For those of you who haven’t been paying attention to the news, there is an epidemic in the online world and it’s getting worse. Last month JPMorgan Chase announced that 76 million households were affected by a recent security breach in which many individuals had their personal information stolen by hackers. To put things in perspective, JPMorgan Chase has 65.8 million open accounts including 30.1 million checking accounts. It’s the second largest mortgage originator in the U.S., and the third largest auto-lender not owned by a car manufacturer.
According to the Identity Theft Resource Center, there have been 579 data breaches this year, a 27.5 percent increase over the same period last year. In addition to JPMorgan Chase, reportedly, Target, P.F. Chang’s, Jimmy John’s, Neiman Marcus, Michaels and Sally Beauty Supply have all recently fallen victim to massive hacks and data theft.
Millions of pieces of data including names, birthdates, addresses, telephone numbers, driver’s license numbers, credit card numbers and more are now in the hands of individuals with bad intentions. This sensitive data is being traded, sold and utilized unbeknownst to individuals all over the world.
Sadly, the media doesn’t find all data breaches juicy enough to make the headlines, but in addition to the banking, restaurant and retail sectors, it’s been a horrible year for data breaches in education and critical infrastructure. In the education arena, the Universities of Maryland, Wisconsin and Iowa State University all fell victim to massive security failures. In those cases, social security numbers, credit card numbers, health records and intellectual property produced by research departments were exposed, according to Stephen Boyer, co-founder and CTO of Bitsight.
If you are reading this article and still aren’t concerned, perhaps you didn’t hear that the U.S. Nuclear Regulatory Commission (NRC) reportedly sustained an email-based hack recently as well (the third such event in recent years). The NRC is the regulator of the nation’s use of nuclear materials and commercial power plants.
In the healthcare arena, the North Carolina Department of Health and Human Services blamed a computer programming error for the mailing of more than 48,000 Medicaid cards for children to the wrong addresses; St. Joseph Health Systems (based in Texas) was hacked and 405,000 former and current patients, employees and employee beneficiaries were affected; Sutherland Healthcare Solutions in Los Angeles suffered a data breach affecting 338,700 California residents, in which social security numbers and medical diagnoses were compromised; and last but not least, Variable Annuity Life Insurance Co. had a thumb drive stolen that contained the sensitive data of 774,000 people that participate in the company’s insurance programs.
In the celebrity world, in the past few months, Jennifer Lawrence, Kate Upton, Jessica Brown Findlay, Amber Heard, Erin Heatherton, Gabrielle Union, Kirsten Dunst, Kaley Cuoco, Kim Kardashian, Nina Dobrev, Anna Kendrick, Cara Delevingne, Rihanna, Jenny McCarthy, Mary-Kate Olsen, Mena Suvari, Kelly Brook, Nick Hogan, Mary Winstead, Hope Solo, Becca Tobin and Teresa Palmer, amongst others, have all had their private and personal photos stolen. Many of the photos are sexually explicit and expose private moments that were never meant to be shared with the public.
In the domain arena, Porn.com, purchased in 2007 for $9.5 million, was recently hijacked by an unknown third party, making it the largest domain hijacking in recent memory.
Clearly there is a problem that is getting worse and probably isn’t going to slow down anytime soon. As the Internet and programming continue to evolve, so do the hackers of the world. Make no mistake about it, despite their nefarious goals, hackers are educated, bright, creative and adaptive. Underestimating the abilities of today’s hackers is a mistake that appears to always prove costly.
In the U.S., there are laws in place that can be used to attempt to hold hackers criminally responsible, but unfortunately investigations into many of the recent headline hackings have been slow and have led to dead ends. The location of hackers far outside of the U.S. has also contributed to the government’s ineffectiveness in dealing with the hacking problem.
- The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. Section 1030, makes it illegal for anyone to distribute computer code or place it in the stream of commerce if they intend to cause either damage or economic loss.
- The Electronic Communications Privacy Act (ECPA), 18 U.S.C. Sections 2510-2521, 2701-2710, protects against the unlawful interception of any wire communications – whether telephone or cell phone conversations, voicemail, email or other data sent over the wires.
- The Economic Espionage Act (EEA) makes it a federal crime to take, download, receive, or possess trade secret information obtained without the owner’s authorization.
- The Wire Fraud Act makes it illegal to use interstate wire communications systems, which ostensibly includes the internet, to commit a fraud to obtain money or property.
- The National Stolen Property Act (NSPA) prohibits the transportation in interstate commerce of “any goods, wares, securities, or money” valued at $5,000 or more that are known to be stolen or fraudulently obtained. The NSPA has been used in computerized transfers of funds.
- The Identity Theft and Assumption Deterrence Act (ITADA), 18 U.S.C. Section 1028(a)(7), criminalizes identity theft and allows courts to assess the losses suffered by individual consumers.
As a consumer and member of society, you need to be vigilant and responsible for what personal information you share and what security measures you have in place to protect your sensitive information. Additionally, you need to be highly cautious about what electronic data you store on your electronic devices and share online.
I feel bad for all of the recent celebrities and non-celebrities that have had their most private and intimate moments shared with the world involuntarily; however, I also question the level of maturity, and decision-making of these same individuals.
Common sense should not be ignored and you need to be regularly changing your usernames, passwords, and checking your financial statements (credit card statements, bank statements, credit report etc.). I’d also recommend that you keep a list of anyone (including your banks, health care providers etc.) that you have provided any sensitive information to.
As business owners, now is the time to review all of your security protocols and ensure that you are using the best technology available to protect the sensitive information that your consumers are sharing. You need to be considering data encryption, email encryption, complex access credentials and IP access restrictions, amongst the many technical options available. You should also find out all about the security protocols of all of your vendors, such as your Internet service provider(s) and host(s). You may be doing everything that you can in terms of security, but you need to carefully pick your vendors to ensure that your customers’ sensitive data is safe in their hands as well.
It’s also not all about technology, and as a business owner you need to be responsible in your hiring practices and ensure that sensitive data can only be accessed by limited, trained and security-cleared personnel. It’s no secret that many of the recent Internet security breaches have been inside jobs or were the result of employee negligence. As the employer, it is your ultimate responsibility to do everything that you can to protect your customers’ sensitive data.
It may cost you a few bucks but there are some incredible outside firms for hire that can review your existing security and assist you with identifying and resolving issues that you may not know exist. Additionally, more than ever, businesses are actually hiring former hackers to purposely attempt to infiltrate the businesses’ systems to locate vulnerabilities; this may be one of the best current methods available.
Don’t think that this can’t happen to you or your business; statistically speaking, it may have already happened to you and you aren’t even aware of it yet.
This article does not constitute legal advice and is provided for your information only and should not be relied upon in lieu of consultation with legal advisors in your own jurisdiction. It may not be current as the laws in this area change frequently. Transmission of the information contained in this article is not intended to create, and the receipt does not constitute, an attorney-client relationship between sender and receiver.