Articles Posted in Cybersecurity

Published on: | by

According to its website, the Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. LifeLock has used the massive security breaches of companies like Anthem and Target to increase its membership. On July 21, 2015, the Federal Trade Commission (FTC) claimed that LifeLock—an identity theft protection company—has violated a 2010 Settlement it had made with the agency and thirty-five state attorneys general. This assertion was made due to LifeLock’s alleged misrepresentation of its security capabilities and failing to take steps to protect consumers’ information.

What is the Federal Trade Commission’s responsibility?

The FTC was created to prevent anti-competition business practices and protect consumers against deceptive or unfair business dealings. The Federal Trade Commission Act (which incorporates the U.S. Safe Web Act amendments of 2006) sets the parameters for how the agency can prosecute companies, which it believes are misleading consumers through false or deceptive advertising.  In fact, sections 45 and 52 of the statute indicate that, when a company commits an unfair act or deceptive practice, “and if it shall appear to the Commission that a proceeding … would be to the interest of the public, it shall issue and serve … a complaint stating its charges …”   In addition, section 52 addresses the illegality of false advertisements, which would be likely to induce consumers to purchase a product.  Although, LifeLock was not advertising a product, it was falsely advertising services, so consumers were induced to buying memberships.  Therefore, the FTC is utilizing its ability to prosecute companies for violating the law.

Continue Reading ›

Published on: | by

Cloud computing is a service that is offered by service providers and allows for large amounts of information to be stored in virtual servers.  These organizations are referred to as Cloud Computing Service Providers (collectively “CCSPs”) and operate within the “cloud.”  They are able to operate on a global scale, which makes their activities subject to international laws and places their users at the risk of loss of privacy.

What steps have been taken to protect user data?

In general, users of cloud computing relinquish their data, which may include confidential information, in order to store large amounts of information. Thus, CCSPs must be careful to protect privacy according to industry standards. The failure to establish proper safeguards may result in legal action by private individuals or governmental agencies (e.g., Federal Trade Commission). However, due to the security risk that users face by storing their data, governments have taken active roles in protecting against information loss. For example, the European Commission has instituted a Data Protection Directive.  The purpose of this directive is to to give citizens control over of their personal data and to simplify the regulatory environment for business.

Continue Reading ›

Published on: | by

LastPass is a password management service that allows users to centralize all of their collective passwords under one master password. On June 15, 2015, LastPass announced that it was hacked and user data was compromised in the process.

What was stolen from the LastPass database?

LastPass officials released a statement following the attack proclaiming that the hackers did not steal master passwords, but instead gained access to authentication hashes and/or checksums. These are used in order to verify that the master password is correct upon trying to access an account. The attack also compromised cryptographic salts, password reminders, and user email addresses. Officials are confident that LastPass encryption measures ensure the protection of most users and their master passwords. However, it is also possible that fairly weak master passwords, or ones short in length, were also subject to the attack.

Continue Reading ›

Published on: | by

In general, computer crime is a term that covers a variety of crimes involving internet or computer use that may be prosecuted under state or federal laws. Because of the rise in computer crimes, California state laws include provisions that prohibit these violations. In addition, other states have passed computer crime statutes in order to address this problem.

What is a computer crime?

An individual who accesses a computer, computer system or computer network and alters, destroys, or disrupts any of its parts is considered a perpetrator of computer crime. The charge is selected based upon the intention of unlawful access. Hacking is the breaking into a computer, computer system, or computer network with the purpose of modifying the existing settings under malicious intentions. Unlawful or unauthorized access means that there is trespassing, storing, retrieving, changing, or intercepting computer resources without consent. Viruses, or other contaminants, include, computer code that modify, damage, or destruct electronic information without the owner’s permission. This often disrupts the operations of a computer, computer system, or network. As such, Congress enacted the Computer Fraud and Abuse Act in order to regulate computer fraud and to expand laws against it. This federal statute provides that “whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period” shall be punished accordingly.

Continue Reading ›

Published on: | by

On June 4, 2015, four million current and former federal employees were informed that China-based hackers were suspected of gaining access to and compromising their personally identifiable information (PII) via a breach of government computer networks. The scope of the attack has allowed it to be described as one of the largest governmental data thefts.

What actions have been taken since the attack?

Directly after the attack, the administration decided to expand the National Security Agency’s internet traffic surveillance, especially in regards to international hackers.  The FBI is currently investigating the attack by looking into the threats posed to the public and private sectors. The Office of Personnel Management (OPM) reported that federal employees will be appropriately notified and given access to credit reports, credit monitoring, identity theft insurance, and recovery services. The OPM is responsible for collecting and processing security clearance forms, which were accessed in the breach. It is possible that the hackers have access to the personal and professional references of the victims. Because of the breadth of the data held by the OPM, the agency is telling individuals to monitor and report unusual activities.

Continue Reading ›

Published on: | by

On May 26, 2015, the Internal Revenue Service (“IRS”) announced that criminals illegally accessed data to retrieve the past tax returns of approximately 100,000 individuals through the IRS website. The criminals managed to use social security numbers, birth dates, street addresses, and “out of wallet” data (e.g., person’s first car, high school mascot.)

How was the personal information accessed?

During the months of February to May, attackers attempted to get access to tax information over 200,000 times through the IRS “Get Transcript” online application, which allows for viewing information from previous returns. The criminals managed to go through many steps of an authentication process to view these previous returns, exploiting data from breaches in the past. Recent breaches of companies like Target, Home Depot, JP Morgan Chase, Sony, and Anthem have allowed for personal information to be easily accessible to hackers. In addition, it is possible for identity thieves to get basic answers to security questions from individuals’ social media accounts and search databases. The IRS proceeded to send $50 million in refunds before detecting the criminal activity.

Continue Reading ›

Published on: | by

The recent cyberattack on Anthem, Inc., one of the largest health insurance companies in the United States, illustrates the persistence and severity of the risk of data breaches. On February 4, 2015, Anthem confirmed that one of its databases had been hacked. The data breach exposed personal information of approximately 80 million Anthem customers and employees—including names, birthdays, member health ID and Social Security numbers, street addresses, telephone numbers, e-mail addresses, and employment information—potentially the most damaging cyberattack to date on a health insurer.

Noting a pattern of medical data thefts from health insurers by foreign intelligence organizations, the FBI concluded that the attack was likely the work of Chinese hackers attempting to gain access to the networks of defense contractors and government workers. Moreover, while hackers have targeted healthcare providers, similar attacks on companies like Target, Sony, JP Morgan Chase, and Home Depot, signify the risk to all types of businesses.

One obvious implication for businesses that fall victim to these attacks—beyond negative press—is the exposure to liability for the resulting invasion on individuals’ privacy. For instance, individuals have already begun filing class action lawsuits for this particular breach, asserting that Anthem should be held responsible given its inadequate security measures—namely, its failure to employ encryption to prevent unauthorized access to their personal information.

Continue Reading ›

Published on: | by

Online banking is an electronic payment system that enables customers of a financial institution to conduct financial transactions on the web.   In today’s high-tech world, online banking fraud is committed on a daily basis.  As such, sometimes customers may not be liable for certain unauthorized online transactions, subject to the terms and conditions of the bank’s service agreement.  Online banking fraud is to defraud a financial institution or obtain money or other property under the custody of a financial institution by false pretenses.  A related issue includes financial identity theft.   So, financial institutions use encryption technology (e.g., secure socket layer – a/k/a “SSL”) to prevent unauthorized access to data.

In general, the customer must notify bank within 60 days after receiving a periodic statement pursuant to 15 U.SC. § 1693f.  Under 15 U.S.C. § 1693g(b), the burden of proof of consumer liability is on the bank.  So, in order to establish a customer’s liability, the bank must prove the transfer was authorized.  In case of a violation, the bank may be subject to civil liability under 15 U.S.C. § 1693m.

What Are the Common Methods Used to Defraud Customers?

Continue Reading ›

Published on: | by

In recent times, e-residencies (a/k/a “electronic residency”) have become a trend in some European societies. For example, the Republic of Estonia implemented this concept into its banking systems in order to permit people to manage their funds in an electronic environment. According to the Information System Authority, in 2001, the first nation-wide ID-card was introduced as the primary identity document for Estonian citizens both in the real and digital world. It is possible to attach a digital signature to the ID-card that constitutes a handwritten signature.

The Republic of Estonia is operating on the cutting-edge of technology. It has created an electronic state (“e-State”) where almost all transactions are completed by using technology. For example, Estonians developed Skype. The government permits its citizens to start a business online, pay taxes online, administer schools online, and pay their car park fees by mobile phone. It seems that their logistics transcend most societies. However, their achievements have not been without problems. In 2007, a cyberattack took place against its government’s websites and data communication networks.

What are the legal ramifications?

Continue Reading ›

Published on: | by

In recent years, much of consumer retail consumption has transitioned to the online marketplace. So, many of us engage in e-commerce, especially when shopping for the upcoming holiday season. While e-commerce is convenient and easy, consumers are becoming more aware of the risks posed by hackers that commit online fraud. Merchants who administer websites for online shopping must take measures to assure that their sites are protected from online hackers and fraud. Online merchants may be held liable for online fraud if the proper steps are not taken to prevent it. Are you an online merchant? Are you worried about protecting the sensitive information of your customers? If so, then you must take certain steps to prevent fraud and unauthorized access (i.e., hacking).

How Does Online Fraud Occur?

Online fraud is fraud that is committed using the Internet. This type of fraud typically comes in two forms: (i) financial fraud; and (ii) identity theft. Financial fraud often occurs when a hacker collects a consumer’s financial information to steal money.  Identity theft usually occurs when a hacker collects a consumer’s information, and then uses it to open bank, mortgage, or credit card accounts. Many times the two types of fraud happen concurrently. Hackers often target e-commerce websites because consumers are constantly offering their credit card and personal information through these websites. Online merchants must take precautions to prevent hacking that leads to this kind of fraud.

Continue Reading ›