Learn from the 2013 holidays: Avoid cyber crimes - WTRF 7 News Sports Weather - Wheeling Steubenville

Christian M. Capece, John D. "Jack" Hoblitzell and Shannon P. Smith are attorneys in the Litigation Practice Group of Kay Casto & Chaney PLLC.

While most people associate the holidays with religious revelation, the 2013 holiday shopping season also brought revelations of a more nefarious nature. 

Cyber criminals stole information from nearly 40 million credit and debit cards used by customers of the retail giant Target. More recently, Neiman Marcus announced it, too, had been hacked. Days after the Target breach, data from the compromised cards appeared on black market websites where, for a fee, the stolen information could be purchased, cloned by criminals and used to purchase goods and services. 

If large and sophisticated corporations like Target and Neiman Marcus can successfully be attacked by cyber criminals, what does the future hold for small businesses responsible for storing and handling their customers', clients' and patients' private and sensitive data?

Securing personal data

The data stored on computer systems has grown exponentially. We carry them with us every day, everywhere we go — the powerful, pocket-sized computers we call smartphones. It is now routine practice to conduct sensitive business online, on the go. 

As a consequence of transacting so much of our lives online, you and your employees maintain sensitive and private information about your company and your clients. Typically, the information includes confidential financial information, such as account numbers, and personal information, like Social Security numbers. As the Target breach shows, it is becoming increasingly important to protect that information. There are two important components to data protection: from whom should it be protected and how should it be protected. 

First, it should be protected from everyone who does not fall within some cone of confidentiality, which is typically regulated by rule, statute or custom. It also should be protected from those who once fell within that cone of confidentiality but now do not, such as a disgruntled former employee. 

Second, it should be protected in every possible way — through firewalls, security systems (both network-related security and tangible security) and privacy agreements that actually give bite to a violation. As someone whose information needs to be protected, you want it to stay protected. As someone whose responsibility is securing the information, you want to be protected from liability, both criminal and civil.

Costs of a breach

The cost to businesses for data breaches can be enormous. In 2012, according to a Ponemon Institute study done in conjunction with the data management company Symantec, the average number of breached records per incident was 28,765 with an average cost of $188 per record, or approximately $5.4 million per incident. By industry sector, the report found that heavily regulated industries like transportation and health care have the highest per-record data breach costs.

Legal defense costs are an increasingly large component of post-breach costs. The Ponemon Institute study found that post-breach costs more than doubled to 15 percent in a six-year period. In addition to legal costs, under West Virginia law, businesses that suffer data breaches may be subject to costly (and reputation-damaging) notice requirements. The West Virginia Consumer Credit and Protection Act requires individuals and entities that experience a data breach to provide notice to customers whose unencrypted and unredacted personal information was lost in the breach and could be used by an unauthorized person for fraudulent purposes.

Many insurance companies now provide comprehensive cyber liability insurance packages. This may include coverage for data privacy liability, network security liability, business interruptions caused by data breaches, crisis management expenses and investigative expenses to determine the source or cause of breaches. As our digital world expands, managing cyber risks becomes more important to the safety and success of businesses.

Cyber crime

The Computer Fraud and Abuse Act of 1984 is the federal prosecutor's weapon of choice in the digital age. It also provides for civil relief, including compensatory damages and injunctive relief, for victims who suffer certain types of loss or damage from violations of the Act. 

A similar cyber-crime statute — the West Virginia Computer Crime and Abuse Act — also provides for civil relief and damages, including punitive damages and injunctive relief.

Given the extravagant costs of cyber crime, it is no surprise that an emphasis on prosecuting computer crimes is emerging. Last year, the U.S. Attorney's Office for the Southern District of West Virginia brought charges against a former employee of an energy company for allegedly accessing the company's computer systems, causing more than $1 million in losses. Another case involved a county sheriff who pled guilty to unlawfully accessing and installing a keystroke logger onto a computer owned and maintained by the West Virginia Supreme Court of Appeals. This trend will likely continue as more and more criminals use computers to commit crimes.

Protective measures

Be active, not reactive. First and foremost, protect your data — ensuring that your data is secure must be a business priority. Develop procedures and policies and train employees to handle data safely and securely. Protect your company. Consult with insurance, legal and communication professionals to establish coverage protection, and develop an action plan for your business. 

In the event a data breach occurs, do not hesitate to seek professional counsel to guide your company's responses, minimize the costs and consequences, and help get your company back in business. Do not be the company to make headlines.
