Posted In: Cybersecurity & Data Privacy
By Craig S. Horbus on January 22, 2020
No matter what business you’re in, one of your top priorities this year must be cybersecurity. A number of factors keep this issue at the top of everyone’s list of business concerns. The California Consumer Privacy Act (CCPA), the most restrictive consumer privacy law in the United States since GDPR was enacted, went into effect in January 2020, and major data breaches continue to occur across the financial, social media, retail, and even legal industries. Most businesses are starting to recognize that no business is out of reach.
Here are five predictions that we believe will be the focus this year:
1. Privacy Awareness Shifting
Consumer privacy is no longer just a concern for big companies like Facebook, Google, and Amazon. Recently passed state laws such as the CCPA in California, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) in New York, and other similar state laws are putting the squeeze on businesses that control personal information, forcing them to take a close look at their internal policies and processes.
The value of personal information is becoming clear, and the definition seems to broaden each day. Social media and the way that most consumers conduct personal business on the internet, such as shopping, banking and more, have made personal email addresses and IP addresses (the unique technical address assigned to computers and mobile devices) very valuable. No longer are they private; rather, an email address has become the equivalent of a street address. Email continues to be a high-value target for many hackers, who use an email address as their way in to corporate email accounts and the data they hold.
2. Ransomware Attacks to Increase
Sophisticated hackers have begun randomly scanning networks looking for open networks or weaknesses with easily penetrable firewalls. Hackers are also evolving their strategies with every attack based on the victims’ responses. When victims pay a ransom to get data back, hackers monitor trends among those in that industry to determine repeatable attacks. Based on surges in recent attacks, those in the health care industry and government/municipalities may become targeted more frequently this year. Industry trends should be considered “warnings”, and companies and agencies should have a renewed sense of urgency to ensure their data is protected as hackers begin to focus their efforts.
Email spoofing also continues to evolve and become increasingly difficult to defend against. Hackers copy and only slightly modify email sender information in an attempt to gain access to a company’s accounts by requesting urgent wire transfers and other financial transactions that do not seem unusual to that company. One hacker used simulation software to create a voice recording that sounded like an executive leader in the company to demand that an employee follow through on a previous email request to wire funds. These types of clever schemes will routinely test the policies of any company to ensure that the wrong people are not gaining access.
3. Facial Recognition Technology Laws Will Become Stricter
While it may be convenient that your iPhone recognizes your face and you have one less passcode to remember, that same technology is being used all over the world with or without your knowledge. This year, we would expect that laws restricting the use of facial recognition will become more prevalent as regulatory bodies attempt to protect consumer rights. Facial characteristics are considered biometric data (human body measurements and characteristics) and are explicitly part of the definition of personal information in most states’ privacy laws. Look for states to pass more legislation addressing the use of this data.
4. Cyber Liability Insurance Companies Will Push Back
Cyber liability insurance is a relatively new type of business liability insurance coverage offered to businesses to cover losses inflicted by cyber-attacks. Without much of a track record on payouts, the premiums, to date, have been relatively low. However, the increase in the number of cyber-attacks and the number of claims related to a company’s cyber insurance coverage will begin to impact premiums. We expect insurance companies to use the carve-outs in their policy language to deny more claims.
Also, when a regulatory body approaches a company post-incident to find out what happened, it is more likely to consider whether the company took reasonable precautions to protect the data. If the company did, then the enforcer would be more likely not to find any fault on the part of the company.
5. Nation-State Actors Play a Role
As the US engages in conflict overseas, warnings about the heightened Iranian hacking threat have put US banks, telecoms, and other businesses on notice that they need to move quickly to ensure basic cybersecurity measures are in place to reduce the chance of being held liable in any attacks.
The warnings place companies on notice that they can’t skirt liability in response to a cyber-attack by Iran or any other state actor. Should a company face such an incident, and it is discovered that the company failed to ensure basic cybersecurity protocols were in place and that the nation-state hackers had simply exploited a known vulnerability that could have been addressed, then a regulatory body, insurance carrier, or court of law may be more inclined to assess liability to the company.
These warnings provide the perfect chance for companies to address or revisit the strength of their network infrastructure and cybersecurity policies to limit exposure from external threats. If a company has not been prioritizing cybersecurity, now would be a good time to take those steps.
No company is safe from today’s sophisticated cyber threats. Stay tuned for more information as it develops. In the meantime, as we enter into 2020, be sure your internal IT infrastructure is secure and your business is making every effort to create a standard platform with policies to keep data secure.
Brouse McDowell’s Cybersecurity and Data Privacy attorneys can assist your business with an assessment of your internal policies, advise you as to your risk, and work with you to provide your business with tools to help you become secure and compliant. Contact us for more information.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog.