Articles Posted in Cybersecurity

The recent cyberattack on Anthem, Inc., one of the largest health insurance companies in the United States, illustrates the persistence and severity of the risk of data breaches. On February 4, 2015, Anthem confirmed that one of its databases had been hacked. The data breach exposed personal information of approximately 80 million Anthem customers and employees—including names, birthdays, member health ID and Social Security numbers, street addresses, telephone numbers, e-mail addresses, and employment information—potentially the most damaging cyberattack to date on a health insurer.

Noting a pattern of medical data thefts from health insurers by foreign intelligence organizations, the FBI concluded that the attack was likely the work of Chinese hackers attempting to gain access to the networks of defense contractors and government workers. Moreover, while hackers have targeted healthcare providers, similar attacks on companies like Target, Sony, JP Morgan Chase, and Home Depot signify the risk to all types of businesses.

One obvious implication for businesses that fall victim to these attacks—beyond negative press—is the exposure to liability for the resulting invasion of individuals’ privacy. For instance, individuals have already begun filing class action lawsuits over this particular breach, asserting that Anthem should be held responsible given its inadequate security measures—namely, its failure to employ encryption to prevent unauthorized access to their personal information.

Online banking is an electronic payment system that enables customers of a financial institution to conduct financial transactions on the web. In today’s high-tech world, online banking fraud is committed on a daily basis. As such, sometimes customers may not be liable for certain unauthorized online transactions, subject to the terms and conditions of the bank’s service agreement. Online banking fraud is the act of defrauding a financial institution, or obtaining money or other property under the custody of a financial institution, by false pretenses. A related issue is financial identity theft. So, financial institutions use encryption technology (e.g., secure socket layer – a/k/a “SSL”) to prevent unauthorized access to data.

In general, the customer must notify the bank within 60 days after receiving a periodic statement pursuant to 15 U.S.C. § 1693f. Under 15 U.S.C. § 1693g(b), the burden of proof of consumer liability is on the bank. So, in order to establish a customer’s liability, the bank must prove the transfer was authorized. In case of a violation, the bank may be subject to civil liability under 15 U.S.C. § 1693m.

What Are the Common Methods Used to Defraud Customers?

In recent times, e-residencies (a/k/a “electronic residency”) have become a trend in some European societies. For example, the Republic of Estonia implemented this concept into its banking systems in order to permit people to manage their funds in an electronic environment. According to the Information System Authority, in 2001, the first nation-wide ID-card was introduced as the primary identity document for Estonian citizens both in the real and digital world. It is possible to attach a digital signature to the ID-card that constitutes a handwritten signature.

The Republic of Estonia is operating on the cutting-edge of technology. It has created an electronic state (“e-State”) where almost all transactions are completed by using technology. For example, Estonians developed Skype. The government permits its citizens to start a business online, pay taxes online, administer schools online, and pay their car park fees by mobile phone. It seems that their logistics transcend most societies. However, their achievements have not been without problems. In 2007, a cyberattack took place against its government’s websites and data communication networks.

What are the legal ramifications?

In recent years, much of consumer retail consumption has transitioned to the online marketplace. So, many of us engage in e-commerce, especially when shopping for the upcoming holiday season. While e-commerce is convenient and easy, consumers are becoming more aware of the risks posed by hackers that commit online fraud. Merchants who administer websites for online shopping must take measures to assure that their sites are protected from online hackers and fraud. Online merchants may be held liable for online fraud if the proper steps are not taken to prevent it. Are you an online merchant? Are you worried about protecting the sensitive information of your customers? If so, then you must take certain steps to prevent fraud and unauthorized access (i.e., hacking).

How Does Online Fraud Occur?

Online fraud is fraud that is committed using the Internet. This type of fraud typically comes in two forms: (i) financial fraud; and (ii) identity theft. Financial fraud often occurs when a hacker collects a consumer’s financial information to steal money.  Identity theft usually occurs when a hacker collects a consumer’s information, and then uses it to open bank, mortgage, or credit card accounts. Many times the two types of fraud happen concurrently. Hackers often target e-commerce websites because consumers are constantly offering their credit card and personal information through these websites. Online merchants must take precautions to prevent hacking that leads to this kind of fraud.

Purchasing commercial general liability and umbrella insurance policies is one way to protect your business from liability. However, these types of policies have not adapted to protect policyholders from certain types of cyber liability. This issue was recently exposed in a case against Urban Outfitters, Inc., and its subsidiary, Anthropologie, Inc. (collectively “Urban Outfitters”). Urban Outfitters found itself with no suitable insurance coverage when facing several lawsuits for privacy infringement that resulted from credit card transactions. Many businesses collect customer data, and infringements of customer privacy may not be covered by traditional insurance policies. Do you run a business that collects consumer data? Are you unsure how far your insurance coverage extends in protecting against consumer data breaches? If so, then you may contact us to speak to an attorney about whether you should obtain cyber liability insurance.

What Was the Issue in the Urban Outfitters Case?

In OneBeacon America Insurance Company v. Urban Outfitters, et al., Urban Outfitters was sued in three different states for consumer privacy breaches. Urban Outfitters was sued because of its practice of collecting consumer zip code information when processing credit card transactions. This practice violated multiple consumer privacy laws. Urban Outfitters then looked to its insurance company to defend the multiple lawsuits. However, the insurance company claimed that its general liability policy did not cover that kind of privacy breach. The federal court in Pennsylvania agreed, and held that the insurance company was not obligated to defend Urban Outfitters in any of the lawsuits. The general liability policy only covered “oral or written publication of material that violates a person’s right of privacy,” and even though Urban Outfitters violated consumer privacy, it never published that material.

Peer-to-peer networks have provided an invaluable service that allows users to share information and data around the world. These networks became popular for media sharing, culminating in the infamous Napster scandal. Many are aware of the copyright issues that arise with the use of peer-to-peer media sharing. However, there are other cyber-crime issues that users may expose themselves to when using these networks. Peer-to-peer networks may be used in a variety of legal ways, but users must protect themselves from cyber crime prevalent over these networks. Are you developing or using a peer-to-peer network? If so, then you should be aware of the cyber crimes that you may be exposed to or unintentionally committing.

What is a Peer-to-Peer Network?

A peer-to-peer network is created when two or more computers connect and share resources without going through a separate server. Typically, peer-to-peer networks are accessed through free software that allows the user to find and download files on another user’s computer. The traditional computer network uses a client and server model, in which the client computers store and access data on a dedicated server. Peer-to-peer networks move away from the dedicated server. So, each computer is both a client and a server. This empowers each user to access and share information directly instead of through a central hub. These networks also provide users with more control. Users can decide which computers to connect to, what files to share, and how many system resources to devote to the network. Users have many controls over a peer-to-peer network. However, the average user may expose himself to committing, or becoming the victim of, cyber crimes if he does not know how to control the network settings.

In the past, to start a business you had to find a location, rent space, and open your doors to the public. Today, many entrepreneurs can do it all online by advertising, communicating with customers, and managing transactions using the web. Many entrepreneurs are interested in starting a new business with a strong online presence. There are several steps that one must take to start a business, plus additional considerations to comply with online business laws. Are you ready to create an online business? Are you unsure which laws you need to be aware of for your e-commerce website?  If so, then you need to know the process to start a business and the additional issues that apply to e-commerce.

How Do I Start An Online Business?

The Small Business Administration recommends a ten-step process to start a new business.  First, write a business plan.  This is your general outline as to the identity of your new company and the structure you are going to build to execute your plan.  Second, get the proper assistance and training. No one knows everything and connecting with mentors and experts can help you get off on the right foot.  Third, choose your location. If your company is 100% online, you still need to determine the types of customers you plan on attracting and to what areas you plan on making deliveries.  Fourth, finance your business. Whether you choose traditional financing from a commercial bank or more creative methods (e.g., crowdfunding), make sure to do your research and figure out what works for your company.  Fifth, determine the legal structure of your business. There are many types of entities you can create (e.g., LLC or Corporation). Each entity creates different levels of liability and tax obligations.  Sixth, register your business name with the proper state agency (e.g., Secretary of State).  Seventh, get a tax identification number (a/k/a EIN) by registering with the Internal Revenue Service.  Eighth, register with state and local tax agencies (e.g., Franchise Tax Board, a/k/a FTB). In general, each state has its own tax laws, so make sure you know the obligations within your state.  Ninth, obtain business licenses and permits.  You should keep in mind that state and federal agencies may require different licenses and permits. Finally, you may need to hire employees or independent contractors.

Today, most companies are dependent on technology and their computer systems, and there are entities whose primary focus is to hack into these systems. On the other hand, a company might experience an internal breach of its network system, which causes the unauthorized release of sensitive information. Any breach into or out of these systems could be catastrophic. The computer network for a company may contain important data, intellectual property, and consumer information. All industries are susceptible to a data breach. To help protect against these risks, companies must insure themselves with the correct policy. Traditional insurance policies may not be enough to cover all the risks. In recent years, insurance companies have begun to issue specific cybersecurity policies. What kinds of claims are covered under these cybersecurity insurance policies? How can an insurance company ensure that it is mitigating its own risks in underwriting a cyber policy? If you are concerned with these questions, then the effectiveness and scope of these cybersecurity policies is relevant to your company.

What Is Cybersecurity Insurance?

Cybersecurity insurance is an insurance policy that helps mitigate the risks posed by incidents such as “data breaches, business interruptions, and network damages.” The market for this kind of policy is still in development, and insurance companies and consumers are unsure how far-reaching the policy protections are. The Department of Homeland Security has stated that a more developed cybersecurity insurance market would lead to fewer successful cyber attacks—i.e., by implementing preventive measures in conjunction with policies and lowering premium prices based on the level of self-protection. There are steps that companies and individuals can take to reduce their risk level to a cyber attack, and these steps may actually help prevent attacks. Preventive measures can at least lower the risk an insurance company must take in underwriting a cyber policy.

The smartphone has brought a world of possibility to the average consumer’s fingertips. Now, this has come to include mobile banking. With fast-paced lifestyles and long lines at the banks, mobile banking has emerged as a thrilling convenience. However, this convenience brings cybersecurity concerns. Therefore, consumers who have turned to mobile banking for their financial needs must protect their financial privacy from cybersecurity breaches.

What Is Mobile Banking?

Mobile banking allows customers to access their financial institutions and conduct transactions through their mobile devices. Initially, this began with SMS Banking, which allowed customers to conduct various financial transactions by sending and accepting SMS messages or “texts.” In its most basic form, mobile banking allows customers to access their bank accounts and check on financial transactions. However, as the systems have progressed, customers can now make bill payments, transfer funds, and monitor deposits. Indeed, customers can now manage their investment portfolios and rearrange their investments through a smartphone or tablet. This has certainly increased everyday conveniences. However, it has also contributed to the speed with which finances can shift. Although customers can review and monitor their accounts faster and more regularly, this also means greater security threats for the underlying financial information. This expansive access may lead to greater unauthorized breaches.

In the aftermath of high profile cybersecurity breaches, businesses and consumers are alert to the real dangers of cyber vulnerability. In response, various government agencies have taken up efforts to protect against future breaches. Thus, consumers and businesses must continue to take steps to protect themselves and their private information. Accordingly, the office of California’s Attorney General has issued Cybersecurity Guidelines aimed at reducing the threat of electronic security leaks. Furthermore, these guidelines set the standard that businesses must meet to protect customer privacy.

What Are the Attorney General’s Cybersecurity Guidelines?

The Attorney General outlined the basic steps to “minimize cyber vulnerability.” First, anyone could be a target. Therefore, assume cybersecurity could affect you and take preemptive steps to protect your network. Also, it is important to know where you store your data. The guidelines are directed towards small to medium-sized firms. So, they focus on the importance for businesses to know which third parties hold company information. It is important to be familiar with these third-party security measures. If a data storage company is not taking proper steps to protect cybersecurity, it may be time to seek different storage options or take steps to counter the vulnerabilities. Alternatively, if your business stores information on the cloud, make sure to back up information, and store data only with secure entities. The overall point is that in the event of a breach, the level of preparedness will limit the consequences. Next, encrypt your data as an added measure of security. It is also helpful to include firewall and antivirus protection on all devices. Additionally, make sure to conduct banking and other financial transactions with reliable vendors. Especially when dealing with third-party financial information, the safety and security of those transactions are vital to ongoing business. Finally, it is important to note that these guidelines are the minimum requirements. They are not a comprehensive list, and companies must take care to implement personalized measures based on their cybersecurity needs.