New Study Shows Small Businesses Vulnerable to Cyber Attacks

The National Cyber Security Alliance recently released a new study with some startling numbers concerning small businesses and the threat of data loss, security breach, or cyber attack.  Some of the key numbers obtained from polling small business owners include:

  • 65% store customer information on computer systems
  • 43% store financial records
  • 33% store credit card information
  • 86% do not have anyone focused on system security
  • 11% of owners never check their computer security systems
  • 75% use the internet to communicate with customers
  • 28% have formal internet security policies

What do these numbers suggest? Deborah Cohen, who covers small business for Reuters.com, published an article following release of the study and “confirmed that small businesses are among the most vulnerable to Internet crime. . .” She quoted Michael Kaiser, executive director of the National Cyber Security Alliance, who noted that “small businesses are pretty robust targets” for cyber attacks, citing the lack of Internet protocol and employee training. Cohen’s article also offers some tips from Kaiser for small businesses to help confront cyber attacks.

If you are looking for some guidance or help with cyber security, read here for some of my earlier posts. If you are looking for a do-it-yourself place to start, try the U.S. Chamber of Commerce. The Chamber offers a great resource entitled “Common Sense Guide to Cyber Security for Small Businesses.” It’s a 12-step plan to increase cyber security. Here are some highlights:

  • Use strong passwords and change them regularly
  • Watch for strange email attachments
  • Install computer security software and network security
  • Keep software updated
  • Limit access to sensitive and confidential data
  • Establish and follow a security plan
  • Maintain insurance coverage

The threat of data loss or security breach is not going away, but will only increase. Lawsuits concerning data loss and security breach are more frequent. Business owners need to stay on top of the threat by implementing a sound data loss and privacy plan. There is no one-size-fits-all approach, and every business will have its own risk exposures. If you are a business owner, consider having your business evaluated for risks of cyber attack or data loss.

 

Connecticut Defamation Law, The Internet, And Social Networking

In the Business Torts category of this blog, I recently covered the basic law in Connecticut concerning interference with business relationships.  Today's post concerns another business tort known as "defamation" and how it intersects with the growing use of social networking sites.

There already have been several lawsuits for defamation arising out of use of social networking sites, such as Twitter and Facebook. For example, The California Defamation Blog lists several celebrities involved in defamation cases, including Courtney Love, who was sued by a fashion designer for defamation after a series of derogatory Twitter posts by Love. Craig Kanalley of Chicagonow.com reported that a property owner sued a tenant for disparaging Twitter comments. The Chicago Tribune recently reported on a defamation lawsuit brought by a mother and her son after a phony Facebook profile was created showing the son was a racist.

Should Connecticut businesses be concerned? Clearly, the type and variety of these suits are on the rise. In legal circles, these types of claims have a category of their own called "cyber slander" or "internet defamation." Given the popularity of social networking sites, and the ease with which statements can be broadcast to millions, it is safe to predict that more defamation cases will be filed in the future.

Connecticut businesses can be affected by defamation suits involving social networking sites and the internet in a number of ways, such as:

  • Employees making comments about a competitor
  • Employees making comments about supervisors or co-employees
  • Employees making comments about the company's products
  • Competitors making derogatory comments about the company
  • Phony Facebook or Twitter profiles
  • Derogatory comments about the company 

In Connecticut, defamation encompasses defamation by spoken (slander) and written (libel) words. In general, to raise a proper claim for basic defamation, a plaintiff must show that:

  1. A defamatory statement was made
  2. The statement identified the plaintiff to a third person
  3. The statement was published to a third person
  4. The plaintiff's reputation suffered injury as a result of the defamatory statement

In regards to businesses, there is also a defamation claim sometimes referred to as "commercial disparagement" or "trade libel."  For this type of claim, a plaintiff must prove disparagement of a business' goods or services by falsehoods published or communicated to a third person.

With the ease of publication to millions over the internet, it is easy to see how someone might publish a defamatory comment whether it be on a blog, social networking site, or website.   Chances are, if you are in business, either you, someone who works for you, or a competitor has commented about the business in cyberspace.

For a business, the best way to avoid a lawsuit for defamation as a result of employee use of sites such as Twitter and Facebook is to have a written policy that governs employee use.  The details of each policy will differ depending on your business, but clearly the policy should prohibit any defamatory or derogatory comments about the business, employees, or competitors.

In situations where a competitor or customer disparaged your business' products or services, a business may want to consider legal action and determine if grounds exist to issue a cease and desist letter, a take down letter, or initiate a lawsuit.  Internet defamation can ruin a business' reputation overnight and should be addressed immediately regardless of whether the business pursues legal action.   

For a business, whether legal action is taken may depend on the severity of the disparagement and the damage done.  In some cases, a cease and desist or retraction is a practical solution especially when a defamation suit would bring added attention to the matter.  In other cases, legal action, such as a defamation lawsuit, may be required to stop ongoing damage or serious problems.

Regardless of the situation, Connecticut businesses should, at a minimum, monitor cyberspace for defamatory comments. Comments that might lead to a lawsuit could come from your own employees, a competitor, or a disgruntled customer. A written policy is a good way to minimize risks of employee comments. As for competitors and customers, Google Alerts is a good way to monitor use of a business' name on the Internet. The alert will send you an email every time your business name is found on the internet.

Do Not Count On Beating Goliath: Implement A Management Plan To Avoid Software Licensing Problems

This month's business technology tip arises from the recent David v. Goliath story reported on by Douglas Malan of the Connecticut Law Tribune. Kent Johnson, the owner of a small computer repair shop in Connecticut, was sued by the software Goliath Microsoft for allegedly selling one improperly licensed version of Microsoft Office. Microsoft put 15 people on the case and sued Mr. Johnson in federal court for copyright infringement.

Mr. Johnson represented himself against Microsoft and reportedly reached a favorable settlement. Mr. Johnson has a website that provides all the details of the case from the very beginning. As much as Mr. Johnson's apparent success against Microsoft was unusual, the notion of Microsoft going after business owners for copyright infringement is not.

Microsoft, and other software publishers, might pursue an infringement case directly or through enforcement groups such as the Business Software Alliance (BSA) and the Software & Information Industry Association (SIIA). These groups estimate that piracy costs software publishers seven billion dollars annually.

When you purchase software for your business, the software comes with a license that restricts your use of the software. If you violate the restrictions in the license by copying or distributing the software, software publishers consider it piracy. For example, typically you cannot install a software program for several users on multiple computers without purchasing additional licenses. Also, you generally cannot install a program on a network server and let multiple users have access to it without the proper number of licenses.

Violation of a software license or copyright can carry significant civil (and potentially criminal) penalties in piracy cases. Penalties can range up to $150,000 per offense for copyright infringement, and there may be additional damages for lost profits. Many of these cases result in significant financial settlements in favor of the software publisher.

You might be wondering how Microsoft finds out about a small company violating its software license. Typically, an anonymous informant (an employee or IT consultant) reports the company to the software publisher, BSA, or SIIA in hopes of recovering a reward. These groups openly advertise rewards of up to a million dollars for anonymous tips that lead to successful enforcement actions.

Many times businesses can inadvertently run afoul of licensing restrictions without realizing it.  Violations can occur when trying to cut costs, relying on bad advice from IT professionals,  or an employee's improper downloading of software.  When groups like the BSA become aware of allegations of software piracy, they usually issue a software audit letter to the business or initiate a lawsuit in federal court.  The BSA will request proof of proper licensing from the business.

After receiving an audit letter, a business will have to decide to either fight it in court or cooperate. Facing Microsoft or the BSA in court can be risky financially, and many businesses choose to cooperate. Problems often arise for businesses that cooperate because they cannot establish sufficient proof of licensing or the business is not aware of the extent of the infringement.

The best way to prevent problems with software licensing or an audit is to implement a software asset management plan. Ideally, the plan would include, at a minimum, a written policy covering: (a) terms for copying, use, and transfer of company software; (b) the risks of improper use of software and piracy; and (c) disciplinary action for employee misuse. The plan should also include software management, including a system for record keeping of all receipts, licenses, and original copies of the software. The plan should further include regular self-audits of company computer systems to verify proper licensing.

With a good software management plan in place, a business will be better equipped to defend a software audit or avoid it in the first place.  In either case, if your business is facing an audit or other enforcement action, you should seek legal advice.  If you face Goliath alone, do not count on obtaining the same success as Mr. Johnson.

Insurance Might Be An Option for Data Loss Lawsuits Alleging Negligence Against Businesses

Every business in Connecticut, big or small, faces significant financial consequences for data loss or a breach of security.  As I noted in a business tips post on this blog, implementing a strong data loss and privacy policy is critical for preventing a loss or mitigating its effects and damages.  Of course, once you have a policy or procedure in place, your business could face a lawsuit for negligence for violation of these same policies and procedures.   To add extra protection against the devastating costs of data loss or a security breach, businesses should also consider insurance coverage.

Lawsuits over data loss and security breaches are becoming more common. Obtaining insurance to cover losses from data loss can potentially save your business. Business litigation attorneys bringing lawsuits over data losses often include negligence as one of the grounds or theories of recovery in these cases. Take, for example, the recent class action lawsuit for data loss filed against Aetna in Federal Court in Pennsylvania. The lead theory of recovery in the complaint against Aetna is negligence.

There may be many reasons why attorneys pursue negligence as a theory of recovery in these security and privacy cases.  However, pursuing a negligence theory increases the possibility of triggering the breaching company's insurance coverage for data loss, if the company has a policy.  If a business has insurance coverage that applies to the allegations in the complaint, the insurance company typically will also provide a legal defense to the claim.   Legal costs alone could be enough to sink a business, let alone the damages.   

When considering the cost of a data loss insurance policy, a business owner should likewise consider the cost to the business of a data breach.  How can you estimate the cost?  One way to estimate the cost is to use a data loss calculator.  You might also estimate your data loss costs by referencing this 2009 Ponemon Institute benchmark study estimating costs at $202 per page and rising. 

The price of an insurance policy may be cost effective when you consider the potential devastating financial impact of a major data loss or security breach.  In addition, if a business has a strong data loss policy and procedure in place, the cost of insurance should be lower.   Although cyber liability insurance has been available for over ten years, more of these insurance policies are being offered at better prices today.  Here are some links to major insurance companies offering insurance policies for data loss, cyber liability, and technology errors. 

  • Technology 404 by Darwin
  • CyberChoice by The Hartford
  • CyberSecurity by Chubb
  • ACE DigitTech
  • OneBeacon @vantage

 

Technology Tips For Connecticut Businesses To Avoid Litigation

As part of this Blog, I am going to regularly post technology tips for any Connecticut business to manage risks and avoid lawsuits. These tips will be based on a presentation I did for the Hartford Business Journal's Etechnology Summit concerning technology bombs that can sink a business.

Here's today's tip for Connecticut businesses to avoid financial loss as a result of data loss and security breaches.

Implement a Data Loss Policy and Solution

Any business that stores third party information or personal identifiers (credit card information, social security numbers) on its computer systems faces potential exposure under a host of privacy laws. For a good resource on privacy laws go to the Privacy Law Blog by Proskauer Rose LLP. For an example of a new privacy law in Connecticut, consider the "Act Concerning the Confidentiality of Social Security Numbers." Connecticut's Unfair Trade Practices Act could also be implicated in a data loss case.

Data loss or a security breach can cause a huge financial problem, bad public relations, and significant down time. Consider the recent case of TJX reported on by Sheri Qualters for the National Law Journal. Discount retailer TJX had a data breach involving exposure of 45 million credit and debit cards. TJX entered into various settlements including payment of $9.75 million to 41 states; $30 to every consumer who used a credit or debit card; and an undisclosed settlement with three banks. Ouch.

TJX is an extreme example, but data loss can sink a small to medium sized business. How can a business minimize its exposure to lawsuits from data loss or security breach?

Implement a data loss policy and solution for your business. There is no one-size-fits-all policy and solution, and every business will have different needs. If you already have a policy, you should have it reviewed regularly for changes in the law. If you do not have a policy in place, you need to start somewhere. For "do it yourselfers" there is the Federal Trade Commission's Guide for Business and Protecting Personal Information. The FTC's guide is a 5-step plan from identifying your risk exposure to implementing procedures.

In addition to implementing policies, any business with a significant risk exposure for data loss (e.g., medical practices, retailers, e-commerce) should consider purchasing a cyber liability insurance policy. These policies are now more affordable, and many insurers such as The Hartford are now actively underwriting policies to cover first and third party data loss claims and providing ongoing resources and information.

The bottom line is, a business cannot afford to take the risk of ignoring data loss and security breach exposure.  Do not wait for the first breach or lawsuit.