Data Privacy: Risks and Prevention

Countries around the world are bracing for more fallout from Friday’s worldwide ransomware attack. Security experts are calling the so-called WannaCry malware attack the largest such attack in history. So far, more than 150 countries and major businesses and organizations, including FedEx, Hitachi, and Great Britain’s National Health Service, have been affected. Approximately 200,000+ computers around the world have been hit by the malware, which takes advantage of a security vulnerability in computers running the outdated Windows XP operating system. Although Microsoft began offering a security patch in March, many users have yet to install it. This incident once again demonstrates the vulnerability of computer systems and IT architectures around the world. As such, we wanted to make you aware of the issue and provide some very basic steps to help mitigate your risk of such an attack and respond appropriately in the event you find yourself a target:

• Communicate with your Information Technology and Security Teams to ensure they are aware of any incident and the need to take steps to protect your IT systems, including installing appropriate patches, updates, and antivirus software.
• Ensure your Information Technology and Security Teams remain vigilant to signs of a compromise, are available 24/7, and are ready to engage your incident response process, if necessary.
• Review your backup and disaster recovery systems.
• Educate your workforce about the risks and steps that can and should be taken, including:
  • Help them recognize common signs of a phishing attack and take appropriate action (or inaction), for example:
    • Are they expecting the email?
    • Do they recognize the sender?
    • Is the email formatted professionally with correct grammar?
    • Remind them to hover over (but do not click) any links and the sender address to view the underlying domain of the links. Do the links point to the same domain as the sender? Is it a domain they recognize?
    • Most Importantly: does the email ask them to DO anything? An email that asks for action such as clicking a link or asking the recipient to log in or reply with information should be viewed as a red flag.
    • Remind them to be aware of the “unsubscribe” trick, in which case the email contains an unwanted solicitation that includes an obvious unsubscribe link. The unsubscribe link will then lead to an infected website. Again, remind them to check the underlying domain of the link.
  • Remind them to always bring suspected phishing attacks to the attention of the Information Technology and Security Teams to allow identification of coordinated attacks and issuance of warnings.
  • Avoid using public Wi-Fi to access work email and other systems, unless and until notified by the Information Technology and Security Teams.
  • Disconnect from the company network by unplugging a physical connection and turning off the Wi-Fi connection in the event of any unusual computer activity.
  • Circulate the correct contact information for the Information Technology and Security Teams.
• In the event of a suspected or actual information security incident:
  • Initiate your cyber incident response plan.
  • Involve in-house or outside legal counsel at the beginning of your incident response to help properly protect privileged communications.
  • Use your legal counsel to engage appropriate third party consultants, including forensics and public relations experts.
  • Contact your cyber-insurance carrier to evaluate potential coverage.
• Our data privacy professionals can also assist you with the following:
  • Developing data privacy management programs.
  • Establishing and updating data privacy policies and incident response plans.
  • Represention in litigation or investigations regarding data privacy breaches or alleged improper use of data.
  • Creating vendor risk management programs.
  • Conducting privacy due diligence in M&A transactions and structuring deal terms to help mitigate risk.
  • Advising executives and boards of directors on cyber-risk and facilitating breach incident response exercises.