By: Kisha Wilson
Throughout 2020 into the first quarter of 2021, a number of highly publicized data breaches continue to highlight the growing need for increased accountability for cyber security standards. In December 2020, reports surfaced that SolarWinds, a Texas-based IT company serving many Fortune 500 companies as well as a number of departments in the United States government, had suffered a major data breach in which hackers infected software updates with malware which were then pushed to many customers. As many as 18,000 of SolarWinds’ customers may have been affected by the breach which allowed unauthorized access to sensitive information and government data. Microsoft also discovered a major breach in January 2021, when the Microsoft Exchange Server was hacked leaving thousands of their customers victims of a cyberattack.
The recent attacks appear to be ongoing as hackers have increased their activity and pose a massive threat to the victims and information systems all around the world. The response to these threats varies, but include solutions like private security patches and even possible government action. As companies and governments assess vulnerability, some have assigned blame to weak security practices of their employees. As The Wall Street Journal reported, “hackers linked to the attack have broken into these systems by exploiting known bugs in software products, by guessing online passwords and by capitalizing on a variety of issues in the way Microsoft cloud-based software is configured, investigators said.” In a recent lawsuit against SolarWinds, a lot of emphasis was placed on the vulnerability of weak passwords and in a Congressional hearing, Sudhakar Ramakrishna, chief executive of SolarWinds, blamed the weak password on an intern. This has resurfaced questions of accountability during cyberattacks and data breaches.
Despite all of the recent attention on attacks by hackers, employee negligence still remains one of the top causes of data breaches. Insufficient training, loss and theft of physical and digital assets, and insufficient policies for the disposal of confidential information all contribute to the increasing trend of data breaches. With each data breach costing companies on average $8.64 million, the proper policies and procedures for avoiding breaches caused by employee negligence becomes more critical.
During the COVID-19 pandemic, many companies moved to a remote working environment adding another layer of potential vulnerability. The potential for a major data security breach could increase as employees introduce more risk by operating under relaxed at-home data security practices such as accessing unsecured networks or by accessing company systems from personal devices. Additionally, many companies do not have robust work-from-home data security policies or guidance for employees to help them protect themselves from data security threats.
Addressing employee negligence alone will not put an end to data breaches. Companies need to start preparing themselves not only to strengthen their data security practices, but also to protect themselves from the legal risks of cyberattacks. While it is true that employees may bear some of the responsibility to secure their work by ensuring they don’t create additional vulnerability, including by using weak passwords or by clicking on harmful links in phishing e-mails, the organizations themselves are vulnerable to vicarious liability if they don’t take the proper steps to ensure strong data security standards and reporting guidelines in the event of a breach. The best ways to address these problems is to have clear and comprehensive data security policies for on-premise and remote postures for employees, contractors and vendors; and to provide robust and ongoing training to employees on the best practices for protecting information and reducing the likelihood of data breaches. Companies can also purchase cyber insurance.
The growth in the cyber insurance industry underscores the increased vulnerability of organizations to data breaches and cyberattacks. The cyber insurance industry is expected to grow at least 30% per year over the next 5 years. Companies are seeking protection because they are becoming increasingly aware of the ever-increasing cost of liability during a breach. Employees acting in the ordinary course of employment do not necessarily take on the full liability for breaches even if their own actions cause a vulnerability. As more and more companies become connected through the internet of things and cloud servers, the risk of cyberattacks and breaches increases as new points of vulnerability are introduced into information systems. The responsibility for mitigating the risk of cyberattacks and data breaches will need to be shared by both employees and their employers.
Student Bio: Kisha Wilson is a third-year evening law student at Suffolk University Law School. She is a staffer on the Journal of High Technology Law and a Legal Innovation & Technology (LIT) Fellow in the LIT Lab at Suffolk University Law School. Kisha received a Bachelor of Arts in International Relations from Boston University.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.