Marine corp data breach lesson: human error is often the cause and is preventable

There has been a data breach emanating from the U.S. Marine Corps Forces Reserve that impacted 21,426 individuals. The breach exposed their sensitive personal information such as truncated social security numbers, bank electronic funds transfer and bank routing numbers, truncated credit card information, mailing address, residential address and emergency contact information.

Calm down and press the pause button on the hysteria hype machine — it was not the Russians behind it! It was something far more treacherous when it comes to the real world of data breaches: it was human error.

In this case, it happened when an individual sent an email to the wrong email distribution list and the email was unencrypted and included an attachment that contained the personal information described above. You can read more about the breach here: Major data breach at Marine Forces Reserve impacts thousands

THE TAKEAWAY:  The important lesson to take away is that scenarios such as this are far more common than all of the super-sophisticated “hacking” type over-politicised stuff that we usually hear about through the media. This is the real world of data breach that most companies face far more often than they face state-sponsored espionage. In fact, research into actual data breaches reveals that 90% of all claims made on cyber insurance stemmed from some type of human error and, as reported by the highly reputable Online Trust Alliance, “in 2017, 93 percent of all breaches could have been avoided had simple steps been taken such as regularly updating software, blocking fake email messages using email authentication and training people to recognize phishing attacks.” The good news is this type of problem is preventable with some effort.

Below is a checklist of good cyber hygiene that, in reality, all companies should be doing these days. How do you make sure you’re doing it? You develop and implement a cyber risk management program that is tailor-made for your company and is continuously maturing to address the risks your company face — such as my CyberGard™ program.


Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

The Most Positive Cybersecurity Trend I Have Seen in Nearly 20 Years!

business-1989131_1920In the last quarter of 2017, I have observed a cybersecurity trend that has given me more hope than any that I have seen previously. Let me explain.

As an attorney, I have been practicing what can generally be described as cyber law or cybersecurity law since 1999, which means that my practice has evolved a lot over the years. It also means that I have seen a lot over the years.

My practice has been divided into three distinct areas over the last several years:

  1. Proactively, by helping clients assess and understand their overall cyber risk and then developing, implementing, and maturing a strategic cyber risk management program that prioritizes their efforts to help minimize their cyber risk.
  2. Reactively, by leading companies through the cyber incident response and data breach response process (e.g.,  as a “breach guide” or “breach quarterback”) and regulatory investigations and enforcement actions.
  3. Reactively, by representing clients in litigation involving cyber-related claims like data loss, data theft, computer hacking, and business to business disputes concerning responsibility for cyber incidents.

For nearly twenty years, the number of clients that have hired me to help in a reactive role, such as with incident response and litigation of cyber claims, has towered above those who have sought my help for proactively assessing their cyber risk and developing and implementing a cyber risk management program. It has not even been close.

This has not been due to a lack of effort on my part. I have always done my best to encourage clients to be responsible when it comes to cybersecurity by being proactive and focusing first on risk management and prevention but this has generally fallen on deaf ears. They did not want to be cyber responsible — or, even if they did want to be, they were not willing to invest resources into being cyber responsible.

But in the last quarter of 2017, this has changed.

The trend that I have observed developing over the last Quarter of 2017 is outstanding! For the last few months I have had substantially more clients hire our firm for helping them with a proactive cyber risk management program than we have ever seen in the past, so much so that the amount of work we are now doing on these programs is equal to or greater than the amount of work we are doing on incident response and litigation.

What makes this trend so great? The answer is simple: it shows that companies are finally starting to get it! They are finally seeing that it is better for them to invest resources into proactively preventing cyber incidents and data breaches from happening than it is to sit back and wait with the only strategy being to hope that it will not happen to them — because it will happen to them if they do nothing to stop it.

I hope that the trend that I am seeing is consistent across the industry. If it is, we just may be turning the corner in the war on cybercrime that is destroying our companies and decimating our individual privacy.


Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

3 Legal Points for InfoSec Teams to Consider Before an Incident

secureworldAs a teaser to my presentation at SecureWorld – Dallas last week, I did a brief interview with SecureWorld and talked about three of the points I would make in my lunch keynote, The Legal Case for Cybersecurity. If you’re going to SecureWorld – Denver next week, join me for the lunch keynote on Thursday (11/2) as I will again be making The Legal Case for Cybersecurity.

In the SecureWorld article, Why InfoSec Teams Need to Think with a ‘Legal’ Mind, Before an Incident, we discuss these three points:

  1. There are three general types of “cyber laws” that infosec needs to understand;
  2. Sadly, far too many companies do not take cybersecurity seriously until after they have had a significant incident; and
  3. Companies’ need for implementing and continuously maturing a cyber risk management program (such as my CyberGard).


Will Officers & Directors Be Held Legally Responsible for Companies’ Data Breaches and Cybersecurity Incidents?

Cybersecurity Risk: Law and Trends – Ethical Boardroom Article

The law is trending toward more risk of liability for Officers and Directors. Learn more about this from my recent article in Ethical Boardroom — full text available without paywall here: Cybersecurity Risk: Law and Trends.

Learn more about the CyberGard Business Cyber Risk Management Program


Practical ways your company’s contracts can help improve its cybersecurity odds

I am sharing two articles with you because, as you well know, cybersecurity is a really hot topic right now due to the threat it poses to virtually all businesses. I hope you find these helpful.
I was recently interviewed by CSO Magazine and asked to give one suggestion that companies could do to improve their cybersecurity chances. I suggested they focus on their contracts as they relate to cybersecurity issues (HERE).
Yesterday, on Norse’s DarkMatters, I explained this issue in greater detail and provided basic examples of cybersecurity issues that every business should address in their contracts (HERE).
As you read through these articles, think about the different kinds of data your company has, the many ways the bad guys could get to it, and how additional safeguards could be put into place for those within your company as well as its third-party relationships. These are just a few examples of the areas where addressing cybersecurity issues in your contracts can help improve your company’s overall cybersecurity posture, and the contracts issue is only one of many areas that make up a comprehensive cyber risk protection program that is what all companies really need. 
If your company already has a program that includes these kinds of precautions, then congratulations because you are well ahead of most other companies! If you do not, we would love to help you get these protections in place so let me know and let’s schedule a time to get together over breakfast or lunch – my treat!


Shawn Tuma (@shawnetuma) is a cybersecurity and data protection lawyer that business leaders trust to help solve problems with cutting-edge issues involving cyber risk and compliance, computer fraud, data breach and privacy, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes across the United States and, through the Mackrell International Law Network, around the world.

Platform Magazine Quotes Tuma Discussing CyberGard: The Public Relations Side of a Data Breach

CyberGard - Cyber Risk Protection ProgramThank you to Platform Magazine for quoting me discussing the PR component of my CyberGard – Business Cyber Risk Protection Program in this forward thinking article about the value of getting public relations on board before your company has a data breach.

In a recent post I explained why a data breach response must focus on the business side of the breach: “The most important issue is how the incident will impact the company’s overall business. No matter how great of a job we do on the legal side, if the business side suffers too much, it is an overall failure. These situations are not the time for tunnel vision.”

Click here to learn more about CyberGard

A key component to focusing on the business impact is the businesses’ communications with the public. This where having professionals to help with the “messaging” becomes so important. Read more in The Public Relations Side of a Data Breach | Platform Magazine.


Excellent info from Travelers: Company Data Security Policy & Standards

Computer-ThiefTravelers just published a list of 9 things companies should consider for data security policies and standards. It is excellent. You can see it by following the link below.

But first, check out my CyberGard–Cyber Risk Protection Program that can help with implementing these 9 steps!

via Company Data Security Policy & Standards | Travelers Insurance.

“Defense wins championships” when preparing for the inevitable data breach

“The best strategy to manage the inevitable data breach of your enterprise is to be prepared.” -Adam Greenberg, SC Magazine

Exactly–you must prepare on 2 fronts: Defense & Response

In a recent article in SC Magazine, Adam Greenberg marches along faithfully with many of us in trying to get you, the business leader, to appreciate the severe risk that data breaches pose to your business. He starts by repeating the old data breach proverb, “It is not a matter of if, but when,” which readers of this site have heard many times before.

It is now a given that every enterprise either already has been, or will be, the victim of a data breach. It’s just life in the digital age, get used to it.

More importantly, prepare for it. A data breach can be either (1) a catastrophic event that threatens the very existence of your enterprise, or (2) just another adversity that your enterprise faces, manages, and learns from along its journey to success.

The choice is yours and is determined by whether you stick your head in the sand and ignore the risk or prepare for it. The first step you must take is to decide that you will not ignore this threat and that you will prepare for it. This is the most difficult step for many business leaders but, once we get past it, we start making progress.

Preparing for a data breach requires preparing a defensive strategy and a responsive strategy.

Preparing to Defend

-Defense Wins Championships-“Offense sells tickets; Defense wins championships” -Coach Paul “Bear” Bryant Jr.

When we talk about preparing for a data breach, some people jump the gun and start thinking about how they will respond. This loses sight of the primary objective–your duty–PROTECTING THE DATA which, necessarily, requires defending your system.

The top priority for your enterprise is to take steps to assess and strengthen its cyber security posture. Then, the deficiencies that are identified must be corrected (there are always deficiencies). And don’t forget to document the steps that are taken (here is why).

Preparing to Respond

After you have prepared your defensive strategy, the next step is to prepare for responding to the inevitable data breach. Every enterprise needs a data breach response strategy that is documented in a written breach response plan (here is why).

The breach response plan needs to be comprehensive, readily accessible in an emergency, and everyone needs to be trained on their roles in the plan. You can read more about breach response plans here.

Fortunately, this process is not as intimidating as it may sound. The most difficult part is that you must decide that you will make sure your enterprise is prepared for this risk. After you make that decision, a qualified adviser who has helped other enterprises prepare for these situations can guide you through the process.

Learn more about the author’s unique CyberGard–Cyber Risk Protection Program.


Source of original article: Plan ahead: Prepare for the inevitable data breach – SC Magazine.


Gov’t Contractors Must Notify of Data Breach Within 3 days

Is your company prepared to respond to aIf your business is a contractor for the federal government, you had better have your data breach response ducks in a row. The moment you detect a breach, the clock starts ticking and you have only 3 days to notify of the breach. Yes, I said 3 days!

You better already know who your legal counsel a/k/a “breach coach” will be.

You better already know who is on your company’s breach response team.

You better already know who your cyber security forensics and remediation firm will be.

You better already have your PR professional in place.

You better already have your notification vendor in place.

You better already know what information must be in your notifications, depending on the jurisdiction.

You better already know what information cannot be in your notifications, depending on the jurisdiction.

You better already have your cyber insurance in place.

In other words, you had better have your breach response plan in place and be ready to execute that plan within 3 days’ time.

Tick. Tock.

 If you are not prepared, now is time to get prepared. Take the first step by contacting Shawn Tuma and learning more about his unique CyberGard–Cyber Risk Protection Program.


Source: Feds to Toughen Up Data-Breach Reporting Rules | Corporate Counsel.