Computer Security Laws Put Increased Pressure on Businesses to Adopt Stronger Cybersecurity Measures

1/29/2018 | By: Jay L. Hack, Esq. | GDB 2018 Winter Newsletter
Computer hacking, cybersecurity and selling social security numbers on the “Dark Web” are front page topics almost every day. Computer hackers are not just concerns of political parties, Equifax and Target. Does your company have customer personal data, like social security or driver’s license numbers? Do you do business with any state-licensed company in the banking, insurance or mortgage lending business so that you have access to its computerized data?
If you answer “yes” to the first question, then you must tell your customers if your computer system is penetrated and their data may have been compromised. If you answer “yes” to the second question, then the bank, insurance company, mortgage lender or other related business may force you to choose between maintaining procedures designed to protect the data from wrongful intrusion and losing the ability to do business with it.
New York and almost every other state have security breach notification laws which generally require businesses to notify customers if a computer system has been breached and customer personal information has been accessed without authority.
In addition, New York’s Department of Financial Services (“DFS”) has recently adopted regulations that require banks, insurance companies, and other regulated financial services institutions to have vendor-management programs so that not only the regulated institution, but anyone else that it does business with, will have to adopt stringent cybersecurity programs to protect against intrusions. Even if you are not one of these regulated businesses, but rather you merely provide services to one of them, you can expect that you will have to adopt strict cybersecurity measures to satisfy their vendor management program. DFS may not be able to regulate you directly, but DFS can tell the banks and insurance licensees not to do business with you unless you implement cyber controls that protect any data you get from them.
Here are some steps we recommend to protect against running afoul of these laws:
- Adopt a formal information security plan that limits the amount of protected information that you maintain. If you manage a building, do you really need to keep an electronic copy of every tenant’s driver’s license on your computer? And if you do, think about blotting out the license number and the date of birth on the copy you keep. You can’t be sued for wrongfully releasing data you don’t have.
- Perform a risk assessment of your business and know all possible intrusion risks. Some are obvious - like outside hackers trying to break through a computer firewall. Others may be less so - like having computers without strong password protections.
- Review your risk assessment with your in-house or outside information technology staff. Ask them to supplement the risk assessment with any items you may have missed, and then work with them to protect against identified risks.
- Arrange for a penetration test of your system. This is not hiring a hacker to break into your system, but it is a reasonable attempt to identify Internet intrusion points that could be exploited by a hacker. In many cases, shutting down an intrusion point is easy and painless.
- Train your employees to be alert and smart when using any electronic device. Make sure that everyone attends a training session and have them sign an attendance sheet. Senior executives should not be exempt; they may need the training even more than younger employees, because they may have less familiarity with electronic systems. Remember that training is not foolproof. It is a start, but vigilance must continue after the training class is over.
- Consider instituting access limitations for electronic data. Does every employee really need to have access to every document on your system for every client? Does your document management system have the ability to limit access? If so, use it.
- The National Institute of Standards and Technology (NIST) has recently changed its recommendation regarding password changing and now recommends against periodic changes. I doubt that following this recommendation will withstand a strong cross examination from an attorney for an aggrieved person who was injured because someone was using the same password for 5 years and a hacker found it. You should consider what password protection policy best suits your firm, but make sure that yellow stickies with passwords on computer monitors are forbidden.
- Establish policies and procedures for portable devices such as laptops, cell phones, tablets, etc. Do the same for remote access from home computers. Make sure that you can disable access for any remote device that is lost or stolen.
- Review your employee termination procedures. Immediately cut off a departing employee’s access to data and materials, and change any passwords they knew.
- Wash, rinse, repeat. Repeat your risk assessment every year and every time you have a significant change in business or technology. Train all new employees and refresh the training of existing employees annually.