The extent of attempted cyberattacks in our personal and professional lives is staggering. Kaspersky.com reports that there were 6.2 billion malicious attacks on computers and mobile devices in 2014. Symantec calculates that five out of six large companies were targeted in the same year, a 40 percent increase over 2013, and three in five small- and medium-sized companies were targeted.
Every technological advance like cloud computing or the proliferation of smart and mobile devices is a new opportunity for cybersecurity attacks by hackers.
Learn more about cybersecurity prevention and response in the legal field with a white paper from Modern Counsel titled The General Counsel’s Guide to Digital Defense. The Legal Side of Cybersecurity. Click below to download this complimentary industry insight report.
This onslaught has placed legal professionals—typically with minimal technical training—in the middle of the fight. For some, there is a steep learning curve as they attempt to protect their organizations and simultaneously contend with statutory liability and notification obligations.
This was the case for Pam Krop, formerly the general counsel of Intermedix, at the beginning of 2012. That year, the company learned from law enforcement that an employee who processed ambulance service billing records had stolen patient records, some of which may have been used as part of a tax refund fraud scheme.
Working with IT to identify the perpetrator, Krop determined that the employee had acted without using high-tech ingenuity.
“What surprised us was how much damage an employee with malicious intent can do with just paper records and no special access or security clearance,” Krop says. “It demonstrated how vigilant we have to be on every single front.”
“Finance and HR used to be the legal department’s closest allies, but now we spend at least as much time working hand-in-glove with information security and IT.”
Before she left Intermedix to join RevGroup as its general counsel, Krop managed Intermedix’s information security department, which acts as an intermediary to translate legal and compliance requirements into specific actions that can be carried out by the IT group. The legal department’s involvement in this kind of cooperative effort is essential, since every breach carries significant legal and regulatory implications that vary depending on the industry of the affected company.
“Finance and HR used to be the legal department’s closest allies,” Krop explains. “But now we spend at least as much time working hand-in-glove with information security and IT. There’s no other way to be prepared for both low-tech and high-tech attacks. What used to be an afterthought is now at the center of everything we do.”
As she suggests, an attack may begin with “plain old theft,” like picking up documents someone accidentally left in a copy room, or taking pictures of information on a computer screen with a phone camera. But it extends to highly creative and organized cyber-attempts.
Recently, Intermedix’s CFO received a fraudulent e-mail from the CEO asking that $43,000 be transferred to a particular account in connection with a “significant” ongoing business deal. Further investigation revealed that hundreds of similar requests had been sent to several companies, some for millions of dollars, with instructions such as, “This is for a highly confidential SEC matter for which I cannot reveal any further details.” Fortunately, the CFO inquired about the details of the e-mail and was able to derail the attempt.
Aside from the negative public-relations aspects of a data breach, there are obvious economic downsides. Krop characterizes the costs of required customer notification as “enormous.”
Breaches can also result in major penalties. In 2014, New York Presbyterian Hospital and Columbia University were fined $4.8 million for a HIPAA violation, and in 2015, the FCC announced that AT&T agreed to pay $25 million for privacy violations.
As companies work to avoid these kinds of penalties and to protect sensitive data, they face several challenges. First, there is no perfect system, tool, or policy to provide protection. Second, security is never simply solved, but is an ongoing initiative with seemingly limitless potential options and strategies to choose. Third, because many security precautions require additional steps to be added to existing workflows, operational efficiency can be reduced. Finally, as criminals improve their tactics, regulators demand more stringent requirements. As such, continuous improvement is critical.
Intermedix has learned from past attacks. The company has instituted numerous additional layers of security. Each office ensures the implementation and efficacy of security cameras, visitor and entry badges, and shredding policies.
On the technology side, extensive data masking reveals only essential information when employees access electronic records. Network access is tightly controlled, tracked, archived, and flagged if an individual calls up a large number of records. E-mail is electronically monitored and returned to senders if unencrypted protected health information is detected.
“The public has the perception that you can make yourself impervious to attack, but that simply isn’t possible.”
Any organization’s biggest vulnerability is its own people. To address this, Intermedix provides monthly and annual training to ensure best practices and to reinforce awareness. The company follows this training with fake “phishing” e-mails to track the number of employee responses. It also organizes contests that challenge employees to identify security issues, such as passwords taped to the sides of computer monitors.
“All of these efforts, in combination with very highly publicized incidents in a wide range of industries, have helped raise awareness,” Krop points out, “and that makes my job of evangelizing about security easier. When it comes to strengthening policies and practices and approving the necessary budgets, people are now much more responsive.”
As Krop has discovered, lawyers are a critical part of the ongoing struggle between the good guys and the thieves. Attorneys act as the connection between IT, HR, and senior leadership, and they ensure compliance with all applicable security regulations.
However, she has also learned that even after making the most comprehensive efforts, there are always additional improvements that could be incorporated into a security strategy.
“No matter what you do, there will be vulnerabilities in security,” Krop says. “The public has the perception that you can make yourself impervious to attack, but that simply isn’t possible.
“I can tell you from experience that going through reporting and notification is excruciating.”
Asked how Intermedix’s perspectives have evolved during the last two years of improving security by promoting cross-departmental collaboration, she adds, “But acknowledging that a breach has happened is essential so that everyone can share experiences and use them to develop better protective measures.”
Editor’s Note: Pam Krop left Intermedix in January 2016.
for responding to a data breach
1. Form a cross-functional team to investigate. It should include IT, information security, HR, executive leadership, and possibly other strategic leaders.
2. Determine whether law enforcement should be involved. Though many companies are hesitant to attract public attention, this approach sends a powerful message to perpetrators, enhances investigative capabilities, and provides access to information about similar attacks through organizations like the IRS and FBI.
3. Make a quick assessment of what (if any) notification regulations apply. If applicable, be aware of mandatory deadlines.
4. Engage outside counsel and data and security experts. Have them on retainer prior to a breach so that no time is wasted establishing a working relationship after an incident has occurred.
5. Ensure that your organization conducts a “soul-searching” examination of how the breach occurred in order to identify weaknesses and prevent future incidents.