It’s no secret that the number of high-profile data breaches and cyber threats across the globe is on the rise. Just last month, 143 million Americans had their personal information compromised because of the Equifax data breach. A data breach can damage a company in multiple ways. Loss of customer trust is one of the worst and most common consequences. A study by Semafone found that, out of 2,000 people surveyed, close to 87 percent would not do business with a company that had suffered a data breach involving credit or debit card information. The reputational damage companies suffer for failing to protect personal data can cause a huge loss of business, affecting the company for years to come. A report by Forbes Insights and IBM showed that 46 percent of companies have suffered reputational damage due to a data breach. This puts even more emphasis on the importance of state data breach laws.
Alabama is one of only two states without a data breach law on the books, South Dakota being the other. Simply put, this means that if a company in Alabama suffers a data breach, it has no legal obligation to notify customers that their personal information has been compromised. In the case of the Equifax breach, hackers gained access to personal information such as Social Security numbers, birth dates, addresses and full legal names. The Equifax breach has since sparked a campaign by multiple groups calling on Congress to replace the patchwork of state laws with a uniform federal law. Equifax is one of the three major credit bureaus that track the financial affairs of U.S. consumers to help banks make lending decisions, covering everything from credit card balances to payment history and court judgments. Consumers do not have the choice to “not do business” with Equifax, a daunting scenario that is becoming more prevalent as networks fall victim to data breaches such as the recent SAMSAM ransomware attacks.
SAMSAM is a form of ransomware currently on the rise, with ransom demands growing as hackers become more sophisticated. According to an IBM study, these types of attacks increased 6,000% in 2016 over the number of attacks in 2015, making ransomware a billion dollar business in 2016. Ransomware, a kind of malware that locks infected systems, encrypts files and demands a payment in return for decryption, can be debilitating for businesses, governments and institutions. Without access to core networks and systems, many firms and organizations will pay up rather than suffer through the disruption. Large enterprises, organizations, schools, governments, hospitals and healthcare service providers are increasingly falling prey to these attacks, with the ransom demands getting bigger by the minute.
An example of this type of ransomware attack came in November 2016 for the Bigfork, Montana school district. The Bigfork school system was hit with a ransomware attack that encrypted huge amounts of data, making the files inaccessible to Bigfork employees. The perpetrators left a message for the school system’s IT Director demanding a ransom payment in exchange for the decryption key to unlock the data. Once the virus infects a network, it scrambles every Word document, spreadsheet and data file in its path and demands that the ransom be paid in bitcoin, an untraceable virtual currency. In this instance, the Bigfork school district took a hardline stance and refused to pay the ransom, opting instead to restore its data systems from back-ups. The FBI’s cyber division discourages victims from paying the ransom, saying it only serves to embolden the criminals. While this may be true, sometimes the cost-benefit analysis of the damage versus the time required to restore the files leaves no other option. Such was the case for South Carolina’s Horry County school system in 2016. The $30,000 ransom was determined to cost less than a single day of 43,200 students being without access to the district’s systems. To further complicate things, even when the ransom is paid, there is no iron-clad guarantee that the perpetrators will hand over the decryption key needed to restore the data files. To avoid this type of breach, cybersecurity assessments can be done on the front end to proactively identify an institution’s or company’s vulnerabilities, but once a breach happens, the options for resolution become much more limited.
Legislative leaders in Alabama are pushing to get legislation passed during the 2018 legislative session. Data breach legislation has been introduced in past Alabama legislative sessions but has received pushback from business groups, which cite burdensome regulation and expense as their two main objections. The recent Equifax breach and the rise in ransomware attacks provide a platform for serious consideration of data breach legislation in Alabama.