The 21st century is clearly the age of cybercrime, and e-commerce companies of all stripes should be especially concerned because there are only two types of computer systems: those that have been hacked, and those that will be hacked.
Companies are uniquely vulnerable in two areas because they possess massive collections of personally identifiable information (“PII”), and they have substantial asset bases of intangible property. The PII and the intangible assets can be easily copied without leaving the premises.
Any transaction involving a card with a magnetic stripe involves risk, and any company's computer system designed to allow access to multiple users (such as franchisees, vendors and suppliers) is at enormous risk of being penetrated. All companies using e-mail or the Internet are vulnerable, because firewalls offer no protection once a hacker has infiltrated.
And things are going to get worse. Speaking to the BBC for a report on technology, Mikko Hypponen, chief research officer at F-Secure, an IT-security firm based in Helsinki, said last year, “Crime tends to rise when you have more unemployment. If you look, in general, where the attacks are coming from you can find social reasons behind them.”
Experts at the 2009 World Economic Forum in Davos, Switzerland, called for a new system to tackle well organized gangs of cybercriminals, and they claimed that online theft costs $1 trillion a year, that the number of attacks is rising sharply and that too many people do not know how to protect themselves.
Even if you can protect your system from outsiders, a company can still be easily betrayed from within.
“The damage that insiders can do should not be underestimated. It can take just a few minutes for an entire database that has taken years to build to be copied to a CD or USB stick,” says Adam Bosnian, a spokesman for Newton, MA-based Cyber-Ark, a developer of “digital vaults” for securing electronic information. “With a faltering economy, companies need to be especially vigilant about protecting their most sensitive data against nervous or disgruntled employees.”
A prime example of this is the recent case of mortgage giant Fannie Mae, which narrowly avoided a software time bomb set to destroy all data on its computers. Federal authorities allege that a disgruntled contractor embedded malicious code in Fannie Mae's system, set to go into effect on all 4,000 of the company's servers months after he was gone. The code was tucked at the end of a legitimate software program scheduled to run each morning and was discovered only by chance by another Fannie Mae technician.
According to the Identity Theft Resource Center, based in San Diego, breaches were up more than 25% in 2008 and affected more than 35.7 million people.
“This may be reflective of the economy, or the fact that there are more organized crime rings going after company information using insiders,” Linda Foley, the center's co-founder, says. “As companies become more stringent with protecting against hackers, insider theft is becoming more prevalent.”
Accordingly, an e-commerce firm must evaluate its risk to determine and implement appropriate policies and procedures. The authors have formulated a “Chan Scale of Cyber In-Security,” which can provide companies a framework for considering the potential harm that can be caused:
- 1 Chan: Low risk. Hacker has gained entry to system, but minimally. Minor risk of business disruption, but access can aid attackers in gathering information and planning future attacks.
- 2 Chans: Medium risk. Malware has been implanted in the company's network that could cause malfunctions and mischief. Significant risk of a business disruption that could result in financial loss and/or damage of goodwill.
- 3 Chans: Medium to high risk. Using sniffers or other equipment, hackers have obtained PII from point-of-sale systems. Significant risk of business disruption that could create financial loss and/or damage goodwill.
- 4 Chans: High risk. Often an inside job in which data is stolen by a disgruntled employee. Serious risk of business disruption that would result in financial loss and damage of goodwill; customers' PII may be vulnerable, as well as the company's confidential information and financial information.
- 5 Chans: Critical risk. Hackers have breached the system and can access PII and the company's financial and confidential information. Severe risk of business disruption, financial loss, and damage of goodwill. System, applications, and database have been compromised.
In light of such exposure, companies may have to reach out to members of the organization with diverse areas of expertise, including legal, technical, risk management, finance and crisis management. Here are 20 questions about cybersecurity that must be answered. (For an in-depth review of this subject, see The Financial Impact of Cyber Risk, published jointly last year by the American National Standards Institute and the Internet Security Alliance. The report provided the basis for many of the following questions.)
General
1. What is the definition of cybersecurity?
Answer: The protection of any computer system, software program and data against unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional. Cyber attacks can come from internal networks, the Internet, or other private or public systems.
2. Is cybercrime on the rise?
Answer: On average, there has been a reported cybersecurity event every day since 2006. Thefts of PII have been reported regularly in the media, but other types of attacks against public and private entities, though much less often reported, have resulted in data destruction, down time and other problems.
3. What financial exposure is associated with cybercrimes?
Answer: Major liability may be incurred from individual litigation, class litigation, regulatory investigation, contract disputes, loss of customers, reputation damage, data theft, denial of service, cyber terrorism, cyber extortion and fraud.
Questions for the Company's Lawyer
4. Has the company's cyber liability been analyzed?
Answer: Potential liabilities may relate to the information kept by the company, its vendors or third parties.
5. Has cyber protection been built into contracts with vendors?
Answer: Wherever possible, vendors (especially applications vendors) should be required to warrant that company data is appropriately protected and should be required to indemnify the company for losses arising from cybersecurity breaches that are the fault of the vendor. Contracts should also require that vendors have network-security insurance, which shifts the financial burden for losses to the insurer. The other benefit of insurance is, typically, it indicates that a third party (the insurer) has thoroughly evaluated the vendor's cybersecurity systems.
6. Has the cyber risk to trade secrets and other IP been assessed?
Answer: Confidential operating manuals, trade secrets and other intellectual property are the mainstays of many e-commerce systems. Because these usually are held in electronic or digital form, they are easily subject to misappropriation through a cyber attack. Unlike the theft of physical assets, a theft of digital assets leaves the stolen asset behind, which makes the theft much more difficult to discover, so that without penetration-testing and proper monitoring, a company may not even know it's been compromised.
7. What can be done to mitigate cyber risk, and how often should a company conduct a cyber analysis or cyber audit?
Answer: Performing comprehensive reviews of all systems and system logs at least quarterly is essential. Companies also must perform a legal audit of all applicable regulations, vendor contracts, internal procedures and policies to deal with potential thefts of PII. In the event of a breach, the audit trail will help to keep the costs of litigation under control.
8. Has the company analyzed what regulations (federal, state, local and global) exist with respect to cyber data, and whether or not the company is in compliance?
Answer: Some statutes addressing liability include:
- Communications Act of 1934, updated in 1996;
- Computer Fraud and Abuse Act of 1984;
- Computer Security Act of 1987;
- Economic Espionage Act of 1996;
- Electronic Communications Privacy Act of 1986;
- Federal Privacy Act of 1974;
- Health Insurance Portability and Accountability Act of 1996;
- National Information Infrastructure Protection Act of 1996; and
- U.S.A. Patriot Act of 2001.
In the 21st century, a company cannot expect to claim ignorance of applicable regulations and get away with it.
9. How is compliance monitored on an ongoing basis?
Answer: In the event of a security breach, a company must be able to demonstrate that it had reasonable processes in place to ensure compliance with regulations, including access controls and visible audit trails. Without these processes, a company's potential liability increases.
10. Does the company have policies in place with respect to data retention, data destruction, privacy policies and customer disclaimers?
Answer: If a security breach occurs, the company should expect a regulatory investigation. Unless the company is able to show that its policies were well documented, up-to-date and observed, it will risk significant fines, agency oversight or worse. The policies must be more than window dressing; failure to conform to a company's own stated internal policies may be worse than having no policies.
Questions for the Technology Team
11. Is there a companywide compendium or directory of what regulated data the company has, where it exists and what format it's in?
Answer: If there is, it must be regularly reviewed. If the directory doesn't exist, it must be created.
12. How vulnerable are the confidentiality, integrity and availability of the company's data systems?
Answer: Confidential information includes anything a company wants to keep out of the hands of competitors and the public. Examples include recipes, operations manuals, customer lists, and personal data about executives and employees. A plan must be in place to keep this information secure, and it is also important to maintain the integrity (i.e., the accuracy) of the company's records and the availability of systems to keep the business running (e.g., to avoid or contain a denial-of-service attack). The cost of downtime can be devastating.
13. Does the company have physical security controls at each of its sites (data center, home office, franchisees or other sites)?
Answer: Physical security, which is relatively low-tech, can easily be overlooked in the process of protecting digital assets. Nonetheless, good cybersecurity practices must include appropriate barriers to the accidental or malicious access to vital systems by unauthorized persons, such as keeping them away from company computers.
14. How often does the company reevaluate its technical exposure?
Answer: Although a security plan might be sufficient at any one point in time, hackers are always developing techniques for exploiting vulnerabilities. To provide long-term protection, the company must have personnel and processes in place to be up-to-date on new types of threats, and must engage in regular periodic internal penetration and security testing.
Questions for the Crisis-Management Team
15. Has the company prepared incident response and business continuity plans based on a full understanding of the potential financial impact of a crisis? And has the company conducted “fire drills” to see if its plans work?
Answer: Unfortunately, there is no way to ensure protection against cyber attacks 100% of the time. This makes careful planning and flawless execution of a crisis-management plan a necessity. The company should conduct mock drills regularly, evaluate the performance of all components and make adjustments to remedy any deficiencies.
16. If the company's computer system is penetrated, does the company's crisis-communications plan include provisions to advise all necessary parties about the situation? If there's a cybersecurity event involving PII, does the company have an existing set of procedures to identify who must be notified and how to do it?
Answer: Many regulators demand prompt notification of individuals affected by a data-security breach. The company must have protocols in place to communicate the required details to the regulators and the affected populations quickly and accurately.
17. Does the company have a budget and reserves to account for a cyber event? Is it reflected in the company's financials?
Answer: The expense of dealing with a cybersecurity event can come as a shock. According to some studies, the average cost of basic notification for a large data breach can be $1 to $2 per customer record and may reach $3-$6 if call center services are required. According to research from the Ponemon Institute, a security research firm, the cost of data breaches in 2007 was $202 per compromised record.
Questions for the Executive in Charge of Insurance
18. Does the company have insurance to cover cyber events? Is there a provision regarding PII?
Answer: This must be carefully reviewed with the company's P&C carrier because most policies focus on damage to tangible assets only.
19. Does the policy cover identity theft?
Answer: Many policies do, and many identity-theft risk-management services include personal identity-theft insurance.
20. Will the company's directors and officers face increased potential liability if they don't get cyber insurance?
Answer: Failure to obtain insurance against financial loss may be grounds for a management-liability suit by shareholders. Yet, most D&O policies have an exclusion for a failure-to-obtain-insurance claim.
Conclusion
The major players of any company who don't recognize the enormity of its potential exposure and liability to cybercrime are delusional. All companies must, at a minimum, learn to search for and keep track of vulnerabilities; hold vendors responsible for supplying patches or fixes in a timely manner; check user access to software programs; and mandate the use of passwords by all authorized employees.
Most important, companies must conduct penetration-testing of all corporate networks and Internet-facing applications to see, among other things, if there have been penetrations, if any unapproved software (such as peer-to-peer file-sharing software) has been installed, or if anything else can compromise the company's confidential data. These prophylactic reviews must be done regularly and done by security professionals. IT departments are usually well informed about applications and networks, but in-house IT staff might not be current about data protection and information security.
Counsel is well advised to tell companies to start evaluating their technology risks as soon as possible, before the hackers beat them to it. The Financial Impact of Cyber Risk report concluded:
“An organization that is unprepared to avert or manage a data breach can suffer severe financial losses and irreparable damage to its reputation and customer base. Conversely, when an organization is prepared and responds skillfully to a cyber threat, the crisis can go down as an event that cements customer loyalty and a positive brand image.”
Henfree Chan and Bruce S. Schaeffer are cofounders of Franchise Technology Risk Management (www.ftrm.biz), a unit of Franchise Valuations Ltd., in New York City. Chan is a senior information security professional, formerly with Deutsche Bank and Goldman Sachs. Schaeffer is a franchise attorney specializing in valuations, damages and tax issues for franchise operations. He can be reached at 212-689-0400 or [email protected].