With a majority of businesses being run from home, on less secure networks and with normal security protocols disrupted, hackers are seeking to capitalize. The FCC and the FTC have seen an uptick in scams during the pandemic in the form of fake charities requesting donations, fake sources offering financial relief, fake information regarding COVID-19 vaccines, and phishing e‑mails. Ransomware attacks are also increasing as hackers prowl the Internet for vulnerable systems, while VPNs are in high demand.
Secure Your Information
Maintain security while working from home. Businesses should be taking reasonable measures to ensure the safety of personal information during these challenging times. Examples include:
- Encrypting video chat platforms and securing meetings with access codes for attendees. Most communication platforms encrypt chat programs by default, but this is not the case with video programs.
- Reminding employees to be aware of what’s in sight during video calls. Employees should be sure that confidential information is not visible to those with whom they are conferencing.
- Reminding employees that they should continue to use the same verification processes that they would use in the office to confirm the accuracy of payment requests. Remember: failure to use normal protocols may void insurance coverage or other risk-management protections.
Keep up with new security requirements. Enforcement of the California Consumer Privacy Act (the “CCPA”) is set to begin on July 1, although companies should have been in compliance as of January 1, 2020, when the law went into effect. The CCPA permits a private right of action if “nonencrypted and nonredacted personal information” is disclosed or stolen “as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.” (Emphasis added.) Companies that meet the regulation’s threshold requirements must comply with the CCPA and ensure that they are meeting this standard. For more information regarding your duties in connection with the CCPA, see this new blog post (CCPA Enforcement Will Not Be Delayed Due to COVID-19: Is Your Business in Compliance?) with up-to-date information.
Cyber Insurance Is More Critical Than Ever
Considering the increased risks associated with remote work, if your business has not carried cybersecurity insurance before, it is time to reconsider. Cybersecurity insurance can help reduce the financial risks associated with doing business online. The loss of electronic data can have significant impacts on a business, and liability can extend to the consequential damages of the data loss. Insurance policies commonly cover costs associated with:
- Meeting extortion demands from a ransomware attack;
- Notifying customers when a security breach has occurred;
- Paying fees imposed as a result of privacy violations;
- Hiring computer forensic experts;
- Restoring identities of customers whose personally identifiable information was compromised; and
- Providing credit monitoring services for customers affected by a data breach.
Because cybersecurity policies will vary widely from one provider to another, companies should review the details of each policy closely to properly evaluate which one fits their business best. For more information, see our prior posts: Northwest Data Breach Laws Are Changing—Is Your Cyber Insurance Keeping Up?, Will Your Cyber Insurance Cover GDPR Fines & Penalties?, and Considering Cyber-Insurance After “WannaCry”? Here Are Things to Consider.
Already Have Cybersecurity Insurance? That Is Only Step One
If your business already has the proper insurance in place, now is a good time to remind employees to maintain the same protocols as if they were working out of the office. Many insurance policies include “failure to follow” exclusions under which coverage is void if the insured fails to maintain minimum/adequate security standards. Many policies require the insured to disclose its procedures during the application process, and if the business does not follow those procedures, the resulting incidents will not be covered.
Beware of Social Engineering Fraud
Social engineering fraud schemes, designed to trick victims into transferring sensitive data or funds to the attacker’s account, are usually not covered by cybersecurity insurance policies. Most cyber policies require an unauthorized access of your system for coverage to apply, which means that voluntary conduct by employees—even if tricked—is not within the scope of the policy. Coverage is available for social engineering fraud, usually through an add-on to your cyber or crime policy.
To avoid being a victim of social engineering fraud, your employees should be reminded of the following:
- Be suspicious of e‑mails, phone calls, or visits from individuals asking about employees or other internal information.
- If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization unless you are certain that the recipient is authorized to have the information.
- Do not reveal personal or financial information via e‑mail, and do not respond to e‑mail solicitations for this kind of information.
If you have questions regarding your current cyber policy or practices, or need guidance on selecting a new one, our attorneys are available to help your business become adequately protected.