Lock It Up (Encrypt)

In honor of National Cybersecurity Awareness Month, we’re sharing our top practical tips for small businesses to keep their data secure.  Tip #1 is encryption.  The National Institute of Standards and Technology (NIST) defines encryption as “the process of transforming plaintext into ciphertext using a cryptographic algorithm and key.”  In plain terms, encryption is the process of securing data by using a digital lock and key. 

The premise behind encryption is pretty simple.  If you want to keep private papers from prying eyes, how would you do it?  You could put the papers in a safe.  Only someone who knows the combination to the safe can open it and access the papers inside.  Encryption does the same thing to data, except using digital methods.  Encryption essentially “locks” data by scrambling it so it becomes unintelligible to anyone who doesn’t have the “key” necessary to unscramble it.  The idea is that scrambled data is useless to anyone who can’t unscramble it.  It doesn’t matter if the encrypted data falls into the hands of a hacker or is released to the public due to a data security breach.  Data that looks like gibberish isn’t very useful.
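To make the "digital lock and key" concrete, here is a small added example (not code from the original post or from NIST) that seals a record with AES-256-GCM and then shows what happens when someone tries to open it without the right key. The function and variable names, and the sample record, are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Encrypt seals plaintext under a 32-byte key with AES-256-GCM.
// Output layout: random nonce || ciphertext || authentication tag.
// A fresh nonce is drawn for every call; reusing a nonce with the same
// key would break the scheme, so never hard-code one.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce we pass as the destination.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails (returns an error) if the key is
// wrong or if the blob was truncated or altered, so a thief holding only
// the ciphertext learns nothing and cannot silently tamper with it.
func Decrypt(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// NewKey returns 32 random bytes. In practice the key lives in a key
// manager or HSM, not next to the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	key, _ := NewKey()
	record := []byte("employee: A. Example, SSN 000-00-0000") // constructed sample
	blob, _ := Encrypt(key, record)
	fmt.Println("what a thief would see:", hex.EncodeToString(blob))

	if pt, err := Decrypt(key, blob); err == nil {
		fmt.Println("with the key:", string(pt))
	}
	wrongKey, _ := NewKey()
	if _, err := Decrypt(wrongKey, blob); err != nil {
		fmt.Println("without the key:", err)
	}
}
```

The point for the breach-notification discussion that follows is the second branch: the stolen bytes are useless without the key, and any attempt to open or alter them with the wrong key is rejected. That only holds if the key itself was not stolen alongside the data, which is why key storage deserves as much attention as the encryption itself.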

Understanding this principle is the key to minimizing legal liability under data privacy laws.  Take Hawaii’s data breach notification law, for example.  The breach notification requirements of Hawaii Revised Statutes chapter 487N-2 apply when a “security breach” has occurred.  The term “security breach” refers to “an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.”  Did you catch the reference to “unencrypted” records?  If data that is the subject of a breach incident acquisition is encrypted, then a “security breach” did not happen for purposes of HRS 487N-2, and compliance with the breach notification requirements of the statute is unnecessary.

The California Consumer Privacy Act (CCPA) that will take effect on January 1, 2020 is another example.  A business can be sued by a consumer whose “nonencrypted or nonredacted personal information” is subject to unauthorized access and is copied, transferred, stolen, or disclosed due to the business’s failure to use reasonable security procedures.   Want to reduce exposure to private lawsuits under the CCPA?  Encrypt consumer data.

The General Data Protection Regulation (GDPR) isn’t quite as black-and-white in carving out liability for encrypted data, but the law certainly incentivizes encryption.  For example, Article 34 of the GDPR provides a safe harbor from the data breach notifications where “the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.”  (Emphasis added.)  While encryption won’t guarantee exemption from the GDPR’s data breach notification requirements, failure to encrypt data almost certainly would trigger the requirements.

It should be fairly obvious by now that encrypting sensitive data is a highly recommended, if not mandatory, cybersecurity measure.  How encryption fits into your cybersecurity program depends on your organization’s IT system, the type of data at issue, operational needs, and cost, among other factors.  Encryption can be deployed at different stages of the data lifecycle.  Encryption can also be paired with other data security practices such as pseudonymization and anonymization.  Consult a cybersecurity expert and privacy lawyer to determine how best to use encryption to secure your data and minimize legal liability.

National Cybersecurity Awareness Month

Beefing up cybersecurity controls could seem intimidating and costly, but it doesn’t have to be.  Although the appropriate cybersecurity controls vary depending on a number of factors including the amount and type of data being handled and how the data is stored, there are best practices every organization should implement.  In honor of National Cybersecurity Awareness Month (NCSAM), we’re going to share our top practical tips for securing your data.  Whether you’re a mom-and-pop store or a retail chain, these “common sense” practices are fundamental to cybersecurity programs of all sizes.  The tips cover issues we see come up again and again in our practice of advising businesses on compliance with data privacy laws.  Addressing these issues up front goes a long way toward enhancing cybersecurity, but ignoring them makes compliance more difficult.

Each day this week, we’ll share a tip that will help you keep unauthorized eyes and hands off your data.  In the meantime, check out these cybersecurity resources for small businesses:

High-profile data breaches have become common in the headlines, but it’s not just big businesses that are the targets of hackers.  According to the 2018 Hiscox Small Business Cyber Risk Report, 47% of small businesses had at least one cyber attack in the past year.  Yet, barely 52% of small businesses have a clearly defined strategy for cybersecurity.   Even more alarming is the fact that 65% of small businesses failed to act after experiencing a cybersecurity incident.

Cyberattacks are costly.  The Ponemon Institute reported that average costs in 2017 related to a malware attack on small and medium-sized businesses were $1.03 million due to damage or theft of IT assets, and $1.21 million due to disruption of business operations.

The good news is that free resources are available to small and medium-sized businesses to beef up their cybersecurity.  The Global Cybersecurity Alliance (GCA), a non-profit organization backed by the New York City District Attorney’s Office and the City of London Police, recently released a free cybersecurity toolkit.  The toolkit is great for business owners who want to reduce common cyber risks. 

The GCA Cybersecurity Toolkit is built around the Center for Internet Security Controls framework.  GCA claims that addressing just the first five CIS Controls can reduce the risk of cyberattack by 85%.  Geared toward a nontechnical audience, the GCA Cybersecurity Toolkit takes users through six “toolboxes,” each one designed to address an aspect of cybersecurity:

  1. Know what you have – take inventory of hardware and software
  2. Update your defenses – updating systems, applications, and security settings, and securing your website
  3. Beyond simple passwords – selecting strong passwords and implementing two-factor authentication
  4. Prevent phishing and viruses – preventing malware and phishing attacks
  5. Defend against ransomware – using backup tools to guard against ransomware infection
  6. Protect your brand – preventing others from spoofing your brand name and email addresses

If you’re a business owner looking for a user-friendly way to begin building a cybersecurity program, the GCA Cybersecurity Toolkit is a good starting point.

Tax season is miserable for many because it means having to cut a check to the IRS.  But it’s not just Uncle Sam who’s interested in your money.  Scammers are also looking to get paid, and they’ll do it by stealing personal information.  Employees tasked with preparing tax forms, like human resources (HR) professionals, are prime targets of scams.  Using various forms of subterfuge, scammers convince HR to hand over private information about an employee, which they’ll then use to file false tax refund claims.  The surge in tax scams has prompted the IRS to issue multiple alerts and host National Tax Security Awareness Week last December to educate the public about tax-related cybercriminal activity.

What’s the scam?

Scammers impersonate people whom the victim is likely to trust, like a well-known service provider (e.g., FedEx) or a person with a legitimate need for access to sensitive information (e.g., an IRS agent).  This is known as “spoofing.”  Sometimes a “spoofed” email tries to get the recipient to open an attachment containing a virus or click on a link to a malicious site (which might look legitimate).  A specific type of spoofing attack known as “phishing” aims to convince the victim to divulge personal or financial information.  For example, a phisher posing as an employee might email the HR department for a copy of his W-2 form.  Even more targeted is a “spear phishing” attack aimed at a specific individual.  The IRS has warned of spear phishing schemes involving emails to an HR professional sent from the spoofed email address of a C-suite executive.  The email will ask the HR professional to send a tax form or to provide information about an employee supposedly for a tax filing. Once the scammer has the information, he or she will file a tax refund under the employee’s name.

Protective measures

The best way to avoid being a victim of a phishing attack is to raise awareness.  Employees should be regularly trained to practice the following defensive measures:

  • Be suspicious of all email requests for confidential information, even if they come from high-level personnel within the company. Tell-tale signs are spelling or grammatical errors or language that the sender doesn’t typically use.
  • Confirm requests for confidential information by calling the requester.
  • Avoid sending confidential information electronically. Hand deliver the information or send it by mail to a verified address.
  • If confidential information has to be transmitted electronically, encrypt it before sending.
  • Never send confidential information by hitting the “reply” button. If an email is spoofed, the reply email will go to the imposter.  Instead, compose a new email and manually type in the email addresses of the recipient.
  • Apply extreme caution when opening attachments. Never open an attachment with the .exe extension.  Note that an attachment might be altered to look like an ordinary word processing document, spreadsheet, or PDF.  When in doubt, send your IT department a screenshot of the email and consult with them on what to do next.
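Two of the tips above (don’t trust “reply,” and be wary of attachments that only look like documents) can be checked mechanically before a person ever acts on a message. The following is an added example, not part of the original post or of any IRS guidance: it parses a constructed spoofed “CEO to HR” email, flags a Reply-To address that would route the answer to a different domain than the visible sender, and flags attachment names whose real extension is executable even when a document extension is buried in the name. The sample message, domain names and function names are all constructed for this illustration; the check catches one common tell and is not a substitute for a mail security gateway.

```go
package main

import (
	"fmt"
	"net/mail"
	"path/filepath"
	"strings"
)

// sampleEmail is a constructed message of the kind described above:
// the display name and From address look like the CEO, but the Reply-To
// header quietly sends any reply to a look-alike domain.
const sampleEmail = `From: "Jane Example, CEO" <jane.example@example-corp.test>
Reply-To: jane.example@example-corp-hr.test
To: hr@example-corp.test
Subject: Urgent: W-2 copies for all staff

Please reply with W-2 PDFs for every employee by noon today.
`

// domainOf returns the lower-cased domain part of an address.
func domainOf(a *mail.Address) string {
	at := strings.LastIndex(a.Address, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(a.Address[at+1:])
}

// ReplyToMismatch reports whether hitting "reply" would send mail to a
// different domain than the one shown in the From header. A missing
// Reply-To header is normal and is not flagged.
func ReplyToMismatch(raw string) (bool, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return false, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return false, err
	}
	rt := msg.Header.Get("Reply-To")
	if rt == "" {
		return false, nil
	}
	replyTo, err := mail.ParseAddress(rt)
	if err != nil {
		return false, err
	}
	return domainOf(from) != domainOf(replyTo), nil
}

// executableExts are attachment extensions that run code when opened.
var executableExts = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true,
	".bat": true, ".cmd": true, ".js": true, ".vbs": true,
}

// RiskyAttachmentName flags names whose final extension is executable.
// "W2_forms.pdf.exe" is flagged even though it contains ".pdf", because
// only the last extension decides how the operating system opens it.
func RiskyAttachmentName(name string) bool {
	ext := strings.ToLower(filepath.Ext(strings.TrimSpace(name)))
	return executableExts[ext]
}

func main() {
	mismatch, err := ReplyToMismatch(sampleEmail)
	fmt.Println("reply would go to a different domain:", mismatch, err)
	for _, n := range []string{"W2_forms.pdf", "W2_forms.pdf.exe", "payroll.xlsx", "invoice.scr"} {
		fmt.Printf("%-18s risky=%v\n", n, RiskyAttachmentName(n))
	}
}
```

The Reply-To check only sees what the headers say; a message whose From address has been forged outright will pass it, which is why the advice above to confirm requests by phone and to compose a fresh email to a known address still applies.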

Responding to a security breach

In the unfortunate event that a company falls victim to a phishing attack, it should immediately gather facts about the incident including the number of employees involved, where the affected employees are located, what information was stolen, and whether the stolen information has been put to use.  Consult with a lawyer to determine next steps.  In Hawaii (as in many states), a business is legally obligated to provide notice to victims of a security breach.  Experienced counsel can navigate the company through data breach notification laws and advise on liability and remedial measures to take.

Whether it’s the secret recipe for your gourmet cupcakes or a unique process for manufacturing your best-selling product, trade secrets are valuable company assets.  When an employee leaves, there’s a risk they will take your trade secrets with them to a competitor or to start their own business.  So what relief is available if you’re a victim of trade secret theft?  Hawai‘i companies already can seek relief from the Hawaii Uniform Trade Secrets Act, but now there’s another tool to combat trade secret theft.  On May 11, 2016, President Obama signed the Defend Trade Secrets Act (DTSA) into law, which adds a federal layer of protection for trade secrets.

Here are the highlights of the new law:

What does DTSA do?  The DTSA creates a new federal remedy for trade secret misappropriation.  Prior federal trade secrets law only criminalized certain misappropriations of trade secrets.  The DTSA allows victims of trade secret misappropriation to sue in federal court.

Is the DTSA my exclusive remedy?  No.  The DTSA creates a national standard of trade secret law and gives you more options for seeking relief, but it doesn’t pre-empt state law.  You may still take advantage of trade secret protections under state laws like the Hawaii Uniform Trade Secrets Act.

What’s so special about the DTSA?  One feature of the DTSA is that it allows a court to grant an “ex parte seizure order.”  This new remedy lets trade secret owners seek a court order to seize allegedly stolen trade secret items in the accused wrongdoer’s possession without first giving them notice.  Seizure orders are granted only in “extraordinary circumstances.”  To safeguard against abuse of seizure orders, the DTSA entitles victims of wrongful seizure to damages, punitive damages in cases of bad faith, and attorneys’ fees.  It remains to be seen how courts will apply the ex parte seizure provisions of the DTSA and how often the remedy will be used.

What do employers need to know about the DTSA?  Injunctive relief granted under the DTSA may not “prevent a person from entering into an employment relationship” and must be consistent with state law “prohibiting restraints on the practice of a lawful profession, trade, or business.”  In other words, the DTSA does not override state law governing non-compete covenants.  Claims under state law may need to be included in the lawsuit to enforce non-compete provisions in an employment agreement.

The DTSA also provides immunity for whistleblower employees (which the DTSA defines broadly to include independent contractors and consultants) who disclose trade secrets to any government official solely for the purpose of reporting or investigating a suspected violation of law or in a court filing made under seal.  Notice of the whistleblower immunity provisions must be given in every agreement entered into after May 11, 2016 that restricts the employee’s use of a trade secret or other confidential information.  The notice requirement may be satisfied by referencing the immunity provisions in a policy document (like an employee manual) rather than inserting the provisions into each employment agreement.

For more specific information on how the DTSA affects you, consult experienced legal counsel.