Just last week, Yahoo confirmed a security breach resulting in the theft of 450,000 passwords, which had been stored in plain text. According to CNET, Mashable and various other news websites, the hack was by a group called D33D Company, which stated it hoped the attack would serve as a “wake-up call” to those managing Yahoo’s security. In the past few months, hackers claimed to have posted the password hashes of 6.5 million LinkedIn users on a Russian Web forum (unsalted SHA-1 hashes, a large share of which were cracked within days), and a hacker gang called “Doomsday Preppers” posted more than 1.5 million eHarmony password hashes online. According to a Verizon report, 2011 had the highest recorded data loss since 2004, and 2012 looks to be on a similar track.

Besides the high number of records being stolen, what concerns many in the security industry, and should concern you, is that more than half of all data theft and more than 80 percent of all security breaches in 2011 involved “hacktivism.” Hacktivists want to make political or social statements, so they target large volumes of records from organizations that will make headlines rather than pursuing targeted cybercrime for financial gain. For example, one such group, “Anonymous,” breached the database of biotech giant Monsanto to exact vengeance for “crimes against humanity,” and temporarily took down the Department of Justice’s and FBI’s websites in response to the shutdown of the file-sharing service Megaupload, which occurred while Congress was debating new anti-piracy legislation.

Clearly, these security breaches are a big risk for companies. Reports indicate that the total monetary cost of a single data breach can range from $750,000 to over $31 million, which includes the costs of detecting and containing the breach, notifying affected individuals, implementing post-breach responses and lost business due to reputational damage. 
In addition, companies that experience security breaches have seen their stock price drop, paid fines and penalties to government entities such as the FTC and state attorneys general, and had to defend lawsuits brought by private plaintiffs. As a business owner, you need to be prepared on the security and compliance fronts for security breaches, whether due to human error (such as a lost laptop or smartphone), financially motivated crime or hacktivism. Here are some things you should be doing to manage your risk:

  • Develop (with legal counsel) and implement a written data security response plan setting out procedures to follow in the event of a security breach;
  • Form a response team to handle potential data/security breaches, which might include legal, security, information technology, human resources, audit and PR representatives;
  • Establish a notification plan in advance of a breach, including templates of notices that can be tailored to the specific incident and referencing applicable laws and regulations; and
  • Have a system in place to address questions from the public after a security breach, such as an email address or toll-free number.

Compliance can be difficult because the U.S. does not have one comprehensive federal law regulating privacy and the collection, use and security of personal information. Instead, when a company faces a security breach, it may have to address a patchwork of federal and state laws and regulations and common law principles, as well as industry guidelines. In addition, businesses may be required to provide costly and time-consuming notification of a breach, even in cases where there is minimal risk to consumers. For example, in Florida, if an entity fails to provide notice to affected individuals within a specified 45-day period, the entity can be fined between $1,000 and $500,000 per breach, depending on the length of the notification delay.

As an individual, you can protect yourself, security experts say, by using strong passwords, not storing passwords where they can be read, using a different password for every account (so that a password cracked from one site’s leaked hashes cannot be replayed against your other accounts) and not responding to suspicious emails, among other things. However, you are ultimately relying on the companies you do business with to protect your information.
