Fraud, Fraud Everywhere (Nor Any Relief For the Victim)

It's a good thing we have the Internet-enabled and -enhanced 24-hour news cycle, because many issues are in the news today all the time, around-the-clock. Take fraud for example: No dearth of this topic in the dirty-laundry news cycle, for sure.

From Wall Street executives, to Ponzi scammers like Bernard Madoff, to run-of-the-mill scammers easily exposed at sites such as Snopes.com, the Internet ' as we all should know ' has truly souped up, and made easier, frauders' ability to prey on others than ever before.

Online, the statistics back up that perception. In October, security firm Panda Labs reported that levels of various types of online frauds had increased, including:

• So-called “money mule” jobs (offering payment to transfer funds between countries);
• Job-recruitment spam;
• Rebate-processing positions; and
• “Good old” phishing (to get credit-card or Social Sec- urity numbers) (see, http://news.cnet.com/8301-1009_3-10104748-83.html?tag=mncol).

Fraud is so common today that The Wall Street Journal even had a full feature section on January 2, titled “Why we keep falling for financial scams.” The author, psychologist Stephen Greenspan ' a Madoff victim himself ' traced the history of “gullibility,” based on “the tendency of humans to model their actions ' especially when dealing with matters they don't fully understand ' on the behavior of other humans.”

The New York Times also launched a blog devoted to cons, titled “The Modern Con Man” (eponymously named after the book by Todd Robbins) (see, http://modernconman.blogspot.com/). The government ' appropriately, one can find information at the Web site of the Federal Trade Commission (“FTC”) ' has even created Web sites to help government agencies track frauds (see, www.ftc.gov/sentinel, and www.ftc.gov/sentinel/factsheet.pdf). In fact, it reported that one woman fell for the infamous Nigerian 419 scam recently, despite widely publicized warnings about that dated fraud at sites such as Snopes.com, hoaxbusters.org, urbanlegends.about.com and various anti-virus software firms' Web sites (see, for instance, http://modernconman.blogspot.com/2008/12/more-awards.html).

We can't even trust the Internal Revenue Service (“IRS”), the governmental equivalent of Caesar's wife (www.brainyquote.com/quotes/quotes/j/juliuscaes161092.html), to be above suspicion; it was reported in January that the IRS's own employees have violated prominent taxpayers' privacy by accessing their personal information in the IRS files, although there is no evidence that their motives were anything more than boredom-driven curiosity, rather than any fraudulent intent (see, www.washingtonpost.com/wp-dyn/content/article/2009/01/15/AR2009011500955.html?hpid=moreheadlines).

Everyone knows the importance of being wary, and not to trust anyone, online. Even the casual Internet user has been repeatedly warned not to believe or trust something just because it appears online, without more evidence of credibility. So how can anyone legitimately claim to have been defrauded online, without any legal basis to rely upon online content? My colleague, Tim Szuhaj, a former dot-com general counsel and an expert on e-commerce and intellectual-property law, warns that today, “no one can reasonably rely solely on anything online,” that sole reliance being one of the prerequisites for proof of “actual fraud” (according to Black's Law Dictionary). “If you know the risks, you can't be defrauded.” As the Wall Street Journal article noted, the Madoff fraud victims proceeded with a “risky behavior in spite of (their knowledge of) danger signs or unresolved questions” ' which could be said of virtually any e-commerce site, outside the largest. (I use a separate credit card when shopping online at a site that I have not used before, to avoid exposing my “real” information to unknown sellers.)

Moreover, online e-commerce today is far removed from the “wild wild West” that it was once feared to be. Given the level of e-commerce transactions involving consumers alone, much less the volume of business-to-business deals, the reported level of transactions with problems appears no more fraudulent than in the offline world, if not less, but remains a problem for the sector. (Of course, if victims do not publicize their losses, whether due to shame, or unwillingness to share actual data levels, the rate of online fraud may be higher than perceived.)

2008 Brought a Slew of Protection Efforts

Despite the incongruity of people worrying about fraud in an online environment that everyone acknowledges is inherently untrustworthy, 2008 brought many initiatives on educating businesses and consumers alike about ways to prevent fraud in their online activities. Since each document could itself be the subject of an entire article, let me list just the most recent examples. Although many of these documents mix consumer- and business-oriented materials, the antifraud strategies in each will generally be relevant to e-commerce firms, especially those that obtain individual information from customers. Moreover, each publication has many links and references to other publications. The list follows.

• The FTC issued Protecting Personal Information: A Guide for Business ( see, www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf). This publication appears on a page of similar business-oriented guidance at www.ftc.gov/bcp/conline/edcams/infosecurity/index.html; links to downloadable individual publications can be found at www.ftc.gov/bcp/edu/microsites/idtheft/business/publications.html, and at www.ftc.gov/bcp/conline/edcams/infosecurity/publish.html.
• In September, the President's Identity Theft Task Force issued its report on implementation of 31 recommendations it had made in an April 2007 strategic plan for protecting information in our society ( see, http://www.idtheft.gov/). The report is available at www.idtheft.gov/reports/IDTReport2008.pdf.
• In December, the FTC issued a report, Security in Numbers: SSNs and ID Theft, discussing ways businesses should use Social Security numbers more responsibly to reduce the risk of abuse ( see, www.ftc.gov/os/2008/12/P075414ssnreport.pdf).
• The FTC delayed enforcement (but repeated its support) for its 2007 Red Flag Rule for certain businesses, requiring “creditors” and “financial institutions” to have programs to monitor for signs that customers may be the target of identity theft ( see, www.ftc.gov/bcp/edu/pubs/articles/art10.shtm).
• In December, the Center for Strategic and International Studies, a Washington think tank, issued its report, Securing Cyberspace for the 44th Presidency, a broad-ranging analysis of policies to improve the country's “national and economic security” against threats and attacks to our
  networks. Chapter 3 of the report, “Rebuilding Partnership with the Private Sector,” emphasizes the need for cooperation among the patchwork of public and private security organizations, because “the private sector designs, deploys and maintains much of the nation's critical infrastructure (which) cannot be secured by government alone” ( see, www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf).
• Many states have passed their own laws regulating business practices aimed at preventing traditional fraud that have direct impact on e-commerce. I have cited several states' laws because of the prominence of these states, but other states may have their own comparable rules, which could affect e-commerce sellers across the country, because such laws typically protect information of customers located in a state. In other words, an e-commerce firm in any state with customers in California, Massachusetts or New York (or any other state with such antifraud laws) must comply with those laws.
  • For example, New York's Social Security Number Protection Law, directly regulating business use of Social Security numbers, went into effect on Jan. 1, 2008 (with many provisions delayed until January 3 of this year) ( see, www.consumer.state.ny.us/pressreleases/2008/nov12008.htm; a guide is available at www.consumer.state.ny.us/pdf/the_new_york_business_guide_to_privacy.pdf).
  • In November, California's Office of Information Security and Privacy Protection issued a “Management Memo” on “Safeguarding Against and Responding to a Breach of Security Involving Personal Information” ( see, www.documents.dgs.ca.gov/osp/sam/mmemos/MM08_11.pdf).
  • Massachusetts has also adopted its own similar laws, effective for 2009 ( see, www.lexology.com/library/detail.aspx?g=6675261d-cd85-4b27-8bbd-ab93ecc4e769).

Non-Profits Too

The attention that fraud prevention has drawn has not been limited to the for-profit world. Last March, a report originally published in late 2007 in a professional journal by four accounting professors estimated a staggering level of fraud involving non-profits, based on data from actual fraud cases reported by members of the Association of Certified Fraud Examiners (“ACFE”) (http://www.acfe.com/; see also, http://nvs.sagepub.com/cgi/reprint/36/4/676.pdf and www.nytimes.com/2008/03/29/us/29fraud.html?_r=1&ex=1207454400&en=f4dfbafb2d50131f&ei=5070&emc=eta1). The report may be found at http://nvs.sagepub.com/cgi/reprint/36/4/676.pdf.

Also, financial firms and others in regulated industries must satisfy industry-specific legal obligations to protect information that could be used to perpetrate a fraud (rules for which are beyond the scope of this article). For example, see, You May Have a Duty When Identity is Stolen, at www.metrocorpcounsel.com/current.php?artType=view&artMonth=January&artYear=2009&EntryNo=9309. In addition, the FTC has promulgated its own Standards for Safeguarding Customer Information under the authority of the Gramm Leach Bliley Act to regulate various types of financial transactions, at 16 CFR Part 314 (see, http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=b0cd29b4fe4d683b65bae448e02226de;rgn=div8;view=text;node=16%3A1.0.1.3.38.0.38.1;idno=16;cc=ecfr).

Best to Keep A Careful Vigil

In this environment of heightened attention to online fraud, with an ever-growing web of federal and state laws to protect information against fraudulent use, the legal basis for an e-commerce firm's duty to its customers to protect them (and itself) against fraud has become almost less important than the practical need to satisfy customer concerns. In our class action-oriented society, as well, claims against a business for fraud losses due to an alleged failure to protect information will also police the behavior of private firms much more quickly than any regulator can do. Therefore, the prudent business ' and its board of directors, who owe fiduciary duties to its owners ' will instead focus on what it can do to prevent such losses from fraudulent acts rather than the legal niceties of what it is required to do by law.

As in many other areas of e-commerce law (and business), the answers will not be very different from those for a bricks-and-mortar firm, for preventing internal and external fraud. For example, proper due diligence and credit review on customers can prevent overextensions of credit; the “know your customer” rules implemented for financial institutions as a post-9/11 security measure could apply equally well to private businesses (see, http://en.wikipedia.org/wiki/Know_your_customer). Whether evaluating the background of a possible seller or buyer, or charitable donor or proposed deal, people paying attention to the same badges that warn of fraud as in a traditional deal remains critical.

Indeed, a search on “e-commerce” at the ACFE Web site reveals that e-commerce fraud has been a perennially popular topic for those auditors. The ACFE's publication, Managing the Business Risk of Fraud: A Practical Guide (www.acfe.com/documents/managing-business-risk.pdf), recommends ways in which boards, senior management and internal auditors can fight fraud in their organizations. Specifically, it provides credible guidance from leading professional organizations that defines principles and theories for fraud risk management, and describes how organizations of various sizes and types can establish their own fraud risk-management program. Specific recommendations (each of which is discussed in great detail) cover:

• Adoption of the board of directors' expectations concerning fraud prevention;
• Periodic assessment of fraud risk;
• Techniques to avoid fraud risk (and to detect and mitigate its effect when those techniques do not work); and
• A reporting process and corrective measures.

Given the sophistication of online fraudsters, however, and the importance of fraud protection, implementing such a program is probably not something that an entrepreneur should try “at home” ' the guidance of a qualified accountant or fraud examiner is well worth the expense.

Fraud Insurance Can Help

While planning against fraud loss is critically important, it won't cover the costs of fixing a problem that occurs, whether reimbursing harmed customers, or dealing with unexpectedly missing cash. In fact, sometimes even an investigation by professionals doesn't help; for instance, witness the many “experts” whose charity clients were on the list of Madoff victims. In that situation, just as with losses from storms or other unexpected events, insurance can help the recovery process (and probably also provide internal audits to prevent a loss in the first place), but buying insurance for fraud-related losses is not as easy as insuring your building against fire or buying a general liability policy. “Coverage provided by traditional insurance policies is based on physical assets, not information assets,” says Tripp Craig, a sales executive and risk-management consultant with the NSM Insurance Group (http://www.nsminc.com/), a national insurance brokerage that has placed such coverage with internationally recognized carriers like Zurich, Chubb Corp. and AIG. “Online exposures are very different than traditional brick-and-mortar businesses. It is very important for businesses utilizing e-commerce strategies of any type to work with an insurance broker committed to obtaining a complete understanding of intellectual property infringement, content and advertising, and employee dishonesty and computer fraud risks and exposures.”

Craig lists various types of e-commerce fraud-related claims he has seen: “Theft of information, sabotage of data or networks, system penetration by outsiders, abuse of Internet access, spoofing, viruses, financial fraud, active wiretapping, unauthorized insider access and theft of laptops ' all cost American companies hundreds of millions in lost revenues every year. Despite firewalls and other protective measures, computer security is inadequate against hackers. Whether a business is for profit or not-for-profit, obtaining insurance to protect company and customer information is essential.”

But Craig emphasizes the limits of traditional insurance, compared with the benefits of policies tailored to online firms: “e-Commerce insurance provides protection from the unique perils of doing business online, and is designed to protect against such risks and exposures, such as breaches of data security, involving unauthorized access to customer data, or the dissemination of customer data by accident or through fraud, and losses due to business interruption when customers are unable to access the Web site because of disruption or denial of service. Business interruption may also lead to financial losses for a third party” (such as a customer unable to purchase needed inventory to fulfill its own contracts). e-Commerce coverage could also involve difficult issues relating to ownership of online content (and legal claims relating to it).

Because of these complexities, it is important that e-commerce firms work with a broker experienced in obtaining the correct type and amount of insurance. For example, in a recent case in a related area of the law, the court held that a restaurant had no coverage under its “typical” policy for violation of an antifraud law restricting use of credit-card information on customer receipts. Whole Enchilada Inc. v. Travelers Property Casualty Co., No. 07-1533, 2008 WL 4442061 (W.D. Pa. Sept. 29, 2008).

But insurance rarely pays 100% of a claim, and has its own sometimes-substantial upfront costs. If a firm (or its customers) has been victimized, it should also consider reporting the problem to the “authorities,” both to try to get any potential recovery, and to prevent others from suffering the same fate.

Reach Out and Get Some Help

Where, however, can one file a complaint for online fraud? While it may be easy to find law-enforcement authorities where the victim is located, a police department in Pennsylvania may have no resources for, or interest in, investigating a fraudster in California ' or India, or Nigeria. While a local enforcement agency may be willing to accept a complaint, often there is little that it can do, not only practically (due to lack of resources), but also legally ' it may have no right or jurisdiction to enforce the laws of another state or local government, or of the federal government.

As a result of the explosion in online business, however, there are many agencies or private organizations to which online fraud can be reported. (Of course, after discovery of an online fraud, the victim should take such traditional, basic steps as closing accounts, particularly those for credit cards, and registering fraud alerts with the major credit-reporting agencies.) Fortunately, government agencies have collected links to many such reporting sites at www.usa.gov/Citizen/Topics/Internet_Fraud.shtml and www.cybercrime.gov/reporting.htm. The FTC also has a “one stop” fraud-reporting site for identity theft at www.ftc.gov/bcp/edu/microsites/idtheft, and a consumer-reporting site at https://www.ftccomplaintassistant.gov/. Depending on the type of fraud, and victim (i.e., consumer or business), there may be specific agencies ready to receive the complaint. For example, the Internet Crime Complaint Center (“IC3″), a partnership between the FBI, National White Collar Crime Center, and the Bureau of Justice Assistance, allows a victim to file a complaint online at www.ic3.gov/complaint/default.aspx. IC3 then reviews and evaluates all complaints and refers them to the appropriate federal, state, local, or international law-enforcement or regulatory agency. However, IC3 does not guarantee that a complaint will be investigated; IC3 goes no further than reporting to (one would hope) the appropriate agency, and does not actually investigate anything, much less provide relief to the injured party, nor does it have any authority to do so.

From the IC3 Web site:

As Internet crime complaints are reported online, the IC3 electronically compiles the data. Trained analysts review and research each complaint, disseminating information to the appropriate federal, state, local, or international law enforcement or regulatory agencies for criminal, civil, or administrative action, as appropriate. After you file a complaint with the Internet Crime Complaint Center (IC3), the information is reviewed by an analyst and forwarded to federal, state, local, or international law enforcement or regulatory agencies with jurisdiction. The IC3 does not conduct investigations and, therefore, is not able to provide the investigative status of a previously filed complaint. It is the IC3's intention to review every complaint and refer them to law enforcement and regulatory agencies having jurisdiction; however, investigation and prosecution is at the discretion of the receiving agencies.

But it is not clear that anything can or will be done as a result of such reports. Without efforts to establish safeguards, however, there can be no progress in the battle against online crime ' filing reports at least will try to help improve the system. Depending on the nature of the fraud, reports can also be filed with the local office of the FBI or U.S. Secret Service's Financial Crimes Division, but in the absence of a specific investigation, finding an agent dedicated to online fraud cannot be guaranteed. (Of course, the official U.S. government response will not be as “final” as in other countries, where financial fraud can be a capital offense (see, www.law.com/jsp/law/international/LawArticleIntl.jsp?id=1202427517680)).

Better Safe Than Scorned

Ultimately, however, the equivalent online sanction for a business that does not protect itself or its customers against fraud may be just as harsh, in a business sense, as in the non-virtual world. Consider all the lawsuits already pending or contemplated against financial advisers who placed clients' money with Mr. Madoff's funds: They'll stop buying from these enterprises. In e-commerce, customers may no longer be willing to entrust their credit-card numbers and other financial information to businesses that do not take reasonable steps to protect it, and make those steps clear to potential customers. (Indeed, the prevalence of online fraud has created a whole industry of firms that will certify the safe practices of e-commerce Web sites, such as http://www.truste.org/, http://www.shopperscanned.com/ or www.buysafe.com/index.html; see, www.Internetretailer.com/printArticle.asp?id=17763.) (Editor's note: buySAFE is a company that, among other activities related to thwarting Internet crime and fraud, bonds sellers. For more on the company, visit its Web site, and see, “Can Bonded Shopping Boost e-Commerce? It's Surety, Security and Peace of Mind. Counsel Should Be Sure Clients Are Aware of This Option,” in the June 2005 edition of e-Commerce Law & Strategy.)

But once an e-commerce firm has been identified as an online-fraud victim, business and consumer purchasers alike may choose not to patronize an e-commerce firm dogged by claims of failure to provide reasonable security. Similarly, donors may not give to a charity that does not protect information, or to one that exposes their gifts to fraudsters.

In today's world, the educated online consumer unwilling to risk being defrauded can shop elsewhere ' easily, and virtually without cost. The e-commerce firm that does not take fraud-prevention seriously will receive a sanction that is just as final and harsh as anything the modern world, adapting to fast-growing technology practices, and as traditional as Adam Smith's laws of free-market competition: the loss of its customers.

Resources Mentioned in This Article

Readers can find a treasury of information on how to protect clients ' businesses and individuals, plus their own firms or companies ' from identity theft and other forms of cyberfraud at the links below (in no particular order).

1. The Federal Trade Commission's Complaint Assistant Web site: https://www.ftccomplaintassistant.gov/.
2. The Association of Certified Fraud Examiners' home page, and a publication there, Managing the Business Risk of Fraud: A Practical Guide: http://www.acfe.com/, www.acfe.com/documents/managing-business-risk.pdf.
3. buySAFE, a company that certifies, monitors and bonds online merchants: www.buysafe.com/index.html.
4. The New York State Consumer Protection Board's Business Privacy Guide: How to Handle Personal Indentifiable Information and Limit the Prospects of Identity Theft and a news release with tips on how to protect against identity theft: www.consumer.state.ny.us/pdf/the_new_york_business_guide_to_privacy.pdf, and www.consumer.state.ny.us/pressreleases/2008/nov12008.htm.
5. The Center for Strategic and International Studies' Securing Cyberspace for the 44th Presidency: www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf.
6. U.S. Justice Department Web site with information on how to report cybercrime, computer crime and intellectual-property crime, with links to federal agencies: www.cybercrime.gov/reporting.htm.
7. A recent administrative manual from the California Department of General Services' Office of Information Security and Privacy Protection on how state government can improve information and information-technology security: www.documents.dgs.ca.gov/osp/sam/mmemos/MM08_11.pdf.
8. A trove of information from the Federal Trade Commission on how to fight identity theft and cybercrime, for consumers and businesses, with links to factsheets, complaint-filing forms, articles and more: www.ftc.gov/sentinel, www.ftc.gov/bcp/conline/edcams/infosecurity/index.html, www.ftc.gov/bcp/conline/edcams/infosecurity/publish.html, www.ftc.gov/bcp/edu/microsites/idtheft/business/publications.html, www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf, www.ftc.gov/os/2008/12/P075414ssnreport.pdf, www.ftc.gov/sentinel/factsheet.pdf.
9. A Web site dedicated to warning people about Internet and other hoaxes and scams, including phishing schemes and other means of compromising identity: http://www.hoaxbusters.org/.
10. The home page of the Internet Crime Complaint Center ('IC3'), a venture of the FBI and the non-profit National White Collar Crime Center: www.ic3.gov/complaint/default.aspx.
11. The President's Task Force on Identity Theft, and the Task Force's September 2008 report: http://www.idtheft.gov/, www.idtheft.gov/reports/IDTReport2008.pdf.
12. A rumor-bursting Web site that covers a diverse variety of rumor topics: http://www.snopes.com/.
13. TRUSTe, a non-profit that monitors and protects against online fraud, and certifies Web sites as secure for transactions: http://www.truste.org/.
14. A Web site focusing on urban legends, including those transmitted by e-mail and that carry information-stealing computer trojans and viruses: http://www.urbanlegends.about.com/.
15. The section of the U.S. government Web portal, USA.gov, dealing with a wide array of Internet fraud and other cybercrimes: www.usa.gov/Citizen/Topics/Internet_Fraud.shtml.

Stanley P. Jaskiewicz, a business lawyer, helps clients solve e-commerce, corporate, contract and technology-law problems, and is a member of e-Commerce Law & Strategy's Board of Editors. Reach him at the Philadelphia law firm of Spector Gadon & Rosen P.C., at [email protected], or 215-241-8866. (Editor's note: Mr. Jaskiewicz and his firm represent NSM Insurance Group, which is mentioned in this article as a source of relevant, useful information.)

It's a good thing we have the Internet-enabled and -enhanced 24-hour news cycle, because many issues are in the news today all the time, around-the-clock. Take fraud for example: No dearth of this topic in the dirty-laundry news cycle, for sure.

From Wall Street executives, to Ponzi scammers like Bernard Madoff, to run-of-the-mill scammers easily exposed at sites such as Snopes.com, the Internet ' as we all should know ' has truly souped up, and made easier, frauders' ability to prey on others than ever before.

Online, the statistics back up that perception. In October, security firm Panda Labs reported that levels of various types of online frauds had increased, including:

• So-called “money mule” jobs (offering payment to transfer funds between countries);
• Job-recruitment spam;
• Rebate-processing positions; and
• “Good old” phishing (to get credit-card or Social Sec- urity numbers) (see, http://news.cnet.com/8301-1009_3-10104748-83.html?tag=mncol).

Fraud is so common today that The Wall Street Journal even had a full feature section on January 2, titled “Why we keep falling for financial scams.” The author, psychologist Stephen Greenspan ' a Madoff victim himself ' traced the history of “gullibility,” based on “the tendency of humans to model their actions ' especially when dealing with matters they don't fully understand ' on the behavior of other humans.”

The New York Times also launched a blog devoted to cons, titled “The Modern Con Man” (eponymously named after the book by Todd Robbins) (see, http://modernconman.blogspot.com/). The government ' appropriately, one can find information at the Web site of the Federal Trade Commission (“FTC”) ' has even created Web sites to help government agencies track frauds (see, www.ftc.gov/sentinel, and www.ftc.gov/sentinel/factsheet.pdf). In fact, it reported that one woman fell for the infamous Nigerian 419 scam recently, despite widely publicized warnings about that dated fraud at sites such as Snopes.com, hoaxbusters.org, urbanlegends.about.com and various anti-virus software firms' Web sites (see, for instance, http://modernconman.blogspot.com/2008/12/more-awards.html).

We can't even trust the Internal Revenue Service (“IRS”), the governmental equivalent of Caesar's wife (www.brainyquote.com/quotes/quotes/j/juliuscaes161092.html), to be above suspicion; it was reported in January that the IRS's own employees have violated prominent taxpayers' privacy by accessing their personal information in the IRS files, although there is no evidence that their motives were anything more than boredom-driven curiosity, rather than any fraudulent intent (see, www.washingtonpost.com/wp-dyn/content/article/2009/01/15/AR2009011500955.html?hpid=moreheadlines).

Everyone knows the importance of being wary, and not to trust anyone, online. Even the casual Internet user has been repeatedly warned not to believe or trust something just because it appears online, without more evidence of credibility. So how can anyone legitimately claim to have been defrauded online, without any legal basis to rely upon online content? My colleague, Tim Szuhaj, a former dot-com general counsel and an expert on e-commerce and intellectual-property law, warns that today, “no one can reasonably rely solely on anything online,” that sole reliance being one of the prerequisites for proof of “actual fraud” (according to Black's Law Dictionary). “If you know the risks, you can't be defrauded.” As the Wall Street Journal article noted, the Madoff fraud victims proceeded with a “risky behavior in spite of (their knowledge of) danger signs or unresolved questions” ' which could be said of virtually any e-commerce site, outside the largest. (I use a separate credit card when shopping online at a site that I have not used before, to avoid exposing my “real” information to unknown sellers.)

Moreover, online e-commerce today is far removed from the “wild wild West” that it was once feared to be. Given the level of e-commerce transactions involving consumers alone, much less the volume of business-to-business deals, the reported level of transactions with problems appears no more fraudulent than in the offline world, if not less, but remains a problem for the sector. (Of course, if victims do not publicize their losses, whether due to shame, or unwillingness to share actual data levels, the rate of online fraud may be higher than perceived.)

2008 Brought a Slew of Protection Efforts

Despite the incongruity of people worrying about fraud in an online environment that everyone acknowledges is inherently untrustworthy, 2008 brought many initiatives on educating businesses and consumers alike about ways to prevent fraud in their online activities. Since each document could itself be the subject of an entire article, let me list just the most recent examples. Although many of these documents mix consumer- and business-oriented materials, the antifraud strategies in each will generally be relevant to e-commerce firms, especially those that obtain individual information from customers. Moreover, each publication has many links and references to other publications. The list follows.

• The FTC issued Protecting Personal Information: A Guide for Business ( see, www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf). This publication appears on a page of similar business-oriented guidance at www.ftc.gov/bcp/conline/edcams/infosecurity/index.html; links to downloadable individual publications can be found at www.ftc.gov/bcp/edu/microsites/idtheft/business/publications.html, and at www.ftc.gov/bcp/conline/edcams/infosecurity/publish.html.
• In September, the President's Identity Theft Task Force issued its report on implementation of 31 recommendations it had made in an April 2007 strategic plan for protecting information in our society ( see, http://www.idtheft.gov/). The report is available at www.idtheft.gov/reports/IDTReport2008.pdf.
• In December, the FTC issued a report, Security in Numbers: SSNs and ID Theft, discussing ways businesses should use Social Security numbers more responsibly to reduce the risk of abuse ( see, www.ftc.gov/os/2008/12/P075414ssnreport.pdf).
• The FTC delayed enforcement (but repeated its support) for its 2007 Red Flag Rule for certain businesses, requiring “creditors” and “financial institutions” to have programs to monitor for signs that customers may be the target of identity theft ( see, www.ftc.gov/bcp/edu/pubs/articles/art10.shtm).
• In December, the Center for Strategic and International Studies, a Washington think tank, issued its report, Securing Cyberspace for the 44th Presidency, a broad-ranging analysis of policies to improve the country's “national and economic security” against threats and attacks to our
  networks. Chapter 3 of the report, “Rebuilding Partnership with the Private Sector,” emphasizes the need for cooperation among the patchwork of public and private security organizations, because “the private sector designs, deploys and maintains much of the nation's critical infrastructure (which) cannot be secured by government alone” ( see, www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf).
• Many states have passed their own laws regulating business practices aimed at preventing traditional fraud that have direct impact on e-commerce. I have cited several states' laws because of the prominence of these states, but other states may have their own comparable rules, which could affect e-commerce sellers across the country, because such laws typically protect information of customers located in a state. In other words, an e-commerce firm in any state with customers in California, Massachusetts or New York (or any other state with such antifraud laws) must comply with those laws.
  • For example, New York's Social Security Number Protection Law, directly regulating business use of Social Security numbers, went into effect on Jan. 1, 2008 (with many provisions delayed until January 3 of this year) ( see, www.consumer.state.ny.us/pressreleases/2008/nov12008.htm; a guide is available at www.consumer.state.ny.us/pdf/the_new_york_business_guide_to_privacy.pdf).
  • In November, California's Office of Information Security and Privacy Protection issued a “Management Memo” on “Safeguarding Against and Responding to a Breach of Security Involving Personal Information” ( see, www.documents.dgs.ca.gov/osp/sam/mmemos/MM08_11.pdf).
  • Massachusetts has also adopted its own similar laws, effective for 2009 ( see, www.lexology.com/library/detail.aspx?g=6675261d-cd85-4b27-8bbd-ab93ecc4e769).

Non-Profits Too

The attention that fraud prevention has drawn has not been limited to the for-profit world. Last March, a report originally published in late 2007 in a professional journal by four accounting professors estimated a staggering level of fraud involving non-profits, based on data from actual fraud cases reported by members of the Association of Certified Fraud Examiners (“ACFE”) (http://www.acfe.com/; see also, http://nvs.sagepub.com/cgi/reprint/36/4/676.pdf and www.nytimes.com/2008/03/29/us/29fraud.html?_r=1&ex=1207454400&en=f4dfbafb2d50131f&ei=5070&emc=eta1). The report may be found at http://nvs.sagepub.com/cgi/reprint/36/4/676.pdf.

Also, financial firms and others in regulated industries must satisfy industry-specific legal obligations to protect information that could be used to perpetrate a fraud (rules for which are beyond the scope of this article). For example, see, You May Have a Duty When Identity is Stolen, at www.metrocorpcounsel.com/current.php?artType=view&artMonth=January&artYear=2009&EntryNo=9309. In addition, the FTC has promulgated its own Standards for Safeguarding Customer Information under the authority of the Gramm Leach Bliley Act to regulate various types of financial transactions, at 16 CFR Part 314 (see, http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=b0cd29b4fe4d683b65bae448e02226de;rgn=div8;view=text;node=16%3A1.0.1.3.38.0.38.1;idno=16;cc=ecfr).

Best to Keep A Careful Vigil

In this environment of heightened attention to online fraud, with an ever-growing web of federal and state laws to protect information against fraudulent use, the legal basis for an e-commerce firm's duty to its customers to protect them (and itself) against fraud has become almost less important than the practical need to satisfy customer concerns. In our class action-oriented society, as well, claims against a business for fraud losses due to an alleged failure to protect information will also police the behavior of private firms much more quickly than any regulator can do. Therefore, the prudent business ' and its board of directors, who owe fiduciary duties to its owners ' will instead focus on what it can do to prevent such losses from fraudulent acts rather than the legal niceties of what it is required to do by law.

As in many other areas of e-commerce law (and business), the answers will not be very different from those for a bricks-and-mortar firm, for preventing internal and external fraud. For example, proper due diligence and credit review on customers can prevent overextensions of credit; the “know your customer” rules implemented for financial institutions as a post-9/11 security measure could apply equally well to private businesses (see, http://en.wikipedia.org/wiki/Know_your_customer). Whether evaluating the background of a possible seller or buyer, or charitable donor or proposed deal, people paying attention to the same badges that warn of fraud as in a traditional deal remains critical.

Indeed, a search on “e-commerce” at the ACFE Web site reveals that e-commerce fraud has been a perennially popular topic for those auditors. The ACFE's publication, Managing the Business Risk of Fraud: A Practical Guide (www.acfe.com/documents/managing-business-risk.pdf), recommends ways in which boards, senior management and internal auditors can fight fraud in their organizations. Specifically, it provides credible guidance from leading professional organizations that defines principles and theories for fraud risk management, and describes how organizations of various sizes and types can establish their own fraud risk-management program. Specific recommendations (each of which is discussed in great detail) cover:

• Adoption of the board of directors' expectations concerning fraud prevention;
• Periodic assessment of fraud risk;
• Techniques to avoid fraud risk (and to detect and mitigate its effect when those techniques do not work); and
• A reporting process and corrective measures.

Given the sophistication of online fraudsters, however, and the importance of fraud protection, implementing such a program is probably not something that an entrepreneur should try “at home” ' the guidance of a qualified accountant or fraud examiner is well worth the expense.

Fraud Insurance Can Help

While planning against fraud loss is critically important, it won't cover the costs of fixing a problem that occurs, whether reimbursing harmed customers, or dealing with unexpectedly missing cash. In fact, sometimes even an investigation by professionals doesn't help; for instance, witness the many “experts” whose charity clients were on the list of Madoff victims. In that situation, just as with losses from storms or other unexpected events, insurance can help the recovery process (and probably also provide internal audits to prevent a loss in the first place), but buying insurance for fraud-related losses is not as easy as insuring your building against fire or buying a general liability policy. “Coverage provided by traditional insurance policies is based on physical assets, not information assets,” says Tripp Craig, a sales executive and risk-management consultant with the NSM Insurance Group (http://www.nsminc.com/), a national insurance brokerage that has placed such coverage with internationally recognized carriers like Zurich, Chubb Corp. and AIG. “Online exposures are very different than traditional brick-and-mortar businesses. It is very important for businesses utilizing e-commerce strategies of any type to work with an insurance broker committed to obtaining a complete understanding of intellectual property infringement, content and advertising, and employee dishonesty and computer fraud risks and exposures.”

Craig lists various types of e-commerce fraud-related claims he has seen: “Theft of information, sabotage of data or networks, system penetration by outsiders, abuse of Internet access, spoofing, viruses, financial fraud, active wiretapping, unauthorized insider access and theft of laptops ' all cost American companies hundreds of millions in lost revenues every year. Despite firewalls and other protective measures, computer security is inadequate against hackers. Whether a business is for profit or not-for-profit, obtaining insurance to protect company and customer information is essential.”

But Craig emphasizes the limits of traditional insurance, compared with the benefits of policies tailored to online firms: “e-Commerce insurance provides protection from the unique perils of doing business online, and is designed to protect against such risks and exposures, such as breaches of data security, involving unauthorized access to customer data, or the dissemination of customer data by accident or through fraud, and losses due to business interruption when customers are unable to access the Web site because of disruption or denial of service. Business interruption may also lead to financial losses for a third party” (such as a customer unable to purchase needed inventory to fulfill its own contracts). e-Commerce coverage could also involve difficult issues relating to ownership of online content (and legal claims relating to it).

Because of these complexities, it is important that e-commerce firms work with a broker experienced in obtaining the correct type and amount of insurance. For example, in a recent case in a related area of the law, the court held that a restaurant had no coverage under its “typical” policy for violation of an antifraud law restricting use of credit-card information on customer receipts. Whole Enchilada Inc. v. Travelers Property Casualty Co., No. 07-1533, 2008 WL 4442061 (W.D. Pa. Sept. 29, 2008).

But insurance rarely pays 100% of a claim, and has its own sometimes-substantial upfront costs. If a firm (or its customers) has been victimized, it should also consider reporting the problem to the “authorities,” both to try to get any potential recovery, and to prevent others from suffering the same fate.

Reach Out and Get Some Help

Where, however, can one file a complaint for online fraud? While it may be easy to find law-enforcement authorities where the victim is located, a police department in Pennsylvania may have no resources for, or interest in, investigating a fraudster in California ' or India, or Nigeria. While a local enforcement agency may be willing to accept a complaint, often there is little that it can do, not only practically (due to lack of resources), but also legally ' it may have no right or jurisdiction to enforce the laws of another state or local government, or of the federal government.

As a result of the explosion in online business, however, there are many agencies or private organizations to which online fraud can be reported. (Of course, after discovery of an online fraud, the victim should take such traditional, basic steps as closing accounts, particularly those for credit cards, and registering fraud alerts with the major credit-reporting agencies.) Fortunately, government agencies have collected links to many such reporting sites at www.usa.gov/Citizen/Topics/Internet_Fraud.shtml and www.cybercrime.gov/reporting.htm. The FTC also has a “one stop” fraud-reporting site for identity theft at www.ftc.gov/bcp/edu/microsites/idtheft, and a consumer-reporting site at https://www.ftccomplaintassistant.gov/. Depending on the type of fraud, and victim (i.e., consumer or business), there may be specific agencies ready to receive the complaint. For example, the Internet Crime Complaint Center (“IC3″), a partnership between the FBI, National White Collar Crime Center, and the Bureau of Justice Assistance, allows a victim to file a complaint online at www.ic3.gov/complaint/default.aspx. IC3 then reviews and evaluates all complaints and refers them to the appropriate federal, state, local, or international law-enforcement or regulatory agency. However, IC3 does not guarantee that a complaint will be investigated; IC3 goes no further than reporting to (one would hope) the appropriate agency, and does not actually investigate anything, much less provide relief to the injured party, nor does it have any authority to do so.

From the IC3 Web site:

As Internet crime complaints are reported online, the IC3 electronically compiles the data. Trained analysts review and research each complaint, disseminating information to the appropriate federal, state, local, or international law enforcement or regulatory agencies for criminal, civil, or administrative action, as appropriate. After you file a complaint with the Internet Crime Complaint Center (IC3), the information is reviewed by an analyst and forwarded to federal, state, local, or international law enforcement or regulatory agencies with jurisdiction. The IC3 does not conduct investigations and, therefore, is not able to provide the investigative status of a previously filed complaint. It is the IC3's intention to review every complaint and refer them to law enforcement and regulatory agencies having jurisdiction; however, investigation and prosecution is at the discretion of the receiving agencies.

But it is not clear that anything can or will be done as a result of such reports. Without efforts to establish safeguards, however, there can be no progress in the battle against online crime ' filing reports at least will try to help improve the system. Depending on the nature of the fraud, reports can also be filed with the local office of the FBI or U.S. Secret Service's Financial Crimes Division, but in the absence of a specific investigation, finding an agent dedicated to online fraud cannot be guaranteed. (Of course, the official U.S. government response will not be as “final” as in other countries, where financial fraud can be a capital offense (see, www.law.com/jsp/law/international/LawArticleIntl.jsp?id=1202427517680)).

Better Safe Than Scorned

Ultimately, however, the equivalent online sanction for a business that does not protect itself or its customers against fraud may be just as harsh, in a business sense, as in the non-virtual world. Consider all the lawsuits already pending or contemplated against financial advisers who placed clients' money with Mr. Madoff's funds: They'll stop buying from these enterprises. In e-commerce, customers may no longer be willing to entrust their credit-card numbers and other financial information to businesses that do not take reasonable steps to protect it, and make those steps clear to potential customers. (Indeed, the prevalence of online fraud has created a whole industry of firms that will certify the safe practices of e-commerce Web sites, such as http://www.truste.org/, http://www.shopperscanned.com/ or www.buysafe.com/index.html; see, www.Internetretailer.com/printArticle.asp?id=17763.) (Editor's note: buySAFE is a company that, among other activities related to thwarting Internet crime and fraud, bonds sellers. For more on the company, visit its Web site, and see, “Can Bonded Shopping Boost e-Commerce? It's Surety, Security and Peace of Mind. Counsel Should Be Sure Clients Are Aware of This Option,” in the June 2005 edition of e-Commerce Law & Strategy.)

But once an e-commerce firm has been identified as an online-fraud victim, business and consumer purchasers alike may choose not to patronize an e-commerce firm dogged by claims of failure to provide reasonable security. Similarly, donors may not give to a charity that does not protect information, or to one that exposes their gifts to fraudsters.

In today's world, the educated online consumer unwilling to risk being defrauded can shop elsewhere ' easily, and virtually without cost. The e-commerce firm that does not take fraud-prevention seriously will receive a sanction that is just as final and harsh as anything the modern world, adapting to fast-growing technology practices, and as traditional as Adam Smith's laws of free-market competition: the loss of its customers.

Resources Mentioned in This Article

Readers can find a treasury of information on how to protect clients ' businesses and individuals, plus their own firms or companies ' from identity theft and other forms of cyberfraud at the links below (in no particular order).

1. The Federal Trade Commission's Complaint Assistant Web site: https://www.ftccomplaintassistant.gov/.
2. The Association of Certified Fraud Examiners' home page, and a publication there, Managing the Business Risk of Fraud: A Practical Guide: http://www.acfe.com/, www.acfe.com/documents/managing-business-risk.pdf.
3. buySAFE, a company that certifies, monitors and bonds online merchants: www.buysafe.com/index.html.
4. The New York State Consumer Protection Board's Business Privacy Guide: How to Handle Personal Indentifiable Information and Limit the Prospects of Identity Theft and a news release with tips on how to protect against identity theft: www.consumer.state.ny.us/pdf/the_new_york_business_guide_to_privacy.pdf, and www.consumer.state.ny.us/pressreleases/2008/nov12008.htm.
5. The Center for Strategic and International Studies' Securing Cyberspace for the 44th Presidency: www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf.
6. U.S. Justice Department Web site with information on how to report cybercrime, computer crime and intellectual-property crime, with links to federal agencies: www.cybercrime.gov/reporting.htm.
7. A recent administrative manual from the California Department of General Services' Office of Information Security and Privacy Protection on how state government can improve information and information-technology security: www.documents.dgs.ca.gov/osp/sam/mmemos/MM08_11.pdf.
8. A trove of information from the Federal Trade Commission on how to fight identity theft and cybercrime, for consumers and businesses, with links to factsheets, complaint-filing forms, articles and more: www.ftc.gov/sentinel, www.ftc.gov/bcp/conline/edcams/infosecurity/index.html, www.ftc.gov/bcp/conline/edcams/infosecurity/publish.html, www.ftc.gov/bcp/edu/microsites/idtheft/business/publications.html, www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf, www.ftc.gov/os/2008/12/P075414ssnreport.pdf, www.ftc.gov/sentinel/factsheet.pdf.
9. A Web site dedicated to warning people about Internet and other hoaxes and scams, including phishing schemes and other means of compromising identity: http://www.hoaxbusters.org/.
10. The home page of the Internet Crime Complaint Center ('IC3'), a venture of the FBI and the non-profit National White Collar Crime Center: www.ic3.gov/complaint/default.aspx.
11. The President's Task Force on Identity Theft, and the Task Force's September 2008 report: http://www.idtheft.gov/, www.idtheft.gov/reports/IDTReport2008.pdf.
12. A rumor-bursting Web site that covers a diverse variety of rumor topics: http://www.snopes.com/.
13. TRUSTe, a non-profit that monitors and protects against online fraud, and certifies Web sites as secure for transactions: http://www.truste.org/.
14. A Web site focusing on urban legends, including those transmitted by e-mail and that carry information-stealing computer trojans and viruses: http://www.urbanlegends.about.com/.
15. The section of the U.S. government Web portal, USA.gov, dealing with a wide array of Internet fraud and other cybercrimes: www.usa.gov/Citizen/Topics/Internet_Fraud.shtml.

Stanley P. Jaskiewicz, a business lawyer, helps clients solve e-commerce, corporate, contract and technology-law problems, and is a member of e-Commerce Law & Strategy's Board of Editors. Reach him at the Philadelphia law firm of Spector Gadon & Rosen P.C., at [email protected], or 215-241-8866. (Editor's note: Mr. Jaskiewicz and his firm represent NSM Insurance Group, which is mentioned in this article as a source of relevant, useful information.)