NewsOK Q&A: Data security, cyber threats are everyone’s concern

From NewsOK / by Paula Burkes
Published: September 20, 2017

Fred A. Leibrock is an experienced trial lawyer who has tried dozens of jury trials and has served as lead counsel in a number of significant cases involving complex, multi-jurisdiction issues.

Q: With the recent breach of Equifax, it seems that vulnerability to identity fraud is everywhere. Are there measures I can take on behalf of my company and employees to minimize risk?

A: Act now and seek professional technical assistance. Hire the right technical person or firm to help you test your systems, assess your vulnerabilities and implement your protection and recovery plans. The question isn’t whether someone will try to steal your data, but when. You need to be ready.

Q: From a legal standpoint, if my company’s data is breached, can my company be held liable for harm to employees or customers whose information may have been compromised?

A: Yes. Although this is a rapidly emerging area of the law, as a general rule an entity that is negligent in safeguarding confidential customer or employee data can be held liable as a result of a breach, or as a result of disregarding legal notice requirements after the breach. The principal question on the issue of liability is whether the entity took reasonable steps before the breach to protect the data, and after the breach to protect and notify the customers or employees. What’s reasonable is a moving target that must be determined on a case-by-case basis. However, there are few legitimate excuses in this day and age for a company to not take significant affirmative steps to safeguard electronic data.

Q: What are some of the bigger mistakes that companies make when it comes to protecting their data?

A: According to the Federal Trade Commission, the principal unreasonable practices that result in data breaches include weak password policies, lack of encryption, broad dissemination of administrative passwords, and lack of security between systems with sensitive data and other computers inside and outside the network.

Q: What measures can I take to protect my company from a data breach?

A: Engage in advance planning. To reduce the risks of a data breach, follow the recommendations of the National Institute for Standards & Technology by planning ahead of a breach to: identify the components of your systems and their vulnerabilities; protect the components from penetration; detect latent threats that may have already penetrated your systems; respond to a breach and recover from a breach. Also, train your employees to be alert to cybersecurity risks.

Q: It seems like all businesses rely on digital data transfer, whether it’s using file transfer services or sending sensitive documents through email. How do I continue to take advantage of these conveniences and still secure my information?

A: Avoid unnecessary risks. There are a million affordable products on the market that allow you to encrypt stored data and data in transmission. Use them and be willing to pay for data protection. If you must transmit sensitive data over an unsecure network, at a minimum encrypt it with a strong password before transmitting it.

Roth: Energy cybersecurity

By Jim Roth, Director and Chair of the Firm’s Clean Energy Practice Group. This column was originally published in The Journal Record on April 24, 2017.



Energy cybersecurity

This past week was the 22nd anniversary of the Murrah Federal Building bombing on April 19, and, as is the solemn custom each year, Oklahomans gathered and memorialized those lives lost and those lives changed forever.

In addition, for the third year, the Judge Alfred P. Murrah Center for Homeland Security Law & Policy at the Oklahoma City University School of Law gathered people to study and examine the threats in our world today. As the center says in describing the tragic events of April 19, 1995, “It opened our eyes to the reality that terrorism could strike anywhere, at any time.”

This sad reality has required that we Americans keep our eyes wide open, and with the help of experts at the Murrah Center and around the country, vigilance, insight and knowledge are necessary constants today.

At this year’s conference, with helpful sponsorship from the law firm of Crowe & Dunlevy, the issues of cybersecurity in banking, gaming and energy were brought into focus for a reality check of the threats around us. And in the event you aren’t aware of how often attacks are actually occurring here and abroad, be sure to check out Norse Corp.’s website, which offers real-time visibility into global cyberattacks, and you too might be shocked at the frequency: map.norsecorp.com/#/.

Like a modern-day version of Missile Command, this site shows and tracks in real time the attack origins, attack types, attack targets and countries involved. And it is very freaky, because cyber risks and attacks do not sleep, do not take weekends off and certainly don’t quit.

In the energy sector, much is being done to safeguard every step, from production to midstream delivery, to customer consumption and engagement, as every link is a vulnerability. At last week’s seminar, experts from Devon Energy, Continental Resources and Oklahoma Gas & Electric described their own real-world efforts and safeguards in what appears to be a constant evolution of learning, reacting and working to stay safe and a step ahead of these risks.

The U.S. Department of Energy is the pre-eminent national guide for cybersecurity for critical energy infrastructure and energy delivery systems. As DOE says: “…the nation’s security, economic prosperity, and the well-being of our citizens depend on reliable energy infrastructure.” And they work to accomplish these needs through three key areas:

• Strengthening energy sector cybersecurity preparedness.

• Coordinating cyber incident response and recovery.

• Accelerating research, development and demonstration of game-changing and resilient energy delivery systems.

Oklahoma is certainly an energy state, with blessings above and below our red dirt. Our production and delivery of these resources now include once-unimaginable threats of attack from sophisticated computer hackers and attacks from nation-states and rogue actors looking to create havoc in our economy and across the world. Our energy companies are helping to keep our energy systems safe and they need our vigilance too.

So the next time you get a strange email offering you riches from a never-known dead relative in a foreign country, please do not click on the link or forward it to others to check it out, as it may just be the attack that takes out your town’s electricity or the oil and gas well nearby.

As my mother used to say, “if it sounds too good to be true, it probably is.” In today’s world of cyber risks, the new mantra may need to be “If it sounds too good to be true, it’s probably a malicious malware virus launched from an anonymous attacker to bring down your household or country.”

But then again, it could just be “a guy sitting on their bed who weighs 400 pounds,” as a candidate for president once scoffed. Either way, it’s past time to take it seriously, especially for the energy sector in America.

Jim Roth, a former Oklahoma corporation commissioner, is an attorney with Phillips Murrah P.C. in Oklahoma City, where his practice focuses on clean, green energy for Oklahoma.