CPAs, law firms, PEOs (professional employer organizations), financial advisors, and insurance agents have at least two things in common:
- They have large amounts of sensitive Personal Information (PI) and Protected Health Information (PHI) about their clients and employees; and
- They are the new targets for sophisticated cyber/data thieves.
A recent report on Chinese hacking released by Mandiant, a U.S. cybersecurity firm, noted that law firms make ideal targets because they store large volumes of sensitive information on behalf of a wide variety of clients; a law firm has become a “one-stop shop for the attackers,” in the report’s words. By compromising a single professional organization’s network, an attacker can obtain PI and PHI relating to thousands of companies and individuals.
Attackers have also become more sophisticated and more selective in how they steal information. Recent reports show that they increasingly choose organizations whose networks are less secure than their owners assume, and specifically target companies that have not invested the money and time to protect the sensitive PI and PHI they hold.
Hackers are not your only risk. “Simple” data thieves, both inside and outside the organization, target CPAs, law firms, PEOs, financial advisors and insurance agents because of the amount of PI these firms hold. According to a recent Verizon study, 85 percent of data thefts are not the result of sophisticated hacking; they result from organizations not having basic preventive security measures in place.
While major corporations are indeed targets for cyber attacks, most of them have taken steps to minimize the risk of further privacy incidents. The smartest cyber criminals have realized that while corporate America and the U.S. government employ sophisticated security systems, many service providers such as law firms and CPA firms are still in the age of Windows 95. Criminals exploit this failure, or inability, to keep pace, and as a result client and employee data is at serious risk. When the class actions and attorneys general enforcement actions are filed, courts will weigh this failure to stay a step ahead of, or at least on par with, the criminals when assessing legal liability, and the cost to the firm will be substantial: statutory damages for data privacy negligence can reach nearly seven figures, on top of private civil actions and penalties from other governmental agencies.
Professional service organizations, especially CPAs, law firms, PEOs, financial advisors, and insurance agents, also run a very high risk of losing their client base if they fail to take precautionary measures against a data privacy incident or cyber attack. Clients are starting to ask their professional service providers: “We take the following preventive measures to protect our own sensitive information. What are you doing to protect our PI and PHI at your firm?” You need to be in a position to respond with a better answer than “We use passwords on our computers!”
The following is a summary of the preventive policies and practices your organization should have in place to minimize the risk of a data privacy incident:
- Conduct a data privacy and cybersecurity review
- Require confidentiality agreements of employees, vendors and visitors
- Draft a Written Information Security Program (WISP) and comply with it
- Prepare an Incident Response Plan and assemble your Incident Response Team
- Determine your organization’s Social Media Policy
- Enforce strict Computer Usage Policies
- Manage and enforce your Document Retention Policy
- Create a Telecommuting Policy
- Review the physical security of your organization (where and how documents are stored; who has access to buildings)
- Require visitors to sign in and wear ID badges
- Conduct training on your data security policies
For more information, please contact one of the attorneys listed below.