October is National Cybersecurity Awareness Month - Why It Matters
Recognizing the importance of cybersecurity to the United States, President Obama has designated October as National Cyber Security Awareness Month. Designed to engage and educate the public and private sectors to raise awareness about cybersecurity, the Department of Homeland Security and the National Cyber Security Alliance have partnered to designate each week with a different theme:
Week 1: October 1 - 2 | Marking the fifth anniversary of the Stop. Think. Connect. Campaign
Week 2: October 5 - 9 | Creating a Culture of Cybersecurity at Work
Week 3: October 12 - 16 | Connected Communities: Staying Protected While Always Connected
Week 4: October 19 - 23 | Your Evolving Digital Life
Week 5: October 26 - 30 | Building the Next Generation of Cyber Professionals
While these weeks serve to remind us of the importance of cybersecurity, there is no dispute that 2015 has already shown itself to be a critical year for cybersecurity, bearing witness to both significant data breaches and a strong reaction by government and businesses to strengthen cybersecurity. According to the Identity Theft Resource Center (ITRC), as of September 8, 2015, there were 541 data breaches in the United States resulting in the exposure of at least 140,092,146 records. In comparison, 783 data breaches were reported in 2014 with approximately 85,611,528 records exposed. On September 9, 2015, one day after the ITRC released its report, the BlueCross BlueShield health insurer Excellus announced that the personal information of more than 10 million customers had been exposed because of a large and sophisticated data breach.
In 2015, we have seen mobilization by businesses and the federal government in an effort to respond to the rising tide of data breaches and cyber threats. In this alert, we identify five significant data breaches that occurred this year, discuss a federal court decision expanding the ability of government agencies to enforce cybersecurity measures, and briefly discuss proposed legislation.
- Premera BlueCross - On January 29, 2015, Premera BlueCross revealed that an intrusion into its network might have resulted in the breach of 11 million financial and medical records.
- Anthem Health Insurance Company - In February, Anthem Inc., one of the nation’s largest health insurers, revealed that the personal information of approximately 80 million customers and employees had been exposed in a “very sophisticated attack” by hackers. Putative class actions were filed in California and Alabama federal courts against Anthem for its alleged failure to encrypt its data or heed warning that it was at risk from hackers.
- UCLA Health System - In July, UCLA Health announced that it was the victim of a cyber attack that exposed the data of about 4.5 million people. UCLA has been named in a proposed class action for allegedly failing to protect the personal information of the people affected and for waiting too long to disclose the breach.
- U.S. Office of Personnel Management - The Office of Personnel Management of the U.S. Government announced in July that hackers stole the personal information of 21.5 million current, former and prospective employees. The attack began in late 2013, when hackers allegedly infiltrated the systems of a government contractor.
- Ashley Madison - In August 2015, Ashley Madison, a website that connects married people looking to cheat on their spouses, disclosed that the personal information of its 37 million members was accessed by hackers.
Third Circuit Decision
FTC v. Wyndham Worldwide Corp. - In a decision issued on August 25, 2015, the Third Circuit Court of Appeals held that the Federal Trade Commission has the authority to regulate cybersecurity practices under Section 5 of the Federal Trade Commission Act. The FTC filed suit in 2012 against Wyndham after hackers repeatedly gained access to Wyndham’s computer systems and fraudulently charged consumers millions of dollars. The FTC alleged that Wyndham engaged in unfair and deceptive trade practices by failing to use appropriate data security measures to protect customers’ information. Wyndham challenged the FTC’s authority to regulate cybersecurity practices by U.S. companies. However, the Third Circuit confirmed the FTC’s authority to enforce cybersecurity standards under its general authority to target “unfair” trade practices.
Cybersecurity Information Sharing Act - In March 2015, the U.S. House of Representatives reintroduced the Cybersecurity Information Sharing Act. The bill is intended to help companies share cybersecurity information with federal agencies to improve the security of private and public computer networks and increase awareness of possible threats. The bill has been criticized by some companies and privacy advocacy groups for failing to protect the personal information of individuals while providing sweeping legal immunity to companies sharing information.
Collectively, these events demonstrate that cybersecurity is a pervasive issue that large and small companies face across various industries. Additionally, data breaches do not always involve sophisticated and anonymous hackers siphoning personal information in a dark room far away; they occasionally occur because electronic hardware, such as laptops and hard drives, is lost or stolen. During October, officially designated National Cyber Security Awareness Month, businesses should take the opportunity to learn more about cyber threats and cybersecurity, and also review their cyber response plans and cybersecurity insurance policies.
For further information on any of the matters, please contact Jay Shapiro (212.714.3063; firstname.lastname@example.org); Sedgwick Jeanite (212.631.4413; email@example.com); Laura Schmidt (215.864.6333; firstname.lastname@example.org) or another member of the Cyber Law and Data Protection Group.