This post is a follow-up to my previous posts covering the Yahoo-Verizon merger. ((Matthew Dolloff, The Verizon-Yahoo Merger, MBELR Online (Jan. 22, 2017), http://mbelr.org/the-verizon-yahoo-merger/.))
The Threat of Cyber-crime
Cyber-crime is one of the greatest threats that businesses face, ((Denise Lugo, Verizon Team Warns of Increased Cybercrime in Accounting, Bloomberg (Mar. 23, 2017), https://www.bloomberglaw.com/search/results/7ebb9e82c35d26b469a8a186711bd74e/document/X2ESTUVG000000.)) and it’s a problem that is only becoming more prevalent. The New York Office of the Attorney General saw a 60% increase in data breach reports in 2016 compared to the prior year. ((George Lynch, New York Sets Data Breach Notice Record in 2016, Bloomberg (Mar. 22, 2017), https://www.bloomberglaw.com/search/results/7ebb9e82c35d26b469a8a186711bd74e/document/XEGCUMNG000000.)) This was an all-time record, and the personal data of over one million people was compromised. The Verizon-Yahoo merger is a perfect example of the impact that cyber-crime can have on a company’s bottom line; the hack reduced the company’s acquisition value by $350 million, and both companies will continue to incur litigation costs pending numerous class action lawsuits. ((See Seth Fiegerman, Verizon Cuts Yahoo Deal Price by $350 Million, CNN (Feb. 21, 2017), http://money.cnn.com/2017/02/21/technology/yahoo-verizon-deal/.))
Cybercrime can also damage companies more directly. According to Verizon Enterprise Solutions’ Chris Novak, it is relatively easy for scammers to target a company’s financial department due to the nature of their work. A company could have $200 to $300 million stolen, and it might not be discovered until it’s too late for the company to act and recover the losses. ((Lugo, supra note 2.)) The most vulnerable entities are those that handle countless transactions in an average day, like a retailer or bank. ((Id.)) Many businesses lack basic defenses against cyber-scams. For instance, 65% of data breaches involved a broken or weak password, which is not a sophisticated method for breaking into a system. ((See Id.)) Businesses need to make cybersecurity a greater priority.
An important step towards greater protection of customer data and business networks is laws requiring businesses to ensure that their security is up to date. Regulations that mandate a minimum standard give businesses an incentive to invest in more protection, which would benefit their customers and mitigate their own risk of loss.
New Cyber-Security Laws
New federal and state regulations are being introduced to ensure that companies are strengthening their online defenses. ((Lugo, supra note 2; Lynch, supra note 3.)) New York is one of the first states to protect against cyber-crimes with new regulations that went into effect at the beginning of March. The laws require banks and insurers to meet a cybersecurity standard, which is designed to protect their networks and customer data from cyber-attacks. ((Karen Freitfeld & Jim Finkle, New York State Cyber security Regulation to Take Effect March 1, Reuters (Feb. 16, 2017), http://www.reuters.com/article/cyber-new-york-idUSL1N1G11F2.)) The regulations cover a variety of subjects, such as penetration testing, multi-factor authentication, and encryption. ((Jack Hewitt, Bloomberg Law Insights: An Analysis of New York’s Cybersecurity Regulation, Bloomberg (Feb. 21, 2017), https://www.bna.com/bloomberg-law-insights-n57982084083.)) The laws also impose requirements on the corporations to disclose cyber events to state regulators. ((Id.)) Some provisions of the regulations have grace periods of over a year, so some businesses might not be in compliance until 2018, ((Id.)) but hopefully New York will see a reduction in breach reports as companies tighten up cybersecurity.
However, a minimum security standard will not solve all data breach problems. In Yahoo’s case, the attack was state-sponsored – which is likely to be more difficult to repel. ((See Brian Womack & Jordan Robertson, Yahoo Security Lapses Laid Bare as Russia Blamed for Hack, Bloomberg (Mar. 17, 2017), https://www.bloomberglaw.com/search/results/cdaf51a77cf727707653bfc46dd0fe2d/document/X1A707PK000000.)) National Security Agency Deputy Director Richard Ledgett said the government needs to help its domestic businesses in cybersecurity, ((See Jimmy H. Koo, U.S. Cybersecurity Insufficient, Intelligence Officials Say, Bloomberg (Mar. 22, 2017), https://www.bloomberglaw.com/search/results/7ebb9e82c35d26b469a8a186711bd74e/document/XEGCUMNG000000.)) and preventing state-sponsored attacks would go a long way in protecting against domestic economic loss.