by David Bohm
If You Store Customers’ Personal Information on Your Computer System, You Should!
MAD Magazine’s Alfred E. Nuemann would famously say, “What, Me Worry?” If you store personal information about your clients or customers on your computer, you should worry that it is properly secured.
Hackers and other malevolent individuals on the World Wide Web are constantly trying to compromise or steal data from your computer system to sell on the dark web. They particularly target names combined with (1) social security numbers, (2) credit or debit card numbers or other account information, (3) security or access codes or passwords, and (4) medical or health insurance information.
Another common form of cyberattack is to plant ransomware on a target’s computer system. Ransomware encrypts the data on the system making it inaccessible to the system’s owner, leaving a ransom note as the only thing readable on the affected system. The note promises that the system will be restored if a ransom is paid in bitcoin. However, hackers often do not restore the affected system, even if a ransom has been paid. Further, hackers are often first stealing data before encrypting it, and then selling the stolen data on the dark web. Such data breaches have happened to companies both large and small, many of which have undertaken substantial efforts to protect the data on their systems. We have recently seen perhaps the most egregious hack yet, with (apparently) Russian agents infiltrating government computer systems and systems of some of the U.S.’s largest corporations. The public does not yet know the exact amount of data that has been exfiltrated from these systems, but it is likely to be significant in terms of both amount and substance.
To reduce the chances of falling victim to a ransomware attack or other hack, have your system audited regularly by a cybersecurity expert. It is also important to install patches to your firewall and other software as soon as these fixes become available to reduce system vulnerabilities.
In addition to having your system audited, determine whether your insurance covers you against a ransomware attack or other cybersecurity breach and whether the amount of coverage is sufficient. Approximately 60% of small to mid-size companies that suffer a cyberattack do not survive. The law in most states requires a company to notify customers if their information has been compromised, or potentially compromised, by a cybersecurity breach. The required notification and other required elements of responding to a data breach (including offering credit monitoring to customers) can be quite expensive.
Should you have the unfortunate experience of suffering a cyberattack, it is important to engage a cybersecurity firm to conduct an investigation to determine the extent of any breach (i.e., what data may have been compromised and how).
You should also consider hiring an experienced law firm to advise you of any breach notification requirements. (Generally, you must comply with the law in each state where you have customers whose data have been compromised, and these laws have significant differences.) Some of these costs are likely to be paid for if you have cybersecurity insurance.
David R. Bohm is Principal at Danna McKitrick, P.C. Bohm is an experienced litigator working with health care, government, and business clientele. He handles matters involving employment, trademark, copyright, trade secret, cybersecurity and data protection, and complex contracts. He represents clients before various administrative agencies and is skilled in mediation and arbitration techniques as an alternative to litigation. He can be reached at 314.889.7135 or email@example.com.