We just got back from a quick family vacation – running an agency with my wife means we don’t really take a lot of time off, but we love to get away with our girls to the beach even if only for a few days.
We go every year. And every year, during the trip or immediately following it, we get a fraudulent charge. We adapt by using cash wherever we question how secure a transaction may be, and by monitoring charges to our cards with real-time alerts. So far, this year has been the exception: no alerts (yet).
My point isn’t about the perils of travel, it’s that we basically expect it. As consumers, we are so used to fraud, data breaches, and letters from our creditors letting us know that our data “may have” been leaked, accessed, or compromised.
Equifax, the Credit Reporting Agency (CRA) well-known for maintaining credit histories for consumers, settled with the FTC this week for 575M USD for its infamous 2017 data breach. That same year, in an opinion piece posted to Wired.com, Ron Fein, the legal director of Free Speech for People, explained: “Equifax's entire reason for existence is to collect and maintain private financial data about individuals who are not customers of the company.” If Equifax and other major companies and government organizations can suffer a severe data breach, I think it’s fair to assume that data breaches are frequent and universal – and a major risk to every person and business.
The fine was based on many factors, including a decision by the FTC that actual harm was caused to consumers by Equifax’s actions. New York State Senator Daphne Jordan called Equifax "sloppy" and said the Credit Rating Agency's "poor practices resulted in a massive data breach."
The FTC’s decision ensures Equifax will provide protection to individual consumers who were impacted, allowing a person to claim up to $20,000 if harm can be proven, according to recent reports.
But let’s focus for a moment on why Equifax was targeted. Cybercriminals – or, as I like to call them, criminals – were attracted to the treasure trove of information stored by Equifax. Like the gold once stored in Fort Knox, the data was undoubtedly valuable, and that made it a prize target for hackers. We’d like to think that the level of cyber security employed by Equifax could only be defeated by hackers the likes of a clever, movie-worthy heist gang, or perhaps a group affiliated with or supported by a foreign nation-state, who hatched a mastermind plan to breach Equifax’s defenses.
The reality is sadder and gloomier: the data breach could have easily been perpetrated by a lone crook exploiting a single vulnerability that Equifax chose not to address.
According to reports, the US Department of Homeland Security notified Equifax of a flaw in software installed on its Internet-connected servers early in March 2017, and the cyberattack carried out by the criminals took advantage of this flaw four months later. Why wasn’t the flaw addressed sooner? Equifax’s information security department relied on automated tools that erroneously determined the flaw was not present. As a result, Equifax deemed it unnecessary to update the software immediately. They were lax and they were sloppy, and they have paid for those poor practices with a stained reputation, lost revenue and a humiliating FTC fine.
Major corporations deal with data breaches and plan for threats every day. Handbooks are written full of legal procedures and drafted communications to be customized and issued if and when a breach occurs. In fact, we help write those materials for our clients. Equifax is a top-three credit reporting agency with the financial means to weather this situation, but the majority of businesses, big and small, would collapse under similar circumstances.
How do you measure the value of data? How do you measure the impact of a data breach?
Well, here’s some perspective on data security, by the numbers:
Zero day: the first 24 hours following the discovery of a cyberattack. A zero-day exploit takes advantage of a previously unknown flaw in software or hardware that makes it possible for a cyberattack to occur.
Often malware is employed: automated software placed or released throughout the Internet in order to hunt down and take advantage of these flaws. No platform is immune, including our tightly held smartphones. The number of zero-day threats has grown significantly with the growth of ecommerce and the global expansion of social media.
All fifty states in the US have data breach notification laws. Do you know the law in the state or states where you conduct business?
The amount of time small-to-midsized businesses lose to each cybersecurity breach (according to Cisco’s 2018 Security Capabilities Benchmark Study).
The portion of data breach victims that are small businesses (according to the Verizon 2018 Data Breach Investigations Report).
The number of US consumers who may have been impacted by the Equifax data breach (according to the FTC).
The fine Equifax will pay as part of its settlement with the FTC in the wake of one of the most sensitive consumer data breaches in US history (according to the FTC).
Direct premiums written for both standalone and packaged cyber insurance policies (according to A.M. Best).
Risk to Small Businesses
Small businesses are no less at risk than major global brands and government institutions, but small business owners don’t always recognize the likelihood of a breach. In fact, even insurance brokers aren’t always familiar with the liabilities and insurance options available to small businesses when it comes to cyber risk. When I asked our own small business insurance broker and other contacts in the industry about cyber insurance for our agency, I learned that underwriters are looking at cyberattacks differently and that the insurance landscape is changing rapidly in relation to these risks. General and professional liability policies have increasingly added exclusions specific to cyber-related risks. With the passage of data breach laws, small businesses now also face the threat of penalties for failing to comply.
Small business owners need to educate themselves about the specific risks – paper receipts, electronic databases, lax procedures and high employee turnover all are potential opportunities for a data breach. Cybercriminals target small businesses for these reasons. There are steps small businesses can take to safeguard against attacks, including training employees on legal requirements and proper safeguarding of information, preparing for possible breaches in advance, and even running drills. In addition, look into cyber risk insurance for small businesses. Carriers are willing to help mitigate these risks. If you’re a small business owner, don’t wait until it’s too late!
How much is your business data worth to you?
Cybercriminals try to gauge how much attention you pay to your own day-to-day data. They’re looking at whether you notice minor attempts to access your information, or whether your employees freely answer questions they shouldn’t or leave out information that should be secured. They are going to try to decide whether you would pay to regain access to your own data if they held it for ransom. With malware, this probing is now automatic.
A major threat nowadays to small business and enterprises alike is ransomware, and it has become a global problem. In addition to cyber risk insurance, the response to this threat has created fringe business opportunities such as ransomware negotiation, so it's clear that this is not a problem that can be solved by a silver bullet. It’s important to understand the prospect of dealing with ransomware whether you’re a small business owner or department head.
Ransomware is a new strategy of extortion in which cybercriminals access business data and lock it up with nearly unbreakable encryption. In fact, as the encryption industry evolves to better protect business and personal data, the hackers employ the same methods against their victims. Hackers often gain access through the use of zero-day exploits, spend some time inventorying business data and assets, and then employ encryption tools to lock the owners out.
Typically this is handled remotely without a way to trace the criminal in a reasonable amount of time. A tight deadline is then imposed on the data’s rightful owner, forcing a decision to pay ransom or accumulate financial losses. Sometimes, access to the data is returned to the business, other times the perpetrator is never heard from again, leaving the business and its customers to pick up the pieces.
A notable recent ransomware attack targeted the City of Baltimore in May 2019. The criminals demanded 75K USD in Bitcoin within four, then 10 additional days for each computer. Ultimately the City of Baltimore decided against paying the ransom while Federal investigators began to analyze the scene of the crime. The city’s offices were not operational for days and city services were in turmoil. Recent reports suggested in June the City of Baltimore lost 8M USD in revenue, and has already spent an additional 10M USD shoring up its defenses and restoring its backup data.
While authorities recommend that businesses not pay the ransom, that is often a very difficult choice for business owners and executives to face. Putting that decision aside, all businesses face costs for reporting and safeguarding data, and eventually contractual obligations to safeguard it. All businesses must know where they stand.
Stepping Up Regulations
This past June, New York’s legislature passed the SHIELD Act, which applies to individuals and businesses in possession of “private information” – that is, private data owned or licensed with respect to a New Yorker. The bill is currently awaiting the Governor’s signature; the expectation is that it will be enacted and will raise the bar for cybersecurity safeguards, legal standards and reporting requirements to the NY Office of the Attorney General. New York businesses ought to be on notice. Failing to follow the regulations will have an impact on businesses large and small.
And other states are sure to follow. We’re doing our homework to help our clients prepare for the new requirements. The bottom line is that the risks aren’t going away, the criminals are evolving their methods in lock-step with the security industry’s efforts to protect data, and the fines and regulations are getting more specific and more impactful. Know your risks, evolve your practices to safeguard your data, and investigate the right kind of insurance to protect your business and your customers. If you do, you’re more likely to enjoy a vacation or two.