Lessons Learned from the DNC Security Hacks
Russian espionage, presidential campaign strategy, and covert actions shroud the recent data security hack of the Democratic National Committee’s (DNC) system in political intrigue. At first, it may seem too James Bond for the modern American workplace. But by looking at how the DNC reacted against the legal and risk management backdrop, we can learn how to avoid similar data security hacks.
The Washington Post broke the story of Russian government hackers accessing the DNC system. The apparent target was DNC research on presumptive Republican presidential nominee Donald Trump. This wasn’t a quick, one-time intrusion. According to TechCrunch, the hackers, identified as Cozy Bear and Fancy Bear, were found to have been monitoring DNC emails and chat traffic since June 2015 and April 2016, respectively. According to Wired, the hackers accomplished this by installing malware on the DNC’s servers and computers that continually stole information and sent it back to the hackers’ servers. To stay undetected, the hackers regularly changed their malware and “persistence” techniques to evade antivirus programs and similar security measures.
According to the Washington Post, while there is no hard evidence, the security breaches were likely the result of “spearphishing” emails that look legitimate but contain links or attachments that, when opened, deploy malicious software that gives hackers access to internal networks. In a statement, the DNC claimed that “no financial, donor or personal information appears to have been accessed or taken.” DNC staffers report that their research on Donald Trump would have been made public sooner or later.
The claim that no private information has been accessed or taken from the DNC’s system is a critical legal issue. As we’ve reported earlier, a growing patchwork of state and federal laws governs the duties of businesses and organizations to keep personal information secure. Most states require organizations to notify individuals whose personal data was accessed by an unauthorized source. Personal information often includes unencrypted medical and financial information, but with increasing frequency it also includes email addresses linked with passwords or answers to security questions. This duty serves a notice function to those whose personal information may have been compromised.
In addition to notification, businesses have been found liable for data security breaches under their watch. Many legal theories percolate through the courts: negligence, breach of contract, and violation of state data security laws are the most common, according to law firm Bryan Cave. Fact patterns in investigations or cases against companies like Dwolla, LinkedIn, and Home Depot share common examples of suspect behavior:
* Promising data security to customers and failing to deliver
* Not reacting quickly enough after learning about a data security breach
* Insufficient internal protocols that do not meet industry standards
* Unfair, deceptive, or abusive business practices that harm consumers (government agencies like the Federal Trade Commission and recently the Consumer Financial Protection Bureau are enforcers)
In the case of the DNC data breach, it appears no personal information was accessed (the investigation is still pending), though Gawker disputes the DNC’s statement by showing that names, donation amounts, e-mail addresses and home addresses were accessed in the hack. While many people would consider this information private, it generally doesn’t meet the legal definition of personal information that triggers notification duties.
If there turns out to have been unauthorized access to personal information, the DNC’s quick reaction is a point in its favor. As explained by Wired, when the DNC IT department noticed suspicious behavior, it informed the DNC’s CEO, who then told the DNC’s outside counsel, who then called cybersecurity firm CrowdStrike to help with the breach. “Within 24 hours of the first signals that something was amiss, CrowdStrike was brought in to install monitoring software to analyze the details of who was responsible. The DNC has also been in contact with the FBI since the hack was discovered.” The DNC’s reaction was smart because the organization’s leaders were apparently informed immediately, an expert was brought in to investigate, and the organization cooperated with law enforcement.
The DNC provides many helpful compliance tips for businesses operating in the 21st century.
* Secure your data. Because the DNC IT department was the first group to notice suspicious activity, chief technology officers should be keenly concerned with securing data and should implement stringent policies and procedures. As a starting point, the Consumer Financial Protection Bureau’s Dwolla consent order provides recommendations.
* React quickly and thoroughly. Reacting to a data breach is just as important as ensuring it doesn’t occur in the first place.
* Train everyone in your organization. Data security is no longer exclusively the realm of hackers and IT experts. It affects anyone who has access to an organization’s network, and most data breaches are the result of human error. Fake “spearphishing” emails were directed at DNC staff, making human error the probable cause of the data breach.
Data security training, good policies, and technical solutions work together to create a comprehensive cyber security program. Learn more about LawRoom’s online data security training or read our white paper on what makes an effective data security training.