by Doug Brent and Dana Howard
As it relates to nation state-launched attacks on U.S. industry, our government stopped saying “nation state” about a year ago and started saying China. Earlier this month FBI Director James Comey was interviewed on CBS’ 60 Minutes and said that, among large U.S. companies, there are those that have been hacked by the Chinese and those that just haven’t realized it yet.
And just last week security researchers revealed that Russian hackers exploited a bug in Microsoft Windows to snoop on the recent NATO summit meeting as well as Western governments. One attack vector used in the “Sandworm” hack: PowerPoint files laced with malware. Microsoft addressed the issue in a Security Bulletin on October 14.
Even the largest banking enterprise in the U.S. couldn’t protect its network, resulting in a headline-grabbing breach affecting more than 80 million customers – including seven million businesses.
Some basic assumptions for the next “new normal”
- Cyber intrusions are both sophisticated and pervasive.
- They target vulnerabilities in software that every Internet-connected business is using.
- They aren’t going away, and you are probably naïve if you think you can protect against an intrusion at your business.
- When an intrusion occurs, you may not know whether data was compromised.
Against that cold reality, what do you need to know?
If you are a business, you inevitably have PII (personally identifiable information) stored in company records, and you have a legal obligation to protect it.
If your customers include government agencies in Kentucky, a recent change in Kentucky law requires you to develop a written security information policy and affirm it in your government contracts.
The new law requires you to have a reasonable security and breach investigation procedure to protect and safeguard against breaches.
Finally, the law imposes notification requirements in the event of a security breach, but those obligations may not burden you at all if your business uses a form of encryption consistent with a new legal standard that will apply in Kentucky beginning January 1, 2015.
To learn more about your responsibilities to protect information while developing a security and investigation action plan, contact one of the attorneys in our Privacy and Information Security Practice Group.