Lessons Learned from the DNC Security Hacks 15:24, June 24, 2016

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

Our Resources

Lessons Learned from the DNC Security Hacks

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

Russian espionage, presidential campaign strategy, and covert actions shroud the recent data security hack of the Democratic National Committee’s (DNC) system in political intrigue. At first, it may seem too James Bond to the modern American workplace. But, by looking at how the DNC reacted amidst the legal and risk management backdrop, we can learn how to avoid similar data security hacks.

The Facts

The Washington Post broke the story of Russian government hackers accessing the DNC system. The apparent target was DNC research on Republican presidential presumptive nominee Donald Trump. This wasn’t an immediate hack job. According to TechCrunch, the hackers, identified as Cozy Bear and Fancy Bear, were found to have been monitoring DNC emails and chat traffic since June 2015 and April 2016, respectively. According to Wired, the hackers accomplished this by installing malware on the DNC’s servers and computers that continually stole and sent information back to the hackers’ servers. To stay undetected, the hackers regularly changed their malware and “persistence” techniques to avoid antivirus programs and similar security measures.

According to the Washington Post, while there is no hard evidence, the security breaches were likely the result of “spearphishing” emails that look legitimate but contain links or attachments that, when opened, deploy malicious software that give hackers access to internal networks. In a statement, the DNC claimed that “no financial, donor or personal information appears to have been accessed or taken.” DNC staffers report that their research on Donald Trump would have been made public sooner or later.

The Law

The claims that no private information has been accessed or taken from DNC’s system is a critical legal issue. As we’ve reported earlier, a growing patchwork of state and federal laws govern the duties of businesses and organizations to keep personal and information secure. Most states require organizations to notify individuals whose personal data was accessed by an unauthorized source. Personal information often includes unencrypted medical and financial information, but with more frequency includes email addresses linked with passwords or answers to security questions. This duty serves a notice function to those whose personal information may have been compromised.

In addition to notification, businesses have been found liable for data security breaches under their watch. Many legal theories percolate through the courts- negligence, breach of contract, and violation of state data security laws are most popular according to law firm Bryan Cave. Fact patterns in investigations or cases against companies like Dwolla, LinkedIn, and Home Depot provide commonalities of suspect behavior:

     *     Promising data security to customers and failing to deliver

     *     Not reacting quickly enough after learning about a data security breach

     *     Insufficient internal protocols that do not meet industry standards

     *     Unfair, deceptive, or abusive business practices that harm consumers (government agencies like the Federal Trade Commission and recently the Consumer Financial Protection Bureau are enforcers)

In the case of the DNC data breach, it appears no personal information was accessed (investigation is still pending), though Gawker rebukes DNC’s statement by showing names, donor amounts, e-mail addresses and personal addresses being accessed in the hack. While many people would consider this information private, it generally doesn’t meet legal standards.

If there turns out to be unauthorized access of personal information, the DNC’s reaction was quick, a point in its favor. As explained by Wired, when the DNC IT department noticed suspicious behavior, it informed DNC’s CEO, who then told DNC’s outside counsel, who then called cybersecurity firm CrowdStrike to help with the breach. “Within 24 hours of the first signals that something was amiss, CrowdStrike was brought in to install monitoring software to analyze the details of who was responsible. The DNC has also been in contact with the FBI since the hack was discovered.” The DNC’s reaction was smart because leaders of the organization were apparently informed immediately, an expert was brought in to investigate, and the organization cooperated with law enforcement.

Lessons Learned

The DNC provides many helpful compliance tips for businesses operating in the 21st century.

     *     Secure your data. Because the DNC IT department was the first group to notice suspicious activity, chief technology officers should be imminently concerned with securing data and implement stringent policies and procedures. As a starting point, the Consumer Financial Protection Bureau’s Dwolla consent order provides recommendations.

     *     React quickly and thoroughly. Reacting to a data breach is just as important as ensuing it doesn’t occur in the first place.

     *     Train everyone in your organization. No longer is data security exclusively in the realm of hackers and IT experts. It affects anyone who has access to an organization’s network; most data breaches are the result of human error. Fake “spearfishing” emails were directed at DNC staff, making human error the probable cause of the data breach.

Data security training, good policies, and technical solutions work together to create a comprehensive cyber security program. Learn more about LawRoom’s online data security training or read our white paper on what makes an effective data security training.

You might also be interested in...

  • Data Security Snafu not NegligentFebruary 6, 2017 Data Security Snafu not Negligent It was a true data security horror story. Hackers, according to a recent appeals court opinion in Pennsylvania, accessed and stole confidential information of 62,000 employees and former employees of the University of Pittsburgh Medical Center (UPMC). The information included names, […] Posted in legal update, data security
  • Don’t “WannaCry”? Take Charge & Raise Cybersecurity AwarenessJune 1, 2017 Don’t “WannaCry”? Take Charge & Raise Cybersecurity Awareness If even the National Security Administration (N.S.A.) can have its secrets stolen and exploited, what about private companies that have profit (not data security and intelligence) as their prime directive? According to the New York Times, cybercriminals turned stolen N.S.A. hacking tools […] Posted in data security
Douglas Kelly
Douglas Kelly is EverFi's lead legal editor. He writes on corporate compliance and culture, analyzing new case law, legislation and regulations affecting US companies. Before joining EverFi, he litigated federal and state employment cases and wrote about legal trends. He earned his JD from Berkeley Law and BBA from Emory University.

Leave a Reply

Leave a Reply

White Paper
Data Security training
for employees

  |   Download White Paper

 

Compliance Course Catalog
  |   Download Catalog