2017 is going to be a big year for cybersecurity and data privacy, possibly even bigger than 2016 — and 2016 was a whopper.
In this blog post, I’ll look back at some of the key cybersecurity and data privacy events of 2016, and follow up in my next blog post with a look ahead at what 2017 has in store.
In 2016, there were several developments that were simply unprecedented — some of which helped inspire me to start Hexagon CyberLaw, a law firm dedicated to cybersecurity and data privacy.
2016 was the first time that cybersecurity was a significant political issue. Throughout her Presidential campaign, Hillary Clinton was consistently dogged by Republicans over her handling of classified and sensitive information on a private email server while Secretary of State, conduct which the FBI publicly deemed “extremely careless.” And, as is still coming to light, we had Russia’s intervention in the election: the hacking of the email accounts of the Democratic National Committee and of Clinton campaign chair John Podesta, and the release of thousands of their private (and often embarrassing) emails through WikiLeaks.
The hack of those email accounts was apparently accomplished via a commonly used method: phishing, in which attackers obtain information such as login credentials or account details by impersonating a trusted person or entity and inducing the victim to hand them over. No software vulnerability is needed; the target’s trust is the weakness being exploited.
Carelessness and phishing are cybersecurity and data privacy risks that even the smallest businesses face every day, and in 2016 they had big political implications.
Like the years before it, 2016 saw several large data breaches. Yahoo!’s breach, involving data from more than 500 million accounts, was one of the largest ever. In addition to the usual data breach fallout (damage to reputation, loss of customers and revenue, class action lawsuits, regulatory scrutiny, etc.), the Yahoo! breach is significant because news of it came just as the company was finalizing a roughly $5 billion deal to be acquired by Verizon. Not surprisingly, Verizon threatened to back out of the deal because of the breach.
While record-breaking data breaches at large corporations are the ones that make the news, small and medium-sized businesses are hit far more often. Commonly cited industry figures put more than 75% of data breaches at small and medium-sized businesses, and hold that 60% of small businesses hit with a cyberattack close within six months.
Ransomware is a type of malware that blocks access to data (typically by encrypting it) until a ransom is paid to the attacker, and in 2016 it became the most profitable form of malware in history. In 2016 there were, on average, more than 4,000 ransomware attacks per day, a 300% increase over 2015’s roughly 1,000 per day.
Hospitals and other healthcare facilities were the favorite target of ransomware attacks, and understandably so: they provide critical care and rely on accurate, up-to-date information (patient records, drug histories, surgery plans, etc.). To avoid delays, harm to patients, and lawsuits after a ransomware attack, many victims paid the ransom, and then kept their fingers crossed that a working decryption key would follow. Paying buys no guarantee of getting the data back.
Early in 2016, in the aftermath of the mass shooting in San Bernardino, CA, we had the standoff of the FBI vs. Apple (security vs. privacy) over the encryption of an iPhone connected to the attack. After weeks of battling it out in the media, before Congress, and in court, the legal showdown ended with a whimper when the FBI (via an undisclosed third party) was able to unlock the iPhone without Apple’s assistance. While that particular case is over, the underlying cybersecurity and privacy issues remain unresolved.
The Office for Civil Rights (OCR), which is responsible for HIPAA enforcement, had a big year in 2016. This included the OCR’s settlement with Advocate Health Care Network for $5.55 million, the largest ever settlement for a HIPAA violation. And that settlement was only one of 12 such settlement agreements in 2016. To put that in perspective, from 2003 through 2015 there were only 29 published settlement agreements.
Think OCR only goes after big businesses? Think again. One of 2016’s settlements was with Complete P.T., Pool & Land Physical Therapy, Inc., a company with eight physical therapists that settled its HIPAA violation for $25,000.
While the OCR’s 2016 settlements varied in the size of the covered entities and the dollar amounts involved, two threads ran through most of the cases, and they carry lessons for every company that might be a “covered entity” or “business associate” subject to HIPAA. The first was lost or stolen laptops or mobile devices that held unencrypted protected health information; had the data been encrypted in line with HHS guidance, the loss of the hardware would not have been a breach of unsecured PHI at all. The second was a cluster of the same HIPAA violations: failing to perform an organization-wide risk analysis, and/or failing to enter into business associate agreements (such as with cloud service providers).
So, that’s where we’ve been in 2016. Stay tuned for my next blog post regarding what lies ahead in 2017.