Pratum Blog

Guidelines for a Tangled Legal Landscape

When you discover that a hacker has penetrated your system, the scramble is on to respond properly. And nobody is going to be the first to suggest, “Let’s tell all our customers what just happened!” But as tempting as it is to bury a breach deeper than a political scandal, that move has a couple of drawbacks:

1. Any good public relations consultant will tell you that the best way to manage bad news is to get out ahead of it and drive the narrative.

2. Burying news of the breach is probably illegal.

But even when you genuinely want to follow your legal obligations for reporting breaches, the law doesn’t make it easy. All 50 states have their own codes in this area. You can look up your state’s notification laws on a site like this one. After you’ve waded through all the statutes, however, the way forward will almost certainly remain murky.

Matthew McKinney, an attorney with BrownWinick in Des Moines, Iowa, says, “What’s commonly misunderstood about breach notification? Almost everything. It’s still the Wild West. There’s no universal standard. The biggest thing is the uncertainty and the lack of uniformity.”

In many states, lawmakers and industry associations are working to pass codes built on frameworks that offer uniform standards across state lines. In Iowa, for example, McKinney is working with the Iowa Insurance Division on a new act the Division crafted that proposes to implement standards for insurance companies and that follows a model developed by the National Association of Insurance Commissioners.

In the meantime, answers to breach notification questions almost always start with, “Well, it depends…” But the following guidelines address some common questions.

Which industries are subject to breach notification requirements?

As with most data privacy laws, the healthcare and financial services industries carry the heaviest breach notification burden, since they often hold the most sensitive and valuable personal data. HIPAA, for example, established some of the earliest requirements for notifying people whose data was compromised. But at this point, nearly every business has notification responsibilities to follow.

What are my first steps regarding notification when a breach happens?

Ideally, you have a solid incident response plan in place, so no one has to figure out next steps under the pressure of a crisis. As part of that plan, make sure you’re building a relationship in advance with a digital forensics team, qualified attorneys and a cyber insurance firm.

As we’ll discuss below, the forensics team can help clarify your notification requirements based on what data was actually affected.

McKinney says it’s also important to have legal counsel available as soon as you discover the breach due to potential liability considerations, the benefit of privileged communications, and compliance with some strict breach notification requirements that, in some cases, have windows as short as 72 hours.

What events trigger a notification requirement?

This is where things start getting fuzzy.

One thing that generally doesn’t matter is the number of customers affected. So thinking, “We’re not Facebook, so our little breach doesn’t really matter” won’t get you off the hook. The key factor, McKinney says, is whether the breached data is protected by the law.

That means it’s time to contact your digital forensics firm. McKinney says the difference between accessible and accessed information can determine whether a notification is required in some states. Bad actors may not even realize the treasure trove they’ve found, so they can leave protected data untouched. It’s like a burglar who walks right past a folder full of classified information lying on someone’s desk. A digital forensics team can track the hackers’ steps and help a company determine exactly what was compromised and whether notification may be required.

That information will help you understand your notification requirements, which turn largely on two factors: Was the compromised data encrypted, and is it a category the law protects, such as personally identifiable information (PII)?

“Every state is so different, but a generalized theme is that if it’s encrypted, then you have some pretty good protections against having to do a notification in many states,” McKinney says.

Your legal obligations will also depend on whether hackers could link up two pieces of PII using what they stole. “We’re not going to require notification if the compromised information only reveals the type or color of a car,” McKinney says. “But we’re looking for whether bad actors can marry up two concepts, such as your name and date of birth. If you have that situation, and it’s unencrypted, you’re most likely going to be navigating the breach notification maze.”

What laws apply to my situation?

“We do a lot of ‘conflict of laws’ analysis” to untangle all the relevant jurisdictions, McKinney says. Key questions an attorney will guide a company through include:

  • In what state(s) is the data located?
  • In what state(s) are the affected customers located?
  • In what state did the “harm” occur?
  • Who owns or is responsible for the data?

It’s easy to see the thicket of statutes in play in a situation like this one: A company headquartered in Illinois has offices in five other states and stores data on servers owned by a third party in Nevada. The business serves customers in 30 states. When a breach occurs, which state’s notification laws are in effect?

Specific contract details also affect which law is relevant and who might be responsible. “If I give you a hard drive, do you own it and hold all responsibility for the data stored on it?” McKinney asks. “Alternatively, if you just possess the hard drive temporarily, for service purposes, what responsibilities do you have? Importantly, your master services agreement or statement of work may address who owns the data and could very well play into which state law applies.”

What constitutes a notification?

By now, you know the answer depends on your state and the individual facts of each incident. Notification requirements have varying rules covering timing, messaging and whether a company must provide credit monitoring.

For regulated industries, one best practice McKinney recommends is to let any pertinent regulatory agencies know about a breach right away. “You don’t want your state insurance regulator or banking superintendent to learn through the newspaper that you had a breach,” he says.

What happens if I fail to provide the required notification?

McKinney points to several potential penalties:

  • Civil penalties – The state attorney general could bring an action and seek significant fines for failure to follow requirements.
  • Federal penalties – The Federal Trade Commission may take action, including seeking fines, against companies it concludes have made false or misleading statements about security and privacy, or have engaged in unfair or deceptive trade practices.
  • Private lawsuits – McKinney describes this potential scenario that could generate a suit: A company is breached and fails to notify customers as required by law, leading to customers having their identity stolen and eventually financial harm. A customer could bring a suit claiming that they would have changed their username and password if the company had notified them of the breach.

Clearly, the best responses to data breaches are put in place months before the breach occurs. By creating a solid incident response plan, taking steps such as segmenting access to your system and properly patching all your software, you can prepare for and possibly stop breaches altogether. To talk with one of our experts about starting your plan, contact us today.

The extra step that could make all the difference

Here are the stories of three dangerous—and common—information security incidents. The common thread? One relatively simple security control could have stopped each one.

1. A bank discovers that someone has emptied a customer’s checking account without their knowledge. Upon investigation, the bank discovers that the customer’s username and password, which the customer reused for numerous other websites, were stolen from a hacked WordPress site for the customer’s book club. Then hackers included the customer’s information in a credential stuffing attack. (In credential stuffing, hackers throw thousands of stolen usernames/passwords at many websites, hoping that some will unlock accounts.)

2. An organization discovers its confidential intellectual property (IP) available for sale on the internet. An investigation reveals a phishing attack as the culprit. Hackers acquired an employee’s VPN account credentials via a fraudulent e-mail, then downloaded the data from an internal server to an IP address overseas.

3. On the Friday before a long weekend, a company gets hit with a ransomware attack. Its internal production server with customers’ personally identifiable information (PII) has been encrypted, and attackers are demanding a payment to unlock it. After several sleepless nights of incident response and investigation, company IT leaders discover that a hacker initially compromised a poorly patched Windows server in the DMZ and then installed keystroke logging malware to harvest credentials from an administrator logging in to the server. The hacker then reused these administrator credentials to establish a Remote Desktop Protocol session to the internal production server and install ransomware.

Each of these stories highlights everyday dangers rooted in the fact that the traditional approach of authenticating a user’s identity and system access with a username and password has mostly broken down. It has fallen victim to the explosion in the number of accounts the average individual must keep track of to function in modern life. (My personal password vault currently has 492 unique accounts.) That leads most people to choose easy-to-remember passwords or to reuse a handful of passwords across many accounts. One report says that 73% of all online accounts use duplicated passwords.

In this environment, businesses and organizations must provide their users with tools to simplify good security practices. The answer is not requiring ever-longer and more complex passwords, but to implement additional or different factors to authenticate users to systems beyond just passwords and PINs.

Each of the attacks described above would’ve been stopped in its tracks by multifactor authentication (MFA). This tool (sometimes called two-factor authentication or 2FA) provides a powerful defense against most attacks—especially those involving access or passwords. In fact, Microsoft, which is spending more than $1 billion on security annually, is on record as saying that MFA can block more than 99.9 percent of account compromise attacks.

In a recent Pratum webinar, cybersecurity expert Terry McGraw of PC Matic said, “The one thing I would do today if I hadn’t already done it is implement MFA. I need to make sure everyone touching my environment is authenticated from the system they’re working on.” (For all the tips from the webinar, click here.)

Three Key Factors of MFA

A secure system incorporates at least two of the following factors when authenticating users:

  • Something you know - A password or passphrase.
  • Something you have - Generally a device or credential whose possession is proven cryptographically, such as a USB security key, common access card (the CAC used by the Defense Department), digital certificate, phone app that generates or receives one-time passwords (OTPs), or hardware/software token.
  • Something you are - A biometric, such as a retina scan, a fingerprint reader or facial recognition.

Each factor has pros and cons, but, in general, using any of these in addition to passwords improves the security of the system or application in question and provides an additional layer of defense desperately needed in today’s environment.

At particular risk are systems, applications, and users that are exposed to the Internet, as well as privileged users and users of sensitive systems/applications. These types of systems should be the priority for MFA/2FA implementations because they are at the highest risk of attack.

How MFA Stopped the Attacks

Returning to our initial three examples, let’s explore how some form of MFA could have prevented or lowered the impact of these incidents.

1. A bank account hacked through credential stuffing - Even with the stolen username and password, the hacker wouldn’t get very far. The web banking system could be configured to require a one-time code from an authenticator app, or a push notification, before granting access to the online account. If the code is delivered to the user’s phone, the unexpected prompt also tips the user off that someone is trying to log in. The attacker could get into the account only by also compromising the user’s phone, or the channel delivering the code, to obtain it.

2. IP stolen through a VPN - Even if the phishing attack successfully harvested the username and password from the employee working at home, the company could stop the hacker by requiring the entry of a code from a hardware token before allowing access to the VPN. In this setup, the user gets the code from a device such as a fob specifically set up to deliver unique codes for logins.

3. A ransomware attack carried out via password logging - Even if an attacker successfully compromised the DMZ server and captured the administrator’s credentials, MFA or 2FA can stop the attack. Without the unique code sent to the administrator, the attacker would not be able to successfully log into the production server in order to install malware.
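To make the factor list and the three outcomes above concrete, here is an added example (not code from the original post or from Pratum) that implements the “something you have” factor as an RFC 6238 time-based one-time password and a login check in which a stolen password alone never succeeds. The account record, the PBKDF2 parameters, and the use of the RFC 6238 reference secret as the demo TOTP secret are assumptions made for this example; a real deployment generates a random per-user secret at enrollment. The replay check (rejecting any time step already consumed) is the caveat a keylogger or phishing page, as in story 3, makes necessary.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed demo values (not from the original post). The TOTP secret is the
# RFC 6238 reference secret, so the generated codes match the published test
# vectors; real deployments generate a random per-user secret at enrollment.
TOTP_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6
PBKDF2_ROUNDS = 100_000  # assumption for the demo; tune for your hardware


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class Account:
    """Minimal user record: salted password hash plus the second factor's state."""

    def __init__(self, username: str, password: str, totp_secret: bytes) -> None:
        self.username = username
        self.salt = os.urandom(16)
        self.password_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        # Highest time-step counter already accepted. Refusing anything at or
        # below it stops a code captured by a keylogger or phishing page from
        # being replayed inside the same 30-second window.
        self.last_counter = -1


def verify_password(account: Account, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), account.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, account.password_hash)


def verify_totp(account: Account, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps of clock
    drift, but never for a step that has already been consumed."""
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= account.last_counter:
            continue  # already used (or before epoch): treat as replay
        if hmac.compare_digest(hotp(account.totp_secret, counter), code):
            account.last_counter = counter
            return True
    return False


def login(account: Account, password: str, code: Optional[str], unix_time: Optional[int] = None) -> bool:
    """Both factors must pass. A stolen password alone, as in each story above, fails here."""
    if unix_time is None:
        unix_time = int(time.time())
    if not verify_password(account, password):
        return False
    if code is None or not code.isdigit() or len(code) != DIGITS:
        return False  # "something you know" never suffices on its own
    return verify_totp(account, code, unix_time)


if __name__ == "__main__":
    alice = Account("alice", "correct horse battery staple", TOTP_SECRET)
    now = 1234567890  # RFC 6238 test time; the 6-digit code for it is "005924"
    stolen_password = "correct horse battery staple"  # what the attacker holds
    print("password only:", login(alice, stolen_password, None, now))
    print("password + live code:", login(alice, stolen_password, totp(TOTP_SECRET, now), now))
    print("same code replayed:", login(alice, stolen_password, totp(TOTP_SECRET, now), now))
```

The window of one step on either side absorbs ordinary clock drift between the phone and the server; widening it much beyond that only gives a captured code a longer life. Because `verify_totp` records the highest accepted counter, even a code the administrator typed moments ago in story 3 is dead by the time the attacker tries to reuse it.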

MFA Best Practices

When considering your MFA setup, remember this key concept: Authentication factors should be separated from the system the user is authenticating from. For instance, a user should not receive an e-mail with a one-time password (OTP) as an MFA factor for accessing a VPN through the same e-mail account they use to access the VPN. A hacker who compromises that e-mail account has access to both the MFA factor (the e-mail delivering the OTP) and the user’s password. This bypasses the additional level of defense that the MFA implementation was intended to provide.

Moreover, the added security provided by MFA is only as good as the secrecy of the additional factor being used. For example, consider the rise in cell phone SIM swap attacks, where a malicious hacker uses a victim’s personal information to take control of a victim’s mobile phone number. A successful SIM swap allows an attacker to masquerade as their victim for any account tied to the victim’s phone number. This also subverts the security of any systems sending SMS OTPs to the victim’s phone as an additional authentication factor.

The increase in SIM swap attacks in recent years highlights the risk of relying on SMS-based OTPs as an additional authentication factor; NIST SP 800-63B classifies SMS and voice delivery of OTPs as a restricted authenticator for this reason. While SMS OTPs are probably still sufficient for some individuals and organizations, those with a low risk tolerance will want to invest in a more robust MFA implementation, such as an authenticator app or a hardware token, to secure systems or data. (For a deeper dive into MFA guidelines from NIST, see this article.)

Obviously, no security control is a silver bullet. But if you are looking to make a big impact on risk reduction for your organization, MFA is a great place to consider investing. To talk with one of our experts on how you can implement MFA in your organization, contact us today.

Cybersecurity is a business advantage

Executives tend to fall into three camps when it comes to understanding cybersecurity’s strategic advantages.

  • Leaders who see information security as a discretionary cost. This mindset may last for a while, but it always turns out to be temporary. That’s because hackers attack small companies, too, along with companies that think no one would want the information they have. When “if a hacker attacks us” turns into “when,” the leaders move into the next category…
  • Leaders who see information security as a cost they pay grudgingly. To this group, securing their data may feel like upgrading the building’s heating system. Paying the bill just preserves the status quo rather than getting you anywhere. This mindset at least protects the company, but it’s still a limited view that leads to missed opportunities.
  • Leaders who see information security as an investment in future growth. Motivational speakers love to quote Wayne Gretzky’s observation that he skated to where the puck was going to be, not where it has been. Make no mistake: For businesses, the puck is undoubtedly going to be waiting on the other side of a strong cybersecurity game.

Right now, the third category remains a fairly small club. It’s not quite a first-mover advantage anymore, but activating a proactive information security strategy as a marketing tool certainly puts you ahead of much of the pack. So forward-thinking leaders still have a window for using cybersecurity as a business advantage.

Pratum’s consultants help clients do exactly that. Jim Sixta, a senior information security consultant, advises clients to ask themselves: “If you’re in your future clients’ shoes, what are they going to require of you? When that client comes knocking on your door, you won’t be able to say yes unless you start working on it now. Customers won’t give you time to comply. They want to get a quote and go.”

Here are five areas where information security plays a central role in planning for your business’ growth:

1. Industry-specific requirements – Longstanding regulations like HIPAA may already be part of your business operations. But as the cybersecurity industry matures, sweeping new standards are on the way. Starting in late 2020, for example, the Department of Defense plans to add CMMC compliance to its contracts, with every contract including this requirement by 2025. In all, that means about 300,000 companies must earn this certification through a third-party assessor in order to win or renew work with the DoD.

2. Government privacy standards – We may be nearing Peak Outrage over how titans like Facebook and Google have been handling all of our personal data. In response, multiple countries and states are passing new laws controlling how companies collect, store and use personal data. If you’re not already clarifying how laws such as the EU’s General Data Protection Regulation and the California Consumer Privacy Act affect your operations, Wayne Gretzky’s puck is likely to hit you in the face soon in the form of mandated operational changes and fines for those who fail to comply. (For an overview of recent changes in this area, see our blog on privacy laws.)

3. Current client requirements – Even if you’re taking a “let’s see what the government makes us do” approach, many of your best clients aren’t waiting around.

Throughout the private sector, detailed information security questionnaires and grids have become standard due diligence components for many companies selecting vendors.

Pratum CEO Dave Nelson says, “Wal-Mart, for example, has been pushing aggressive security requirements onto its direct suppliers, which are being pushed down through the supply chain. Wal-Mart wants to know that if they accidentally send out a confidential file, they have one response, not 50 different responses in each state. You can be three customers away from Wal-Mart and still be part of the ripple effect.”

Nimble companies can respond quickly to requests from potential customers because they keep updated statements about their cybersecurity posture and workflows. Imagine how it affects your chances of winning a deal if it takes you two weeks to fill out a security information matrix and your competitor sends theirs back on the day it’s requested.

Customer requirements may include elements such as obtaining a SOC 2 report (often loosely called a SOC 2 certification), which can take up to 18 months if you’ve never done it. If a competitor coming after your customers already has that report and you haven’t even started on yours, you may quickly find out just how loyal your key clients are.

4. Dream client requirements – This is where another favorite motivational slogan comes into play: Luck favors the well prepared. If a client appears on your Big Hairy Audacious Goals list, they’re almost certainly on the front edge of information security. When your dream customer reaches out with the opportunity of a lifetime, will you have the security game to close the deal? Multiple Pratum clients brought us into the picture only after they had to turn down work from clients like giant national retailers because they couldn’t meet the security requirements. Next time, they’ll be ready for the deal that transforms their company.

5. A new selling point – Based on all the points above, if your information security stance is ahead of the pack, you have a marketing advantage. You can take that into all of your pitches with the message that you’re ready for secure business on Day One, which also speaks to your company’s overall position as a savvy market leader.

One of Pratum’s industry partners, Baker Group in Iowa, has identified a robust cybersecurity stance as a key way to separate from other building services contractors when it bids on new work. “We’re engaging Pratum to create a competitive edge,” says Daryld Karloff, Baker Group’s executive vice president of building services.

How to Prepare for the Future

Upgrading your information security posture needs to start immediately. If you haven’t focused on creating a future-ready information security plan, you may have already lost opportunities that you won’t even know about for a few months. But the good news is that this world is still young enough that you can turn your company into a leader.

To start creating an information security plan that positions your company for growth, contact a Pratum consultant.
