Three Steps to Improving Your Cybersecurity Posture in 2022
No Breach January
By Lauren C. Ostberg
Along with the widely reported cyberattacks on behemoths like LinkedIn and Facebook, 2021 also saw cyberattacks on local governments, small businesses, school systems, nonprofit organizations, and other smaller, more vulnerable targets. For more than a decade, Massachusetts has enumerated a set of administrative, physical, and technological safeguards designed to protect consumer’s personal information.
“This personal information is what you are obliged to safeguard; access, use, or compromise of this personal information by an unauthorized person constitutes a reportable breach.”
For more than a decade, you — a natural person, corporation, association, partnership, or other legal entity who uses, stores, or otherwise accesses personal information in connection with the provision of goods and services or with employment — have been required by law to put such safeguards in place.
Whether a genuine desire to comply with 201 CMR 17 or the breaches of 2021 motivates you, the new year is the perfect time to strengthen your cybersecurity position with three simple steps.
Inventory the Personal Information You Possess
Under applicable Massachusetts law, ‘personal information’ is a Massachusetts resident’s first and last name or first initial and last name combined with a Social Security number, driver’s license or state ID number, financial-account number, or credit- or debit-card number. This personal information is what you are obliged to safeguard; access, use, or compromise of this personal information by an unauthorized person constitutes a reportable breach. A useful first step in developing, or improving, your cybersecurity position, then, is compiling a list of every location where you keep this personal information.
Creating this list should make some security risks apparent — do you have Social Security numbers in your e-mail inbox, in an unlocked filing cabinet, or stored on the desktops of employees’ unencrypted laptops? In the event you experience a ransomware attack or another cybersecurity incident, knowing where personal information was stored can help you quickly determine whether the potentially compromised data contained ‘personal information’ and, thus, whether you have experienced a ‘breach’ reportable to regulators.
If you already have a well-developed written information security program (WISP) and feel confident in your cybersecurity posture, this step still applies to you. Reviewing and updating this inventory can (and should) be part of your annual review of that WISP’s scope and effectiveness.
Learn to Encrypt Personal Information
Massachusetts regulators require that personal information (when held by a person other than the consumer) be encrypted ‘in transit’ and ‘at rest.’ In transit refers to information when it is transmitted across networks — say, from one e-mail account to another. At rest refers to storage, on a flash drive, laptop, etc., or on an e-mail server.
If you comply with this regulation, an employee’s lost laptop or a compromised e-mail account will not impact consumers or raise the risk of identity theft because that sensitive information should be inaccessible to unauthorized parties. Encryption can be a simple process — in some cases, it’s a matter of a few well-placed clicks. Let this year be the one you figure it out.
If you have already enabled encryption on relevant devices and accounts, and have policies requiring the encryption of personal information, congratulations. After you pat yourself on the back, make sure your employees are aware of these policies and that they knew how and when to make use of these safeguards.
Train on Phishing
Massachusetts’s data-security regulations require employee training as both an enumerated administrative and technical safeguard. This is because internal policies regarding access to use of, and the transportation of, personal information required by 201 CMR 17 are of limited use if they are not consistently followed company-wide.
Similarly, the best malware protection and server encryption will not protect a business whose employees hand over the proverbial keys to the kingdom by providing their credentials or downloading malware by clicking a link in a phishing e-mail.
Because individuals responding to phishing e-mails is a known vulnerability, it is a useful place to start training. Phishing, which can take the form of e-mails or phone calls, is the fraudulent practice of attempting to obtain personal information or other valuable data from a person by pretending to be a reputable, and trusted, third party. Training employees to recognize, avoid, and report these scams is an initial step (and one endorsed by the FTC) to improving your cybersecurity hygiene.
While other safeguards in 201 CMR 17 and the Attorney General’s Compliance Checklist (like two-factor authentication) are important considerations, if you inventory your personal information, enable and use encryption, and train yourself and your employees to avoid phishing scams, you will be well on your way to a breach-free January and a compliant 2022.
Lauren Ostberg is an attorney in Bulkley Richardson’s cybersecurity group; (413) 272-6282.