A Chicago law firm faces a lawsuit alleging it failed to properly protect sensitive client information. Johnson & Bell faces a class action citing JBoss, VPN, and SSL vulnerabilities. Interestingly, according to the filing, there was no evidence of compromise, but the suit claims the firm could have been easily penetrated.
How many other law firms could face similar legal actions for allegations of poor cyber security practices? This could be a significant issue for legal firms of all sizes across the country.
LP3 is watching this case carefully; we ensure that our clients are implementing sound cyber security practices based on NIST and CIS Top 20 best practices.
Visit https://lp3.com/assessandtest/ or email CyberHELP@LP3.com for a comprehensive vulnerability and business risk assessment.
A few questions:
- How exactly did the third party get compromised? What network segmentation was in place, or not?
- How much is the breach going to cost Sentara?
- Did Sentara conduct any cyber security due diligence on the third-party vendor? Vulnerability assessments? Monitoring?
- How was the breach detected? Did Sentara detect it? Or were they notified from elsewhere? What worked? What didn’t work?
It’s critically important to work closely with HIPAA/HITECH business associates at a technical cyber security level, since attackers will take advantage of the weakest link in the connected IT systems.
Heck, with any business associate: Target was compromised through an HVAC vendor. If the company networks are connected, they need to be under continuous monitoring and vulnerability tested at least annually.
“We’ve been hacked! What did we lose? We don’t know yet. When did it start? We don’t know that yet either. What do we do next? Who do we contact FIRST?”
- IT Provider
- Cloud Provider
- Clients or Customers
Making this decision in the heat of a crisis is not ideal. To minimize business impact and cost, do you know exactly what to do when your business gets hacked?
The right answer? B. Attorney. Getting legal help immediately is the correct answer in most situations. One big reason is attorney-client privilege: you and your attorney control the release of information and can shape the messaging. Second, breach notification requirements vary by location. Careful compliance assessment and prompt action can avoid significant penalties.
Obviously, your IT staff will also assess the situation in parallel. Some businesses choose simply to recover as quickly as possible, an approach that can leave your operations vulnerable to the same attack. Professional cyber security support may be required to determine the root cause and identify mitigations to prevent future attacks.
To prepare effectively, get help. Do you have an Incident Response Plan? If not, LP3 can help. Contact LP3 for a comprehensive vulnerability and business risk assessment.