Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

KickerFeaturesTopicsCommercial LawRegulationTechnology Media and TelecomSectionsNewsLJN Newsletterse-Commerce Law & Strategy

e-Commerce Companies v. Hackers

By Henfree Chan and Bruce S. Schaeffer
March 30, 2009

The 21st century is clearly the age of cybercrime, and e-commerce companies of all stripes should be especially concerned because there are only two types of computer systems: those that have been hacked, and those that will be hacked.

Companies are uniquely vulnerable in two areas because they possess massive collections of personally identifiable information (“PII”), and they have substantial asset bases of intangible property. The PII and the intangible assets can be easily copied without leaving the premises.

Any transaction involving a card with a magnetic strip involves risk, and any company's computer system designed to allow access to multiple users (such as franchisees, vendors and suppliers) is at enormous risk of being penetrated. All companies using e-mail or the Internet are vulnerable, because firewalls offer no protection once a hacker has infiltrated.

And things are going to get worse. Speaking to the BBC for a report on technology, Mikko Hypponen, chief research officer at F-Secure, an IT-security firm based in Helsinki, said last year, “Crime tends to rise when you have more unemployment. If you look, in general, where the attacks are coming from you can find social reasons behind them.”

Experts at the 2009 World Economic Forum in Davos, Switzerland, called for a new system to tackle well organized gangs of cybercriminals, and they claimed that online theft costs $1 trillion a year, that the number of attacks is rising sharply and that too many people do not know how to protect themselves.

Even if you can protect your system from outsiders, a company can still be easily betrayed from within.

“The damage that insiders can do should not be underestimated. It can take just a few minutes for an entire database that has taken years to build to be copied to a CD or USB stick,” says Adam Bosnian, a spokesman for Newton, MA-based Cyber-Ark, a developer of “digital vaults” for securing electronic information. “With a faltering economy, companies need to be especially vigilant about protecting their most sensitive data against nervous or disgruntled employees.”

A prime example of this is the recent case of mortgage giant Fannie Mae, which narrowly avoided a software time bomb set to destroy all data on its computers. Federal authorities allege that a disgruntled contractor embedded a malicious code in Fannie Mae's system, set to go into effect on all 4,000 of the company's servers months after he was gone. The code was tucked at the end of a legitimate software program scheduled to run each morning and was discovered only by chance by another Fannie Mae technician.

According to the Identity Theft Resource Center, based in San Diego, breaches were up more than 25% in 2008 and affected more than 35.7 million people.

“This may be reflective of the economy, or the fact that there are more organized crime rings going after company information using insiders,” Linda Foley, the center's co-founder, says. “As companies become more stringent with protecting against hackers, insider theft is becoming more prevalent.”

Accordingly, an e-commerce firm must evaluate its risk to determine and implement appropriate policies and procedures. The authors have formulated a “Chan Scale of Cyber In-Security',” which can provide companies a framework for considering the potential harm that can be caused:

  • 1 Chan ' Low risk. Hacker has gained entry to system, but minimally. Minor risk of business disruption, but access can aid attackers in gathering information and planning future attacks.
  • 2 Chans ' Medium risk. Malware has been implanted in the company's network that could cause malfunctions and mischief. Significant risk of a business disruption that could result in financial loss and/or damage of good-will.
  • 3 Chans ' Medium to high risk. Using sniffers or other equipment, hackers have obtained PII from point-of-sale systems. Significant risk of business disruption that could create financial loss and/or damage goodwill.
  • 4 Chans ' High risk. Often an inside job in which data is stolen by a disgruntled employee. Serious risk of business disruption that would result in financial loss and damage of goodwill; customers' PII may be vulnerable, as well as company's confidential information and financial information.
  • 5 Chans ' Critical risk. Hackers have breached system and can access PII, and the company's financial and confidential information. Severe risk of business disruption, financial loss, and damage of goodwill. System, applications, and database have been compromised.

In light of such exposure, companies may have to reach out to members of the organization with diverse areas of expertise, including legal, technical, risk management, finance and crisis management. Here are 20 questions about cybersecurity that must be answered. (For an in-depth review of this subject, see, The Financial Impact of Cyber Risk, published jointly last year by the American National Standards Institute and the Internet Security Alliance. The report provided the basis for many of the following questions.)

General

1. What is the definition of cybersecurity?

Answer: The protection of any computer system, software program and data against unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional. Cyber attacks can come from internal networks, the Internet, or other private or public systems.

Read These Next
Major Differences In UK, U.S. Copyright Laws Image

This article highlights how copyright law in the United Kingdom differs from U.S. copyright law, and points out differences that may be crucial to entertainment and media businesses familiar with U.S law that are interested in operating in the United Kingdom or under UK law. The article also briefly addresses contrasts in UK and U.S. trademark law.

The Article 8 Opt In Image

The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.

Strategy vs. Tactics: Two Sides of a Difficult Coin Image

With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.

Legal Possession: What Does It Mean? Image

Possession of real property is a matter of physical fact. Having the right or legal entitlement to possession is not "possession," possession is "the fact of having or holding property in one's power." That power means having physical dominion and control over the property.

The Anti-Assignment Override Provisions Image

UCC Sections 9406(d) and 9408(a) are one of the most powerful, yet least understood, sections of the Uniform Commercial Code. On their face, they appear to override anti-assignment provisions in agreements that would limit the grant of a security interest. But do these sections really work?