INCREASED CYBERSECURITY RISKS AND WHAT YOU CAN DO ABOUT IT

Both Russia and Ukraine have effectively declared a cyberwar on each other in addition to the catastrophic physical war we see on the news each day.  While the rest of the world has so far avoided getting embroiled physically in the war in Ukraine, with the US and most of Europe (among other nations) taking a hard line on Russia, and China (a nation from which a high volume of cybercrime emanates) seeming to side with Russia, the likelihood of the US getting dragged into a cyberwar and being hit by cybercrimes has increased dramatically.  To be clear, such attacks are not aimed only at governmental targets, but typically target softer financial targets such as private businesses.  The harm from cybercrime often expands over time: viruses and malware are let loose and gradually spread throughout the world, inflicting their damage months or years after first being introduced.  Even without regard to what is going on in Ukraine, one need only pick up a newspaper or watch the news to know that cybercrime and data breaches (most often due to internal mistakes) continue to rise dramatically.

All of this raises the questions of what you can do about it, how you can protect your business, and whether the financial investment in legal compliance and sound practices makes fiscal sense.  The short answers are: (1) minimize your risk; (2) be pro-active; and (3) absolutely.

Minimizing Risk and Being Pro-Active:

You can minimize your risk by pro-actively doing the following:

  1. Develop and implement a comprehensive written Information Security Policy, and update it at least annually.
  2. Conduct annual (or more frequent and upon hiring) Information Security Training.
  3. Determine data privacy laws applicable to your business and implement a plan for compliance.
  4. Determine data privacy legal obligations imposed by third-parties (i.e., by contract).
  5. Engage in data mapping so you can determine what confidential/sensitive data you have, so you can then properly protect it.
  6. Implement a data retention/destruction policy.
  7. Develop and implement a data breach plan so you are prepared in advance.
  8. Analyze risk from your vendors/service providers and implement procedures and agreements to minimize risk and insulate from liability.
  9. Implement a website privacy policy (and related terms and conditions of use).
  10. Think privacy.  Think security.

Finances of Doing Things Right:

Data breaches and harm from data breaches (including cyber-attacks) increased dramatically in 2020, and again in 2021.  2022 is no different.  As more data is collected, more data protection laws are passed and imposed by contract, and more technology is implemented, the risk and cost of data breaches continue to increase dramatically with no end in sight.  Here are some telling statistics: only approximately 5% of company data is properly protected; approximately 80% of senior IT leaders believe their organizations lack sufficient protection against cyberattacks; there were 1.4 million reports of identity theft in the US in 2020; the cost of a data breach (avg. almost $4 million) has increased every year for at least the last 5 years, and is predicted to dramatically increase in the future; cybercrime will cost the world $10.5 trillion annually by 2025; malware and ransomware attacks are increasing approximately 400% a year; and all of this is getting much worse with the work-from-home environment.  While you may be inclined to wait to do the right thing, the cost of implementing appropriate policies and procedures, coupled with the risk and cost of harm, only increases over time – and this does not even take into account your potential contractual obligations.

Always be vigilant!  Please contact Michael J. Feldman, Esq., CIPP at 908-964-2486 with any questions.