Attorney Advertising

Reasonable Precautions in Cybersecurity: How Vulnerable Businesses Really Are

by

illustration-card-1441198-m.jpgJust in case anyone thinks that cybersecurity is nothing more than an esoteric exercise for computer geeks and technicians, of no importance to the average person or business, the Heartbleed bug has come along to show us all how wrong that is. It was only just discovered two weeks ago and its impact was felt around the world almost immediately.

According to an article in the April 9, 2014 Daily Mail, the Heartbleed bug bypasses the normal safety features of websites. It can affect many of those sites that you might have noticed, which begin with an “https://” in front of their internet address, and which often appear with the symbol of a lock, both of which are supposed to mean they are safe. The bug, though, makes them vulnerable. It reportedly could affect more than 500,000 websites
The bug reportedly allows hackers to bypass normal encryption safety measures to get at encrypted information, including the most profitable types such as credit card numbers, user names, and passwords. The unauthorized user can even obtain the digital keys to impersonate other servers or users and eavesdrop on communications.

It’s not considered malicious software or malware because it is more of programing flaw; but that really is not important. What is important is that the flaw, and the vulnerability, went undetected for more than two years until it recently was discovered, independently, by researchers at Google and the Finnish company Codenomicon. A fix is possible, and reportedly fairly easily applied. The problem seems to be that the fix has to be manually applied by the people who run each individual site. That, unfortunately, will take time.

The Heartbleed bug is a real problem, at least according to the Canadian government. It shut down its on-line tax filing systems on Tuesday, April 8, 2013, as a precaution to ensure the safety of personal information on the sites, according to a report published in the April 9, 2014 edition of the Globe and Mail. Canadians originally had until April 30, 2014 to file their personal income tax returns. Now, the deadline to file has been extended five days, equal to the time the online filing system was down.

When you consider the tremendous amount of online information being communicated every day, you can see how trying to protect it is a serious endeavor everyone should pay attention to. It’s not just tax information; think of the healthcare information necessary to be uploaded onto the Health Exchanges if you want to obtain coverage through the Affordable Care Act; or the effort to keep medical histories online so they can be more accessible to each patient’s medical providers. Just consider all the credit card information that people, and businesses, such as Target, transmit every day. With such a big prize, it’s no wonder people always are trying to get at it; the urge to get something for nothing runs deep.

It is not clear what impact the Heartbleed bug ultimately will have on how well everyone’s private information is protected online. It does make the latest methods to safeguard that information that we just wrote about, including quantum encryption or quantum key distribution, encryption based on dynamic coupling, and fully homomorphic encryption, all the more important. It puts new urgency into the Federal Trade Commission’s efforts to enforce what might be called a “reasonable precautions” standard for businesses protecting their customers’ or clients’ personal information. It shows the relevance of Visa and MasterCard’s anti-fraud initiative, beginning in October 2015, to hold a merchant liable for credit card fraud if a credit card has secure smart chip technology but the merchant does not have the right reader to use it, so it processes a more vulnerable magnetic strip transaction instead.

What does seem clear is that:

– More and more businesses will be paying attention to cybersecurity;

– Fraud investigators will not want for work; and

– Insurance companies just might have a market for their cyber-insurance products after all.

We just wrote that this is a never-ending race between the good guys and the bad guys and that we could not wait to see what comes next. Well, I guess it didn’t take that long to find out, after all.

Go raibh maith agat.

Ray Grasing