Companies including Equifax, Target and JP Morgan Chase have suffered large-scale data breaches in the past few years, which has a number of other employers wondering whether they will be the next target.
Epstein Becker Green attorneys Robert Hudock, a member in the Health Care and Life Sciences practice in Washington, D.C., and Brian Cesaratto, a member in the Employment, Labor & Workforce Management practice in New York City, spoke with Employee Benefit News to discuss the latest hacks, how employers can protect themselves from internal and external threats, and why the benefits department should be involved.
This conversation has been edited and condensed.
Employee Benefit News: How are employers feeling in this climate?
Robert Hudock: When I’m talking with an executive or board of directors or general counsel, they just don’t want to be the next person affected by a significant breach. Is this a problem that I need to worry about? What can I do to prevent this from happening to my organization? It’s fear and then looking for an answer to solve this problem. When they look for that answer to solve this problem, there are lots of people out there saying buy this tool. With the Equifax breach, you saw some of the bigger tools. The reality of this is a lot of this is human, human issues. The tools aren’t going to solve a lot of these things.
EBN: Is it worth paying for them? Should these companies be buying cybersecurity tools?
Hudock: What you need to do is you need to think about the risk profile of your organization and what are the key vulnerabilities and threats to our mission or my mission in order to say, “Should I buy this tool? Should I not buy this tool?” What we try to do is every time a breach happens, we develop a library of cases so we can say when we’re working with executives: This is the type of situation that happened. This is how it happened. What if this happened to your organization? How would this be handled? And then try to estimate the likelihood that this could happen, and then you get into the tools.
Brian Cesaratto: The tools are one technique that is part of a larger strategy for insiders like employees. You’re talking about policies, hiring, system use. In the benefits area, employers maintain benefits. That’s very sensitive data. Social security numbers, health information. What we see happening more and more, with what’s happening in the news with the breaches, is that there’s an increased awareness that you need to look at your key data. Benefits information is one component of that. How do we safeguard it? What do we put in place? As Robert said, it’s the human element too, which is personnel. Looking at your personnel and putting in place policies and techniques to try and prevent it in the first instance.
EBN: Who should be coordinating efforts to prevent hacks?
Cesaratto: Our approach is that it should be a coordinated effort — HR, benefits, IT and legal coming together with a strategy that looks to prevent in the first instance, then to detect and respond in a way that’s appropriate. [They need to] be prudent and to take prudent precautions ahead of time because the consequences are so dire.
EBN: What’s the best strategy for an employer to implement before a hack occurs?
Hudock: Developing a good incident response plan for likely scenarios is key. The next step is to go through a tabletop exercise, which is sort of a high-level process of saying, “Pretend this happens. Who do we communicate with?” It’s about understanding those communication pathways so that we’re ready to address a breach when it does occur.
At the next level up from that, you begin to simulate the breach. You create the artifacts that the system has been compromised and we see this evidence. What are we doing? In a more technical level, integrating all the different pieces together because what people sometimes fail to realize, incident response is just not about IT. It’s about IT interacting with the executives and having a proper communication pathway. If you don’t have that, you potentially have someone in IT making a decision that binds the organization to a particular pathway that they may not want. What we recommend is building out an incident response plan similar to this, then going through tabletop exercises.
EBN: I know with hospitals in particular, that’s been a big target for breaches because there’s so much data available. Have you been working with hospitals and health systems? What are they doing to avoid a hack?
Hudock: I actually have one example that may be very relevant to the employer space, and that is 401(k)s. We actually see a large number of incidents where an insider potentially tries to cash out a 401(k) of employees. In that type of situation, you’re putting in place monitoring. You have only a certain number of people that have access to that information to begin with. You also compartmentalize. If someone takes this information, then we have a good indication of specifically who that person was.
Taking a step back and talking about hospitals, hospitals have some additional problems to worry about. It’s not just monitoring when information is being taken. Because yes, we see medical identity theft where gangs come into the organization and bribe nurses to steal sheets for certain patients. Patients that are very old, disabled, have severe mental disabilities, are much less likely to detect that their identities have been absconded. Those particular people are very valuable for medical identity theft.
EBN: Do you find that employees or customers will have less of an incentive to work or shop at a hacked company? Have you seen an impact on the consumer/employee level?
Hudock: With Target, you had some specific issues in the short term around people trusting Target. People’s memories are short. With the Equifax breach, that will be an interesting case because the product they sell, that was compromised here, was central to the organization’s purpose. Target wasn’t a credit card company. Target is a retail company. Equifax, they’re in the business of identity theft prevention. Now they themselves have become the weakness.
Cesaratto: Absolutely. The other thing, on the malware piece where they lock you down and demand money, it’s the same type of analysis for benefits or payroll. If they lock down your payroll, can you keep your company going? And thinking about that and how you protect that. In the event that that happens, do you have another place to go to restore that data and keep your payroll going until you fix the problem?
EBN: Is cybersecurity something employers are regularly talking about with counsel or is this a reactionary process once a hack occurs?
Cesaratto: I certainly think that the awareness is increasing and the education level is increasing, in part because of [the Russian hacking scandal during the 2016 election]. It’s front and center in the news every day. It wasn’t like that a few years back. People are thinking about it more and at least considering what they should do and what to put in place to protect themselves, to protect their company.