It Can Happen to You
I woke up this morning to a fraud alert from Citibank on my credit card. After going through the Spanish Inquisition to secure my identity, I finally learned what had triggered the alert—a small transaction in Spain. When I attempted to verify that the Citibank people were legitimate and not the hackers, they got indignant. Upon reflection, I realized that putting down a deposit for a flat in London may very well have been the source of the hack.
Lessons Learned
At our recent CEO Brainstorming Conference, my law partner David Rice painstakingly alerted the audience to the realities of cybersecurity. The scary part is that it could happen to any of us as businesspeople or consumers. Obviously, we need to take steps to protect ourselves on both fronts.
Is Enough Being Done?
I doubt it. I get spam credit-card e-mails all the time at work, seeking to “verify” my account information. While the regulators give lip service to this area, I suspect that they are really clueless and helpless to control this rapidly growing monster. Do you honestly think the big, bad Office of the Comptroller of the Currency is going to tell Citibank, Chase, or Bank of America what to do? Unlikely. So even though I am a bank lawyer, I suggest that as consumers and businesspeople, we be proactive and take appropriate steps to protect customers and ourselves.
What Can Be Done?
David Rice suggests doing the following if you are a business/bank:
- Audit—Identify what information you collect and what you do with it. Do you collect personal information of customers, employees, and vendors? Does that data involve financial information? Credit-card information? User-location data from mobile apps? How do you use the data? Where is the data stored?
- Determine how the law requires you to protect that data from unauthorized disclosure. Different laws apply to different types of data.
- Examine your policies. Do you have an information-security policy? A data-breach response plan? Are they consistent with legal requirements? Are your policies consistent with each other and across departments? Do you regularly review and update your policies? Who is responsible for implementing and updating them?
- Scale down. Do not retain information unless you need it. Dispose of data in a secure and legal manner.
- Secure the data you retain in a manner that is consistent with your policies and legal requirements. What are your procedures for preventing unauthorized disclosure of data? Are they appropriate based on the sensitivity of the data you store? Do you encrypt data? Encryption can reduce the loss associated with a breach.
- Train your employees on your policies and data security. Your policies will have no effect unless your employees are aware of them and are implementing them correctly.
Above all, do not wait for a devastating data breach to learn that you could have protected yourself by taking practical steps in advance.
Let’s Not All Be Passive
I urge all of us to take cybersecurity as a personal and business threat. While I am as far as you can get from being a tech geek, I respect the power and risk inherent in today’s growing technology sector. Taking steps to protect ourselves and our businesses just makes common and good business sense. Burying our heads in the sand and denying the threat would be foolish. Sophisticated hackers are out there every minute of the day. They're the modern-day Bonnie and Clyde. Let’s do something to foil them.
