By Craig S. Horbus & Hanne-Lore M. Gambrell on July 24, 2019
In the past few years, we have witnessed a significant increase in cyberattacks and data breaches around the world. For example, on June 6, 2019, Quest Diagnostics, a diagnostic testing provider, confirmed in a filing with securities regulators that up to 12 million patients may be affected by a recent data breach at the American Medical Collection Agency. In addition to the patients’ personal medical information, the company reported that the data subjects’ social security numbers and financial information were breached, leaving patients vulnerable to financial fraud, identity theft, and a variety of other issues.
In light of this data breach and other breaches reported over the past several years, the attorneys at Brouse McDowell have compiled a list of preventative measures to take in order to reduce the risk of a data breach.
1. Keep Security Software Up-to-Date
Just as one should always keep insurance current, we recommend keeping security patches for computers up-to-date. Check software vendors’ websites regularly for any updates related to security vulnerabilities and the associated patches.
2. Be Wary of Emails, Link Locations, and Attachments
Many cyberattacks start with simple phishing emails. Email communication is great until it is used to steal personal information. Always check the sender’s email address, even if the sender looks like a trusted contact, to ensure that the person is who you think they are. Also, never click links from unknown email addresses. Hackers oftentimes use these links to lead victims to sites that mimic legitimate websites or to infect devices with malware. Finally, as with unknown links, never open attachments unless you are 100% sure of where they came from. It is easy for hackers to install malware on victims’ devices by sending emails with virus-ridden files.
3. Use Two-Factor Authentication Whenever Possible
Two-factor authentication requires users to enter a password and also confirm their identity through another source like a phone call or text. This is a great tool to prevent data breaches because hackers would not be able to access accounts unless they have another personal item belonging to the data user, like a cell phone or other device. Even if a hacker is able to obtain a data user’s password, the user will be alerted that someone is trying to access an account through the second identification source and take measures to mitigate the damage.
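The server side of the second step described above, written as an added illustration rather than code from Brouse McDowell or from any particular product: the server issues a short one-time code to be delivered out of band (by text or phone call, which the example stubs out), stores only a hash of it, and accepts it once, before it expires, within a small number of attempts. The class name, the digit count, the five-minute lifetime and the attempt limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed: length of the one-time code sent to the user
CODE_TTL_SECONDS = 300   # assumed: code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: wrong guesses allowed before the code is cancelled


class SecondFactor:
    """Server-side half of a one-time-code second factor (illustrative design).

    The code itself is handed to a delivery channel (SMS or voice call) that is
    outside this example; only a hash of it is kept in memory here.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # user -> (code_hash, expires_at, attempts)

    def issue(self, user):
        """Create a fresh code for `user`; returns it so the caller can deliver it."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user] = (self._digest(user, code),
                               self._clock() + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, user, submitted):
        """True once, for the right code, before expiry and within the attempt budget."""
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing outstanding for this user
        code_hash, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]           # stale or exhausted: force a new issue()
            return False
        # Constant-time comparison so response timing does not leak matching bytes.
        if hmac.compare_digest(code_hash, self._digest(user, submitted)):
            del self._pending[user]           # single use: a replayed code is refused
            return True
        self._pending[user] = (code_hash, expires_at, attempts + 1)
        return False

    @staticmethod
    def _digest(user, code):
        # Hashing keeps plaintext codes out of the store, but a six-digit code has
        # only a million possibilities, so the real protection against guessing is
        # the attempt limit and the short lifetime above, not the hash.
        return hashlib.sha256(f"{user}:{code}".encode()).digest()


def login(user, password_ok, second_factor, submitted_code):
    """Both factors must pass; a correct password alone is not enough."""
    return bool(password_ok) and second_factor.verify(user, submitted_code)
```

In a deployment the `issue()` call would be followed by sending the code through the out-of-band channel, and a failed `verify()` after the attempt limit is exactly the event the passage refers to: the legitimate user receives a code they did not request, which is the signal that someone else has their password.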
4. Use Sophisticated Passwords
Using sophisticated passwords, and a different password for each account a user owns, is probably the easiest and most overlooked way to prevent, or at least mitigate, data breaches. Once a hacker obtains login information for one site, for example an email username and password, they will try the same credentials on bank, credit card, and other websites to obtain whatever information they can about the data user. A strong password should use uppercase, lowercase, numbers, punctuation, and random words. Try not to make the password a personal reference, and do not store a list of passwords in a saved file. It is also important to change passwords frequently, especially for vulnerable accounts like email and banking.
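A checker that applies the criteria listed in this section, added here as an example and not code from the original post: it reports every way a candidate password falls short (character classes, length, a personal reference, appearance on a known-password list, or reuse from another account) so that the caller can show all of them at once. The minimum length, the function name, and the tiny "common passwords" set are assumptions; the set is a constructed sample standing in for a real breached-password list.

```python
import string

MIN_LENGTH = 12  # assumed minimum; the post names character classes but no length

# Constructed sample standing in for a real list of passwords seen in breaches.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def password_problems(password, personal_terms=(), other_passwords=()):
    """Return a list of reasons `password` is weak; an empty list means it passes.

    personal_terms:  strings tied to the user (name, birth year, pet) that the
                     password should not contain, per the "no personal reference" rule.
    other_passwords: passwords already used on the user's other accounts, per the
                     "different password for each account" rule.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")

    lowered = password.lower()
    for term in personal_terms:
        term = term.strip().lower()
        if len(term) >= 3 and term in lowered:      # ignore very short fragments
            problems.append(f"contains personal reference '{term}'")

    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if password in other_passwords:
        problems.append("reused from another account")
    return problems


def is_strong(password, **kwargs):
    return not password_problems(password, **kwargs)
```

The reuse check compares against the user's own other passwords only as an illustration; a real service never has those in the clear, so the reuse rule is enforced on the user's side, by a password manager rather than a saved file as the post advises.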
5. Educate Employees on Data Safety Issues
Employee error is one of the leading causes of data breaches. By creating internal guidelines to raise employee awareness of how to safely handle data and establishing standard procedures for transmitting data within an organization, businesses can significantly reduce one of the largest data breach risks.
6. Always Revoke Employee Data Access Upon Termination
Resentful ex-employees can be a data breach nightmare for employers. Ex-employees with access to company computers and systems can bypass many of the security measures implemented to prevent external attacks. Even when a business relationship has ended amicably, employers should immediately revoke an employee’s access to sensitive business systems and databases. By doing so, employers can prevent past employees from being able to easily access sensitive documents and systems that can be used to damage business operations.
7. Keep Only What You Need
It is very easy to underestimate the risk of holding on to obsolete equipment. Unused assets can still hold personally identifiable information (PII) of customers and employees, as well as other sensitive information. When a business upgrades its systems, it is imperative to ensure the destruction of any data and PII stored on devices being taken out of circulation or on old equipment. If an unencrypted copy of a database on an old hard drive ends up in the wrong hands, the results could be catastrophic. Controlling mobile data used by employees is also important. Smartphones and laptops are stolen more and more often, so securing these devices, including with software that can remotely wipe the drive, can be very useful.
How Brouse Can Help
Brouse McDowell offers legal services related to data privacy and cybersecurity, including pre-breach and cybersecurity planning services, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Contact us for more information.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2022 Brouse McDowell. All rights reserved.