What, Me Worry? If You Store Customers’ Personal Information on Your Computer System, You Should!

David R. Bohm


MAD Magazine’s Alfred E. Neumann would famously say, “What, Me Worry?” If you store personal information about your clients or customers on your computer, however, you should worry about whether it is properly secured.

Hackers and other malevolent individuals on the world wide web are constantly trying to compromise or steal data from your computer system to sell on the dark web. They particularly target names combined with (1) social security numbers, (2) credit or debit card numbers or other account information, (3) security or access codes or passwords, or (4) medical or health insurance information.

Another common form of cyberattack is to plant ransomware on a target’s computer system. Ransomware encrypts the data on the system, making it inaccessible to the system’s owner and leaving a ransom note as the only thing readable on the affected system. The note promises that the system will be restored if a ransom is paid in bitcoin. However, hackers often do not restore the affected system, even if a ransom has been paid. Further, hackers now often steal data before encrypting it, and then sell the stolen data on the dark web. This has happened to companies both large and small, many of which have undertaken substantial efforts to protect the data on their systems. We have recently seen perhaps the most egregious hack yet, with (apparently) Russian agents infiltrating government computer systems and the systems of some of the U.S.’s largest corporations. The public does not yet know what data has been exfiltrated from these systems, but it is likely to be significant in terms of both the amount of data and its substance.

To reduce the chances of falling victim to a ransomware attack or other hack, have your system audited regularly by a cybersecurity expert. It is also important to install patches to your firewall and other software as soon as they become available, to reduce system vulnerabilities.

In addition to having your system audited, determine whether your insurance covers you against a ransomware attack or other cybersecurity breach, and whether the amount of coverage is sufficient. Approximately 60% of small to mid-size companies that suffer a cyberattack do not survive. The law in most states requires a company to notify customers if their information has been compromised, or potentially compromised, by a cybersecurity breach. The required notification and the other required elements of responding to a data breach (including offering credit monitoring to customers) can be quite expensive.

Should you have the unfortunate experience of suffering a cyberattack, it is important to engage a cybersecurity firm to conduct an investigation to determine the extent of any breach (i.e., what data may have been compromised and how).

You should also consider hiring an experienced law firm to advise you of any breach notification requirements (generally, you must comply with the law in each state where you have customers whose data has been breached, and these laws have significant differences). Some of these costs are likely to be covered if you have cybersecurity insurance.

Posted by Attorney David R. Bohm. Bohm is an experienced litigator working with health care, government, and business clients on employment, intellectual property, and complex contract issues. He is also skilled in alternative dispute resolution as a means to solve disagreements without litigation.

Published in the February 2021 St. Louis Small Business Monthly.
