GDPR Fines: Could Cybercriminals Bite Back?

A response from SMP about GDPR and the threat of cybercriminal activity –

In the 14 months since GDPR became enforceable, several high-profile global organizations have faced hefty proposed fines for violating the regulation. Most recently, this includes Marriott and British Airways.

For Marriott, the $123M fine proposed by the U.K.’s Information Commissioner’s Office (ICO) stems from a data breach that exposed 500 million customer records. Further complicating the situation is the root of the hack: the intrusion originated in Starwood’s systems two years before Marriott acquired the company, so Marriott inherited a compromised network, and the liability that came with it, as part of the acquisition.

In the case of British Airways, attackers stole the personal data of more than 500,000 airline customers in an intrusion that began in June 2018. The ICO intends to penalize the carrier some $230M in response.

In the wake of these incidents, security experts, including SMP, warn that GDPR is changing more than just the cost of a breach; it is reshaping the entire security landscape. GDPR applies to any organization that handles the personal data of EU residents, wherever that organization is based, so companies operating across jurisdictions face fines under GDPR and under similar legislation such as the California Consumer Privacy Act (CCPA), plus the cost of remediation for exposed customers and any associated litigation.

At the same time, SMP believes that cybercriminals could be taking note in hopes of blackmailing companies post-hack. It is not much of a stretch to imagine an attacker exfiltrating customer data and then demanding $10M to keep quiet, when disclosure could expose the company to a fine upwards of $100M. Paying does not make the problem go away: GDPR still requires notifying the supervisory authority within 72 hours of becoming aware of a breach, so a company that pays to conceal one adds a second violation to the first. That is not a situation any organization wants to be in, and yet the possibility remains.

To guard against the threat of cybercriminals and protect your organization, we recommend the following:

  1. Stay informed about GDPR and other legislative updates. Understand how and where these regulations apply to your business.

  2. Audit your current cybersecurity infrastructure, shore up any existing weaknesses and update your policies and procedures to ensure compliance.

  3. Monitor those systems and the data they hold continuously, with the support of a qualified team of experts.

For more information, please contact SMP

Response to Equifax Security Breach

A response from SMP on the recent Equifax security breach - 

Credit bureaus consolidate a great deal of information about you, and that information can be used to steal your identity, which can turn your life into a nightmare for years (about 7 years on average).

Equifax, one of the 3 largest consumer credit bureaus in the US, was just hacked. Per their own statement, the data of 143 million individual US consumers is compromised. Equifax is offering free credit monitoring to all US consumers (but no compensation for any consequences of the breach on consumers’ lives). You must enroll before Tuesday, November 21, 2017 to get one year of their credit monitoring service. Be mindful that enrollment is staggered: the site assigns you an earliest date before which you may not enroll, so check yours. To find out, go to their special website at https://www.equifaxsecurity2017.com and be sure to read the FAQ.

Equifax says it discovered the breach on July 29 (the unauthorized access may have begun in mid-May), but only made it public on September 7.

At some point soon, your identity data will be sold for next to nothing (the going rate is about $0.02 per 10,000 records) to any buyer, and it is very likely that someone will try to use it, for example to obtain credit cards, buy a car, file fraudulent tax returns or take out loans in your name. Once that happens, you will be held responsible for the balances on those accounts until you can prove that you were not the person who opened them (which can be difficult and quite time-consuming). You will have to fight to defend your good name and your creditworthiness. Yes, that is absurd, but it is what happens to millions of people in the US each year.

To protect yourself, we recommend that you do the following:
        1.  Contact Equifax, Experian and TransUnion to place a credit freeze on your file at each bureau. A freeze blocks new credit from being opened in your name; you will need to lift it temporarily whenever you apply for credit yourself.
        2.  Sign up for Equifax’s free credit report monitoring offer (they make it complicated to sign up, and there is a deadline of November 21).
        3.  Actively monitor your future credit reports and keep an eye out for abnormal activity (new loans, credit cards, etc.).

This Wikipedia article is a good summary:
https://en.wikipedia.org/wiki/Identity_theft_in_the_United_States

The Federal Trade Commission publishes facts & statistics about identity theft.
https://www.ftc.gov/news-events/media-resources/identity-theft-and-data-security

If you have any questions, please contact SMP

Upcoming - ILTA LegalSec 2017

Security Management Partners will sponsor and exhibit at next week's LegalSEC 2017 conference in Virginia. Attendees are encouraged to meet Ed Greenberg, SMP's Senior Security Services Account Director, at Booth No. 27.

"Two Days All About Security For Legal" - The target audience for ILTA’s LegalSEC Summit is legal technology professionals at every level and general counsel who touch legal security in their law firm or law department and want to learn more and connect with peers.

When: Tuesday, June 13-Wednesday, June 14, 2017
Where: Crystal Gateway Marriott, Arlington, VA

Learn more: http://legalsec.iltanet.org/home

NJBIZ Special Report: Cybersecurity

Don't have a good cybersecurity plan in place? Then don't plan on getting a lot of business in the future, says this NJBIZ article featuring commentary from SMP's own Peter Bamber. A follow-up to a May 17 event, the article explores current cybersecurity trends.

For more on this topic, as well as what organizations can do to protect their information, join SMP on June 13 for a special cybersecurity panel discussion at the Hyatt Regency in New Brunswick, NJ. Additional details and registration are available here: http://www.smpone.com/june-13-cybersecurity-workshop.

From NJBIZ - Another attack is coming — here's the No. 1 thing to do (and not to do)


The worldwide ransomware attack over the weekend was halted before it could cause the global shutdown many feared.

The biggest question in the aftermath: Did the U.S. simply dodge a bullet?

Peter Bamber, the vice president at Security Management Partners, said it doesn’t really matter either way.

“Dodging a bullet?” he asked. “The guns are loaded — they are still shooting; that’s the way I look at it. They are going to come right back at us with this. They’ll just tweak it a bit.”

Read the full article at NJBIZ: http://www.njbiz.com/apps/pbcs.dll/article?AID=/20170515/NJBIZ01/170519888/nj-cyberexperts-another-attack-is-coming--heres-the-no-1-thing-to-do-and-not-to-do