At the Republican National Convention in Cleveland last year, a security company set up several public Wi-Fi hotspots around Quicken Loans Arena to see exactly how people behaved online. Thousands of users accessed these Wi-Fi hotspots; more than two-thirds had their identities exposed, 10 percent shopped on Amazon or another site and 1 percent accessed banking records.
The company did not keep any of the records. But imagine if a hacker did this.
This test proved the need for good information security, whether for your business or for you as an individual.
Below, I have listed five cyber hygiene tips for both businesses and individuals.
Businesses are primarily concerned with protecting data they store, including vital proprietary information as well as customer data.
For individuals, the primary concern is protecting one’s privacy from hackers.
For the best “cyber hygiene” practices and legal updates on relevant privacy and data protection topics, you can follow Thomas on Twitter at twitter.com/cybersecureatty.
By Thomas Ritter
Here are two words that should scare any business: business interruption.
The thought of losing control of your business for a day or a week is enough to keep any executive awake at night.
Business interruption is almost a guarantee when a company experiences a data breach or other cybersecurity problem. Every interruption comes with significant mitigation costs, including hiring experts to alleviate problems, lost productivity, the threat of lawsuits and much more.
Helping businesses, especially smaller businesses, manage their cybersecurity risks is why I have started a dedicated cybersecurity practice at Thompson Burton.
The practice includes three primary services:
The first two services fall under what I would call “preventative medicine.” For any business in possession of sensitive customer information and data, preparation is instrumental to prevention. The last service is the triage, or crisis response, for when a cybersecurity problem occurs.
The two biggest issues in cybersecurity are data protection and privacy.
There is no single legal framework for businesses to follow. Rather, businesses must comply with a complex and often overlapping set of cybersecurity-related laws and regulations. Whether it’s HIPAA for healthcare companies, GLBA for financial institutions, the FTC Act, or some other law, there is a lot to wrap your head around.
For example, most companies affected by a data breach assume that the applicable state law arises out of the location of their headquarters. Instead, the more important question is: Where are the company’s affected consumers located? If a company is breached, it must follow the notification laws of every state where an affected individual resides.
At Thompson Burton, we make this confusing and arduous process of understanding and sorting through the applicable laws and regulations easier.
Once you understand the regulatory requirements, it’s important for a business to have a security policy in place. This security policy memorializes the business’s information security procedures and its plan for any incident response.
As an attorney, I’m always assessing potential liability. In any context, a business saying it will do something and then failing to adhere to its own standards can implicate significant liability if caught. Security policies are no exception.
The challenges with cybersecurity will only increase. It’s impossible to watch or read the news without some daily reference to a data breach or hack. For companies, it’s not a matter of if a cybersecurity breach will happen, but when.
Oftentimes, the biggest misconception by businesses is the “I’m too small to be a target” mindset. This is categorically false for several reasons. Most hackers don’t coordinate an attack based upon a specific target, but instead check to see which businesses’ doors remain unlocked. Of arguably greater concern, the actions of employees oftentimes allow a hacker to stroll right through the proverbial front door. Thompson Burton can help small businesses identify weaknesses and train employees to practice good “cyber hygiene.” (I will publish a blog post about this topic soon.)
The biggest benefit of having an attorney on-call who understands your business is the preservation of privilege in the event of a data-breach investigation. Through things like attorney-client privilege and work-product doctrine, an attorney can help coordinate and protect a company’s remedial efforts from potential discovery.
About The Author
Thomas Ritter is an associate attorney at Thompson Burton PLLC. He assists a variety of businesses, from well-established to new start-ups, on meeting regulatory compliance. Follow him on Twitter at twitter.com/cybersecureatty for the best practices and legal updates on relevant privacy and data protection topics.
I’m proud to share that Thompson Burton has been named a finalist for the 2017 Nashville Business Journal’s “Best in Business” awards. The firm is one of seven finalists in the category for businesses with 1-25 employees.
The NBJ determined the finalists after taking nominations from the public and having a judging panel of past winners choose finalists based on profitability, community involvement and other metrics.
I want to congratulate the other finalists. It’s wonderful to be in the company of many great Middle Tennessee businesses.
Thompson Burton is also proud to be the only law firm among the 29 finalists in all categories. Walt and I shared a common vision for a different type of law firm when we founded Thompson Burton five years ago. This recognition reinforces that the firm is doing the right things.
Most importantly, I want to recognize the entire Thompson Burton team. Everyone has embraced our vision and helped make the firm the success it is today. They are the reason that we enjoy coming to work every day and have a bright future ahead.
The winners in each category will be announced at an awards luncheon on March 7. Wish us luck.