By Peter Kelman, Esq.
This article appeared in substantially the same form in the Boston Law Tribune, April 30, 2001.
You would not deposit money in a bank that did not lock its vault. You would not bring a ring for repair to a jeweler that did not secure its premises. As consumers, we expect that merchants will take appropriate steps to safeguard our property. In the world of traditional retail, where we interact with merchants whose “sites” are stores, we feel capable of assessing the security of that which we can see and touch. Think of the assurance you feel walking into a bank lobby (assuming you are not doing an ATM transaction), to see behind rows of steel bars the foot-thick slab of lead that seals the safety vault. Security, thy name is mass.
Apparently not even the owners of web sites. And therein lies the problem. What does it mean if a web site says its data is secure when in fact it is not? What liability arises if a web site does not “lock the door” to its data vault? For example, consider the condition discovered by David Ritchie, President of PetRock Technology, Inc., a Boston and New York technology consulting and software development firm. While modifying a client web site, PetRock discovered that the administrative password to the database had never been changed from the default password that came out of the box with the original database. If you identified yourself as “User” with a password of “Password”, you could have had full access to all data stored by the site. PetRock then randomly queried approximately 10,000 sites and discovered six other sites that had similarly failed to change administrative passwords from the default provided by the manufacturer.
No site wants to publicize its security failures, but some make the news. For example, in January, Travelocity.com, Inc. disclosed that it had exposed the names and email addresses of about 44,000 subscribers. The company stated that the file was “inadvertently posted” on its Web site and apologized to its customers. More recently, VeriSign discovered that it had compromised security of certain Microsoft products by improperly issuing digital certificates to an individual who impersonated a Microsoft employee. Computerworld’s Security Newsletter reported the incident in an article entitled “Human Error May be No. 1 Threat to Online Security.” Security experts agree that the most substantial risk to system integrity comes not from the attack of a malicious hacker, but from the failure of an enterprise to adequately protect against internal mistakes.
It is just a matter of time before information, improperly disclosed by a web site, facilitates the commission of cyber-crimes common in today’s information age, such as identity theft, misappropriation of credit information, or dissemination of private information, to name a few. It would be naïve to think that a letter from the offending site to its customers apologizing for the security lapse would redress all harms suffered by its subscribers. In today’s world, where there’s harm, there’s lawyers.
As a site owner, you can take steps to minimize exposure against such a breach of security. Security is as much about policies and procedures as it is about technology. The strongest lock in the world affords no protection if the night clerk leaves the key in it. You may want to insure against such potential lapses.
Jim Stoller, an account executive with the Telamon insurance network, devotes a large part of his practice to insuring technology companies. He notes that many insurers have developed new policies to protect against cyber risks. The AIG insurance company has created a group of policies it calls “netAdvantage Suite” to protect against the perils of doing business on the Internet. Stoller believes that these new insurance products offer security to businesses because they adopt the language of the Internet and e-commerce to describe the risks covered, thereby reducing ambiguity as to what is covered and what is not. For example, it is not clear, under a traditional insurance policy, whether a disruption to business caused by a hacker’s onslaught would be an insurable peril.
In the end, vigilance may be your best defense. Computer systems are becoming increasingly complicated. As interoperability and seamless communications become more widespread, the consequences of a security lapse magnify many-fold. It may be impossible to put your customer’s data in a bank-like vault on the Internet, but you would be wise to continuously monitor and test your security procedures. Make sure the programmers who design, develop and implement your security features understand the importance of their jobs; get their feedback on the effectiveness of your security measures. Accidents will happen and may be out of your control; but the consequences of accidents can be controlled by careful planning.
Copyright 2001, Peter Kelman.