Sep 18, 2015

The Basics of Cybersecurity Risks

By: Maryssa Simpson

We are all aware of the data breaches that have become synonymous with internet use, endangering our personal information. The latest revelation of a cyber-attack on a health insurer - this time Excellus BlueCross BlueShield - illustrates why it's so important for organizations to frequently scrutinize systems for intrusions.[1] Data breaches can take many forms. Most commonly, a company suffers a data breach, where “hackers, [ ] current or former employees, or others steal or otherwise gain access to personally identifiable information.”[2]

Almost any employee can expose a business to cyber-risks. Furthermore, if you own a website, engage in direct or indirect internet sales, use cloud services, linking, or framing, solicit business via electronic communication, conduct financial transactions on the internet, exchange information via the internet, or store information on an internet-facing server, your company is at risk. While large businesses may have sophisticated network security measures in place, small to mid-size businesses may not be able to afford them, or may not even be aware of the potential security risks.

Increased productivity is certainly a positive feature of the cyber-workspace. However, managing hazards can be tricky, and requires a working knowledge of cybersecurity language.

Cybersecurity Language and Tips for Protection

1. Email Scams

The United States Computer Emergency Readiness Team (US-CERT) provides information for recognizing and avoiding email scams.[3] Simple tips include filtering spam, treating email attachments and unsolicited mail with caution, not clicking links in email messages, and installing antivirus software and personal firewalls.

2. Malware

Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. US-CERT also provides helpful information about viruses, such as keeping your security software updated. At a minimum, your computers should have anti-virus and anti-spyware software, and a firewall. Make sure your browser security setting is high enough to detect unauthorized downloads. For Internet Explorer, for example, use the “medium” setting at a minimum.

3. Mobile Security

Employees should be made explicitly aware of the risks associated with working while traveling or at home. Importantly, employees should be instructed to enable encryption on their smartphone, always use a passcode in case their device falls into the wrong hands, and disable the “automatically connect to Wi-Fi” setting on their device. Installing a phone locator and remote erase application will offer protection to misplaced devices. Finally, careful disposal of mobile devices will ensure that sensitive information is wiped from a device. For information on how to accomplish this, check the website of the mobile provider or device manufacturer.

4. Wi-Fi Security

Wi-Fi security is a more specific aspect of “mobile security,” and it is applicable whether you are at work, at home, or using a mobile Wi-Fi hotspot. It is wise to instruct employees not to use public Wi-Fi. Furthermore, employees should not log into accounts or conduct sensitive transactions while using public Wi-Fi. The Federal Communications Commission (FCC) provides important information on Wi-Fi security.[4] The FCC’s main tips are:

  • Turn on your encryption.
  • WPA2 is the most effective encryption standard for Wi-Fi.
  • Activate the router firewall.
  • Change your router default password.
  • Be aware that you are at risk when you transmit sensitive information – such as credit card numbers and passwords – over public Wi-Fi networks.
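The mobile-security instructions in section 3 and the FCC checklist in section 4 are easiest to enforce when they are checked mechanically across a fleet of devices rather than left to each employee. The script below is an added example, not code from the original article or from US-CERT or the FCC: it audits a constructed, hypothetical export of device and saved-network profiles (the format and every field name are assumptions of this example) and reports which items of the two checklists each device fails.

```python
"""Posture check for the mobile and Wi-Fi guidance in sections 3 and 4.

Added example, not code from the original article. The device and network
profile format below is a constructed, hypothetical export from a mobile
device management tool; every field name is an assumption of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Wi-Fi security modes ranked weakest to strongest. WPA2 is the standard the
# FCC tips recommend; anything ranked below it is flagged.
MODE_RANK: Dict[str, int] = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}


@dataclass
class WifiProfile:
    ssid: str
    security: str        # one of the MODE_RANK keys
    auto_connect: bool   # the "automatically connect" setting the article says to disable
    public: bool         # hotspot, cafe or hotel network rather than office or home


@dataclass
class DeviceProfile:
    device_id: str
    storage_encrypted: bool
    passcode_set: bool
    remote_wipe_enrolled: bool   # phone locator / remote erase application installed
    wifi: List[WifiProfile] = field(default_factory=list)


def check_wifi(profile: WifiProfile) -> List[str]:
    """Return the FCC checklist items a saved Wi-Fi profile fails."""
    findings: List[str] = []
    mode = profile.security.lower()
    if mode not in MODE_RANK:
        findings.append(f"{profile.ssid}: unrecognised security mode '{profile.security}'")
    elif MODE_RANK[mode] < MODE_RANK["wpa2"]:
        findings.append(f"{profile.ssid}: encryption is '{mode}', weaker than WPA2")
    if profile.auto_connect:
        findings.append(f"{profile.ssid}: automatic connection enabled")
    if profile.public:
        findings.append(f"{profile.ssid}: public network saved; no logins or sensitive transactions on it")
    return findings


def check_device(device: DeviceProfile) -> List[str]:
    """Return the mobile-security items a device fails, including its saved Wi-Fi profiles."""
    findings: List[str] = []
    if not device.storage_encrypted:
        findings.append("storage encryption disabled")
    if not device.passcode_set:
        findings.append("no passcode set")
    if not device.remote_wipe_enrolled:
        findings.append("no locator / remote erase application")
    for profile in device.wifi:
        findings.extend(check_wifi(profile))
    return findings


def audit_fleet(devices: List[DeviceProfile]) -> Dict[str, List[str]]:
    """Map each device id to its findings; a compliant device maps to an empty list."""
    return {d.device_id: check_device(d) for d in devices}


# Constructed sample fleet: one well-configured device and one that fails most checks.
SAMPLE_FLEET = [
    DeviceProfile(
        device_id="phone-01",
        storage_encrypted=True,
        passcode_set=True,
        remote_wipe_enrolled=True,
        wifi=[WifiProfile("office-net", "wpa2", auto_connect=False, public=False)],
    ),
    DeviceProfile(
        device_id="phone-02",
        storage_encrypted=False,
        passcode_set=False,
        remote_wipe_enrolled=True,
        wifi=[
            WifiProfile("home-router", "wep", auto_connect=True, public=False),
            WifiProfile("cafe-guest", "open", auto_connect=True, public=True),
        ],
    ),
]

if __name__ == "__main__":
    for device_id, findings in audit_fleet(SAMPLE_FLEET).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{device_id}: {status}")
        for item in findings:
            print(f"  - {item}")
```

Run as a script, it lists `phone-01` as compliant and `phone-02` with seven findings (no storage encryption, no passcode, a WEP home router with auto-connect, and an open public hotspot that is both saved and set to auto-connect). The mode ranking is deliberately a lookup table so that a stricter policy, for instance treating WPA as failing too, is a one-line change rather than a rewrite of the checks.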

Legal Risks

The risks inherent to internet use should not be lightly considered – it is imperative that businesses evaluate cybersecurity. Cybersecurity risks may even be subject to disclosure. The SEC provides disclosure guidelines for publicly traded companies recommending the disclosure of “the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”[5] According to the SEC, “disclosure” includes a “[d]escription of the relevant insurance coverage.”[6]

Even companies not subject to disclosure are at risk. Lawsuits filed by employees, clients, or customers expose businesses to liability—just one example being the class-action suit filed by former employees of Sony Pictures Entertainment in the wake of the 2014 hack attack against Sony and the accompanying data breach.[7] The lawsuit filed against Sony asserts that 47,000 Social Security numbers and personally identifiable information (“PII”) for at least 15,000 current and former employees - some of whom had not worked for the studio since 1955 - were stolen by attackers.[8] Plaintiffs alleged that Sony breached two separate duties: (1) the duty to implement and maintain adequate security measures to safeguard its employees' PII; and (2) the duty to timely notify Plaintiffs that their PII had been compromised.[9] Importantly, the suit cited a September 2014 audit by PricewaterhouseCoopers, which warned that Sony's information security and monitoring practices fell below "prudent industry standards."[10]

Finally, businesses may not even be protected by their current insurance policy. The coverage typically afforded under a commercial general liability (CGL) policy for liability claims resulting from an unauthorized intrusion may be insufficient.[11] Businesses should consider insurance, technological, and legal measures to protect against cybersecurity risk.

[1] Marianne Kolbasuk McGee, “Attacks on Insurers: Lessons Learned,” Data Breach Today, http://www.databreachtoday.com/attacks-on-insurers-lessons-learned-a-8530, September 10, 2015.

[2] Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012).

[3] For tips on reducing spam in your email in-box, see US-CERT Cyber Security Tip ST04-007, “Reducing Spam”: http://www.us-cert.gov/cas/tips/ST04-007.html.

[4] FCC Consumer Tip Sheet: Wi-Fi Networks and Consumer Privacy, http://www.its.ms.gov/Services/Documents/Security/WiFi-Tips _2_.pdf.

[5] U.S. Securities and Exchange Commission Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2 – Cybersecurity (Oct. 13, 2011). Topic No. 2 states that: “In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.”

[6] Id.

[7] See Corona v. Sony Pictures Entm't, Inc., 14-CV-09600 RGK EX, 2015 WL 3916744 (C.D. Cal. June 15, 2015).

[8] Id.

[9] Id. at *3.

[10] Id.; see also Matthew J. Schwartz, “Sony Agrees to Settle Cyber-Attack Lawsuit,” September 3, 2015, http://www.databreachtoday.com/sony-agrees-to-settle-cyber-attack-lawsuit-a-8520.

[11] See State Auto Property and Cas. Ins. Co. v. Midwest Computers & More, 147 F.Supp.2d 1113 (W.D. Okla. 2001); America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003); Recall Total Information Management, 2012 WL 46988 (Ct. Super, January 17, 2012), on why information is not “tangible property” within the meaning of a CGL policy for purposes of data losses. However, see Norfolk & Dedham Mut. Fire Ins. Co. v. Cleary Consultants, Inc., 81 Mass.App.Ct. 40 (Dec. 16, 2011) on why theft of customer data may be “publication of material that violates a person’s right of privacy.” Other courts, however, have disagreed, leaving an uncertain gap as to whether or not a CGL policy would cover such an event. See Creative Host. Ventures, Inc. v. E.T. Ltd., Inc., 2011 U.S. App. 19990 (Sept. 30, 2011).