As you may have heard by now, LinkedIn notified its users last week that it had been hacked. Out of about 150 million users, approximately 6 million had their passwords stolen and posted on a hacker web site. The breach of the social networking giant should come as no surprise – cyber criminals are sophisticated and the potential payoff of a successful heist is huge.
But there are several salient lessons we can learn from the attack and LinkedIn’s subsequent response.
First, if your company’s network is compromised (and the odds are it will be at some point), you need to take the breach seriously. Your company’s reputation is on the line, and how you respond will say volumes about how you care for your customers. In LinkedIn’s case, Reuters reported that users were still being notified of the attack days after LinkedIn first discovered the breach. That’s a move that could ultimately hurt LinkedIn’s credibility.
Once an attacked company determines that personal records and data have been compromised, victims need to be told as quickly as possible, and not just for good public relations. The vast majority of states require a breached firm to notify its clients if their data has been stolen, and many states require this as soon as possible after the breach.
While the public does not necessarily expect your business to be immune to cyber attacks, people do expect you to practice a high standard of care when in possession of their data. This speaks to the second lesson, which is to utilize adequate security measures so that a hacker will find it difficult or impossible to decipher stolen data.
LinkedIn did nothing of the sort. According to the Wall Street Journal, the passwords were only “hashed”, which means they were converted from plain text into a fixed digest by a one-way mathematical function. But this measure alone provides little protection. The New York Times described LinkedIn’s security protocol as “lax”.
Experts say that several other basic practices should have been applied to the hashed passwords, including encryption.
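To make the point in the two paragraphs above concrete, here is an added example (not code from the original article or from LinkedIn) contrasting a bare, unsalted hash with a salted, deliberately slow one. The user names, passwords and the list of "common" passwords are constructed for the demonstration; the iteration count is an assumption chosen to keep the example quick, and a production deployment would use a higher one.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; nothing here is real LinkedIn data.
SAMPLE_USERS = {
    "alice": "password123",
    "bob": "password123",   # deliberately the same password as alice
    "carol": "correct horse battery staple",
}

# Constructed list of common passwords a defender might use to audit
# their own password store.
COMMON_PASSWORDS = ["123456", "password", "password123", "linkedin", "qwerty"]

# Assumed work factor for the demo; raise it considerably in production.
ITERATIONS = 200_000


def bare_hash(password: str) -> str:
    """The weak setting: a fast, unsalted SHA-1 digest of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def linkable_accounts(users: dict) -> dict:
    """With bare hashes, users who share a password share a digest.

    Returns {digest: [user, ...]} for every digest used by more than one account,
    which is exactly the information a leaked table hands to an attacker.
    """
    groups: dict = {}
    for name, pw in users.items():
        groups.setdefault(bare_hash(pw), []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def audit_bare_hashes(stored_hashes: list) -> dict:
    """Defender-side audit: which stored bare hashes equal a common password?

    A single precomputed table works against every account at once because
    nothing per-user went into the hash.
    """
    table = {bare_hash(p): p for p in COMMON_PASSWORDS}
    return {h: table[h] for h in stored_hashes if h in table}


def store_password(password: str) -> tuple:
    """The hardened form: random per-user salt plus a slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def salted_digests_differ(password: str) -> bool:
    """Two accounts with the same password no longer produce the same digest."""
    _, d1 = store_password(password)
    _, d2 = store_password(password)
    return d1 != d2


if __name__ == "__main__":
    print("accounts sharing a bare hash:", linkable_accounts(SAMPLE_USERS))
    leaked = [bare_hash(pw) for pw in SAMPLE_USERS.values()]
    print("bare hashes matching common passwords:", audit_bare_hashes(leaked))
    salt, digest = store_password("password123")
    print("salted verify (correct):", verify_password("password123", salt, digest))
    print("salted verify (wrong):", verify_password("password124", salt, digest))
    print("same password, different salted digests:", salted_digests_differ("password123"))
```

The salt removes the cross-account linkability that `linkable_accounts` exposes and makes a single precomputed table useless, while the iteration count turns each guess into measurable work; `hmac.compare_digest` keeps the comparison from leaking timing information.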
If your company stores sensitive information of any sort – employee records, customer credit card numbers or other financial data, health records, intellectual property, contracts, etc. – you need to take reasonable security steps to safeguard the data.
Another lesson we can glean from the LinkedIn mess is that it is often difficult to know immediately the extent of the damage. LinkedIn was unsure, as of last week, whether other data besides passwords had been stolen, and was still investigating.
Cyber liability experts advise that if your company falls prey to cyber crooks, inform your clients who have been affected of (1) what you know about the breach, (2) what you do not yet know about the breach, and (3) what you are doing to find out what you do not yet know.
You will almost certainly need to hire a computer forensics firm to help you figure out how the hackers broke in, what data they have viewed and potentially stolen, and how to close the network “door” they entered through.
Remember, even if a cyber criminal has already stolen your data, you may not know it. It could take weeks for the hacker to auction off your data, or decide to use it himself. Employing robust logging applications on your network is one way that you can keep track of activity on your servers, to better detect unauthorized access.
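As an added illustration of the logging point above (not code from the original article), the following script parses a handful of constructed authentication log lines and flags two patterns a defender would want to see: a successful login that follows a run of failures from the same source, and a successful login from a source address never seen for that account. The log format, the user names, the addresses and the "known sources" table are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed format:
# <ISO timestamp> <OK|FAIL> user=<name> src=<address>
SAMPLE_LOG = """\
2012-06-05T22:14:01 FAIL user=alice src=203.0.113.9
2012-06-05T22:14:03 FAIL user=alice src=203.0.113.9
2012-06-05T22:14:05 FAIL user=alice src=203.0.113.9
2012-06-05T22:14:06 FAIL user=alice src=203.0.113.9
2012-06-05T22:14:08 OK user=alice src=203.0.113.9
2012-06-05T22:20:00 OK user=bob src=198.51.100.4
2012-06-05T23:01:00 OK user=carol src=198.51.100.7
"""

# Constructed baseline of where each account normally logs in from.
KNOWN_SOURCES = {
    "alice": {"198.51.100.2"},
    "bob": {"198.51.100.4"},
    "carol": {"198.51.100.7"},
}

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_log(text: str) -> list:
    """Turn raw lines into (timestamp, result, user, source) tuples, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def find_suspicious_logins(events: list, known_sources: dict, fail_threshold: int = 3) -> list:
    """Return alert tuples (reason, user, source, failure_count).

    - "success-after-failures": an OK preceded by >= fail_threshold FAILs for the
      same (user, source) pair, a classic sign of password guessing that worked.
    - "unknown-source": an OK from an address not in the account's baseline.
    """
    alerts = []
    failures = defaultdict(int)
    for _ts, result, user, src in events:
        key = (user, src)
        if result == "FAIL":
            failures[key] += 1
            continue
        if failures[key] >= fail_threshold:
            alerts.append(("success-after-failures", user, src, failures[key]))
        if src not in known_sources.get(user, set()):
            alerts.append(("unknown-source", user, src, 0))
        failures[key] = 0  # a success resets the streak for this pair
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_log(SAMPLE_LOG), KNOWN_SOURCES):
        print(alert)
```

Both rules depend on the servers actually recording failed attempts and source addresses, which is the practical meaning of "robust logging" here: if only successes are logged, the first pattern is invisible, and without a baseline of normal sources the second cannot be evaluated.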
If you are hacked, Internet insurance (also known as cyber liability insurance) can offer you some peace of mind by covering a wide range of first- and third-party risks, including notification costs. This kind of information insurance is a good low-cost solution to data breach problems, which cannot be completely prevented.
Many owners and managers believe they are already covered for cyber risks. But because standard commercial general liability (CGL) policies rarely protect against data theft or other electronic crimes, a policy specifically covering cyber liability is necessary.