We have received numerous calls from concerned clients about the Anthem data breach. If you use Anthem as your health plan provider, you should, by now, have started to assess your own obligations and exposure as a result of the breach. But just because you don’t use Anthem doesn’t mean you aren’t affected by Anthem’s breach. You are. And you should be strengthening your defenses now.  

The Anthem breach is believed to have started with a spear phishing email to employees that delivered malware into Anthem’s system. Spear phishing relies on tricking users into believing the email or link is genuine when it is not. When the email or link can mimic the appearance of a user’s trusted company or friend, it is more likely to succeed in convincing the user to click on links or open attachments that are harmful. 

Another data breach was also announced this week. Forbes reported that its "Thoughts for the Day” pop-up screen was the target of a zero-day exploit, which resulted in the infection of thousands of computers linked to blue chip companies from Nov. 28 through Dec. 1, 2014. A zero day exploit is a flaw in an application that has not yet been patched and that allows hackers into the system.

These attacks, and others like them, will spawn more attacks. The data stolen from Anthem and Forbes provides hackers with more tools to target other people. That data can be used, for example, to create spear phishing emails targeting the tens of millions of individuals whose information was stolen. Those individuals may well be your employees, contractors, and vendors. So you need to be ready.

To reduce your risk, you should take the following steps now:

1. Review and update your privacy and security policies.
2. Notify your employees about the risks of cyberattacks and train them to protect your data.
3. Decrease your alert thresholds for identifying cyberattacks.
4. Audit your privacy practices and fill any identified gaps.

Visit Taft's Privacy and Data Security Insight blog for timely updates and analysis on this and other data privacy and security topics.