Sunday, April 2, 2017

Buckle Up For CyberSecurity

Remember when cars didn't have seat belts and we as kids piled into the backseat? Today that could be considered child abuse.

Our attitudes about wearing seat belts changed. We are now seeing a similar transformation in the area of cyber-security. New cyber-security laws, regulations, and lawsuits are going to make cyber-security considerations for computer networks as commonplace as using seat belts: protection against cyber-crime.

We really don't have a choice but to change our attitudes. Cyber-crime is the fastest growing criminal enterprise on the planet. Last year, over two billion records were lost or stolen, amounting to a global cost of $500 billion. That number is expected to quadruple in the next three years. The ultra-sophisticated criminal enterprises and nation states behind the crimes have been reaping profits in excess of the global drug trade. Surprisingly, small businesses with fewer than 200 employees have been the hardest hit.

Being the victim of a cyber-crime may be only the start of your woes. When the department store Target suffered a well-publicized data breach, it was then hit by over 140 lawsuits filed by consumers and banks whose personal and financial data was compromised. And it is not just large retailers or financial institutions who are potentially liable to customers: it is any company or business that possesses or safeguards confidential client information or customer data.

The Chicago law firm of Johnson & Bell was recently sued in what was believed to be the nation's first data security class action against a law firm brought by its clients. The lawsuit alleged that Johnson & Bell's internal VPN (virtual private network) and email systems were prone to "man-in-the-middle" or "DROWN" cyber-attacks, which could allow hackers to eavesdrop and steal confidential client information. Interestingly, the Johnson & Bell lawsuit did not allege that any actual data breach occurred.

In response to this threat, the state of New York just enacted unprecedented requirements for financial firms and insurance companies to protect their networks and customer data from hackers and to disclose data breaches to state regulators.  Other states are expected to follow suit.

Last year, Illinois passed the "Personal Information Protection Act," 815 ILCS 530. This statute requires "data collectors" (broadly defined to encompass corporations, financial institutions and retail operators) to use "reasonable security measures" to protect record information from disclosure. The failure to do so could constitute "an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act."

Depending on the nature of your business, there are already industry self-regulating and governmental cyber-security guidelines in a number of areas: Financial Services (Financial Industry Regulatory Authority, FINRA); Retail (Payment Card Industry Data Security Standard, PCI DSS); Health care (JCAHO, HIPAA and HITECH); Banking (Federal Financial Institutions Examination Council, FFIEC); Insurance (NAIC Model Cyber-Security Law), just to name a few.

Indeed, compliance with the myriad of overlapping industry, state and federal statutes and regulations presents a daunting task for any business going forward. But make no mistake, it’s only a matter of time before we all are “buckled up” with cyber-security.
