By now you’ve probably heard of the creatively named “Heartbleed” bug. Heartbleed, which has its own slick logo courtesy of the organization that discovered it, is a flaw in certain versions of OpenSSL, the software library that most websites worldwide use to implement SSL/TLS (the encryption protocol that protects information like passwords and account names in transit). Disturbingly, the bug has been present for over two years, though it only recently came to light. There’s a good chance your business has either been vulnerable itself, or has transmitted information to a vulnerable third-party site within the past two years. Here’s a helpful (but non-exhaustive) list of affected sites.
So what does Heartbleed mean to you? For starters, it poses enormous risks to your organization’s data security. There are three kinds of information which may be at risk:
- Communications to and from your own organization’s servers running affected versions of OpenSSL, or passing through vulnerable routers, VPN appliances and other network hardware;
- Communications by employees to third-party organizations affected by Heartbleed; and
- Communications by employees to affected organizations during their personal use of the internet at home or at work, if the employee reuses a work password on those sites.
Of course, with the risk of data breaches comes the risk of legal consequences for those breaches. For instance, if an organization discovers that Heartbleed was exploited to allow access to data containing individuals’ personal information, Maine’s Notice of Risk to Personal Data Act would require that organization to notify those individuals of the breach or face penalties. Moreover, an organization could be exposed to civil suits by individuals harmed by a breach.
Because Heartbleed is now public and has existed for over two years, organizations should act quickly to prevent unauthorized data access. A business should determine which of its systems run an affected version of OpenSSL, patch or upgrade those systems, and then replace the private keys and SSL certificates on the patched servers (revoking the old certificates), because an attacker who exploited the bug may have copied the server’s private key along with user data. Only then should employees be required to change the passwords they use for the business’s own patched systems and for patched third-party websites. Make sure employees change their passwords only after a website or system has been updated; changing a password before the patch could expose the new credentials just as the old ones were exposed.
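As an added example (this is not code from the original post), the following POSIX shell function gives a first answer to the “do we have any vulnerable systems?” question by classifying the output of `openssl version -a`. It encodes the ranges from the OpenSSL advisory (1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and later are fixed; the 0.9.8 and 1.0.0 branches never had the heartbeat code) and also recognizes a build whose heartbeat support was compiled out with `-DOPENSSL_NO_HEARTBEATS`, the advisory’s workaround for systems that could not upgrade immediately. The sample version strings and the `SAMPLE_MITIGATED` block are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: classify an OpenSSL
# installation as potentially Heartbleed-affected from the text that
# "openssl version" or "openssl version -a" prints.
#
# Upstream affected releases: OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# 1.0.1g (7 Apr 2014) and 1.0.2-beta2 onward carry the fix; 0.9.8 and 1.0.0
# never contained the heartbeat extension, and 1.1.x / 3.x were released
# long after the fix.
#
# Caveat: many distributions backported the fix WITHOUT changing the version
# letter (Debian's 1.0.1e-2+deb7u5, for example), so "vulnerable" here means
# "check your package manager's changelog", not "confirmed exploitable".

# Usage: heartbleed_assess "$(openssl version -a)"
# Prints one of: mitigated, vulnerable, patched, unaffected, unknown.
heartbleed_assess() {
    info=$1

    # A build compiled with -DOPENSSL_NO_HEARTBEATS has no heartbeat
    # handler at all, so the bug is unreachable regardless of version.
    # "openssl version -a" shows the compiler flags on its "compiler:" line.
    case "$info" in
        *OPENSSL_NO_HEARTBEATS*) echo mitigated; return 0 ;;
    esac

    # The version string is always the first line of the output.
    first=$(printf '%s\n' "$info" | sed -n '1p')

    case "$first" in
        "OpenSSL 1.0.1"|"OpenSSL 1.0.1 "*|"OpenSSL 1.0.1"[a-f]*)
            echo vulnerable ;;                 # 1.0.1 .. 1.0.1f
        "OpenSSL 1.0.2-beta1"|"OpenSSL 1.0.2-beta1 "*)
            echo vulnerable ;;                 # the one affected 1.0.2 pre-release
        "OpenSSL 1.0.1"[g-z]*|"OpenSSL 1.0.2"*)
            echo patched ;;                    # 1.0.1g+, 1.0.2-beta2+, 1.0.2 final
        "OpenSSL 0.9."*|"OpenSSL 1.0.0"*|"OpenSSL 1.1."*|"OpenSSL 3."*)
            echo unaffected ;;                 # branches that never had the bug
        *)
            echo unknown ;;                    # not OpenSSL, or an unexpected format
    esac
}

# Constructed sample of "openssl version -a" output for a 1.0.1e build that
# was rebuilt with heartbeats disabled (the flags line is the part that matters).
SAMPLE_MITIGATED='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Apr  8 10:00:00 2014
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -DOPENSSL_NO_HEARTBEATS -fPIC -DOPENSSL_PIC -O3 -Wall'

# Stand-alone demo over constructed version strings. On a real host you
# would call: heartbleed_assess "$(openssl version -a)"
for s in 'OpenSSL 1.0.1e-fips 11 Feb 2013' \
         'OpenSSL 1.0.1g 7 Apr 2014' \
         'OpenSSL 1.0.0l 6 Jan 2014'; do
    printf '%-36s -> %s\n' "$s" "$(heartbleed_assess "$s")"
done
printf '%-36s -> %s\n' 'build with -DOPENSSL_NO_HEARTBEATS' \
    "$(heartbleed_assess "$SAMPLE_MITIGATED")"
```

A “vulnerable” result from the version letter alone is a prompt to look further, not a verdict: on Debian/Ubuntu `apt-get changelog openssl` and on RHEL/CentOS `rpm -q --changelog openssl` will show whether the vendor’s package already references CVE-2014-0160 (the Heartbleed CVE). Also remember that the same library is embedded in VPN appliances, load balancers and other network gear, which this script cannot see; those need to be checked against their vendors’ advisories.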
If you’re unsure of what needs to be done to secure your business’s data, you should consult with an IT professional, as failing to deal with this bug could have financial and legal consequences. As always, feel free to contact the attorneys at Tucker Law Group for more information.