Viruses on Rise, but Are Companies Liable?
Information Management Journal, May/Jun 2004 by Swartz, Nikki
Computer viruses designed to steal victims' personal and financial information - names, addresses, and credit card numbers - are becoming increasingly widespread on the Internet, according to an Internet-security trends report by security software maker Symantec Corp. Unfortunately, companies are trying to limit their liability when such online security breaches hijack customer data.
Symantec's study of the 10 most prevalent viruses during the last six months of 2003 shows a 519-percent increase in the volume of virus-laden messages that constituted threats to user privacy and confidentiality compared with the first six months of the year. These infectious programs sought either to expose documents or to filch data like passwords and financial-account information, often using programs for logging users' keystrokes and sending the data back to virus authors. There was also a definite increase in viruses and worms that open backdoors to provide hackers with entry into victim PCs at a later date. Backdoors allow hackers to download any program they choose, including those that steal personal information, to turn the PCs into spam relay points, or create foot soldiers to carry out other Internet attacks.
Symantec said it is unclear as to what degree businesses and consumers are being victimized by these malicious viruses or how much damage is being done. Half the companies analyzed by Symantec experienced a serious security breach in the second half of 2003, up significantly from one-sixth in the first half, due mainly to the period's hugely successful viruses and worms. Six of the top-10 attack types Symantec saw, including viruses, worms, and targeted attacks, exploited flaws in Web applications, which are attractive targets because traditional firewalls block traffic in certain applications but allow most Web traffic.
When it came to severe, targeted hacker attacks on corporations, financial services, healthcare, and power and energy companies topped the list of the hardest-hit. The financial services industry experienced 7.8 severe attacks per 10,000 security events, compared with 1.9 sustained by the 10th-ranked telecommunications industry. Most of these attacks - 58 percent - appeared to originate from the United States.
In the face of these ongoing hacker attacks, some companies that store customers' personal data are adopting a new defensive tactic: They are writing policies specifying that they are not legally responsible if a customer's information is stolen. Internet retailers and other service providers that handle consumer transactions, including Verizon Wireless and American Airlines, are now requiring customers to agree to waive any right to sue the companies if the businesses are hacked, regardless of how secure their systems are. However, the waivers are often contained in lengthy online terms-of-use agreements that consumers often click to accept without reading closely.
Companies say that despite their best efforts, they cannot guarantee that personal data will be secure and do not want to get sued over intrusions that are out of their control. According to media reports, firms also fear the Federal Trade Commission (FTC), which has actively pursued cases in which companies have failed to live up to security assurances made to customers.
The FTC has brought three high-profile cases against companies for making security commitments they failed to meet. In one case, Eli Lilly & Co. was fined and forced to enter into a 20-year consent decree with the FTC after it inadvertently exposed the e-mail addresses of hundreds of Prozac users.
According to The Washington Post, organizations such as retailers, banks, credit card firms, universities, and state agencies, with extensive databases of customers' credit card and Social Security numbers or other identifying information, are prime targets. And liability for network attacks is an area with little legal precedent, according to experts.
Most online businesses, the Post said, encrypt or scramble information that passes back and forth between a consumer's and the company's computers when transactions are executed. But companies often do not encrypt the data that they store because that is expensive, relying instead on defending their systems against hackers breaking through in the first place. Others use third parties to store their data. To alleviate concern, some companies, such as Hewlett-Packard Co., store only basic customer data - not credit card numbers - to minimize risk.


