Hartford Business Journal

HBJ091823UF

Issue link: https://nebusinessmedia.uberflip.com/i/1507605


HARTFORDBUSINESS.COM | SEPTEMBER 18, 2023 | FOCUS: ACCOUNTING

According to Yoder, the 2021 law protects only against potential punitive damages, and a business or entity could still face having to pay compensatory damages because of litigation filed following a cyber attack.

Even so, Yoder said proper compliance with a recognized cybersecurity framework "will minimize the scope and severity of harms that might flow from a security breach."

"Protecting businesses against punitive damages — that's still a significant protection," Yoder said.

Breaches and lawsuits

Hackers have been successful recently attacking multiple Connecticut targets, from large hospitals to a city.

California-based Prospect Medical Holdings, which owns Waterbury, Manchester Memorial and Rockville General hospitals, was the victim of a ransomware attack reported in early August. While Prospect indicated its clinical staff has continued to provide uninterrupted patient care, it had to take computer systems offline.

In another recent breach, about $6 million was stolen from the New Haven school system after a hacker got access to a city worker's email account and was able to secure wire transfers. The city, as of August, had recovered about $3.6 million.

According to Statista, in the first quarter of 2023 alone, more than 6 million data records were exposed via breaches worldwide.

Meanwhile, the number of lawsuits related to cyber attacks continues to grow.

On Aug. 17, a class action lawsuit was filed in U.S. District Court in Connecticut against Hartford Life and Accident Insurance Co. claiming it failed to properly safeguard personal information, from names and dates of birth to Social Security numbers. The litigation claims cybercriminals infiltrated the Hartford-based insurance company's "inadequately protected" network servers in a data breach in May.
A federal class action lawsuit filed in May against Stamford-based Webster Bank claimed nearly 200,000 customers' personal information was exposed because of a data breach, putting them at risk for identity theft and fraud.

In March, a federal class action was filed in Connecticut against Ridgefield-based Merritt Healthcare Advisors over a data breach discovered in November 2022. Plaintiffs claim the business failed to safeguard their personal information and failed to notify them until March 2023.

Nationwide, class action cases related to cyber attacks have been filed in recent months against Johns Hopkins University, Norton Healthcare in Kentucky, and the law firm Orrick, Herrington & Sutcliffe International, to name a few.

'Just nonstop'

Wisneski, of Whittlesey, in late August was working on seven open cyber breach cases for clients, and he described the frequency of breaches as "just nonstop."

Cyber attackers are most frequently using tactics such as phishing, in which a hacker pretends to be someone trustworthy, typically via email, to gain sensitive data like bank account information.

A new trend has been "multifactor bypass." Through typical multifactor authentication, many entities require not just a password, but a secondary step, such as a code sent via text that a user has to enter. Now, hackers are setting it up so it appears to a user that they are doing this secondary authentication, when actually the hackers are stealing their session, according to Wisneski.

"We rely on multifactor and think it's got to be secure, well now you can't think like that all the time, unfortunately, because of this new attack," Wisneski said.

Another common ploy used by hackers is to target third-party vendors or suppliers to larger entities, such as banks. Those secondary targets may have much of the information hackers want, while being easier to infiltrate.
Steve Maresca, a senior security engineer at Vancord, said ransomware is the "biggest threat that most businesses see on their horizon."

"The chief concern that keeps everyone up at night is ransomware — the disabling of data and services because it's encrypted by an attacker," Maresca said.

Here's how to respond to a cyber attack

By Michelle Tuccitto Sullo
msullo@hartfordbusiness.com

So, what happens if your business is victimized by a cyber attack?

Security and legal experts say contact your in-house or outside IT provider immediately, so steps can be taken to mitigate the impact, such as shutting down the system and disconnecting it from the network. This provides some time to figure out what has been affected, said Chris Wisneski, manager of IT security and assurance services with accounting and consulting firm Whittlesey.

Experts also advise contacting your insurance provider immediately.

"The insurer needs to be part of that equation for all manner of reasons, including legal assistance that they can offer," said Steve Maresca, a senior security engineer at Milford cybersecurity services provider Vancord.

Another key thing to do is consult with a cyber expert to make sure you respond appropriately. Cyber firms can provide incident response assistance, including interacting with scammers, breach investigations and compliance help.

For example, employers need to find out their state's deadline to report breaches so they are in compliance. In Connecticut, employers have no more than 60 days to report on a cyber attack after discovering a breach.

If hit with a ransomware attack, experts advise employers to seek help and never interact with the attackers directly. They also advise against negotiating with anyone making demands.

"Once you start negotiating, they see that, the dark web sees that, and you want to avoid being that company that negotiates and pays out money," Wisneski said.

Criminals can't be trusted to decrypt files if you pay a ransom, he noted.
Instead, hackers could take the ransom money and still never help an employer retrieve their files.

Entities that have negotiated or paid ransoms typically still lose their data, and immediately get a demand for more money, notes Maresca.

"There's no real positive outcome by engaging with those who already acted in a nefarious manner," Maresca said.

Prevention measures

The U.S. Department of Health and Human Services recommends having an incident response plan as a preventive measure against a cyber attack, noting it can minimize damage.

It also recommends using endpoint security tools to check all points of entry in a network and stop anything malicious. Firewalls and intrusion detection systems can also help block suspicious activity. A detection and response system, such as ongoing monitoring of unusual traffic or logins, is also helpful.

Experts say employees are the first line of defense against attacks, so regular training is needed to boost security awareness.

Wisneski recommends ongoing phishing awareness campaigns to educate workers on what phishing attempts look like, as he said phishing is still the primary way hackers breach systems. He also recommends periodic cybersecurity assessments to gauge risk and fix problems.

Teach employees what to do if there is a problem, including drills or exercises to simulate an actual event, Maresca recommended.

The best way to avoid being impacted by a ransomware attack is to solidly back up all information offline, according to Wisneski.

While not perfect, having two-step verification, a password plus a code to enter, can still deflect a large portion of attacks, according to Maresca.

Michael Grande, president and CEO at Vancord, said cybersecurity needs to be ongoing, and companies need to routinely monitor it and make upgrades.

[Chart: Number of data records exposed worldwide, in millions, by quarter from Q1 2020 to Q1 2023. Source: Statista]
