Online Security, a global provider of computer forensics and information technology risk mitigation since 1997
Original Source: http://msnbc.msn.com/id/4452795/
Firms look to limit liability after hacks
By Jonathan Krim
Customers required to waive right to sue
In the face of ongoing attacks by computer hackers, some companies that store their customers' personal data are adopting a new defensive tactic: If your information is stolen, they're not legally responsible.
Across the Internet, retailers and other service providers that handle consumer transactions are requiring customers to sign agreements waiving any right to sue the companies if the businesses are hacked, regardless of how secure their systems are.
The waivers are contained in lengthy terms-of-use agreements that consumers often click to accept without reading closely.
"You agree to assume all risk and liability arising from your use of Verizon Wireless's online services, including the risk of breach in the security" of its system, according to the mobile-phone giant's use agreement if you choose to use its online billing system.
American Airlines' Web site sports similar language, warning that it is not liable for break-ins by outsiders "regardless of whether American Airlines was given . . . notice that damages were possible."
The waivers are yet another sign of the struggle to provide reliable online commerce in the face of increasingly sophisticated and organized computer criminals intent on making money, not just mischief.
Companies said that despite their best efforts, they cannot guarantee that personal data will be secure and don't want to get sued over intrusions. And they fear the Federal Trade Commission, which has actively pursued cases in which companies have failed to live up to security assurances made to customers.
Accountability at issue
But consumer advocates said companies should be held accountable.
"If companies are willing to derive the benefit of information collection, but not the responsibility to secure it . . . it won't be difficult for consumer attorneys to invalidate these provisions as being unfair," said Chris Jay Hoofnagle, associate director of the Electronic Privacy Information Center.
Although hacking takes many forms -- including targeting poorly protected home computers -- companies with extensive databases of consumers' credit card numbers, Social Security numbers or other identifying information are prime targets, experts said. Organizations at risk include retailers, banks, credit card firms, universities and state agencies. Lax internal controls, such as laptops being stolen, also have led to customers' data being exposed at several companies.
A robust market for stolen credit card numbers can easily be found on the Internet, with prices varying based on the amount of information available.
Meanwhile, identity theft cases continue to grow, jumping 40 percent last year over 2002, according to the FTC, though not all those resulted from hacking. Whereas a fraudulent charge on a credit card is generally covered by the credit card firm, a hacker gleaning enough data to create new accounts by posing as someone else can inflict long-lasting damage to the victim's credit rating.
No one knows how much of the supply of such data results from attacks on corporate networks, as opposed to online scams that trick consumers into providing information, or thieves sifting through garbage for credit card receipts or other personal documents.
But security experts said that companies are attacked by hackers far more often than is ever reported. According to a 2003 industry survey by the California-based Computer Security Institute and the FBI, only 30 percent of companies that said they suffered security breaches reported them to law enforcement.
'A convoluted system'
Often, attacks on networks fail. If they succeed, some companies inform the affected customers, as several major banks and credit card companies have done in the past year. But for most industries, there are no national disclosure requirements.
"It's a convoluted system," said Dan Clements, chief executive of Cardcops.com, a company devoted to helping consumers determine whether their credit cards have been compromised. "No one has taken the lead in informing the American consumer that their information has been exposed. Everyone is pointing to someone else."
The result is that consumers have little way of evaluating the vigilance of a particular vendor when it comes to security.
"Right now, you're nowhere," said Philip J. Weiser, a professor of Internet law at the University of Colorado. "You have to find some vendors in the online world that make this a competitive issue" by advertising how their security features are better than others.
Few do. For most, security is a marketing tightrope act of touting a commitment to protecting data without over-promising that security can be assured.
Many firms make little or no mention of their security efforts.
"To make any statements about the quality of your data protection efforts is dangerous," said Charles H. Kennedy, a Washington lawyer who advises companies on their Internet policies. "You are holding yourself up to a standard of perfection."
Kennedy blames the Federal Trade Commission for the emerging trend of companies disclaiming liability for security breaches.
Because the agency's mandate is fraud and unfair trade practices, the FTC has brought three high-profile cases against companies for making security commitments they failed to meet.
In one such case, Eli Lilly & Co. was fined and forced to enter into a 20-year consent decree with the FTC after it inadvertently exposed the e-mail addresses of hundreds of users of Prozac. The agreement with the FTC required broad changes to the firm's computer security practices.
In another, Microsoft Corp. was found to have made misleading security promises to consumers who signed up for its Passport system, which is designed to streamline online transactions by automatically passing on personal data about its members.
"The FTC has been very aggressive in an area where they don't have a lot of statutory authority," Kennedy said. "Now companies are afraid to say anything."
'Not fair to the consumer'
But J. Howard Beales III, head of consumer protection at the FTC, said his agency would not be deterred, even if companies make fewer claims about security as a way of evading scrutiny.
"We're not saying every breach is avoidable," Beales said. But "if a company fails to take reasonable security measures, it would be easy to argue that . . . that's not fair to the consumer" regardless of what promises were made.
But liability for network attacks is an area of law with little precedent, said Peter P. Swire, a law professor at Ohio State University.
Many companies insist that they take the strongest security measures possible, no matter what their liability policies say.
"Verizon Wireless is very concerned with customer security and privacy," said Steven Tugentman, a Verizon Wireless associate general counsel. "But we are trying to be fiscally responsible to protect the company from lawsuits."
Like most online businesses, Verizon Wireless encrypts -- or scrambles -- information that passes back and forth between a consumer's and the company's computers when transactions are executed.
But companies often don't encrypt data that they store, relying instead on defending their systems against hackers breaking through in the first place. Others use third parties to store their data.
Barbara Lawler, chief privacy officer of Hewlett-Packard Co., said that encrypting databases can be expensive, especially for small businesses or those with multiple, older systems. Moreover, varying degrees of encryption exist, some of which can be easily decoded.
Hackers are increasingly using viruses and worms to leave trapdoors in computer systems, which can be exploited long after an attack if left undiscovered.
Lawler said HP, which sells computers, printers and other equipment online, decided to store only minimal customer data -- and not credit card numbers -- to minimize risk.
Lawler also supports considering a federal equivalent of a California law that requires companies to disclose breaches of unencrypted data. Privacy groups said it helps keep the heat on companies to be vigilant.
"It really is a stick to tighten up on security," said Joanne McNabb, the head of California's Office of Privacy Protection.
Some companies are taking a different tack, to distinguish themselves from competitors.
Without guaranteeing a security breach won't happen, online retailer Bluefly.com states it will pay for any credit card losses not covered by the credit card companies.
"We like that answer," Beales of the FTC said of Bluefly.com's policy. "There are people willing to compete on this characteristic."