Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

KickerFeaturesTopicsCommercial LawRegulationTechnology Media and TelecomSectionsNewsLJN Newsletterse-Commerce Law & Strategy

e-Commerce Companies v. Hackers

By Henfree Chan and Bruce S. Schaeffer
March 30, 2009

The 21st century is clearly the age of cybercrime, and e-commerce companies of all stripes should be especially concerned because there are only two types of computer systems: those that have been hacked, and those that will be hacked.

Companies are uniquely vulnerable in two areas because they possess massive collections of personally identifiable information (“PII”), and they have substantial asset bases of intangible property. The PII and the intangible assets can be easily copied without leaving the premises.

Any transaction involving a card with a magnetic strip involves risk, and any company's computer system designed to allow access to multiple users (such as franchisees, vendors and suppliers) is at enormous risk of being penetrated. All companies using e-mail or the Internet are vulnerable, because firewalls offer no protection once a hacker has infiltrated.

And things are going to get worse. Speaking to the BBC for a report on technology, Mikko Hypponen, chief research officer at F-Secure, an IT-security firm based in Helsinki, said last year, “Crime tends to rise when you have more unemployment. If you look, in general, where the attacks are coming from you can find social reasons behind them.”

Experts at the 2009 World Economic Forum in Davos, Switzerland, called for a new system to tackle well organized gangs of cybercriminals, and they claimed that online theft costs $1 trillion a year, that the number of attacks is rising sharply and that too many people do not know how to protect themselves.

Even if you can protect your system from outsiders, a company can still be easily betrayed from within.

“The damage that insiders can do should not be underestimated. It can take just a few minutes for an entire database that has taken years to build to be copied to a CD or USB stick,” says Adam Bosnian, a spokesman for Newton, MA-based Cyber-Ark, a developer of “digital vaults” for securing electronic information. “With a faltering economy, companies need to be especially vigilant about protecting their most sensitive data against nervous or disgruntled employees.”

A prime example of this is the recent case of mortgage giant Fannie Mae, which narrowly avoided a software time bomb set to destroy all data on its computers. Federal authorities allege that a disgruntled contractor embedded a malicious code in Fannie Mae's system, set to go into effect on all 4,000 of the company's servers months after he was gone. The code was tucked at the end of a legitimate software program scheduled to run each morning and was discovered only by chance by another Fannie Mae technician.

According to the Identity Theft Resource Center, based in San Diego, breaches were up more than 25% in 2008 and affected more than 35.7 million people.

“This may be reflective of the economy, or the fact that there are more organized crime rings going after company information using insiders,” Linda Foley, the center's co-founder, says. “As companies become more stringent with protecting against hackers, insider theft is becoming more prevalent.”

Accordingly, an e-commerce firm must evaluate its risk to determine and implement appropriate policies and procedures. The authors have formulated a “Chan Scale of Cyber In-Security',” which can provide companies a framework for considering the potential harm that can be caused:

  • 1 Chan ' Low risk. Hacker has gained entry to system, but minimally. Minor risk of business disruption, but access can aid attackers in gathering information and planning future attacks.
  • 2 Chans ' Medium risk. Malware has been implanted in the company's network that could cause malfunctions and mischief. Significant risk of a business disruption that could result in financial loss and/or damage of good-will.
  • 3 Chans ' Medium to high risk. Using sniffers or other equipment, hackers have obtained PII from point-of-sale systems. Significant risk of business disruption that could create financial loss and/or damage goodwill.
  • 4 Chans ' High risk. Often an inside job in which data is stolen by a disgruntled employee. Serious risk of business disruption that would result in financial loss and damage of goodwill; customers' PII may be vulnerable, as well as company's confidential information and financial information.
  • 5 Chans ' Critical risk. Hackers have breached system and can access PII, and the company's financial and confidential information. Severe risk of business disruption, financial loss, and damage of goodwill. System, applications, and database have been compromised.

In light of such exposure, companies may have to reach out to members of the organization with diverse areas of expertise, including legal, technical, risk management, finance and crisis management. Here are 20 questions about cybersecurity that must be answered. (For an in-depth review of this subject, see, The Financial Impact of Cyber Risk, published jointly last year by the American National Standards Institute and the Internet Security Alliance. The report provided the basis for many of the following questions.)

General

1. What is the definition of cybersecurity?

Answer: The protection of any computer system, software program and data against unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional. Cyber attacks can come from internal networks, the Internet, or other private or public systems.

Read These Next
Bonus Content: How Emerging Technologies Are Impacting IP: A Chat With Legalweek Speaker Ryan Phelan Image

A Q&A with conference speaker Ryan Phelan, a partner at Marshall, Gerstein & Borun and founder and moderator of legal blog PatentNext, to discuss how courts and jurisdictions are handling novel technologies, the copyrightability of AI-assisted art, and more.

Overview of Regulatory Guidance Governing the Use of AI Systems In the Workplace Image

Businesses have long embraced the use of computer technology in the workplace as a means of improving efficiency and productivity of their operations. In recent years, businesses have incorporated artificial intelligence and other automated and algorithmic technologies into their computer systems. This article provides an overview of the federal regulatory guidance and the state and local rules in place so far and suggests ways in which employers may wish to address these developments with policies and practices to reduce legal risk.

Is Google Search Dead? How AI Is Reshaping Search and SEO Image

This two-part article dives into the massive shifts AI is bringing to Google Search and SEO and why traditional searches are no longer part of the solution for marketers. It’s not theoretical, it’s happening, and firms that adapt will come out ahead.

While Federal Legislation Flounders, State Privacy Laws for Children and Teens Gain Momentum Image

For decades, the Children’s Online Privacy Protection Act has been the only law to expressly address privacy for minors’ information other than student data. In the absence of more robust federal requirements, states are stepping in to regulate not only the processing of all minors’ data, but also online platforms used by teens and children.

Revolutionizing Workplace Design: A Perspective from Gray Reed Image

In an era where the workplace is constantly evolving, law firms face unique challenges and opportunities in facilities management, real estate, and design. Across the industry, firms are reevaluating their office spaces to adapt to hybrid work models, prioritize collaboration, and enhance employee experience. Trends such as flexible seating, technology-driven planning, and the creation of multifunctional spaces are shaping the future of law firm offices.