Criminal syndicates are constantly changing their weapons of choice, and international cyberattacks perpetuated using leaked nation-state cyber tools shaped many security discussions in 2018, but a new year consistently brings forth new challenges and lessons to learn.
With the recent implementation of GDPR (General Data Protection Regulation) in the European Union and the looming threat of action in the wake of the California Consumer Protection Act (CCPA), many businesses are scrambling to stay on top of recent trends in cybersecurity and information security requirements.
In assessing the risk that companies will face in the coming year, lawyers should be aware of the following developments:
Personal Liability of Directors and Officers
Corporate Board members and officers are now in the legal crosshairs after cyberattacks:
- Plaintiff’s attorneys are attempting to hold corporate boards personally responsible by filing management liability lawsuits after high-profile data breaches, regardless of the cybersecurity expertise of board members. A securities class action lawsuit and a shareholder consolidated derivative complaint were filed against Yahoo’s directors and officers after the company disclosed that it suffered a major data breach. The directors and officers settled for $80 million and $29 million, respectively.
- The Securities and Exchange Commission responded to the never ending cyberattacks affecting publicly traded companies by releasing its amended guidance on Public Company Cybersecurity Disclosures, requiring that companies inform investors about material cybersecurity risks. This cannot be sufficiently accomplished without appropriate controls and procedures as well as protocols to determine materiality of cyber risks. The Commission emphasized that “development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”
What you can do:
- Corporate boards and directors must be informed, and prepared to act, on information security policies and threats. Cybersecurity literacy is no longer an IT-managed issue; rather, it is an enterprise-wide affair requiring board members and directors to comprehend not only the legal and regulatory implications of cyber risks, but also be aware of developing threats and vulnerabilities.
- Business management must develop, and commit to, board member education and awareness of cybersecurity policies and guidelines that demonstrate reasonable information security procedures and implementation of data protection standards. This should include keeping board members and senior leadership apprised of recent trends and incidents as well as the company’s specific risks and vulnerabilities.
URGENT: Business E-mail Compromise (“BEC”)
Also known as CEO fraud, BECs are the recent weapon of choice for malicious keyboard warriors. After compromising a legitimate company’s email accounts, the scammer monitors the business communications to fully understand the well-established business to business (or employee/er) relationships.
The scammer will then utilize this knowledge to represent him/herself as a known individual and request an illegitimate transfer of funds. Multiple variations of this scam currently focus on the real estate sector and often lead to stolen sensitive and confidential information as well as money. To take advantage of employees with mobile and/or hectic work schedules, BEC operators often stress the urgency of immediate response to their requests.
Generally, any request to change payment method, bypass normal approval channels, or provide unusual, private, or sensitive information should raise concerns and be reported to the Company’s security team. BECs are indiscriminate in their victim selection, targeting both small businesses and major corporations.
Loss of financial revenue aside, BEC’s can lead to a reportable data breach event triggering legal and regulatory obligations, particularly where unstructured email data is accessed, as well as initiate scrutiny of a company’s security and data protection practices by regulators.
What you can do:
- Aside from conducting regular employee security awareness training, businesses should ensure their email service provider implements email authentication technology to protect against spoofing and phishing attacks.
- Businesses should establish a protocol for reporting unverified attachments and links and provide for prompt analysis by the security team.
- Businesses should establish controls to address vendor emails that deviate from standard operating procedures.
- Businesses should ensure that every employee is instructed to remain alert to cyber threats and knows how to report any unusual internal or external communications or conduct.
Becoming Smarter on Smartphones
Our phones are fast becoming the master keys to our entire identity, so ensuring that small device is physically safe and secure should be our number one priority. Nevertheless, even the most prolific and sophisticated mobile users may not be adept at securing their information, and businesses may pay the price of inadvertent (or even intentional) missteps that allow a criminal to take over an employee’s or customer’s mobile device.
Some common vulnerabilities include:
- “Port-Out” scams that allow hackers to take over an individual’s phone number and all accounts linked to that phone number, enabling bad actors to bypass even two-factor authentication (2FA) designed to protect information and transactions.
- “SIM Hijacking” occurs when a hacker convinces a customer service rep to provide a new SIM card for the cell phone account, allowing the criminal to take control of a legitimate user’s number. Cryptocurrency investors are particularly vulnerable since the tokens or the secure key upon which such transactions rely, if tied to the phone, can be transferred out after the SIM swap. AT&T learned this lesson the hard way. The telecommunications company fell victim to the scam, which resulted in the transfer of $24 million in cryptocurrency from a customer’s account via his hijacked AT&T phone number.
What you can do:
- Compose a Mobile Security Policy requiring employees who use mobile devices for business to establish a security PIN, so any changes to the account must be PIN Verified.
- Employers that provide mobile devices, or extend multi-factor authentication options to their customers, should avoid relying solely on two-factor authentication embedded in a mobile. After taking over a customer’s or employee’s number, the hacker can easily bypass two-factor authentication since he/she can now receive security codes via SMS on the device. Instead of linking account access to a cell phone, encourage employees and customers to use a two-factor authentication service application or other, beefier security measures.
Credential Stuffing and the Ghosts of Passwords Past
Hundreds of large-scale breaches have generated a vast repository of personally identifiable information that can be bought, sold and traded for pennies. This trove of previously stolen credentials has inspired hackers to accomplish account takeovers by rapidly applying, or “stuffing,” customer credentials through list validation attacks.
This type of attack is frequently successful as individuals often reuse and recycle old login credentials. The subsequent use of accounts compromised with use of recycled credentials can lead to a data breach, despite an institution’s best efforts to maintain reasonable cybersecurity practices.
What you can do:
- Businesses should require users to periodically change, and never recycle, login credentials.
- Businesses should require multi-factor authentication where feasible.
- Businesses should not permit email addresses to be utilized as user IDs.
About the Authors:
Svetlana McManus is an associate in the Washington office of Davis Wright Tremaine LLP. Her practice focuses on privacy and cybersecurity matters, including risk management, incident response, policy development, and corporate governance. Svetlana assists clients in understanding the current threat landscape while also addressing the unique cyber threats they face. She has represented media companies, non-profits, financial institutions, and large corporations.
Christopher A. Ott, CIPP/US, is a partner in the firm’s Washington office. He advises companies on where data security and privacy issues intersect with traditional regulatory and white-collar risks. Chris has worked on multi-agency governmental investigations that combine established risks with data security and privacy issues, including Foreign Corrupt Practice Act (FCPA), Anti-Money Laundering (AML), Bank Secrecy Act (BSA), defense contracting fraud, securities fraud, insider trading, accounting fraud, and market manipulation.
Rachel R. Marmor, CIPP/E, is a counsel at Davis Wright Tremaine in New York. She focuses her practice on the assessment of legal obligations and risks throughout the information life cycle, including retention requirements, privacy, cybersecurity, defensible disposal, and use of electronic data in litigations and investigations. As a former litigator, Rachel has a wealth of knowledge regarding what can go wrong with clients’ data, which she uses to advise on contractual requirements and vendor-management programs to mitigate risk. Leveraging her deep expertise in the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”), Rachel advises clients on the foundational policies and consumer-facing procedures required for effective information management.