Not more than a few years ago most of us would have thought “BYOD” was a typo in an article for private club leaders; the only hacker team we knew of was the few guys down the end of the bench who were put in the game when their basketball team was down 15 points with two minutes remaining; and if phishing and spear phishing (the other spellings) were taking place, it would have been done in water.
This article is not about food and beverage trends, basketball or fishing. Instead, this article will look at the history of technology attacks and the risk to a private club, its board, members and employees.
Many clubs are finding the Internet to be a powerful way to communicate with members, spread the word on current events, manage club accounting and member payments and much more. While each of these uses offers great benefits to club efficiency, they all involve privacy concerns that should be considered when creating an online presence for your club.
History of Hacking
Although it seems the subject of cyber-attacks comes up now in weekly conversation and we have to scratch our heads to recall when we first began to hear about it, cyber and privacy threats are nothing new in the U.S.
In 1988, one of the first recognized worms to affect the world’s cyber infrastructure spread across computers largely in the U.S. The worm slowed down computers to the point of being unusable. The worm was the work of a man who said he was just trying to gauge how big the Internet was. He subsequently became the first person to be convicted under the U.S. Computer Fraud and Abuse Act. He now works as a professor at MIT.
Since then, the following cyber, privacy and security incidents have been in the news:
A prestigious university in Connecticut reported the theft of a computer containing the Social Security numbers of 10,000 current students and 200 faculty members. They were required by state law to notify all of those who were affected.
A health services company in Indiana was sued for violations of privacy and negligence with damages of $1,000/person when an outside contractor returned a computer bag to a store, with important disks containing patient records still in the pocket. Some 260,000 patients and 6,200 employees were affected by the incident.
A major retail pharmacy in Texas was sued by the state when medical prescription forms with the names, addresses, date of birth, and types of prescriptions were found in a dumpster behind the building. The Attorney General’s office sought the maximum penalty of $50,000 per violation.
A state department in Ohio notified employees of a potential breach of 64,000 state workers’ personal information including Social Security numbers. The potential breach was the result of backup disks that had been stolen from an employee’s car.
A Chicago-based independent insurance broker was cited by the New York Attorney General for failing to report the loss of a computer containing confidential information in a timely fashion. The company was forced to pay for notifying clients and also paid the state $60,000 for the cost of the investigation.
A major toy store in New Jersey was sued based on a 2003 federal law that requires retail stores to limit the amount of identifying information that is shown on credit card receipts.
If those stories do not sound familiar, it may be because they all occurred in 2007 or prior.
More Recent Attacks
In July 2014, TotalBank, a subsidiary of Banco Popular with 21 locations in South Florida, announced it was notifying 72,500 customers that their account information was potentially exposed after an unauthorized third party gained access to the bank’s computer network. The bank said in a statement that it initiated an investigation with the help of data forensics experts, who reviewed the systems and protocols the financial institution had put in place. The forensics experts discovered that unauthorized individuals may have obtained access to customer names, addresses, account numbers, account balances and personal identification numbers such as Social Security numbers and driver’s license numbers, the bank reported. The information did not include passwords or the type of information that would allow access to a customer’s bank account. The bank is offering those potentially affected by the breach a year’s worth of free credit monitoring and identity protection services.
In August 2014, 25,000 or more undercover U.S. investigators had their personal data exposed to hackers after a cyber-attack struck a key contractor of the Department of Homeland Security.
Also in August, Community Health Systems Inc., one of the biggest U.S. hospital groups, said it was the victim of a cyber-attack from China, resulting in the theft of Social Security numbers and other personal data belonging to 4.5 million patients.
On August 20, 2014, United Parcel Service Inc. (UPS) said a breach of computer systems at UPS Store retail outlets might have exposed customers’ personal and payment data at some locations this year. Malware was found at 51 locations in 24 states, or about 1 percent of the 4,470 franchise stores across the U.S. About 105,000 transactions were affected, although the company can’t yet say how many customers were.
And of course, we know about the largest cyber hack in U.S. history involving Target. Recent estimates have Target’s total cost of that breach at $148 million, with insurance picking up about $38 million of it. As expected, this has negatively affected their earnings and stock price in the last eight months.
eBay also recently asked 145 million of its users to change their passwords after a May 2014 cyber-attack that may have affected those users.
Recent surveys say two out of three enterprise security professionals believe a breach is inevitable, and other reports show that small and midsize businesses (SMBs) suffered data breaches more often than larger firms. Moreover, another recent survey found that two thirds of small to midsize businesses were not concerned about cyber threats, either external or internal. External threats include a hacker or cyber criminal stealing data, while internal threats include an employee, ex-employee or contractor/consultant stealing data.
It may seem reasonable for a club to consider itself not on a cyber criminal’s high-priority list. Conversely, these criminals realize SMBs are less likely to devote significant dollars to cyber security, which makes them easier targets. As such, it is prudent to assume you are a target.
How to Protect Your Club Data
Clubs hold valuable data, criminals take little risk to get high returns in a cyber attack, and SMBs are easy targets that sometimes let their guard down. Their security tools are often not equipped to combat today’s advanced technology attacks, so small to midsize businesses are certainly at risk.
In addition to malicious activity, a significant portion of data breaches is caused by user error, internal accidents or negligence. Here are a few security recommendations to help protect your club:
- Have a dedicated IT professional or proactive outsourced provider
- Understand what type of data you collect, who has access to it and how long you store it
- Work with an IT professional and an attorney with experience in this space to craft a privacy policy that creates transparency and provides assurance to employees, members and other constituents. Additionally, if social media is going to be part of a club’s technology strategy, your IT and legal partners may need to be reminded that your private club is private.
- Stop using software products that are no longer being supported for security upgrades
- Dedicate certain computers, users and passwords for online banking, credit card procurement, background checks, payroll, etc., and avoid web browsing and e-mail on these computers if possible
- Regularly back up critical data and make sure one copy is encrypted and stored offline
- Keep computers up to date with security updates, anti-virus and anti-malware
- Have a strong password program, with strong passwords that are changed and tested on a regular basis
- Require employees to avoid accessing the club’s system through unprotected and public Wi-Fi
- Have your IT professional develop a BYOD (bring your own device) and wearable policy
- Educate users on what “phishing” is and how they can avoid it
- Develop a response plan if your network were to become infected
And if these recommendations fail to stand up to an unintended keystroke, a virus or a cyber thief, there is another way to protect your club: consider a Privacy and Cyber insurance product. See the companion article, Privacy & Cyber Insurance: New Protections for New Times.
Bill Dalton is president of Bridgepoint Insurance Group, a specialty property & casualty insurance brokerage located in Wayne, Penna., with a focus on the golf and club industry. He can be reached at [email protected] or 888-687-5712 x223.