Executing a Response Plan
This blog post is the third installment of a six-part series discussing the best practices relating to cyber security. The first two blog posts discussed the best practices for preparing a business in case of a cyberattack. This post will discuss the initial steps that a business should take after a cyberattack occurs.
Once an employee discovers a cyber incident, the business should immediately assess the nature and range of the situation. It is important to determine whether the disruption is a purposeful cyberattack or a system accident. This determination will assist a business in executing the appropriate Response Plan. If the incident is a malicious cyberattack, the business may need to disengage its entire system and shut down its technological operations. If the incident is a product of faulty software, the business may be able to take less extreme measures.
Gathering the correct information as quickly as possible will not only help defend the system from additional attacks, but also provide law enforcement with information to begin its investigation. The system administrator should survey the network to determine which computer systems were impacted, where the incident originated, and what malware may have been installed on the network. Additional information concerning which users were logged onto the network and which programs were running on the network is also useful in determining the source of the attack.
During the initial assessment it is important to determine if data was exported from the system. The data trail may illustrate the possible motive behind the attack and where it could strike next. If a business can identify other networks that are impacted by the attack it should alert those networks’ administrators. This may help to weaken the attack and increase the chance of retrieving stolen data.
After the initial assessment is complete, the business may need to employ preventative measures in order to stop the loss of data. Common approaches to prevent additional attacks include (1) redirecting network traffic, (2) segregating all or part of a network, or (3) filtering all messages and communications on the network. If a specific user or network terminal is identified as being the root of the attack, it should be blocked and disabled immediately. In more extreme cases, an entire network may need to be shut down if an attack persists. A business should store backup copies of critical data if its Response Plan calls for the network to be shut down. This allows the business to continue some operations from a remote network while its main network is disabled.
It is important that all steps taken to gather information and diminish damages are recorded accurately. This information will be useful in law enforcement’s efforts to bring criminal charges and for a business’ insurance claims.
The following blog post will discuss the next steps for a business to take once these initial steps are complete.
On July 20, 2015, in Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015), the Seventh Circuit held that the United States District Court for the Northern District of Illinois wrongfully dismissed a class action suit brought against Neiman Marcus after hackers stole their customers’ data and debit card information. The District Court originally dismissed the plaintiffs’ claims because they had not alleged sufficient injury to establish standing. The District Court based its ruling on a United States Supreme Court decision, Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013), which held that to establish Article III standing, an injury must be “concrete, particularized, and actual or imminent.”
However, the Seventh Circuit clarified that Clapper “does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.” Rather, “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” are sufficient to confer standing.
In Remijas, the Seventh Circuit explained that there is a reasonable likelihood that the hackers will use the plaintiffs’ information to commit identity theft or credit card fraud. “Why else would hackers break into a store’s database and steal consumers’ private information?” – the Seventh Circuit asked. The Seventh Circuit held that the plaintiffs should not have to wait until the hackers commit these crimes to file suit.
The Seventh Circuit also considered that some of the plaintiffs have already paid for credit monitoring services to protect their data, which it held is a concrete injury. Neiman Marcus also offered one year of credit monitoring services to its customers affected by the breach, which the Seventh Circuit considered an acknowledgment by the company that there was a likelihood that their customers’ information would be used for fraudulent purposes.
Ultimately, this decision may serve to soften the blow dealt by Clapper to data breach plaintiffs. Specifically, based on this ruling, plaintiffs who have not incurred any fraudulent charges, but have purchased credit monitoring services, or have spent time and money protecting themselves against potential fraud may argue that they have standing.
PREVENTING A CYBERATTACK (Part 2)
This is the second installment in a six-part discussion on the best practices to prevent a cyberattack. The first part discussed four critical steps to prepare a business in the case of a cyberattack. These included: (1) identifying the crucial assets and functions of a business, (2) creating a Response Plan, (3) installing the appropriate technology, and (4) obtaining authority for network monitoring. This article builds on those steps by suggesting further best practices in order to prevent a cyberattack.
5. Align Business Policies with the Response Plan
When an organization creates a Response Plan in the event of a cyberattack, it must ensure that the plan is cohesive with preexisting business policies within the organization. In order for the Response Plan to be implemented effectively, it cannot clash with any of the business’ standard operating procedures. For example, if the Response Plan states that whoever discovers the cyberattack must alert the entire organization, but the organization’s policy prevents an employee from emailing the entire company, there is a problem. By testing the Response Plan, organizations can locate these potential problems before a credible cyberattack occurs. Another important practice is to suspend the network access of former employees as soon as they are terminated. This practice guards against the liability of an angry former employee seeking revenge via a cyberattack.
6. Ensure Legal Counsel Understands the Legal Response to Cyber Incidents
Cyberattacks create unique legal situations that may be unfamiliar to a business’ legal counsel. An organization should rely on its legal counsel for assistance in creating its Response Plan. Legal counsel’s understanding of its client’s Response Plan can save valuable time and resources in the event of a cyberattack. Legal counsel can instruct a business on its obligations to report breaches to customers, its ability to terminate employees based on cyber incidents, and the privacy concerns associated with network monitoring. A business should also ensure that its legal counsel understands the possible legal action that it can take, both in the short term and the long term, in the event of a cyberattack. Legal counsel that is familiar with cyber security laws will be better equipped to immediately assist clients if a cyberattack occurs.
7. Cultivate Relationships with Cyber Incident Information Centers
Access to a network of cyber intrusion news and information can be a valuable resource for a business in order to keep ahead of the latest threats. Organizations that collect and disseminate cyber security information exist in every market sector and are commonly referred to as ISACs (Information Sharing and Analysis Centers). A business that is committed to maintaining a strong cyber security network should subscribe to the appropriate ISACs for its market sector. This will enable the business to prepare for possible threats and share helpful information. Businesses in niche sectors can rely on government created ISAOs (Information Sharing and Analysis Organizations) for their cyber security information.
8. Establish Connections with the Appropriate Authorities
Businesses should establish a working relationship with local law enforcement and cybercrime units before a cyberattack occurs. Familiarity between law enforcement and a business will allow for a more accurate and efficient response in the event of a cyberattack. On the federal level, the Federal Bureau of Investigation and the U.S. Secret Service frequently deal with cyberattacks. Each agency has a department that conducts outreach to private businesses. The departments are the FBI’s Cyber Task Force and the Secret Service’s Electronic Crimes Task Force. A business should contact these agencies to review its Response Plan and seek support prior to a cyberattack.
PREVENTING A CYBER ATTACK (Part 1)
Cyber-attacks can impact any business regardless of size, sector, or level of cyber security. The best way to minimize damages from a cyber-attack is to plan ahead and prepare for a possible attack. Forward thinking can minimize damages and shorten the process of recovery from a cyber-attack. The following suggestions are important steps that every business should take to prepare for a cyber-attack.
1. Identify the Crucial Assets and Functions
When determining how to secure a business against cyber-attacks it is important to first identify what parts of a business’s operation are most vital to its success. These components should receive the most attention to ensure that the business is able to function as close to normal as possible during an attack. For example, if communication with clients is the key component of a business’s operation, its ability to send and receive email would be the most important segment for protection. Additionally, if a business’s core strength is its ability to store and retrieve data, the security surrounding the business’s data storage system should receive the most attention. Once the business’s core operations have been identified, attention can be focused accordingly.
2. Create a Response Plan
A business should plan the steps that it will take once a cyber-attack occurs on its system. By creating a Response Plan before an attack occurs, organizational leaders are able to address all possible responses and discuss different options without the external pressure of an existing cyber security threat. It should provide clear directions and action items for each individual involved with the plan. The Response Plan should be discussed and explained to any employee who may be impacted by it. It is important that the plan be routinely modified and updated as business assets and key personnel change. Testing the plan with a simulated cyber-attack will allow the deficiencies in the plan to be exposed and corrected before a credible threat occurs. The Response Plan should include the following items:
- the responsibilities of each individual involved with the Response Plan;
- how each individual involved with the Response Plan should be contacted;
- which business operations should receive the most attention during an attack;
- the procedures to determine if clients should be notified of the attack;
- the procedures for notifying law enforcement or cyber security support; and
- the ways to preserve evidence of the cyber-crime for law enforcement.
3. Install Appropriate Technologies and Services
A business should purchase and install the appropriate level of defense systems that fit its needs and support its Response Plan. These systems may include off-site data backup, data loss prevention systems, devices for traffic filtering, and programs to detect intrusions. These technologies should be routinely tested as part of the Response Plan.
4. Obtain Authority for Network Monitoring
A business is typically allowed to monitor its own network if it has obtained prior approval from the network users. This can be accomplished by a “banner” or warning message when users log onto the network stating that it is being monitored. Consent can also be obtained during employee training programs and disclosures in the organization’s Employee Manual. Once a business has the authority to monitor its own network, it is more equipped to detect and respond to cyber incidents in real time.
This is part one of a six-part series discussing the best practices to prevent cyber-attacks.
Jeffrey M. Friedman, Andrew M. Halbert and Joseph Superstein write:
What has generally been common practice for thousands of companies may present an opportunity for identity thieves. When a company allows itself to be “administratively dissolved” by failing to comply with certain legal or fiduciary duties, such as filing timely annual reports, following certain procedural requirements, or paying its taxes, the state in which the company is incorporated may revoke or dissolve the noncompliant company. This approach opens the possibility of a number of problems, including (but not limited to) identity theft.
With proper guidance and advice, the practice of administratively dissolving a company may eliminate several potential vulnerabilities. One of the most overlooked and growing areas of concern is that thieves are targeting “dormant” entities at an increasing rate. Criminals realize that these entities may be vulnerable because they are less likely to be monitored for any business registration activity. The risks associated with not properly dissolving a state registered company may quickly amount to hundreds of thousands of dollars.
Identity theft trends indicate that criminals are looking to exploit state filing systems and business registration websites for financial gain. By filing bogus reports with Secretary of State offices or altering online business records, these criminals have been able to steal considerable amounts of cash and property using fraudulently obtained lines of credit. By altering business records, criminals may appear to have the authority to act on behalf of a victim entity, which in turn, enables them to apply for credit accounts with various lenders, retailers, and suppliers. In one case, according to an Atlanta TV news segment, a Georgia-based music company became the victim of a corporate identity theft scheme similar to that described above in which the thieves ran up nearly $300,000 in fraudulent credit card transactions. Creditors attempting to verify application information may face difficulties immediately detecting fraudulent activity because the business records on file with the state have been altered to match the fraudulent credit application.
To avoid the unnecessary exposure and risk of identity theft, we are now advising our clients to take the appropriate affirmative steps in order to voluntarily and safely dissolve their business without being left vulnerable to such criminal activity.
Jeffrey M. Friedman is a partner, Andrew M. Halbert is an associate and Joseph Superstein is a summer associate in Fox Rothschild’s Chicago, IL office.
Guest Blogger: Violetta Abinaked, Summer Associate
As noted in Dittman et al. v. The University of Pittsburgh Medical Center, Case No. GD-14-003285, previously reported on here, Pennsylvania has firmly adopted the approach that the Risk of Harm is Not Enough in Data Breach Actions. Still, data breaches have become some of the most noteworthy headlines in recent news. An increase in litigation has brought with it efforts to shrink the case load through the Article III requirement of standing. This means that courts are finding that the plaintiffs have not sufficiently established a concrete injury in order to seek remedies from the court. One of the main issues with data breaches is that once the data has been extracted or accessed, it is not necessarily always true that tangible harm will follow. Due to that nature, the Third Circuit established that when it comes to data breach actions, simply the risk of future harm does not suffice to save the claim. The seminal case of Reilly v. Ceridian Corp. held that where no actual misuse is alleged, “allegations of hypothetical, future injury do not establish standing under Article III.” 664 F. 3d 38 at 41 (3rd Circuit 2011).
The courts are making it tougher to carry out a data breach claim if the plaintiff can’t show actual or certainly impending misuse of the information. Reilly’s narrow definition of standing is leading the courts’ decisions in dismissing cases. A defendant will likely have a higher chance of getting a dismissal in a data breach action if the plaintiff is not able to provide any actual misuse of the information—at least in the Third Circuit. As a company which may be at risk for a data breach, this heightened need for tangible damage from the plaintiff may be a saving grace if future litigation arises.
On June 30, 2015, Connecticut Governor Dannel Malloy signed into law Senate Bill 949, “An Act Improving Data Security and Agency Effectiveness”, a data privacy and security bill that creates stricter data breach response requirements. S.B. 949 specifies that an entity that experiences a data breach must give notice to those affected no “later than  days after discovery of such breach, unless a shorter time is required under federal law.” Previously, Connecticut law only required entities to provide notice of a data privacy breach to affected individuals “without unreasonable delay.”
During a press conference on June 2, 2015, Attorney General George Jepsen clarified that 90 days is the floor – not the ceiling. He stated that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.” Projected to become effective October 1, 2015, S.B. 949 also requires entities affected by breaches to provide at least one year of free identity theft prevention services for breaches involving the resident’s name and Social Security number.
Guest Blogger: Violetta Abinaked, Summer Associate
With data breaches being the quickly trending “flavor of the month” criminal activity, it’s no shock that on June 4, 2015 yet another system was hit. This time though, it may be one of the largest cyberattacks in U.S. history—compromising as many as 4 million current and former federal employees’ information. The U.S. Office of Personnel Management (OPM) handles security clearances and background checks and although many would assume that its security is top-notch, the facts on the ground reveal that every place taking in sensitive information—including the government—must update its privacy infrastructure.
In his press statement on Thursday, Rep. Adam Schiff, the ranking member of the House Permanent Select Committee on Intelligence, echoed that sentiment and stated that “Americans may expect that federal computer networks are maintained with state of the art defenses [but] it’s clear a substantial improvement in our cyber-databases defenses is perilously overdue.” This does not only apply to systems of this magnitude.
Any business that maintains data bases with private information must invest in the proper privacy infrastructure necessary to protect that information. Cyberattacks do not discriminate. From major retailers to well-respected state universities, data breaches run the gamut and from the looks of Thursday’s attack, they are getting more sophisticated. OPM is now working closely with the FBI and the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team to attempt to identify the extent of the harm on federal personnel. But not everyone has the luxury of the entire U.S. government as a “crisis manager” so preventive measures for businesses will make a difference.
At this time, one of the most troubling facts of cyberattacks is that the source is difficult to locate. Sen. Susan Collins, a member of the Senate Intelligence Committee, said the hack was “extremely sophisticated,” and “that points to a nation state” as the responsible party, likely China. No conclusive source has been discovered yet but the lesson here is clear—with private information being involved in almost every aspect of business, measures must be taken to protect it.
Guest Blogger: Kevin P. Demody, Summer Associate
Cyberattacks are not reserved for science fiction or corporate America; they can also impact professional sports. An example of cybercrime is currently unfolding in Major League Baseball, where the St. Louis Cardinals are under investigation for cyberattacks. The F.B.I. and Justice Department prosecutors are investigating whether the Cardinals hacked into the Houston Astros’ computer systems to obtain confidential baseball data.
Investigators have discovered evidence suggesting that Cardinals’ front office employees hacked the Astros’ computer systems containing information regarding possible trades, injury reports, and scouting evaluations. If the allegations prove to be accurate, the attack would be the first known instance of corporate cyber warfare between professional sporting organizations. The Cardinals organization, one of the most successful baseball clubs over the past two decades, has been served with subpoenas to obtain electronic correspondence that may have been related to the attacks.
In a written statement from Major League Baseball, the organization assured the public that it “has been aware of and has fully cooperated with the federal investigation into the illegal breach of the Astros’ baseball operations database.” The League also promised to “evaluate the next steps” and “make decisions promptly” after the federal investigation concludes.
The cyberattacks may have been a revenge tactic by Cardinals’ employees against former Cardinals executive and current Astros’ general manager, Jeff Luhnow. Mr. Luhnow, a scouting and player development executive with the Cardinals, was instrumental in the team’s World Series success by developing a unique way to evaluate players and manage talent. Much of Luhnow’s success with the Cardinals was attributed to a computer system, named “Redbird,” which contained the organization’s collective baseball knowledge. When Mr. Luhnow’s polarizing tenure with the Cardinals came to an end after the 2011 season, he left to become the general manager of the Astros. Once with the Astros, he used his computer expertise to create an electronic baseball knowledge system similar to the Cardinals’ “Redbird.”
The Astros’ system, known as “Ground Control,” was a collection of the team’s baseball data that weighted information based on the opinions of the team’s physicians, scouts, statisticians, and coaches. Investigators believe that members of the Cardinals organization used Luhnow’s old passwords to log into the team’s system and steal data. This is a common practice among cybercriminals, who attempt to reuse previously known passwords to gain access to other restricted networks. The investigation initially began last year when the Astros believed that the cyberattacks had originated from rogue outside hackers. It was only after further investigation that the F.B.I. determined the source of the cyberattacks to be a home occupied by a Cardinals’ employee.
At this point the investigation is ongoing and federal officials would not comment on which Cardinals’ employees were involved in the matter or if the front office executives had any knowledge of the cyberattacks. No Cardinals’ employees have been suspended or put on leave yet.
In response to a data breach in 2014, employees of University of Pittsburgh Medical Center filed a two-count class action complaint against UPMC for (1) negligence and (2) breach of an implied contract for failing to protect their personal data. The employee plaintiffs alleged that their Social Security numbers, names, addresses, birthdates, W2 information and salaries were stolen and used to file fraudulent tax returns and open fraudulent bank accounts.
In dismissing the class action, Judge R. Stanton Wettick Jr. ruled that Pennsylvania law does not recognize a private right of action to recover actual damages as a result of a data breach. Judge Wettick stated that creating such a cause of action in the context of a data breach would overwhelm the state courts and require businesses – who are themselves victims of criminal activity – to spend substantial resources to respond to these claims. Judge Wettick noted that, to date, the only obligation imposed upon businesses by the Pennsylvania General Assembly is to provide notification of a data breach. Judge Wettick refused to interfere with the legislature’s direction in this area of the law.
This decision confirms that, under Pennsylvania law, plaintiffs will continue to have difficulty bringing claims against businesses who suffer data breaches.
The case is Dittman et al. v. The University of Pittsburgh Medical Center, Case No. GD-14-003285 in the Court of Common Pleas of Allegheny County, Pennsylvania.