Are Businesses Liable For Fraud Resulting From The Heartbleed Bug?
Most people by now have heard of the Heartbleed bug. It’s the programming flaw in one of the most common encryption methods on the internet: OpenSSL. It makes what should be secure websites, and the personal information they contain, vulnerable to hackers. It is more important, though, than just another internet threat. Every business should consider whether it can be liable for depending on the vulnerable encryption software in the first place. This is especially important in light of the Federal Trade Commission’s efforts to ensure that businesses take reasonable precautions to protect their customers’ digital data.
The same day the Heartbleed bug was announced, April 7, 2014, Federal District Court Judge Esther Salas, upheld the Federal Trade Commission’s right to police corporate cybersecurity practices. As we previously mentioned, the court denied Wyndham Worldwide Corp.’s motion to dismiss a suit the FTC brought against it which arose out of three separate alleged hacking incidents that occurred over a two year period.
According to a story by Matt Egan published on April 8, 2014 in Fox Business.com, the FTC sued Wyndham Worldwide Corp. and three subsidiaries, alleging that Wyndham, unreasonably and unnecessarily, exposed consumers’ personal data to unauthorized access and theft that resulted in hundreds of thousands of customers having their payment card account information exported to a domain registered in Russia and a fraud loss of more than $10 million. The suit reportedly alleged that, among other things, Wyndham:
- Failed to use readily available security measures like firewalls;
- Allowed software to be configured inappropriately;
- Failed to ensure hotels implemented adequate information security policies;
- Failed to remedy known security vulnerabilities.
What makes the ruling especially relevant to the Heartbleed bug is the way that the encryption software the bug affects is developed and maintained.
According to an April 8, 2014 article by Danny Yadron, in the Wall Street Journal, four core programmers manage the OpenSSL project. They all are located outside the U.S. in order to avoid export restrictions on transmitting advanced encryption code. Only one counts the work as his fulltime job. The project itself has limited resources. Its entire budget for 2013 was less than $1 million, according to Steve Marquess, president of the OpenSSL Software Foundation, a separate entity which solicits funding for the project.
Is it really reasonable to rely on such a scheme? It might be, but look at how the Heartbleed bug came into existence. According to an April, 11, 2014 article by David Gilbert in the International Business Times, the Heartbleed Bug was the result of a mistake made by one programmer. On New Year’s Eve 2011, respected software developer Dr. Robin Seggelmann reportedly submitted 20 changes to the code of OpenSSL. The problem, reportedly, was that Dr. Seggelmann’s code was flawed; and, even though it was reviewed by Dr. Stephen Henson, the flaw was missed and the flawed update was sent out to the plethora of online users who use OpenSSL. It not discovered for more than another two years; and was used unsuspectingly all during that time.
Reportedly, it was a simple error; one that is easily correctable. The problem, however, is that because it is such a simple mistake, can you be sure that similar mistakes have not been made already or will not be made in the future? What control do you have over whether they are or are not? Is it reasonable for your business to protect its clients’ information with encryption code that reportedly is free and maintained mainly by volunteers; and, if it is not, what liability could your business face if a hack does occur?
The problem, however, is even more interesting than that. Everyone paid attention to the Heartbleed bug almost immediately after its existence was announced, because up to two-thirds of websites reportedly use some form of OpenSSL encryption tools. Does the fact that almost everyone uses it make it reasonable to use? What about the fact that many governments, government agencies, and major corporations use it? The Defense Department and Department of Homeland Security reportedly use OpenSSL. The Canadian Government reportedly shut down its online tax filing system for five days because of the Heartbleed bug; it still had the private information of approximately 900 people compromised; and yet went back to using an updated, tested, version of OpenSSL, according to an April 14, 2014 Reuters’ report. If the Canadian government can use it, and go back to it after it was hacked, would it be reasonable for a business to do the same?
These are just some of the important questions that seem to constantly come up because of the widespread use of, and reliance on, the internet in business and in our daily lives. How you and your business answer these questions is up to you. One thing that you can count on, though, is that there will be more to come; soon.
Go raibh maith agat.