There is so much in the news about cyber-security. Much of the focus is on cyber war as a new and inevitable weapon, Stuxnet and the vulnerability of our national infrastructure. Some of the news is about use of computers to steal US technology and trade secrets, with culprits—if traceable—often located in China or Russia. It is definitely scary stuff, we all fear the prospect of several weeks without power, or endless gas lines should the oil pipeline infrastructure take a hit.
However, companies face a much more mundane and growing risk: personal information in their possession is being stolen by cyberattacks much more frequently than before. This is a form of cybercrime, not a new method of waging war, and the goal is generally identity theft, often an attempt to obtain credit (and debit) card numbers. All companies are vulnerable, but in the absence of required corporate standards, except in certain sectors (e.g., financial services/banking), some companies have done little to protect their personnel and customers from such hacker attacks. Moreover, these crimes are very difficult to prosecute; most originate from users in other countries. In the realm of data breaches and identity theft, we are truly One World.
Over the past two months, an important client of mine, a music technology manufacturer, called with a problem: part of its customer database had been hacked. The names of approximately 1,000 individual customers from its mailing list had been posted on a website in an Asian country. The database itself has nearly 1 million names. It seemed that only name and address/contact information, but no credit card information or social security numbers, had been obtained and posted. Indeed, the database did not contain personally sensitive information. Still, the customer database is password protected, and obviously this hacker succeeded in breaching its security.
My client wanted to be proactive and do the right thing. They acted quickly. I helped them identify the apparent owner of the website where the illegally obtained personal information had been posted, through a Whois search. Once that was established, we were able to find the webhost in that Asian country (a local GoDaddy or Hostgator), which ultimately took the website down at my client’s request. So the problem was mitigated. But what about all the customers whose personal information was hacked?
First, I reviewed California’s very recent law governing security breach notification, which just took effect in January, and requires that any business or entity conducting business in California notify California residents whose unencrypted “personal information” was or is believed to have been acquired by an unauthorized person through a security breach. California led the nation with its original data breach law, but our legislators thought it needed updating. The new law, which amends California Civil Code Sections 1798.29 and 1798.82, sets out when a notice to a business’ victims must be sent, what form the notice must take (physical notice or email) and what the notice must contain. The incident must be described, the timing of the incident disclosed, and contact information given for the business/entity. The type of personal information hacked must be disclosed, and if the breach exposed a social security number or driver’s license number, toll free numbers of the major credit-reporting agencies must be provided. If the breach affects 500 or more California residents, the state attorney general must be notified (with an exception for certain health information/HIPPA-compliant companies).
Fortunately, the California law did NOT apply to the information hacked from my client’s website, precisely because no personally sensitive information was compromised: no social security number, driver’s license number, account number or credit or debit card number, medical information or health insurance information. However, I also reviewed the new SEC Guidance on cyber incidents and FTC guidelines. The latter urge any business that has been the victim of a data security breach to inform law enforcement immediately, whether local police or the local FBI office.
My client’s instincts to be proactive coincided with my advice based on my review of various federal Guidelines. We agreed on the need to inform all of the mailing list victims about what had happened. This was done very quickly. After giving the matter due consideration, my client also decided to incur the expense of informing all of the other nearly 1 million members of the mailing list about what had transpired. At a minimum, we wanted them to change their passwords, and consider changing their passwords on other websites if they used the same password. I also advised my client that to the extent possible, despite the absence of national standards outside certain financial, health and credit card sectors, it is best to encrypt personal database data going forward.
The incident ended without any apparent harm having been done, but was a good preparedness exercise for a more serious cyberattack or data security breach, should it occur in the future.