Last week, the nation’s second largest health insurance company, Anthem, announced a massive data breach. According to reports, personal information for as many as 80 million customers and employees of Anthem was accessed. While no bank account or credit card numbers were apparently stolen, information taken includes names, addresses, social security numbers, and medical records numbers.
I have echoed the warnings of security experts who have identified health care organizations as a major future target of hackers. While Anthem is not the first health care-related business that has suffered a data breach, it’s currently the largest.
But the Anthem hack targeted a health insurance company. What can we lawyers possibly learn?
Plenty.
1) Hackers aren’t just looking for credit cards.
Why do you rob banks? “Because that’s where the money is.”
Willie Sutton’s famous quote (and one he denied ever making) is appropriate here. The hackers behind the Anthem hack didn’t go after credit card or billing information. They went after personal identity information (“PII”). Why? Because that’s where the money is.
With your PII, a hacker can steal your identity. More significantly, they can do so anytime they want to. How is that? Well, just having your SSN is one thing, but what happens when they also know your email and your mother’s maiden name? Yep, that password hint that you added to make your email more “secure.” Now they don’t need to use your credit card before you report it stolen. Instead, they can wait years before taking out a loan in your name.
Health care providers have a wealth of PII in their possession. Medical records have all kinds of information about a patient, including a lot of the personal information that you use in response to various security questions, such as your mother’s maiden name.
The Anthem Hack’s Lesson for Lawyers:
You’re vulnerable. And you’re a target.
Like Anthem, your law firm has a significant amount of PII for your clients, witnesses, experts and employees. Hackers know where the money is, which is why they didn’t need to get credit card information from Anthem. The information your firm has is valuable to hackers. That makes you a target.
2) After a data breach, the hackers aren’t your only problem.
Anthem’s customers are already targets of scams called “phishing.” Past and present subscribers to Anthem’s services have reported receiving emails purportedly from Anthem regarding the hack. The emails promise free credit monitoring and a year of free credit protection. All you have to do is click on a link and provide some information. Apparently, these phishing scams are happening over the phone too.
Anthem, for its part, has consistently reported that it has not and will not send any notifications over email. Unfortunately, since 80 million people’s information was exposed, the likelihood that a few of these scams will work is pretty high. Imagine that – you get your identity stolen. Then, by accepting someone’s offer of help, you get your identity stolen again.
(This kind of phishing scam happened to victims of the Target hack, too.)
The Anthem Hack’s Lesson for Lawyers:
Have a secure way to notify your clients in the event of a breach.
If you’re the victim of a hack, make sure that your ass isn’t the only thing you’re covering. As soon as your clients’ information is stolen, they’re vulnerable. But they can’t protect themselves if they don’t know!
By getting the information out quickly, Anthem has been able to publicly notify its customers that these email messages are phony. Could it be argued that the announcement made these hucksters’ jobs easier? Sure, in one respect.
But given the choice, I’d always prefer to answer questions from my clients about why I notified them about a data breach too quickly, rather than too late.
3) Your clients will be reminded about the hack for years.
As one of Anthem’s own releases indicated, the PII that was stolen is exactly the kind that makes it easy to steal someone’s identity. As I discussed above, the truly insidious part is that the information the hackers obtained is exactly the info you use to enhance your digital security.
When a credit card is stolen, you have to worry about what was purchased prior to cancellation. When someone gets your SSN, you have to be concerned about what actions were taken prior to setting extra security.
But when a hacker knows your email, your home address, and has access to much of the private info you use to secure those accounts? Hackers can use the PII from the Anthem hack for years.
The Anthem Hack’s Lesson for Lawyers:
A successful data breach will hurt you for years.
Hacks hurt. They cause a lot of damage immediately. Clients are upset. The state bar is curious. Security experts are expensive. But the wound can fester, sometimes even after you’ve done everything you can to fix the problem.
The lingering damage from a hack, particularly the pain it could cause to some of your most important clients, can be immense. Once you’ve been hacked, there’s nothing you can do about it. So, what can you do to reduce your vulnerability? I’m so glad you asked…
4) Encryption is always a good idea, even if it adds some inconvenience.
Do you encrypt your data? Anthem didn’t. Reports indicate that the data stolen from Anthem was not encrypted. Apparently, Anthem only encrypts data when it’s transferred in or out of their database. For data not being transferred, it uses “other measures,” such as elevated user credentials, to protect the data.
Why, you ask? Because encrypting all that data would have made it much harder to analyze the data and share it with health care providers and state governments. You heard right – the personal information of 80 million people wasn’t encrypted because doing so was inconvenient.
The Anthem Hack’s Lesson for Lawyers:
Encrypt everything!
How many times have you avoided increasing security of your digital data because it made it less convenient? We do it all the time. Security and convenience exist in a nearly inverse relationship – if it’s more secure, it’s less convenient.
But none of that matters, because you have a duty to your clients to keep their information confidential. Anthem is likely going to pay a price with the public for failing to encrypt the data. If you were in their position, you’d have to deal with your state bar too. What do you think they’d say if you argued that encrypting the data was inconvenient?
The inconvenience involved in encrypting your data is worth it. So do it.
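Section 4 contrasts encrypting data only in transit with encrypting it at rest. The Go program below is an added illustration, not code from this post or from Anthem’s systems: it encrypts each PII column value with AES-256-GCM before it is stored, so that someone who obtains only database credentials (the “other measures” described above) sees ciphertext rather than an SSN, and it binds the column name as associated data so a blob moved between columns fails to authenticate. The key, the column names and the sample SSN are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte data-encryption key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one PII column value; the stored blob is nonce || ciphertext || tag.
// The column name is bound as associated data, so a blob copied into a different
// column (e.g. an SSN blob moved into the "mrn" column) no longer authenticates.
func sealField(gcm cipher.AEAD, column, value string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(value), []byte(column)), nil
}

// openField reverses sealField; a wrong key, wrong column or tampered blob is an error.
func openField(gcm cipher.AEAD, column string, blob []byte) (string, error) {
	n := gcm.NonceSize()
	if len(blob) < n {
		return "", errors.New("stored blob too short to hold a nonce")
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], []byte(column))
	return string(pt), err
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys belong in a KMS/HSM, never in the database
	io.ReadFull(rand.Reader, key)
	gcm, _ := newGCM(key)
	blob, _ := sealField(gcm, "ssn", "123-45-6789") // constructed sample value
	fmt.Printf("stored: %x\n", blob)                // all a holder of database credentials sees
	fmt.Println(openField(gcm, "ssn", blob))
}
```

Transport encryption would have protected this value only while it crossed the wire; the stored form is what a copied database exposes.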
Speaking of PR…
5) In the event of a breach, your PR is best handled early.
Currently, federal law requires that a company notify its customers of a potential data breach within 60 days. President Obama’s recently announced plan would reduce that deadline to 30 days. However, when it comes to stolen personal information, the clock is running as soon as the information is stolen. Even 24 hours might not be enough.
Target, in an act of what I consider to be grotesque stupidity, decided to wait until an internal investigation was nearly complete to inform their customers about stolen data. This delay allowed personal credit card and debit card information to be sold on the black market for nearly two months before the public was even aware of the breach.
Anthem announced the data theft less than a week after it was discovered. By making the announcement quickly, including a list of the types of information that were likely stolen, they have given their customers and employees an opportunity to take steps to prevent identity theft.
The Anthem Hack’s Lesson for Lawyers:
In the event of a suspected breach, notify any affected clients immediately!
Nobody wants to have to tell their customers about a data breach. No matter how strong your security, someone will claim you didn’t do everything you could. This is going to happen no matter when you notify your customers. However, imagine how many more people will be making that claim if you wait to notify them until after someone has already stolen their identity!
Regardless of what mistakes may have been made leading to the data breach, Anthem handled this part right.