BUFFALO, N.Y. (WIVB) – What are the chances of your personal data being hacked?
“It’s very high. It’s probably already out there somewhere,” said Arun Vishwanath, University at Buffalo professor and cyber security expert.
Consider this: In 2016, the New York State Attorney General’s office received 1,300 data breach notifications, which represents a 60 percent increase over the previous year.
Attorney General Eric Schneiderman is now proposing legislation that’s designed to comprehensively protect the personal information of New Yorkers.
“It’s clear that New York’s data security laws are weak and outdated,” Schneiderman said in a statement. “The SHIELD Act would help ensure these hacks never happen in the first place.”
Look no further than the Equifax breach in which hackers gained access to the credit reporting agency’s data, and potentially compromised the personal information of as many as 145 million American consumers.
“This is social security information. This is your financial history,” Vishwanath said. “This is the worst-case scenario. They got it all and we don’t even know who they are.”
“Equifax infuriates me,” said Sen. Charles Schumer, D-NY. “They have an extra obligation to protect it, and they didn’t. They were hacked several times and they didn’t.”
Data breaches are a serious threat that’s been exploding over the years.
Breaches exposed about 23 million personal records of New Yorkers between 2006 and 2013, according to a report by Schneiderman’s office.
Over the same time, data breach reports tripled, with hacking attacks making up over 40 percent of those breaches.
“Everybody is at risk,” said William Palisano, president of Lincoln Archives, a data security company in Buffalo.
And if you think this only happens to big companies.
“A lot of people think that just because they’re not a big company they’re not on the radar. That’s absolutely false,” Palisano said.
Palisano says the best defense for businesses and organizations is having a good backup system.
“You have to be very proactive and really understand where your risks are. And then secondly, plan on a strategy to secure those risks,” he said.
Arun Vishwanath says companies big and small should not skimp on data security.
“We got to take this very seriously. Today, an IT breach can destroy a company. It’s no longer just a support function that we just add on. But it’s actually an essential function that we got to take seriously,” said Vishwanath.
“I don’t care who you are. What size company you are, and where you’re located, presume you’re being attacked,” he added.
With data hacks on the rise, companies are increasingly becoming targets of class-action litigation.
Maryland-based CareFirst is asking the U.S. Supreme Court to review a case that stems from a 2014 data breach that potentially exposed 1.1 million patient records.
This follows a U.S. Court of Appeals ruling that gave customers the right to pursue a class-action lawsuit against CareFirst.
“This is a new frontier. Not just a new legal frontier. It’s a new frontier for companies and how they handle the privacy of their business. How they handle the security of what they take in the digital age,” said News 4 Legal Analyst Terry Connors. “It’s important, and it is something that has come to the attention of a lot of companies by virtue of litigation which is a terrible way to encounter this problem.”
Connors says right now there’s no federal standard that companies can follow, and that the whole concept of cyber security is relatively new to the legal field.
He says there’s been a split in federal rulings when it comes to whether data breach victims have standing to go forward with a class-action case.
Referring to the CareFirst case, Connors said, “The appeal to the Supreme Court will be, we need to resolve this dilemma. What exactly is standing, and what constitutes standing in this type of a case.”
“It’s evolving as you can see from the fact that there are differences of opinion among the various circuits. That’s something that’s going to have to be ultimately decided by the United States Supreme Court,” Connors added.
Data breaches can be especially tough on the bottom line of small businesses, according to Reggie Dejean, director of Specialty Insurance at Lawley Insurance in Buffalo.
“You just don’t know what’s at stake,” said Dejean.
He says the cost of dealing with a breach can quickly add up, even before a lawsuit is settled.
“You can run into hundreds of thousands of dollars for the credit monitoring, the notification costs, the public relations. All those costs that a small business can incur that may put them out of business,” Dejean said.
There’s even insurance for this sort of thing — privacy liability, designed to protect a company in the event of a data breach.
Generally speaking, Dejean says for about $1,000 a year, small businesses and nonprofits can get up to a million dollars of coverage.
“You think about a small business. A million, two million, three million of revenue or less. When you start looking at the credit monitoring, the legal costs, the forensic, you can easily be in the $200,000 range,” Dejean said. “How many businesses doing a million dollars revenue a year. How many businesses can afford, bottom-line $200,000? They can’t.”
Now more than ever, businesses and organizations should be asking these questions, according to the experts.
• What information are you handling?
• Where is it located?
• Who has access to it?
• What protections are in place?
• What kind of training do employees receive?
• What’s your plan if a breach happens?
Arun Vishwanath thinks there needs to be some sort of mandate that enforces cyber security discipline in companies that handle personal information.
For example, he cites the need to conduct regular checks for technical and human vulnerabilities.
“Presume the worst is better, and protect yourself by presuming the worst. That’s the strategy. That’s the world we live in. If you look at the data out there, you can see that there are hacks happening as we speak. The next big hack has probably already happened,” Vishwanath said.
Under Attorney General Schneiderman’s proposed legislation, companies would have a legal responsibility to adopt “reasonable” administrative, technical, and physical safeguards for sensitive data.
Bill Palisano of Lincoln Archives says well-prepared companies proactively put systems and processes in place to get ready for an attack.
“Those companies are more or less easier to recover. Companies that are not prepared, it might be impossible to recover them,” Palisano said.