Mallory King - May 18, 2020 - Internet Law, Privacy
More and more often, small companies have no choice but to operate in the digital space of the internet. This poses security issues not only for your own information that exists online, but also for the personal information that your customers entrust to you in their online interactions. You are responsible for the customer data that you collect through the internet, and there are unique vulnerabilities in that space that you must address to protect yourself from unnecessary legal risks.
Before a breach even happens, you will need to take steps to create a data breach notification plan to deal with cybersecurity threats if they come up, and that will require knowledge of the risks to your systems and the steps you can take to mitigate any harm. Many businesses operating online may not have the resources and decades of experience that companies with well-established online presences have, and the process of bolstering your online defenses as a new business can seem a daunting task. Fortunately, there are public resources available for cybersecurity monitoring and reporting that organizations have put in place to make the online space a more secure frontier for businesses of any size.
Please note: Traverse Legal does not endorse, sponsor, or have an affiliation with any of the below organizations or make any guarantees on the results associated with the same. However, the tools available through these organizations may be useful for businesses seeking to bolster their data security.
MITRE is a non-profit organization funded by a number of federal organizations that performs research and development for tools to make improvements to technology. This organization created the Adversarial Tactics, Techniques, and Common Knowledge project, or ATT&CK, to track how bad actors online breached digital security measures, and to create a common understanding of the language of cybersecurity among people operating in the digital space. The latter can be particularly helpful to those who are new or otherwise not well versed in hacking terminology to learn the dangers of operating a business online. Because everyone benefits when online knowledge and defenses are improved, the fruits of this project are free to contribute to and examine online. One of the most useful tools that ATT&CK has published is the ATT&CK Matrix, which shows the pathways hackers can take in stealing data. Learning about these processes and the terminology can help you to plan your cybersecurity strategy, gain knowledge that reduces your risk of negligent behavior online, and help create a safer internet for everyone online. Their site also allows for contributions to the project, which can allow you to help the team provide even better free tools in the future.
The website VirusTotal is a free tool that operates independently from other paid antivirus scanners. It allows you to easily upload and analyze files and links that seem suspicious and may put your collected data at risk. The site has a simple interface to help you quickly submit your questionable material, and the site will analyze it for malware. If the file or link you uploaded was safe, it will let you know and you can securely open it. If it is not safe, VirusTotal will warn you without the risk of compromising your data, and the site will automatically make the malware you discovered available to the cybersecurity community to deconstruct and examine for better defense in the future. This is another entirely free site that can greatly improve the tools one has against a potential data breach.
Google employs a team of security analysts called Project Zero for the purposes of finding “zero-day” cybersecurity vulnerabilities. These vulnerabilities are named for the fact that it has been zero days since the owner of the system discovered the vulnerability; thus they are new and valuable to hackers. The team functions as a public service, finding vulnerabilities for free and giving notice to the companies with a 90-day opportunity to fix the issue before notifying the consumers so they can protect their data.
The existence of zero-day vulnerabilities is very dangerous to businesses operating online, because they are hidden issues in security systems that can result in massive data breaches that can require costly efforts to mitigate and pay customers for their compromised data. While not all hackers are operating benevolently when they contact you with a vulnerability in your system, Project Zero and other “white hat” hackers are working to keep the internet safe for your data, and can be a valuable source of help if there is a hidden issue with your security that you could not have found on your own.
Information Sharing and Analysis Centers (ISACs) are non-profit organizations that assist US critical infrastructure in bolstering cybersecurity defenses by offering a centralized place for each kind of organization to share and learn about all known cybersecurity threats. Information Sharing and Analysis Organizations (ISAOs) are an upgrade to this system that encourages the formation of additional information sharing groups by providing legal liability protections to those organizations that participate. Each of these groups is designated for a specific industry and offers various levels of membership that grant access to, and benefits from, the cybersecurity efforts of the ISAC or ISAO. The industry-specific help provided by these groups can be even more effective than the general standards and best practices that most other cybersecurity resources can provide. This will give you the information you need to make an educated and effective strategy for your data breach plan, and help you protect your customers from such a data breach in the first place.
Altogether, it is important not only to keep track of what personal information you are collecting, how you are using it, and who you are sharing it with, but also to anticipate potential data breaches of that personal information. If you have questions about the legal effects of your cybersecurity efforts or need assistance navigating data breach liability, contact Traverse Legal’s attorneys today.
This blog post was contributed, in part, by Traverse Legal Virtual Law Clerk Scott Pehoushek.