While retailer Target and financial companies get the cybercrime headlines when customer data is lost, Main Street and mom-and-pop businesses are also at risk, speakers stressed at a digital-security conference Thursday in Omaha.
“Small companies have the same level of responsibility to report as larger ones,” said James O’Connor, an attorney at Omaha’s Baird Holm firm. “No matter your size, you may have to do a breach notification.”
Nebraska law requires companies to notify customers and to work with law enforcement officials when sensitive data that has a probability of being misused is lost to hackers. The average cost of fixing a cyberattack that leads to loss of sensitive data is $7.2 million, O’Connor said.
The Nebraska Attorney General’s Office investigated 25 digital data breaches last year that affected about 730,000 Nebraskans, said Attorney General Jon Bruning, the headline speaker of the conference, hosted by the Omaha office of Des Moines-based insurance broker Holmes Murphy & Associates.
“That’s nearly 40 percent of the population,” Bruning said. “No business owner wants to face these challenges.”
Bruning and a panel of insurance and legal experts said data breaches such as the one that struck Target in December are a persistent problem facing Nebraska businesses.
And businesses face legal obligations when such crimes happen. Under state law, companies that lose Social Security numbers, driver’s license information, account numbers or biometric data such as fingerprints are required to notify the Attorney General’s Office if there is a chance the information will be used for illegal purposes.
“You must notify,” Bruning said. “It is expensive and embarrassing, but you have to do it.”
Bruning said his office hasn’t prosecuted any Nebraska businesses under the laws that require companies to report and notify customer data breaches. “It is not our role to play gotcha. The only way that would change is if someone refused to cooperate or tried to hide facts.”
The problem of insecure data is not just within computers, according to conference speakers. Even digital printers contain information long after they have been discarded, using hard drives similar to those used in computers, which remain full of data even after being unplugged.
Trouble can lurk anywhere, said Chris Hoke, owner of Omaha digital security consultant Continuum Security Solutions. The website of musician Paul McCartney was recently found to have been harboring a pernicious piece of malware that specialized in finding bank account numbers and passwords on the computers of unsuspecting fans who clicked on the former Beatle’s Internet page.
“You don’t have to have any particular expertise anymore to do this,” Hoke said.. “You can download packs from the Internet for free that make you a hacker at the push of a button.”
At Target, Hoke said, the hacker virus that targeted point-of-sale terminals entered via the retailer’s heating and air conditioning company, whose own system was first compromised and served as a bridge to the sensitive data.
Companies can acquire insurance to protect themselves against cyberattacks. But general business insurance policies such as those for liability, property and crime have very limited or nonexistent benefits when it comes to cyberattacks, according to Lisa Hughes of insurance broker Ryan Turner Specialty.
Insurance policies can be purchased that will cover the costs of hiring investigators to define the extent of the breach, sending out notices to customers and paying for free credit monitoring for them. Rates depend on how much information is being stored in computers, how sensitive the information is and how effectively it is encrypted.
“If you have portable devices and they are not encrypted, they aren’t going to cover that,” said Mickey Estey, also of Ryan Turner Specialty.
Encryption and digital security aside, a significant percentage of data breaches involve some form of person-to-person subterfuge, O’Connor said. In a notable case, he said, sensitive information about a new cellphone’s digital guts that was of enormous value to hackers was obtained when a cybercriminal simply called the developer and wheedled it out of a secretary under false pretenses.
“Does our Midwest desire to be helpful override proper security protocols?” the attorney asked.
In any case, he said, businesses large and small need to take breaches seriously. Lawsuits are common in such situations, and there are deadlines related to legal responsibilities and law enforcement notifications. Experienced legal representation would be a good idea, O’Connor said, adding:
“And you might want to get public relations involved if it affects the reputation of your company.”