Washington Technology, 2004-03-05
In the face of ongoing attacks by computer hackers, some companies that store
their customers' personal data are adopting a new defensive tactic: if your
information is stolen, they're not legally responsible.
Across the Internet, retailers and other service providers that handle consumer
transactions are requiring customers to agree to waive any right to sue the
companies if the businesses are hacked, regardless of how secure their systems
are.
The waivers are contained in lengthy terms-of-use agreements that consumers
often click to accept without reading closely.
"You agree to assume all risk and liability arising from your use of Verizon
Wireless's online services, including the risk of breach in the security" of
its system, according to the mobile-phone giant's use agreement, if you choose
to use its online billing system.
American Airlines' Web site sports similar language, warning that it is not
liable for break-ins by outsiders "regardless of whether American Airlines was
given . . . notice that damages were possible."
The waivers are yet another sign of the struggle to provide reliable online
commerce in the face of increasingly sophisticated and organized computer
criminals intent on making money, not just mischief.
Companies said that despite their best efforts, they cannot guarantee that
personal data will be secure and don't want to get sued over intrusions. And
they fear the Federal Trade Commission, which has actively pursued cases in
which companies have failed to live up to security assurances made to
customers.
But consumer advocates said companies should be held accountable.
"If companies are willing to derive the benefit of information collection, but
not the responsibility to secure it . . . it won't be difficult for consumer
attorneys to invalidate these provisions as being unfair," said Chris Jay
Hoofnagle, associate director of the Electronic Privacy Information Center.
Although hacking takes many forms -- including targeting poorly protected home
computers -- companies with extensive databases of consumers' credit card
numbers, Social Security numbers or other identifying information are prime
targets, experts said. Organizations at risk include retailers, banks, credit
card firms, universities and state agencies. Lax internal controls also have
led to customers' data being exposed at several companies.
A robust market for stolen credit card numbers can easily be found on the
Internet, with prices varying based on the amount of information available.
Meanwhile, identity theft cases continue to grow, jumping 40 percent last year
over 2002, according to the FTC, though not all those resulted from hacking.
Whereas a fraudulent charge on a credit card is generally covered by the credit
card firm, a hacker gleaning enough data to create new accounts by posing as
someone else can inflict long-lasting damage to the victim's credit rating.
No one knows how much of the supply of such data results from attacks on
corporate networks, as opposed to online scams that trick consumers into
providing information, or thieves sifting through garbage for credit card
receipts or other personal documents.
But security experts said that companies are attacked by hackers far more often
than is ever reported. According to a 2003 industry survey by the
California-based Computer Security Institute and the FBI, only 30 percent of
companies that said they suffered security breaches reported them to law
enforcement.
Often, attacks on networks fail. If they succeed, some companies inform the
affected customers, as several major banks and credit card companies have done
in the past year. But for most industries, there are no national disclosure
requirements.
"It's a convoluted system," said Dan Clements, chief executive of Cardcops.com,
a company devoted to helping consumers determine whether their credit cards
have been compromised. "No one has taken the lead in informing the American
consumer that their information has been exposed. Everyone is pointing to
someone else."
The result is that consumers have little way of evaluating the vigilance of a
particular vendor when it comes to security.
"Right now, you're nowhere," said Philip J. Weiser, a professor of Internet law
at the University of Colorado. "You have to find some vendors in the online
world that make this a competitive issue" by advertising how their security
features are better than others.
Few do. For most, security is a marketing tightrope act of touting a commitment
to protecting data without over-promising that security can be assured.
Many firms make little or no mention of their security efforts.
"To make any statements about the quality of your data protection efforts is
dangerous," said Charles H. Kennedy, a Washington lawyer who advises companies
on their Internet policies. "You are holding yourself up to a standard of
perfection."
Kennedy blames the FTC for the emerging trend of companies disclaiming
liability for security breaches.
Acting under its mandate over fraud and unfair trade practices, the FTC has
brought three high-profile cases against companies for making security
commitments they failed to meet.
In one such case, Eli Lilly & Co. was fined and forced to enter into a 20-year
consent decree with the FTC after it inadvertently exposed the e-mail addresses
of hundreds of users of Prozac. The agreement with the FTC required broad
changes to the firm's computer security practices.
In another, Microsoft Corp. was found to have made misleading security promises
to consumers who signed up for its Passport system, which is designed to
streamline online transactions by automatically passing on personal data about
its members.
"The FTC has been very aggressive in an area where they don't have a lot of
statutory authority," Kennedy said. "Now companies are afraid to say anything."
But J. Howard Beales III, head of consumer protection at the FTC, said his
agency would not be deterred, even if companies make fewer claims about
security as a way of evading scrutiny.
"We're not saying every breach is avoidable," Beales said. But "if a company
fails to take reasonable security measures, it would be easy to argue that . .
. that's not fair to the consumer" regardless of what promises were made.
But liability for network attacks is an area of law with little precedent, said
Peter P. Swire, a law professor at Ohio State University.
Many companies insist that they take the strongest security measures possible,
no matter what their liability policies say.
"Verizon Wireless is very concerned with customer security and privacy," said
Steven Tugentman, a Verizon Wireless associate general counsel. "But we are
trying to be fiscally responsible to protect the company from lawsuits."
Like most online businesses, Verizon Wireless encrypts -- or scrambles --
information that passes back and forth between a consumer's and the company's
computers when transactions are executed.
But companies often don't encrypt data that they store, relying instead on
defending their systems against hackers breaking through in the first place.
Others use third parties to store their data.
Barbara Lawler, chief privacy officer of Hewlett-Packard Co., said that
encrypting databases can be expensive, especially for small businesses or those
with multiple, older systems. Moreover, varying degrees of encryption exist,
some of which can be easily decoded.
Hackers are increasingly using viruses and worms to leave trapdoors, or
backdoors, in computer systems; if they go undiscovered, these can be exploited
long after the original attack.
Lawler said HP, which sells computers, printers and other equipment online,
decided to store only minimal customer data -- and not credit card numbers --
to minimize risk.
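The two points above, that some "encryption" of stored data is easily decoded and that storing less is safer than storing more, can be shown concretely. The following Python is an added illustration and is not code from the article, from HP or from Verizon Wireless. It assumes a 16-digit card number of which an attacker already knows the 8-digit issuer prefix and the last four digits (both commonly appear on receipts and statements); the card number 4111 1111 1111 1111 is the standard Visa test number, used here as constructed sample input, and the HMAC key is generated in the script where a real deployment would fetch it from a key store kept apart from the database.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# --- weak "protection": an unkeyed hash of the full card number --------------
def weak_store(pan: str) -> str:
    """Store a plain SHA-256 of the PAN. It looks scrambled but is reversible by search."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_from_weak(digest: str, issuer_prefix: str, last4: str,
                      pan_len: int = 16) -> Optional[str]:
    """Attacker's view: with the issuer prefix and last four known, only the
    middle digits are unknown. Enumerate them, keep Luhn-valid candidates,
    and compare hashes until one matches the stored digest."""
    unknown = pan_len - len(issuer_prefix) - len(last4)
    for mid in range(10 ** unknown):
        cand = f"{issuer_prefix}{mid:0{unknown}d}{last4}"
        if luhn_ok(cand) and hashlib.sha256(cand.encode()).hexdigest() == digest:
            return cand
    return None


# --- minimal storage: last four for display, keyed token for matching ----------
def store_minimal(pan: str, key: bytes) -> dict:
    """Keep only what the business needs. The HMAC key is held outside the
    database (key store, HSM, or at least a separate host), so a stolen table
    cannot be searched the way the unkeyed hash above can."""
    token = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return {"last4": pan[-4:], "token": token}


def matches(record: dict, pan: str, key: bytes) -> bool:
    """Check a presented card against a stored record without ever storing the PAN."""
    expected = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(record["token"], expected)


if __name__ == "__main__":
    test_pan = "4111111111111111"   # constructed sample: the standard Visa test number
    assert luhn_ok(test_pan)

    # Assumed: attacker knows an 8-digit issuer prefix and the last four,
    # leaving 10**4 candidates for the unkeyed hash.
    digest = weak_store(test_pan)
    print("recovered from unkeyed hash:", recover_from_weak(digest, test_pan[:8], test_pan[-4:]))

    key = secrets.token_bytes(32)    # constructed here; fetch from a key store in practice
    rec = store_minimal(test_pan, key)
    print("stored record:", rec)
    print("match same card:", matches(rec, test_pan, key))
    print("match other card:", matches(rec, "4012888888881881", key))
```

The unkeyed hash fails not because SHA-256 is weak but because the set of plausible card numbers is tiny once the prefix and suffix are known, and the Luhn check discards most of the remainder before a hash is even computed. The keyed token removes the attacker's ability to run that search against a stolen table, and storing only the last four digits means a breach of the database alone does not yield a usable card number, which is the situation the California disclosure law distinguishes.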
Lawler also supports considering a federal equivalent of a California law that
requires companies to disclose breaches of unencrypted data. Privacy groups
said it helps keep the heat on companies to be vigilant.
"It really is a stick to tighten up on security," said Joanne McNabb, the head
of California's Office of Privacy Protection.
Some companies are taking a different tack, to distinguish themselves from
competitors.
Without guaranteeing a security breach won't happen, online retailer
Bluefly.com states it will pay for any credit card losses not covered by the
credit card companies.
"We like that answer," Beales of the FTC said of Bluefly.com's policy. "There
are people willing to compete on this characteristic."
