T-Mobile Data Security Incident Should Provide Businesses with Reminder to Review Cybersecurity Practices

27 August 2021 Privacy, Cybersecurity & Technology Law Perspectives Blog
Authors: Chanley T. Howell, Steven M. Millendorf, Kevin M. Hotchkiss

On August 15, 2021, a number of media outlets reported that T-Mobile was investigating a data breach that may have exposed the names, dates of birth, phone numbers, T-Mobile account PINs, Social Security numbers, and driver’s license numbers of over 30 million current and former T-Mobile customers. A number of class-action lawsuits have already been filed, alleging negligence, violation of applicable law (including the California Consumer Privacy Act, CCPA), and/or other wrongful conduct.

The incident is a stark reminder that data breaches have become common for organizations of any size and in every industry. From Main Street to Wall Street, from Fortune 500 companies to small local businesses, no company is immune from cybersecurity attacks. Today’s cyber-criminals are well-organized crime syndicates who seek to make a profit, one way or another. They have perfected their “art” of hacking to maximize profits while lowering the probability of being identified and prosecuted. Their “art” consists of exploiting routine vulnerabilities, making money through various means, and then disappearing into the ether until they emerge for their next cyber-attack. This is especially true of ransomware attacks, where the current trend is not only to demand a ransom for decryption of the data, but also to make additional demands for not publicly disclosing the information should the victim company recover the data from backups or other means. As former FBI Director Robert Mueller once said, “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again. Maintaining a code of silence will not serve us in the long run.”

The information stolen from T-Mobile was allegedly offered for sale on the dark web for approximately $270,000, a clear indication of how little the identity information of affected individuals is worth to the criminals compared to what the breach costs the affected business. Hackers make money by expending little cost and effort, exploiting the same vulnerability over and over in different organizations once it is discovered. In contrast, the 2020 Ponemon Cost of a Data Breach Report found that the average total cost of a data breach is $3.86 million, with ransomware and other destructive malware attacks costing more on average than the overall average for a data breach. This figure also depends heavily on geographic region: the average cost of a data breach in the US is $8.64 million, more than double the global average and the highest of any region (Brazil is the lowest, with an average cost of $1.12 million). Approximately two-thirds of these costs result from the aftershocks of a cybersecurity event, i.e., they take the form of lost business and the costs of call centers, credit monitoring, legal expenses, product discounts, and fines.

Steps for Businesses to Develop a Cybersecurity Program

But the data also suggests that, because hackers stand to gain so little from any particular data breach, there is a light at the end of the proverbial tunnel for organizations: make it harder for the hackers to breach the organization’s systems, so that they turn their attention to an easier target. This does not mean defending against every potential cybersecurity event, but simply making the easy, well-known vulnerabilities hard enough to exploit that only the most determined (and well-funded) bad actors will continue their attempts. The Ponemon study may provide some useful guidance on where organizations should expend resources. It found a number of factors that may reduce or increase the average total cost of a data breach.

DECREASES COST OF A DATA BREACH
  • Incident Response Testing
  • Business Continuity Planning
  • Training of Personnel
  • Use of Encryption
  • Vulnerability Testing
  • Appointing a CISO

INCREASES COST OF A DATA BREACH
  • Complexity of security systems
  • Migration to Cloud
  • Shortage of security skills
  • Compliance failures
  • Third-party breaches

FIVE FUNCTIONS OF AN EFFECTIVE CYBERSECURITY PROGRAM
   1. Identify
   2. Protect
   3. Detect
   4. Respond
   5. Recover

While the specific value of each of these factors has varied over time, successive Ponemon reports have generally identified the same factors as improving outcomes and the same factors as making outcomes worse. Organizations of all sizes that already have a basic security framework in place should therefore focus resources on the greatest returns, i.e., the activities listed as decreasing the cost of a breach. At the same time, these organizations should actively seek to minimize the factors listed as increasing the cost, especially reducing the complexity of their security systems wherever possible.

However, organizations that are just starting to develop a cybersecurity plan often need guidance on where to start. While there are many industry standards, some excellent starting points include the guidelines published by the FTC as well as industry standards such as the cybersecurity guidelines published by the National Institute of Standards and Technology (NIST), including the NIST Cybersecurity Framework. A roadmap based on these industry standards is described below:

1. Identify

Organizations should develop an understanding of their environment to properly manage cybersecurity risk to systems, people, assets, data, and operations.

  • Identify all of your technology assets (computers, smartphones, software, data, etc.).
  • Create incident response policies that detail steps to take to protect against an attack.
  • Create policies that define security roles and responsibilities for employees and vendors.

2. Protect

Businesses should adopt and maintain appropriate safeguards to ensure continued operation of critical business functions.

  • Have access controls in place – not every user should be able to access all data, and very few users should have the ability to install or modify systems.
  • Acquire and use security software to regularly scan your organization’s systems.
  • Encrypt all data at rest and in transit.
  • Back up essential data regularly.
  • Always keep your systems up to date.
  • Educate and train employees on the proper use of data.

3. Detect

Organizations should develop and implement appropriate procedures to identify the occurrence of a cybersecurity event.

  • Monitor all data moving in and out of your systems, whether through removable media such as a USB drive or through the internet.
  • Check the network for unauthorized users – remove access to terminated users immediately.
  • Investigate unusual activities.
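The “Protect” point about access controls (few users able to install or modify systems) and the “Detect” point about checking for unauthorized users and removing terminated users’ access both come down to the same routine check: reconcile the accounts that actually exist against what the organization has authorized. The following is an added example, not code from the original post or from Foley; it assumes a simplified account export and HR roster (both constructed here for illustration) and an allowlist of approved administrators, and it flags enabled accounts of terminated staff, accounts with no HR record, privileged accounts outside the allowlist, and enabled accounts that have not logged in recently.

```python
"""
Added example (not from the Foley blog post): reconcile active user accounts
against an HR roster and an admin allowlist. All data below is constructed
for illustration; in practice the account list would come from a directory
export and the roster from the HR system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    roles: FrozenSet[str]   # "admin" marks users who can install or modify systems
    last_login: date


@dataclass(frozen=True)
class HrRecord:
    username: str
    status: str             # "active" or "terminated"
    end_date: Optional[date]


def reconcile(accounts: Iterable[Account],
              hr_records: Iterable[HrRecord],
              admin_allowlist: Set[str],
              as_of: date,
              stale_days: int = 90) -> Dict[str, List[str]]:
    """Return a dict of finding category -> sorted usernames."""
    roster = {r.username: r for r in hr_records}
    findings: Dict[str, List[str]] = {
        "terminated_still_enabled": [],  # access should have been removed immediately
        "no_hr_record": [],              # unauthorized, or an untracked service account
        "unapproved_admin": [],          # privilege not on the approved list
        "stale": [],                     # enabled but unused; candidate for disabling
    }
    for acct in accounts:
        rec = roster.get(acct.username)
        if rec is None:
            findings["no_hr_record"].append(acct.username)
        elif rec.status == "terminated" and acct.enabled:
            findings["terminated_still_enabled"].append(acct.username)
        if "admin" in acct.roles and acct.username not in admin_allowlist:
            findings["unapproved_admin"].append(acct.username)
        if acct.enabled and (as_of - acct.last_login).days > stale_days:
            findings["stale"].append(acct.username)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data (hypothetical usernames and dates).
AS_OF = date(2021, 8, 27)
ADMIN_ALLOWLIST = {"alice"}
ACCOUNTS = [
    Account("alice", True, frozenset({"admin"}), date(2021, 8, 20)),
    Account("bob", True, frozenset(), date(2021, 8, 1)),          # terminated, still enabled
    Account("carol", True, frozenset({"admin"}), date(2021, 8, 19)),  # admin, not approved
    Account("dave", True, frozenset(), date(2021, 3, 1)),         # no login for ~6 months
    Account("svc_backup", True, frozenset(), date(2021, 8, 25)),  # no HR record at all
    Account("erin", False, frozenset(), date(2021, 1, 1)),        # terminated and disabled
]
HR_RECORDS = [
    HrRecord("alice", "active", None),
    HrRecord("bob", "terminated", date(2021, 8, 10)),
    HrRecord("carol", "active", None),
    HrRecord("dave", "active", None),
    HrRecord("erin", "terminated", date(2020, 12, 31)),
]


def run_sample() -> Dict[str, List[str]]:
    return reconcile(ACCOUNTS, HR_RECORDS, ADMIN_ALLOWLIST, AS_OF)


if __name__ == "__main__":
    for category, users in run_sample().items():
        print(f"{category}: {', '.join(users) or '-'}")
```

Running this on the sample data flags bob (terminated but still enabled), svc_backup (no HR record), carol (administrator not on the allowlist) and dave (stale login). A scheduled run of a check like this, with the findings routed to whoever owns access reviews, turns the “remove access to terminated users immediately” bullet from a policy statement into something that is actually verified.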

4. Respond

Organizations should develop, maintain, and regularly test an incident response plan to take action regarding a cybersecurity incident that has been detected or that has been attempted and poses a significant threat to the organization.

If an organization has a breach or is subject to a cybersecurity attack, it is important that they have a plan for:

  • Notifying customers, employees, and any others whose data is at risk.
  • Continuing normal business operations.
  • Reporting to law enforcement.
  • Investigating and containing the attack.
  • Updating policies with lessons learned.
  • Unplanned events such as hurricanes or other natural disasters.

5. Recover

Organizations should develop appropriate policies and procedures for resilience against a cybersecurity incident and to promptly restore any services or other business operations that may have been impacted due to a cybersecurity incident.

  • Repair and restore the equipment and parts of your network that were affected.
  • Keep employees and customers informed of your response and recovery activities.

Organizations should also bear in mind that the FTC and NIST provide guidance on protecting the privacy of personal information as well, once appropriate security controls have been deployed to protect that information.

Foley has significant expertise in assisting organizations of all sizes in developing and enhancing their cybersecurity and privacy programs, including such programs based on FTC guidance, the NIST Cybersecurity Framework and other industry standards. For additional information on where to start a cybersecurity program or how to improve upon an existing one, please contact one of the authors below or any of the Partners or Senior Counsel core members of Foley’s cybersecurity practice.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. 
In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.