We need a bigger boat: Whaling, the latest threat to cybersecurity

By Lana Smith, DePaul University College of Law, WK Legal Scholar

By the early 2000s a phenomenon known as “phishing,” a term coined in the mid-1990s, had become widespread. The neologism takes its name from its similarity to the leisure activity: both use bait to catch a victim. Phishing, though, exists in digital form; according to the Handbook of Information and Communication Security (2010), it is the attempt to acquire personal information from internet users by “phishermen” disguised as a trustworthy entity, such as the user’s bank or credit card company. The information collected from users who take the bait can then be used to commit crimes such as fraud and theft of the user’s funds or identity. As phishing grew dramatically over the years, the Anti-Phishing Working Group, an industry coalition formed in 2003 that shares its data with law enforcement and regulators such as the Federal Trade Commission, set out to slow the spread of phishing emails, websites, and popups. However, the Group may need a bigger net in order to catch the latest trend in cyber security attacks.

Unlike ordinary phishing, which casts a wide net over everyday Internet users, “spear phishing” targets specific individuals, and “whaling” is the variant aimed at the biggest catch: upper-level managers and executives of private companies. Hackers who use whaling attempt to deceive the executives in order to obtain confidential company information or money. Whaling can take a wide range of forms, such as an email whose contents are crafted around the person’s specific role in the company, a request purporting to come from the CEO to wire funds to a particular bank account, or an official-looking legal subpoena.

Regrettably, many executives are falling for whaling scams. In 2008, a fake subpoena made to look as if it had been issued by federal authorities was e-mailed to 20,000 corporate CEOs, 2,000 of whom clicked the link it contained. The link installed software that recorded the CEOs’ passwords and forwarded them to the whaling “phishermen,” who then broke into sensitive company materials. The FBI’s Internet Crime Complaint Center (IC3), which has collected such complaints since its founding in 2000, subsequently reported that from late 2013 onward more than 7,000 U.S. companies had been affected by whaling alone, equating to more than $740 million in losses.
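The CEO wire request, the role-specific lure and the fake subpoena described above share a handful of observable traits: an executive’s name on a mailbox outside the company, a look-alike sender domain, a Reply-To that diverts the conversation, and body text pressing for a payment, a password or a response to a legal notice. The following Python screen, added here as an illustration and not code from the article or any source it cites, scores a message against those traits. The company domain example-health.org, the executive roster and the three sample messages are constructed for the example; a real deployment would read the roster from a directory and the messages from a mail gateway.

```python
"""Heuristic screen for whaling e-mail (executive impersonation, fake legal
notices).  Added example for this article, not code from the author or any
cited source.  The company domain, executive roster and sample messages are
constructed for illustration."""
import difflib
import re
from email import message_from_string
from email.policy import default as DEFAULT_POLICY
from email.utils import parseaddr

COMPANY_DOMAIN = "example-health.org"               # assumed victim domain
EXECUTIVES = {"Jane Doe": "CEO", "Sam Roe": "CFO"}  # assumed roster

# Content indicators for the three forms of whaling discussed above.
PAYMENT_URGENCY = re.compile(r"\b(wire|transfer|deposit|urgent|immediately|confidential)\b", re.I)
CREDENTIAL_REQUEST = re.compile(r"\b(password|login|credentials|verify your account)\b", re.I)
LEGAL_PRETEXT = re.compile(r"\b(subpoena|summons|court order)\b", re.I)

IDENTITY_FLAGS = {"exec-name-external-domain", "reply-to-mismatch", "lookalike-domain"}


def _normalize(domain: str) -> str:
    """Undo common homoglyph swaps so 'examp1e-hea1th.org' compares equal to the real domain."""
    return (domain.lower().replace("rn", "m").replace("0", "o")
            .replace("1", "l").replace("-", ""))


def lookalike(domain: str) -> bool:
    """True if `domain` imitates COMPANY_DOMAIN without being it."""
    if not domain or domain.lower() == COMPANY_DOMAIN:
        return False
    target, probe = _normalize(COMPANY_DOMAIN), _normalize(domain)
    if probe == target or target.split(".")[0] in probe:   # e.g. example-health.org.evil.com
        return True
    return difflib.SequenceMatcher(None, probe, target).ratio() >= 0.85


def score_message(raw: str) -> dict:
    """Return {'flags': [...], 'suspicious': bool} for one RFC 5322 message."""
    msg = message_from_string(raw, policy=DEFAULT_POLICY)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")

    flags = []
    # An executive's display name on an address outside the company.
    if from_name.strip() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        flags.append("exec-name-external-domain")
    # Replies silently diverted to an address the attacker controls.
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-mismatch")
    if lookalike(from_domain) or lookalike(reply_domain):
        flags.append("lookalike-domain")
    if PAYMENT_URGENCY.search(text):
        flags.append("payment-urgency")
    if CREDENTIAL_REQUEST.search(text):
        flags.append("credential-request")
    if LEGAL_PRETEXT.search(text):
        flags.append("legal-pretext")

    identity = [f for f in flags if f in IDENTITY_FLAGS]
    content = [f for f in flags if f not in IDENTITY_FLAGS]
    # A forged identity plus a lure, or two lures at once, is worth a human look.
    suspicious = (bool(identity) and bool(content)) or len(content) >= 2
    return {"flags": flags, "suspicious": suspicious}


# Constructed samples (not real mail).
SAMPLE_CEO_WIRE = (
    "From: Jane Doe <jane.doe@examp1e-health.org>\n"
    "Reply-To: jane.doe@secure-mail-relay.net\n"
    "To: controller@example-health.org\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "I need you to wire $48,000 today to the account below and keep this confidential.\n"
)
SAMPLE_SUBPOENA = (
    "From: Clerk of Court <notice@uscourts-service.net>\n"
    "To: jane.doe@example-health.org\n"
    "Subject: Subpoena in a civil case\n"
    "\n"
    "You are commanded to appear. Download the subpoena and confirm your login at the portal.\n"
)
SAMPLE_LEGIT = (
    "From: Sam Roe <sam.roe@example-health.org>\n"
    "To: controller@example-health.org\n"
    "Subject: Q3 budget review\n"
    "\n"
    "Attached is the draft for Thursday's meeting.\n"
)

if __name__ == "__main__":
    for name, sample in (("ceo-wire", SAMPLE_CEO_WIRE), ("subpoena", SAMPLE_SUBPOENA), ("legit", SAMPLE_LEGIT)):
        print(name, score_message(sample))
```

The verdict rule is deliberately conservative: a genuine CFO asking for an urgent wire trips only one content flag and passes, while the forged CEO message (four flags) and the subpoena lure (two content flags) are held for review. Keyword lists and the similarity threshold are tuning knobs, not a substitute for authenticating mail (SPF, DKIM, DMARC) or for verifying payment requests over a channel the attacker does not control.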

The health care industry has also felt the turbulent wake of whaling attacks. In May 2015, the Ponemon Institute published the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data. It found that the total cost of data breaches to health care organizations and their business associates was approximately $6 billion. More than 90 percent of the health care organizations represented in the study had suffered a data breach in the past two years, and 40 percent of those had suffered more than five. Half of the organizations had little or no confidence in their ability to detect all patient data loss or theft. With the average cost of a data breach exceeding $1 million, health care organizations and their business associates should adopt measures that blunt whaling.

To complicate matters, a recent decision in the Seventh Circuit, Remijas v. Neiman Marcus Group, reevaluated the “substantial risk” standard for Article III standing. Neiman Marcus released a statement indicating that 350,000 of its customers’ payment cards had potentially been exposed to malware and that 9,200 cards in that group had in fact been used fraudulently. The court held that fraudulent use of 2.5 percent of the compromised cards was sufficient to show a substantial risk of harm to the entire class of cardholders whose data had been breached. While Neiman Marcus argued that the possibility of a future injury was too speculative to create Article III standing, the Seventh Circuit concluded that the harm was “certainly impending” rather than merely possible. If followed in other circuits, this decision may open the door for claimants to sue for future harm whenever a data breach has occurred at a health care organization or through one of its business associates.

With 88 and 90 percent of breaches at health care organizations and their business associates, respectively, attributed to whaling, each should review its procedures for protecting against whaling and explore ways to transfer the risk. Beyond indemnification clauses in contracts, health care organizations and business associates should consider purchasing cyber risk insurance to reduce their exposure to Remijas-type future damage claims. Most policies contain first-party coverage, which pays the cost of breach notification and some amount of credit monitoring and/or identity theft protection. Most policies also cover the cost of defending and satisfying the liability created when claimants pursue the health care entity. Beyond the protections of cyber risk insurance, health care organizations and business associates should contract with monitoring services to improve their chances of detecting whaling and other common cyberattacks. Insurance transfers the loss and monitoring shortens the time to detection, but neither prevents the attack; out-of-band verification of any request to move funds or disclose credentials, multi-factor authentication, and e-mail authentication (SPF, DKIM and DMARC) reduce the likelihood that a whaling message succeeds at all. If properly prepared, the health care industry may be better able to navigate the waters of large whaling and phishing attacks.

Lana Smith is currently pursuing her law degree and health law certificate at DePaul University College of Law. She completed her undergraduate degree at the University of Michigan in International Studies – Comparative Cultures & Identities. Lana is the Co-Director of Outreach & Recruitment of the Jaharis Health Law Institute Student Board, a staff writer for the Institute’s online publication, the E-Pulse, and an active Health Law Fellow.