
No one is too small to hack

Matthew F. Prewitt, partner at law firm Schiff Hardin | Feb. 18, 2015
Smaller companies shouldn’t be complacent in the thought that cyberattackers have bigger game in their sights.

As the White House and Congress consider new cybersecurity legislation, some middle-market companies may still be questioning whether the cybersecurity crisis is a real threat for their businesses.

The notion that a business might be too small or too boring for a cyber breach is a comforting fiction. The reality is that most cyber breaches are not the work of international criminal gangs or foreign intelligence operatives; they are attributable to the company's own employees. Mere negligence by even a well-intentioned employee can trigger substantial investigation and response costs, and an employee who is leaving to join a competitor or who simply carries a grudge against her boss can cause substantial competitive or reputational injury. But even a company that is lucky enough to avoid ever having an actual breach may be required as a condition of doing business to provide its commercial partners assurances of adequate data security. Thus, for even the rare company that can be confident it will never attract the attention of external cyberthreats, cybersecurity is still an essential part of risk management.  

For some companies, cybersecurity compliance is expressly mandated by industry-specific regulations. For example, HIPAA's Data Security Rule is generally applicable to most healthcare providers and insurers, and the Gramm-Leach-Bliley Act imposes security standards on financial institutions. More broadly, the Payment Card Industry Data Security Standards are, by contract, binding on most companies that regularly accept payment by credit card. There are, however, many middle-market companies that are not subject to any industry-specific regulations, do not regularly accept payment cards, and may therefore be led to the false conclusion that they are exempt from any requirements.

One of the most important lessons from the Target breach -- which has been attributed at least in part to lax security by a single HVAC vendor -- is that effective cybersecurity requires commercial partners with effective cybersecurity. Major public companies have responded by implementing or expanding data security requirements for their vendors and service providers. In the current environment, for many companies, cybersecurity is not just risk management; it is responsive customer service.  

Another problem with the "too obscure to hack" theory is that cyberthreats sometimes are not specifically targeted at any particular business. For example, ransomware -- malware designed to shut down a computer network unless a "ransom" is paid -- may be distributed broadly in the hope of finding vulnerable targets. Such malware does not discriminate based on the size or public profile of the affected business. Business disruption due to a cyberattack presents uncertain and potentially broad liability. The liability of a commercial party that breaches a customer contract because a computer virus shuts down the company's operations has not yet been extensively litigated, but a company that has not taken reasonable efforts to prevent such an attack will be a far less sympathetic defendant for the court and the jury.
