Featured Stories

Other Pamplin Media Group sites


CYBERCRIME BECOMING A COMMON MENACE

Cybersecurity is now a large part of corporate governance.

In the movies, hackers are typically portrayed as shadowy figures in dark rooms trying to crash the computer system used by a large corporation.

In reality, the culprit is more likely to be a dishonest employee stealing personal information to sell on the black market or a careless employee allowing an outsider to do so.

And the real damage to the company might be caused by lawsuits filed by those whose information was stolen — or by monetary fines levied by government regulators for not safeguarding the data.

“State and federal regulators will look at the companies as victims, but also the stewards of information that was not protected,” says Christine Arevalo, vice president of health care fraud solutions for ID Experts, a Beaverton-based cyber security firm.

Arevalo was one of three experts who discussed the risks that data breaches pose to business and what they can do to minimize their liabilities at last Wednesday’s monthly Portland Business Alliance breakfast forum. The other two panelists were Gary Githens, the data breach practice leader at Brown & Brown Northwest insurance company, and Kelly Hagan, co-chair of the privacy and data security group of the Schwabe, Williamson & Wyatt law firm.

Before they spoke, Oregon Attorney General Ellen Roseblum addressed the hundreds of business leaders at the forum about the growing size of the privacy and data security problem.

“Cybercrime is a crime, not something we can brush aside. Data breaches are everywhere. They are an increasingly common menace to any organization with valuable personal information,” said Rosenblum, whose agency, the Oregon Department of Justice, was put in charge of pursuing data breach-related charges by the 2015 Oregon Legislature. Lawmakers acted by updating the state Oregon Consumer Identity Theft Protection Act, which was first passed in 2007 — an eternity ago in cyber time, Rosenblum noted.

According to Rosenblum, 606 data breaches involving 175 million records have been reported in the country so far this year. Victims include 15 million T-Mobile customers whose personal data was stolen. Rosenblum admitted she was one of them, along with about 118,000 other Oregonians.

Roseblum said technology is moving so fast that laws are no being passed to protect the security of biometric data like fingerprints and facial figures.

“You can change your password but you can’t changed your fingerprints. This is something we need to learn more about and develop the expertise and resources to deal with,” Rosenblum said.

Hagan defines a data breach as “unauthorized access to information” and reminded those in attendance that paper records are vulnerable, too. He said companies whose information is stolen face huge bills and time consuming investigations from a variety of regulators and law enforcement agencies because of the “complexity of the patchwork quilt of privacy regulations” that are currently in place but changing all the time. For example, out-of-state laws apply to any out-of-state resident whose information was stolen in a data breach.

The number of outright attacks and smaller fish expeditions on both corporate and government computers is large and growing every day. For example, the Pamplin Media Group, which publishes the Portland Tribune, has experienced more than 86,000 attacks so far this year. The company works hard to detect and prevent them.

Regulators are fining both large and small companies for data breaches these days, said Githens. He cited a nonprofit hospice that was fined $50,000 and a county in Washington state that was fined $250,000 by the federal government. According to Githens, around 60 percent of all companies who experience data breaches go out of business within six months, an indication of their potential costs.

Arevalo, Githens and Hagan urged businesses to immediately assess their data breach risks and take steps to minimize them.

“The risk assessment needs to be a soup to nuts look at the security of the entire organization. If you don’t do that, you’re setting yourself up for accusations of corporate negligence,” warned Hagan.

In addition, Hagan advised that businesses buy insurance policies specifically written to cover the costs of data breaches.

“Such policies are available. General liability and umbrella policies do not necessarily cover the costs of notifications, fines and penalties,” said Hagan.

Hagan said “breach response planning” could save time and money if a data theft occurs. He said business owners should talk with their attorneys in advance about appropriate responses, and should ask state and local law enforcement agencies in their areas how to best prepare against them.

“Be proactive. The time to get to know the investigators is before breaches occur,” Hagan said.