Cyber Crime On The Rise And Costly - What Can You Do About It

The Ponemon Institute recently published the First Annual Cost of Cyber Crime Study. Download here. The study was conducted by Ponemon, an independent research group with a focus on privacy and data protection, and ArcSight, a security and compliance management provider. The study involved a benchmark cost analysis of 45 different companies ranging from 500 employees to over 100,000.

Here are the significant points from the executive summary:

  • The median cost of cyber crimes for the 45 organizations was $3.8 million per year (ranging from $1 million to $52 million)
  • Cyber attacks are the most common occurrence
  • The most costly attacks (amounting to 90% of the attacks) are web attacks, malicious code, and malicious insiders
  • The companies in the study were experiencing 50 successful attacks per week
  • Average number of days to address a cyber attack was 14 days, with insider attacks taking more than a month
  • Costs for company compliance depended greatly on the level of security programs at each company

The study defined cyber attack as any criminal activity conducted via the Internet, including theft of intellectual property, confiscating online information and accounts, distributing viruses, and disclosure of confidential information.  The study referred to some well-publicized cases of cyber attack, such as TJX companies, which I posted about on this blog previously.

What should you do if you or your Connecticut business has been a victim of cyber attack? 

  • Act quickly.  Responding quickly to a cyber attack is essential.  Hopefully, your business has developed a data loss and privacy plan that will address the steps your business should take in response to a cyber attack.  There should be a dedicated response team and protocol for any such event.
  • Determine whether notification is necessary.  Depending on the nature of the attack and the information compromised, notification of consumers, customers, or governmental authorities may be required.
  • Consult a privacy attorney and business litigation attorney to determine what legal steps might be taken to address the attack.  For example, if there was an identifiable person or group responsible, such as an insider or a competitor, there may be criminal or civil remedies for computer crimes that provide for the recovery of damages.
  • Determine if insurance is available to cover the damages from the cyber attack. See some of my prior posts on insurance to address data loss and security breach.  Also, read this article by Tom Risen of the National Journal that summarizes the potential solutions that insurers offer to businesses in the United States. 

Although the Ponemon study involved large companies, many experts in the field suspect that small businesses are equally, if not more, exposed to cyber attacks.  Therefore, regardless of the size of your company, it is a good idea to have a risk management audit to determine your company's ability to respond to a cyber attack.  Advance planning is critical to mitigating damages from cyber attacks.

 

 

Civil Liability For Computer Crimes In Connecticut

In Connecticut, a person commits a computer crime if there is any violation of the provisions in Connecticut General Statutes 53a-251.  This is Connecticut's computer crime statute.   The statute defines criminal conduct under the following categories:

  • Unauthorized access to a computer system
  • Theft of computer services
  • Interruption of computer services
  • Misuse of computer system information
  • Destruction of computer equipment

The computer crime statute itself does not provide for a civil cause of action.  Instead, a victim of a computer crime may rely on Connecticut General Statutes 52-570b, which permits a civil lawsuit for computer-related offenses. The statute provides a basis for a lawsuit for "an aggrieved person who has reason to believe that any other person has been engaged, is engaged or is about to engage in" conduct that violates the computer crime statute. 

As part of a computer crime lawsuit, a business may seek a temporary or permanent injunction, restitution, actual damages, unjust enrichment, an order to appoint a receiver who may take property into his possession, or any other equitable relief.  Punitive damages may be available if there is a showing of malicious or willful conduct. Further, a victim of computer crime may obtain an award of attorney's fees and costs.

One of the more common types of computer crime or cyber attack is an insider attack with unauthorized access to a computer network.  A common example is a disgruntled employee or vendor who has some level of access to a business's computer network and whose use of that access turns into unauthorized use or damaging conduct. The cyber attack might involve theft of confidential or proprietary information, installing a virus or malicious code to infect the system, or theft and disclosure of information to third parties.

The most common defense raised to computer crime charges is "authorized access."  The statute exempts conduct that might qualify as improper, but was undertaken with a reasonable belief that it was authorized.  As such, the issue of authorization becomes a critical element in these cases.  Courts might look to the policies and practices of a business with respect to access and security to determine if a reasonable belief defense exists.  Courts will also look to the nature of the conduct to determine if a reasonable belief defense is legitimate under the circumstances of the case.

Responding quickly to a computer crime or cyber attack is important.  A business that is the victim of a computer crime or cyber attack should consider involving an attorney as part of the response team depending on the severity of the incident.  The attorney can assess whether a business that is the victim of a computer crime can bring a lawsuit to recover damages or possibly make a claim for losses to an insurance company.  An attorney can also assist with critical decision making regarding notification to outside parties in the case of a security breach or data loss.  An attorney can further assist with determining the need for involvement of an appropriate forensic expert to preserve and develop critical electronic evidence of the cyber attack.

 

New Study Shows Small Businesses Vulnerable to Cyber Attacks

The National Cyber Security Alliance recently released a new study with some startling numbers concerning small businesses and the threat of data loss, security breach, or cyber attack.  Some of the key numbers obtained from polling small business owners include:

  • 65% store customer information on computer systems
  • 43% store financial records
  • 33% store credit card information
  • 86% do not have anyone focused on system security
  • 11% of owners never check their computer security systems.
  • 75% use the internet to communicate with customers
  • 28% have formal internet security policies

What do these numbers suggest? Deborah Cohen, who covers small business for Reuters.com, published an article following release of the study and “confirmed that small businesses are among the most vulnerable to Internet crime. . .” She quoted Michael Kaiser, executive director of the National Cyber Security Alliance, who noted that “small businesses are pretty robust targets” for cyber attacks citing the lack of Internet protocol and employee training. Cohen’s article also offers some tips from Kaiser for small businesses to help confront cyber attacks.  

If you are looking for some guidance or help with cyber security, read here for some of my earlier posts.  If you are looking for a do-it-yourself place to start, try the U.S. Chamber of Commerce.  The Chamber offers a great resource entitled “Common Sense Guide to Cyber Security for Small Businesses.” It’s a 12-step plan to increase cyber security. Here are some highlights:

  • Use strong passwords and change them regularly
  • Watch for strange email attachments
  • Install computer security software and network security
  • Keep software updated
  • Limit access to sensitive and confidential data
  • Establish and follow security plan
  • Maintain insurance coverage

The threat of data loss or security breach is not going away, but will only increase. Lawsuits concerning data loss and security breach are more frequent. Business owners need to stay on top of the threat by implementing a sound data loss and privacy plan. There is no one-size-fits-all approach and every business will have its own risk exposures. If you are a business owner, consider having your business evaluated for risks of cyber attack or data loss.