Identity Theft and Your Business’s Liability to Your Clients’ Safety

After being victimized by hackers this Summer who hacked into his Apple, Twitter, and Gmail accounts and remotely deleted all the content on his MacBook, iPhone, and iPad — all within the space of one hour — tech guru and writer for Wired magazine, Mat Honan, wrote an excellent article in the November 2012 edition of Wired to document the serious safety pitfalls of online accounts: “Kill the Password: Why a String of Characters Can’t Protect Us Anymore.”

If an online tech master like Mat Honan can be hacked, it’s safe to assume that we are all vulnerable as well. There is a panoply of organized crime and hobby hackers who try every day to break into online accounts, computers, and portable devices via virus-laden spam, malware like ZeuS, and other manner of fraud. Small businesses are increasingly hacked by such criminals because they are often more lucrative targets than individuals and less security-minded than larger corporations.

Mr. Honan has provided in his article some basic precautions that we can take to try to prevent such intrusions. Mr. Honan suggests to never do any of the following: reuse passwords, use dictionary words as passwords, use standard number substitutions for letters (e.g., a “5” to replace an “S”), or use short passwords. Instead, Mr. Honan recommends to enable 2-factor authentication whenever possible, give bogus answers to security questions, scrub your online presence, and to use a unique email address for password recovery.

You can read his article for more details about all these suggestions. Mr. Honan also offers some advice to online companies and industries for system-wide changes that can provide all of us more online security. People’s accounts are often hacked because, he says, customer support representatives fall prey too quickly to hackers who call them and impersonate the actual account owners by offering some personal information about them that is easily found online. The hackers gain valuable information from such calls. Hackers also use personal information about their targets that they can look for and find on various social media and other loose-security websites (i.e., via a search process called “socialing”). Together with information acquired from customer service agents at online companies with security loopholes, hackers use private data about their targets to break into their target’s other accounts, stealing confidential information that they use to commit other crimes such as business fraud, larceny, immigration fraud, and other serious felonies, misdemeanors, and torts against the target and others.

A hacker can remotely access your computer or portable handheld device, steal and then delete all the data on such devices, including financial data, personal files, work files, photos, and videos, and then commit a series of crimes and try to frame you for them. Similarly, a hacker can break into your email and other online accounts, delete all the data on there, and use all the data acquired from such accounts to commit crimes against you or others. A hacker can use your stolen financial information to take out loans, acquire a social security number, steal from others, induce others into fraudulent contracts and investments, all in your name. The possibilities for illicit actions are endless, and the consequences that you may suffer are grievous. It is best to protect yourself as well as possible.

Mr. Honan gives an example of a hacker who called Apple in January 2012 and impersonated a client. The hacker provided an array of incorrect account and security information to the customer service representative, and yet the Apple rep provided the caller with a password reset link for the target’s account that was sent to the hacker’s own email address! The relevant portion of the transcript of this shocking call between Apple and the hacker is copied in Mr. Honan’s article.

With more stringent policies in dealing with such calls from persons seeking to reset their passwords or gain confidential information about a client, online companies can help us all avoid being hacked. Mr. Honan concludes his article by suggesting that biometrics, such as retina and fingerprint scans and speech analysis, are the key to online security in the near future. In the meantime, he stresses the importance of following his list of online security “do’s and dont’s.”

As a business, it is essential to take reasonable precautions to secure all your information and that of your clients so as to help avoid liability to your clients if their private data is stolen from your databases and accounts by hackers and other criminals. If your business’s account is hacked and your client’s data, such as account numbers, social security numbers, or other confidential data, is stolen, you may be sued and considered liable to your clients for negligently failing to take reasonable precautions to safeguard their data. You may also be sued for breach of contract if you have various contractual obligations to your clients to maintain the confidentiality of their information.

Thus, it is best to review your business’s policies and procedures in maintaining the highest available levels of security for your databases and online accounts, be as organized and diligent as possible in your data management and online security practices, and take all the necessary precautions by training your personnel appropriately. Since nobody is impervious to online attacks, as we learn from Mr. Honan’s unfortunate example, it is important to also clearly inform your clients of such possibilities in your contractual language.