Know the Risks of a Cyberattack - and How to Protect Your Association
Originally published in Associations Now magazine.
Preventing and responding to cyberattacks has become one of an association's highest priorities. The first step is to understand the risks and then implement the policies and procedures you need to keep your data safe. Here's what the law requires.
Ten years ago, almost no one was talking about cybersecurity, especially in the association world. Today, cybersecurity is on the mind of the vast majority of association executives, and discussions of the subject top the agendas of staff and board meetings. Associations of all sizes have realized how vulnerable they are to a data security breach or malicious cyberattack and have begun to understand the financial and liability risk such an event poses.
Technology is constantly changing, as are the malicious means used by third parties to access and disrupt an association's technology infrastructure. Currently, two of the most prevalent cybersecurity risks are ransomware attacks and data security breaches.
Ransomware attacks are becoming an increasingly popular means of disrupting business. In response to a congressional inquiry, the Department of Justice revealed in March 2016 that the Internet Crime Complaint Center had received nearly 7,700 complaints pertaining to ransomware since 2005 and that such complaints represented $57.6 million in damages, including ransoms paid and costs incurred in dealing with the attacks.
Ransomware attacks can take several forms. For instance, an email may be sent to an employee that contains what appears to be a legitimate attachment or link. Or an employee may innocently be surfing the web and click on a link displayed on a social media site. When the employee opens the attachment or clicks on the link, a malicious code infects his or her computer and often spreads throughout the organization's network, locking its digital files. The perpetrator demands the association pay a ransom for a decryption key required to unlock the files.
Another threat is a data security breach. Almost daily, media reports alert us to breaches of well-known companies (Sony, Target, and Citibank have all experienced data breaches) or government agencies (so has the IRS). Associations are prime targets as well.
This is because hackers are looking to access databases that contain personally identifiable information (PII). Generally, PII is defined under state law as a person's name in combination with his or her Social Security number, driver's license number, bank-, credit-, or debit-card number, or taxpayer identification number. This data is a valuable commodity on the black market. Associations collect PII from members, certificants, donors, or employees every day, while maintaining volumes of PII in their databases. Such information is a potential goldmine for a hacker.
A breach of an association's technology infrastructure is not the only way an association could be affected. Breaches can result from an employee losing his or her laptop or a flash drive containing member information. What most associations don't realize is that they can suffer a breach even if their technology infrastructure was not infiltrated. This happens in cases where an organization has contracted with a third party to maintain its PII, and that contractor's database is hacked.
Ransomware attacks and data breaches not only disrupt business operations. They also put the association at risk for considerable financial loss, jeopardize its reputation and the confidence of members, and subject it to legal liability in every state. State laws regarding data security breaches generally apply to all businesses, including associations, that collect or maintain PII for a state resident.
For instance, an association located in Virginia that had a single member in California would be required to adhere to California law in safeguarding PII and reporting security breaches involving PII. Assuming the association had members in other states, it would be required to adhere to those states' laws as well.
Under many state statutes, businesses that experience a data security breach are required to conduct an investigation and report the incident to the person or people whose PII was compromised, as well as various government agencies. Some states, including Maryland and Massachusetts, also require businesses to implement written information security plans (WISPs), which document the organization's administrative and technical safeguards for the protection of PII and outline how it will respond should it experience a breach.
While WISPs are not required in every state, developing one forces an association to assess its current technology infrastructure and think about how susceptible it may be to a cyberattack. In other words, a WISP forces an organization to plan ahead by developing policies and procedures that would apply if it were to experience a data security breach or fall victim to ransomware.
The provisional requirements for WISPs vary from state to state, but a few components are commonly required:
- a clear statement of the association's information security program's objective, purpose, and scope
- the appointment of one or more employees responsible for overseeing the program
- the identification of reasonably foreseeable internal and external risks to PII maintained by the association
- a policy regarding employee storage, access, and transportation of PII outside the association
- documentation of responsive actions that will be taken should a data security breach occur
As part of a WISP, associations should consider putting together an internal response team comprising the individuals who will be primarily responsible for carrying out its plan in the event of a cyberattack. The team should include a member of the senior management team as well as staff from the IT, legal, and communications departments.
Regular employee training is critical. Employees should be educated about various types of cyberattacks, their potential impact on the association and its members, and the types of information considered confidential. They also should understand policies pertaining to personal use of the organization's computers and mobile devices.
Associations often assume that their general liability insurance policy will protect them from any damage or liability resulting from a cyberattack. At least one recent case in New York suggests otherwise. In Zurich America Insurance v. Sony Corporation of America, PlayStation users sued Sony after more than 70 million user accounts were compromised by a third-party hacker. The court ruled that Sony's policy covered security breaches committed by Sony but not by third-party hackers. Cyberattacks can also damage an association's technology infrastructure, and in some instances, general liability policies will not cover it. Associations should determine whether their insurance policies cover both of these risks.
Finally, under the data security laws of many states, associations are required to report a breach even if it involved a contractor's technology infrastructure. Additionally, some states, such as Massachusetts, require WISPs to include a policy that any contract that the association enters into with third parties who will who have access to the association's PII will require the vendor to safeguard the data.
Associations should ensure that contracts with third-party contractors specify that the contractor agrees to comply with all applicable data security and privacy laws, to reimburse the association for costs incurred due to any data security breach the contractor experiences, and to indemnify the association against third-party claims arising from the contractor's breach.
Again, if an association has a single member in a state that requires a WISP, it must comply with that state's legal requirements, and the penalties for noncompliance can be significant. It is essential that associations that collect and maintain PII know the law that applies to them.