The largest hack in the platform’s history was just the latest in a long series of incidents. What implications does this lack of security have for ordinary New Yorkers?
Hackers recently compromised some of the platform’s largest accounts and used them to promote a Bitcoin donation scam.
Twitter is much smaller than Facebook and some other social media platforms, but it is extremely influential.
Many accounts have millions of followers worldwide.
So, it is a very tempting target for hackers. Some observers think that Twitter was ill-prepared to handle this latest onslaught.
“Good cybersecurity is so often getting the basics right over and over again: strong passwords, good multi-factor authentication ... a willingness to test systems until they break to learn how to improve them, and more,” commented Atlantic Council Cyber Statecraft Director Trey Herr.
“It may be that Twitter has some work to do on this basic blocking and tackling,” he added. Twitter did not immediately respond to this allegation.
In recent years, hackers have sent fraudulent tweets, and the Justice Department has accused Twitter employees of spying.
Information Security Liability
Huge security lapses like the latest Twitter breach normally grab the headlines.
But most data breaches involve small companies and a few hundred accounts. The injuries these cyber victims sustain are just as bad, or even worse.
A number of smaller hacks do not involve the internet at all.
A number of groups, especially doctors, lawyers, accountants, and other professionals, have liberal BYOD (bring your own device) policies.
Thumb drives and other such devices are quite secure, if the owners do not leave them lying around.
Unfortunately, these small, compact drives are very easy to misplace or forget.
On a related note, many companies encourage employees to use their laptops and work remotely. It is rather easy to hack into an open WiFi network at a coffee shop or restaurant.
Additionally, many small companies have rather weak security safeguards. But the information they store is quite valuable.
All these issues could lead to legal liability for a security breach. A negligence claim in this area has three basic prongs:
- Nature of the Business: Almost all businesses store some personal information, but in many cases, this information is in unusual places. For example, a law office probably knows to protect bank account information in a payment portal, but an obscure line on a random form might be vulnerable to attack.
- Preventative Measures: The standard of care often comes into play here. Professionals, especially financial professionals, must use the highest level of encryption available. Other businesses, like a retailer who stores nothing but sales records, might only need lesser deterrent security.
- Breach Response: This final area is usually relevant in terms of damages. When breaches happen, many companies fail to report them or understate their extent. Such wrongful conduct arguably entitles a plaintiff to additional punitive damages.
Many businesses have cybersecurity insurance that covers situations like these. Because this is still an emerging area, insurance companies are often slow to respond, as set out below.
Business owners and injured people count on insurance companies to do the right thing in these situations.
But many insurance companies readily sell cybersecurity insurance policies even though they lack the necessary infrastructure to handle these claims.
This lack of infrastructure does not affect the insurance company’s duty in these situations.
Initially, insurance companies have a duty to promptly and thoroughly investigate claims.
Small hacks might fly under the radar and large hacks might be overwhelming. But the insurance company’s responsibility remains the same.
Additionally, if liability is relatively clear, insurance companies have a duty to pay promptly as well.
Although cybersecurity breaches are essentially negligence cases, many normal negligence defenses, such as contributory fault, do not apply.
Many victims had no idea their information was stored carelessly, so they had no role in the breach whatsoever.
And, for business owners, most of these policies are quite clear in terms of coverage parameters.
If a lawyer must take action to enforce your rights in an insurance dispute, the insurance company must normally cover the plaintiff’s attorneys’ fees and legal costs.
A cybersecurity breach involving sensitive information could be one of the most serious personal injuries your family could sustain.
For a free consultation with an experienced personal injury attorney in New York, contact Napoli Shkolnik PLLC.