Below is a link to my article on the Cipriani & Werner website about cyber risk from a professional viewpoint.
The following is an article I wrote that was recently published via email by the PICPA.
Lost Your Smart Phone? Now What?
So much data is stored on phones, laptops, and other electronic devices that a loss can be devastating. FBI statistics indicate that a laptop is lost or stolen every 53 seconds. That is more than 10,000 every week, and the number for smart phones is almost certainly higher. In its 2003 Global Information Security Survey, Ernst & Young found that one-third of corporate chief technology officers indicated that they do not have insurance coverage for cyber events, and another 22 percent did not know whether they had coverage. These numbers are frightening considering how much information we store on these devices.
I can’t emphasize enough that you should consult with an attorney about your actions if you find yourself in this position, but I am realistic enough to know that many of you will not. Perhaps this article will help you make more informed decisions, but please keep in mind that it barely touches the surface of the numerous considerations that depend on your specific circumstances.
From the moment an electronic device is placed in your hand, you need a well-thought-out procedure for handling its loss. Things to consider include which state and federal laws apply and what they require for reporting a loss. Compliance with the law is just the beginning. If not required under the law, should you still report the loss to your clients? Will you report it to the authorities? Do you have security in place, such as the ability to wipe the device remotely or tracking software? Do you need to cancel credit cards or change passwords? There is much to consider.
When an item goes missing, the first step is to determine whether it was lost or whether it may have been stolen. The response depends on the circumstances. If it was stolen, can you determine whether it was taken for the hardware itself or for the data on it? If stolen, do you contact the police or some other agency? Further, do you contact the press, shareholders, or your employees?
I’ll state again that you need to contact your attorney, and that may be the first contact you should make. Contacting your insurance company will also help you determine whether you have coverage for the loss. A number of types of insurance may provide coverage, but general liability and most standard policies will likely have exclusions. This is something to consider prior to any loss. There is one other must-contact, in my opinion: your computer consultant. The consultant can help you navigate the security issues and determine what data may have been, or has been, breached.
Know that once you notify any outside entity, you will begin to lose control. This will matter if you are attempting to avoid bad publicity or negative information going to your clients. Regardless, you may be required to notify clients, depending on the circumstances. The Pennsylvania Breach of Personal Information Notification Act (BPINA) will apply if you have a Pennsylvania company with a loss in the state and the affected clients are Pennsylvania residents. The requirements if the device is lost outside the state, or if some of the clients live in other states or jurisdictions, are still an evolving area of law. The BPINA, effective in 2006, requires notification if personal information (as defined by the statute) that is unencrypted and unredacted is “reasonably believed to have been accessed and acquired by an unauthorized person.” This is certainly not a bright-line test and is subject to interpretation. There are some exceptions to the reporting requirement that have to be considered. How and when you notify, what information you provide, and whether anything further is required all need to be worked out.
The type of data on the device will make a difference as well. Medical records are subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), both of which may apply to a CPA firm that provides services to a hospital or other medical provider. There are other federal statutes that may have notification requirements, too.
Violations of these laws carry some harsh penalties. Violation of BPINA, for instance, is deemed a violation of the Unfair Trade Practices and Consumer Protection Law, is prosecuted by the office of the attorney general, and carries penalties that include treble damages and attorney’s fees.
If the decision is made that there is no legal requirement to notify clients, then whether to notify the authorities becomes a tougher question. Although only about one in 10 of these thefts results in a conviction, those cases may be highly publicized by the police and prosecutor, who try to use them as a deterrent. This must be considered.
It is easy to say that passwords need to be changed, accounts closed, and credit cards canceled if that information was on the device, but it is easier said than done. Do you even know which of this information is on the device in some form? Another consideration, and one you will want to make in consultation with your IT experts and possibly the authorities, is whether to keep some of these accounts active but have them alerted so that unauthorized access can be traced.
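The “keep the account active but alerted” option above is a detection control, so here is a small worked example of what it looks like in practice. This is added illustration, not code from the article or from any product the author uses: the log line format, the account names, the device identifiers and the addresses are all constructed, and the watch-list structure is an assumption about how a firm might record which accounts were exposed on the lost device and when it went missing.

```python
"""
Added example (not from the article): after a device loss, selected
accounts stay open but go on a watch list. Any use of a watched account
after the loss time, from the missing device or from a device the owner is
not known to use, is raised as an alert that can be followed up and, if
needed, handed to the authorities. Log format and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    account: str
    source_ip: str
    device_id: str
    success: bool


@dataclass(frozen=True)
class WatchEntry:
    lost_at: datetime                 # when the device was reported missing
    lost_device: str                  # identifier of the missing device
    trusted_devices: FrozenSet[str]   # devices the owner is still known to use


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed log line, e.g.
    '2024-03-01T14:02:11Z login user=jdoe ip=203.0.113.7 dev=WS-0042 result=ok'."""
    ts, _kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return LoginEvent(
        when=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        account=kv["user"],
        source_ip=kv["ip"],
        device_id=kv["dev"],
        success=kv["result"] == "ok",
    )


def alerts_for(lines: Iterable[str], watchlist: Dict[str, WatchEntry]) -> List[dict]:
    """Return one alert per login event that touches a watched account after
    the loss and does not come from a device the owner is known to use.
    Failed attempts are reported too; they are evidence of someone trying."""
    alerts: List[dict] = []
    for line in lines:
        ev = parse_line(line)
        entry = watchlist.get(ev.account)
        if entry is None or ev.when < entry.lost_at:
            continue  # not a watched account, or activity from before the loss
        if ev.device_id == entry.lost_device:
            reason = "activity from the missing device after it was reported lost"
        elif ev.device_id not in entry.trusted_devices:
            reason = "activity from an unrecognised device after the loss"
        else:
            continue  # the owner working from a device we still trust
        alerts.append({
            "account": ev.account,
            "when": ev.when.isoformat(),
            "ip": ev.source_ip,
            "device": ev.device_id,
            "success": ev.success,
            "reason": reason,
        })
    return alerts


# Constructed sample data: phone PH-0133 reported lost at noon UTC on 1 March.
LOST_AT = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_WATCHLIST = {
    "jdoe": WatchEntry(lost_at=LOST_AT, lost_device="PH-0133",
                       trusted_devices=frozenset({"WS-0042"})),
}
SAMPLE_LOG = [
    "2024-03-01T09:15:02Z login user=jdoe ip=198.51.100.4 dev=PH-0133 result=ok",    # before the loss
    "2024-03-01T13:40:11Z login user=jdoe ip=203.0.113.7 dev=PH-0133 result=ok",     # lost phone used
    "2024-03-01T14:02:11Z login user=jdoe ip=198.51.100.4 dev=WS-0042 result=ok",    # owner at the office
    "2024-03-01T15:30:45Z login user=jdoe ip=203.0.113.9 dev=UNKNOWN result=fail",   # unknown device, failed
    "2024-03-01T16:00:00Z login user=asmith ip=203.0.113.7 dev=PH-0200 result=ok",   # account not watched
]

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOG, SAMPLE_WATCHLIST):
        print(alert)
```

Run against the constructed log, the script reports two alerts: the successful login from the missing phone after the loss time, and the failed attempt from an unrecognised device. The pre-loss login, the owner’s own office login and the unrelated account produce nothing. The point for the practitioner is that the watch list has to be written down at the time of the loss, with the loss time and the owner’s remaining trusted devices, or there is nothing to alert against.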
The loss of data and the potential data breach can lead to numerous expenses. Losses and expenses include the cost of lawyers, the cost of a forensic audit, loss of reputation, cost of IT services, and the cost of credit and identity monitoring. There is also considerable loss of productivity from dealing with these issues.
It is important to be proactive, and consider some of these items prior to any data loss:
- Data encryption and other security measures
- Insurance to cover any losses
- Insurance to cover regulatory fines and penalties
- Communication plan
I hope you will consider the points in this article before you encounter the loss of a device. You certainly will be considering them if such an event occurs.
Jeffrey T. McGuire, JD, is a partner with Cipriani & Werner PC in Lemoyne and serves as legal counsel to the PICPA. He can be reached at email@example.com.
As counsel to numerous professional firms and associations, I am asked frequently about cyber risk. As technology advances, we have more and more information stored on electronic devices and in the so-called “cloud.” Cyber risk is of particular concern for professionals like CPAs and attorneys because they hold confidential client information such as Social Security numbers and financial information. There is no prohibition against maintaining our data electronically, and particularly in the cloud; however, we must be aware of the risks and take reasonable precautions to protect our data and, above all, our clients’ confidential information. As professionals we must remember that our clients trust us, and we have to make sure that trust is not misplaced.
Clients have an increased expectation that we are available 24/7 and that we have all their information at our fingertips to answer their questions and respond to their concerns. We are therefore more and more dependent on technology and are storing more and more information that is available remotely. This makes our data subject to increased cyber risk. The first question is, are we prepared for the risk? Generally, the answer is that firms are not. They are not fully aware of the risk and are not prepared for it. The second question is, are we prepared to respond to a breach of our data? Again, generally, the answer is that firms are not.
Any size firm is subject to cyber risk. The statistics are alarming. Identity theft and security breaches are on the rise. The cost to respond to a breach has been reported at up to $204 per record, with an average cost of $2.4 million per breach. Beyond the financial cost of responding, which can be staggering, there may also be bad publicity, loss of productivity, and loss of reputation.
Now, I generally don’t use text messaging for work but where are those messages stored and how safe are they?
When we are using technology we need to evaluate the risk and what, if any, safeguards are in place. I just assume Verizon has those text messages secured on their end, but what about my phone? If my phone is stolen, everything I have texted and not deleted is open for reading. But do I have the ability to wipe the phone’s memory remotely?
These are questions we need to answer for all our devices. Do we have an inventory of all the devices that are subject to cyber risk (every server, desktop, laptop, iPad, cell phone, etc.)? And not just company-owned devices, but also personal devices that have access to company data. Do we have an inventory of the types of data on each device (documents, emails, contact information, texts, etc.)? Do we have an inventory of which data of each type is on each device? Without all this information, we can’t fully appreciate the cyber risks involved.
Of course, there is insurance available to help with some of the risk. From a professional firm’s standpoint, insurance is about spreading or lessening risk. There are several types of policies available, and I suggest any firm consult with its insurance broker about the type of insurance that might work best for it. Fortunately, this type of insurance is not expensive, because although incidents are on the rise, the incident rate is still relatively low. Unfortunately, as touched on above, the losses can be extremely high, so be careful that your policy will cover the full extent of the loss.
The reality is that professional firms need to spend time addressing their cyber risk. They need to catalog their data and determine action plans to prevent the loss of data and to respond to any loss. I recommend you address these issues immediately in consultation with your computer experts, your insurance broker, and your attorney.
Since posting this blog, the following exchange took place on LinkedIn, which you may find helpful:
Jeffrey - it is far less costly and much more effective to implement appropriate (i.e., cost vs. countermeasures; reduction of risk to an acceptable level) information system security policies, procedures and countermeasures than to purchase insurance policies. Properly implemented, an adequate IS security program will obviate the need for additional insurance and go much further to prove prudent managerial action (for litigation). This is not just a technical issue, as most incidents involve human behavior (both authorized insiders as well as non-authorized outsiders). Also - there is a slight (but very important) difference in implementing risk mitigation for information system incidents versus disaster recovery planning. The IS security profession has been around for several decades and some very well-regarded professional certification systems are now key (e.g., CISSP, GIAC). There are even a couple of LinkedIn groups for this.
Thanks for the additional information. I completely agree that appropriate information system security policies, procedures and countermeasures must be implemented. But I'm not sure there is an acceptable risk level. This is particularly true for associations and depends upon what confidential information an organization or company maintains. That is why I think everything should be assessed and considered.
If there is no acceptable level of risk, no firm has enough resources, nor are there enough countermeasures available. Here is a synopsis of information system controls viewed to be critical:
That is an excellent list! Thank you for sharing it. I think we agree on this. My point is that there is no one level of risk that is acceptable across the board, and each company must assess the risk. There are far too many variables. Even if a company does everything listed, there remains a risk. For some companies I believe that risk is too great not to purchase insurance, but that is why a complete assessment is needed. From everything I have read on the subject, the data cannot be completely protected if it is to be accessible and usable. At that point, what confidential information is contained in the data will certainly be a factor. Lawyers and CPAs whom I represent maintain Social Security numbers and a lot of other extremely confidential information. A data breach would be extremely expensive, and the firm should decide ahead of time what risk they will take and whether they will insure it.
Unfortunately, many companies do not know the risks and take no
Jeffrey T. McGuire
I'm an attorney specializing in the representation of professionals (particularly CPAs), their firms and their associations. Contact me at firstname.lastname@example.org