now you’ve likely taken steps to make sure that your own information is secure.

But what about your business or your agency? What steps have you taken to make sure that you're compliant with state law and that you're not the next Target? Please don't think that, because you're not as big as Target or Neiman Marcus, you're not going to be hacked. Nothing could be further from the truth.

The fact is, every company or agency that is connected to the internet has already been a target of some level of hack attempt and will be subject to even more sophisticated attacks in the future. There isn’t a cyber expert anywhere that will tell you differently. Here at our law firm, we were getting dozens of hack attempts per week, which were greatly reduced when we kept all foreign IP addresses from being able to get in the front door.

There are various forms of hack attempts. There are those that want to grab “personally identifiable information” (“PII”) for identity theft. There are those that want competitively sensitive data. There are others that want to disable a network for “ethical” reasons. And there are those just having a good time.

How vulnerable are you? Do your employees have cell phones? Do those cell phones have access to your system (e-mail, etc.)? If yes, are those cell phones password-protected (ideally with two-factor authentication)? If not, you're vulnerable.

Do your employees have laptops or tablets with access to your system? Are those units password-protected and encrypted? They had better be. How about when they go into Starbucks or Panera? Do they use the free Wi-Fi there, or at an airport or hotel?

I’m on the board of trustees at Capitol College, a technical college in Maryland that offered the nation’s first full degree program in network security. I asked one of the deans how long it would take one of the students to hack one of these free Wi-Fi systems. I expected him to say 15 minutes. He said five minutes. What would they be able to see? Any transaction (if the register or credit card machine was wireless and not encrypted) and anything on any customer’s logged on unit. Be careful out there!

If you really want to get scared, take a look at Nextgov.com’s Threatwatch. It gives a list of ongoing threats and breaches.  http://www.nextgov.com/cybersecurity/threatwatch/?oref=TW_article_module

Because the problem is growing, there are multiple ongoing efforts to address it, both technical and legal. The National Institute of Standards and Technology ("NIST") has issued guidelines for users, and Congress is struggling with laws designed to protect customers and to coordinate anti-cyber-attack efforts between government and businesses.

While these efforts continue, it is urgent that you determine whether you are compliant with existing law and whether your defenses are secure enough to defeat determined hackers.

Initially, it is important to determine whether you have in your company or agency’s possession PII. While various statutes define PII differently, it generally encompasses an individual’s name in combination with a: Social Security number; driver’s license number; financial-account number; taxpayer-identification number; or user ID and password or other specified credentials permitting access to online accounts. If you do have this information, you need to determine current law in your state, as well as cyber law in any other applicable state. You might have PII from folks nationwide, in which case you’ll need to know every state’s rules, and you’ll want to comply with the most stringent of those rules.

Comments (2)

Jerry Wanger (not verified)
on Jan 21, 2014

Solution is easy. Do not have any sensitive information attached to the internet or to a network that connects to the internet.

Anonymous (not verified)
on Jan 22, 2014

IT vendors don't like this inexpensive and relatively bullet-proof solution of eliminating any ties between critical networks and the internet. They would rather lull us into the idea that we can achieve security with sufficient IT spending. This article indicates how effective the IT spending option is. Retailers often cannot isolate their networks from the web. Usually, public safety can!!

What's Legal Matters?

Alan Tilles' expert analysis on the policy, legislative and regulatory events that are shaping our industry.

Contributors

Alan Tilles

Alan Tilles is counsel to numerous entities in the private radio and Internet industries. He is a partner in the law firm of Shulman Rogers Gandal Pordy & Ecker and can be reached at atilles@...