T-Mobile Data Breach is a Wake Up Call for your Business
August 16, 2022
Last month, T-Mobile agreed to a $350 million settlement of a class action lawsuit filed against the wireless phone carrier. The lawsuit was in response to the 2021 announcement that the company had fallen victim to a cyberattack and that nearly 80 million customers had personal information, including social security numbers, stolen.
T-Mobile is the latest in a long line of high-profile corporations that have fallen victim to cyberattacks in recent years. When cases like this surface, the most common question we receive from employers is, ‘what can I do so this doesn’t happen to me?’ The thought for many is, if multibillion-dollar corporations like T-Mobile and Target are being breached, what chance does a much smaller company like mine stand against these cyberattacks?
The true answer is that no company, large or small, is without risk of a cyberattack. That doesn’t mean there aren’t steps you can take to minimize that risk and insulate yourself against potential liability in the event your security is breached. Although every company and organization is unique, here are a few suggestions we offer to companies seeking to minimize the chances of a data breach.
Hire an expert to analyze your current system
Bringing in a qualified, third-party expert to conduct an analysis of your current system for storing and handling sensitive data will give you a sense of where you stand – which is critical to understanding what improvements need to be made.
Encrypt your data
There is no silver bullet approach to preventing a cyberattack, but data encryption is viewed by many experts as close. Some clients initially ignore the option of data encryption, in part because it sounds intimidating to a lay person. In reality, data encryption is relatively easy, and critical for any business that retains personally identifiable information (PII) from their clients. The cost of encryption can seem prohibitive at first, but when weighed against the cost of a data breach, it can be money well spent.
Train (and retrain) your employees
According to data included in the IBM Cyber Security Intelligence Index Report, 95 percent of cybersecurity breaches are found to be caused by human error. Among those errors are several that are easily avoidable, especially with proper training of your employees.
Weak password selection is a perfect example of a common path for hackers to gain access to your internal data. Security experts say best practice is to change passwords every 90 days. Employers can set the system to make employees’ password rules complex. In addition to the common practice of requiring a mix of letters, numbers and symbols, it is recommended that the password not be allowed to contain any words found in a standard dictionary. Your job is to make the cyberbots’ job as difficult as possible.
Another common way hackers gain access to a system is through the use of phishing emails. Today’s phishing emails are much more sophisticated than random emails promising fortunes for those who respond. They can even include deceptions to make it appear as though the email was sent from a coworker or even your boss. This greatly increases the chances an email is opened and a virus is unleashed. Steady reminders to your employees, including sharing examples of phishing emails that have been sent, will keep them vigilant about what to look out for and reduce the chances an employee unwittingly lets a virus into your system.
It is also prudent to limit employees’ access to outside websites from their work devices. This can be a fine line for some employers. On one hand, you don’t want employees to believe you don’t trust them, or that you are taking a “Big Brother” approach to monitoring their workspace. On the other hand, visiting a site that is itself a virus, or visiting a site that may have been compromised by a virus, is another common way to fall victim to a cyberattack. We advise clients to communicate clearly to employees what security protocols you are putting in place and why you are doing so. Transparency with your team should eliminate some of that tension, while keeping your clients’, customers’, and employees’ personal data safe.
You want your clients and customers to feel secure when they provide you with their PII. A cyberattack can not only cost you in the immediate aftermath of the attack, but for years to come in the loss of customer/client confidence in your organization. Each business has to decide what level of risk is acceptable, and manage it accordingly. That being said, if you have questions or concerns and want to make sure you are doing everything you can to avoid ending up on the wrong end of a cybersecurity lawsuit, give me a call.
Trevor M. Torcello is a shareholder of Gross Shuman P.C. who focuses his practice in the areas of commercial real estate, business transactions, agribusiness and working with emerging businesses. He has extensive experience representing various parties in complex business transactions. He can be reached at 716.854.4300 ext. 227 or ttorcello@gross-shuman.com.