They're in my INBOX!

Our team has seen recent attacks in which mailboxes were successfully infiltrated and malicious messages carrying attachments were then sent to the victim's unsuspecting contacts. A recent example, which landed in one of our own inboxes, arrived as a reply to a message we had previously sent, so it carried the full context of a real conversation.

What's alarming is that a reply in an existing thread clearly shows the attacker was inside the victim's mailbox, with access to some or all of the following:

  • Existing e-mails (potentially containing personal information protected under Florida law)
  • The ability to send malware to every contact the victim has ever corresponded with
  • Password resets for any other account tied to that e-mail address (YIKES!!!)
  • Banking info (personal & business)
  • And so on...

Because this has some legal repercussions, we thought it would be helpful to get some thoughts from attorney Lisa Shasteen of Shasteen & Percy, P.A., a boutique law firm specializing in cyber and privacy law. "I think the issue for most business people is that you’re assumed to know the law, but there are so many laws, it’s hard to keep track", Shasteen said. She elaborates that, "there are many laws that nobody seems to have heard of, and it’s not just for banks and healthcare!"

A Legal Problem?

In our conversation with Ms. Shasteen it was alarming to learn that an event like this, which seems harmless on the surface, could trigger an obligation to report to the Florida Attorney General's office under F.S. 501.171. According to Shasteen, the statute "requires all businesses in Florida to protect personal information of customers, employees, etc."

But what is the standard for reporting an incident? Many assume you would have to prove the attacker actually viewed or downloaded data about your employees or clients.

The actual standard, according to Shasteen, is whether the hacker had sufficient access to do so. "Most businesses want to ignore it and move on, and we understand that, but keep in mind that 70% of breaches are reported by your clients who are contacted by the hackers and harmed in some way," says Shasteen. "The best and least expensive approach is to work with an attorney on a risk assessment and make sure your technology is professionally managed by a company like DataCorps that is sensitive to security."

How do they get in?

Most of us think that hackers use elaborate methods to break into our systems, but the reality is sadly far simpler: we let them in by choosing short, easy-to-guess passwords, or by reusing one password across several systems so that a single leak opens all of them. We've previously addressed passwords in our post, "Picking Perfect Passwords", so we won't cover that again here, but an incident like this highlights how much priority should be placed on strong, unique passwords.

What do I do now?

Here are the standard recommendations we have for all our clients:

  1. Replace any weak passwords with strong ones
  2. Do not re-use a password across systems
  3. Implement two-factor authentication everywhere possible
  4. Get a Dark Web Scan from us to ensure your passwords aren't already out there. Fill out the form on this page!
  5. Conduct a Risk Assessment on your business with a firm like Shasteen & Percy, P.A. to ensure any findings are protected with attorney/client privilege.
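Items 1 and 4 above both come down to one question: is a given password already in a breach corpus? The usual way to answer it without handing the password to anyone is the k-anonymity scheme used by the Have I Been Pwned "Pwned Passwords" service, where only the first five hex characters of the password's SHA-1 hash are sent and the service returns every hash suffix in that range. The script below is an added example written for this post; it is not DataCorps' or Shasteen & Percy's tooling. The range response embedded in it is a constructed sample (real responses contain hundreds of suffixes, and the count shown is illustrative, not the service's real figure), so the check runs offline; the `fetch_range` helper is the only part that touches the network and is never called automatically.

```python
"""k-anonymity breached-password check (added example, offline by default).

Only PREFIX (first 5 hex chars of SHA-1) would ever leave the machine;
the password itself and the remaining 35 hex chars never do.
"""
import hashlib
from typing import Dict, Tuple

# Real endpoint of the Pwned Passwords range API; used only by fetch_range().
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response ("SUFFIX:COUNT" per line) into {suffix: count}."""
    seen: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue  # tolerate blank lines / trailing newline
        suffix, _, count = line.partition(":")
        seen[suffix.upper()] = int(count)
    return seen


def breach_count(password: str, range_body: str) -> int:
    """Times the password appears in the corpus for its prefix (0 = not found)."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a 5-char prefix. Network call; optional."""
    import urllib.request
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix.upper(),
        headers={"User-Agent": "breached-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for the prefix of "password" so the example
# runs offline. Filler suffixes are arbitrary; the count is illustrative.
_PREFIX, _PWNED_SUFFIX = split_hash("password")
SAMPLE_RANGE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_PWNED_SUFFIX}:3861493",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3",
])


if __name__ == "__main__":
    # To check against live data instead: body = fetch_range(_PREFIX)
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, SAMPLE_RANGE_BODY)
        verdict = f"seen {n} times in breaches" if n else "not in this range"
        print(f"{pw!r} (prefix {split_hash(pw)[0]}): {verdict}")
```

Any password that comes back with a non-zero count should be treated as already public, exactly as if it had turned up in a dark web scan, and replaced everywhere it was used. Note that the same k-anonymity idea is what makes it safe to run this check from a script at all: a service that asked for the full hash, or the password itself, would be a liability in its own right.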