Don’t be the next Target

Everyone has heard about the massive data breach at Target. If you’ve been a Target customer (and who hasn’t?), by now you’ve likely taken steps to make sure that your own information is secure.

But what about your business or your agency? What steps have you taken to make sure that you’re compliant with state law and to make sure that you’re the next Target?  Please don’t think that, because you’re not as big as Target or Neiman Marcus, you’re not going to be hacked. Nothing could be further from the truth.

The fact is, every company or agency that is connected to the internet has already been a target of some level of hack attempt and will be subject to even more sophisticated attacks in the future. There isn’t a cyber expert anywhere that will tell you differently. Here at our law firm, we were getting dozens of hack attempts per week, which were greatly reduced when we kept all foreign IP addresses from being able to get in the front door.

There are various forms of hack attempts. There are those that want to grab “personally identifiable information” (“PII”) for identity theft. There are those that want competitively sensitive data. There are others that want to disable a network for “ethical” reasons. And there are those just having a good time.

How vulnerable are you? Do your employees have cell phones? Do those cell phones have access to your system (e-mails, etc.)? If yes, are those cell phones password protected (hopefully with double authentication)? If not, you’re vulnerable.

Do your employees have laptops or tablets with access to your system? Are those units password protected and encrypted? They better be. How about when they go into Starbucks, or Panera? Do they use the free Wi-Fi there or at an airport or hotel?

I’m on the board of trustees at Capitol College, a technical college in Maryland that offered the nation’s first full degree program in network security. I asked one of the deans how long it would take one of the students to hack one of these free Wi-Fi systems. I expected him to say 15 minutes. He said five minutes. What would they be able to see? Any transaction (if the register or credit card machine was wireless and not encrypted) and anything on any customer’s logged on unit. Be careful out there!

If you really want to get scared, take a look at Nextgov.com’s Threatwatch. It gives a list of ongoing threats and breaches.  http://www.nextgov.com/cybersecurity/threatwatch/?oref=TW_article_module

Because the problem is growing, there are multiple ongoing efforts to address the effort, technically and legally. The National Institute of Standard and Technology (“NIST”) has issued some guidelines for users, and Congress is struggling with laws designed to protect customers and to coordinate anti-cyber attack efforts between government and businesses.

While these efforts continue, it is urgent that you make attempts to determine whether you are compliant with existing law and whether your defenses are secure enough to defeat determined hackers.

Initially, it is important to determine whether you have in your company or agency’s possession PII. While various statutes define PII differently, it generally encompasses an individual’s name in combination with a: Social Security number; driver’s license number; financial-account number; taxpayer-identification number; or user ID and password or other specified credentials permitting access to online accounts. If you do have this information, you need to determine current law in your state, as well as cyber law in any other applicable state. You might have PII from folks nationwide, in which case you’ll need to know every state’s rules, and you’ll want to comply with the most stringent of those rules.