CrossTown Credit Union Kicks Butt! 11/28/2011
It’s pretty rare that anyone has anything good to say about banks, but my Cross Town Civic Credit Union is awesome. It’s awesome because they have figured out how to provide excellent security on my accounts and 24/7 monitoring of my personal and business accounts. From the postings I’ve put up, you know what a big fan of monitoring I am! Imagine my surprise when I received a verification phone call from my Cross Town Civic Credit Union when I added a credit card to my list of vendors. I was delighted that they called. For a year or so I’ve been beta testing a feature, which they have now released in their Summer 2011 newsletter:

Email Alert – New Internet Banking Security Enhancement

Cross Town Civic Credit Union has recently added an additional security feature to our Internet Banking, called Email Alert. The Email Alert feature allows you to set a threshold on each of your accounts, and you will be sent an immediate (OK, subject to delays from your ISP) Email Alert for all specified transactions posted to your account above the threshold. The process is easy to use, simple to change, completely within your control, and is provided free of charge. You can add several email addresses as well.

This is an awesome feature, and I would have gladly given them $5.00 a month for this, but they are providing it for free. This is a huge enhancement for the security of your accounts, and it is also available for business accounts. It can provide great peace of mind while traveling (or while a spouse is traveling), or for the small business owner who wants to know when large transactions are taking place: it can be configured to send email alerts for exactly those. If you have a business partner or spouse and want some visibility into transactions, this is a great tool.

If you have followed some of my past postings you know I am very interested in security, and I try to see both sides of something new and awesome. If you are trying to be deceitful in your business or personal dealings, this feature will catch you red-handed. The email alerts contain enough information to track your movements and provide a time stamp. If you require anonymity in your personal or professional dealings, start paying in cash and be cautious about where or when you stick your ATM card into a bank machine.


***Note: THIS IS NOT LEGAL ADVICE. It is an opinion of the authors only, and in no way should it be used, thought about, conceived of, or construed as legal advice. Talk to your lawyer if you have legal issues. Negligence and liability are complex and intricate topics. It is something to consider, and talk to your lawyer about! We hope that this post will raise your awareness about an issue that is developing in the courts and the IT industry. That is all!***

Anonymous, AntiSec and other hacker groups are hitting large, high-profile companies. Advanced Persistent Threats from China, Iran and organized criminal hacker groups are getting into large multinational companies. The internet is a scary place and it’s making headlines. All these events have created a new cottage industry called Data Breach Insurance.

In September of 2011, the Hartford Insurance Group launched an enhancement to their business insurance products. They now provide additional coverage for the legal liability resulting from a data breach. The coverage also provides access to services to help business owners comply with regulatory requirements and address customer concerns. The term "legal liability resulting from a data breach" is a significant phrase used in the Hartford press release. It brings to mind several questions: What is liability, and how could it result from a data breach? How is liability determined, and what are the consequences of being found liable? The idea of liability and IT systems seems like a strange combination of ideas.

What is liability?

A person is said to be liable when they are financially and legally responsible for something. There are several ways that this can occur, but most likely Hartford is talking about being found negligent in tort law or liable for breach of contract for unauthorized disclosure of information. The interesting piece here is the idea of negligence. Negligence is composed of four things: duty of care, breach of the duty of care, causation, and damages. A modifier on the general theories of negligence and data breach is that some US states and other countries have data breach notification laws, and depending on your industry, PCI compliance may factor into the legal liability question. Privacy law, such as HIPAA or PIPEDA, may also carry fines for unauthorized disclosure.

The general view on many of the breaches that are occurring in large organizations is that there was a systemic failure. This may be because the companies were not properly managing their data systems (not patching and updating servers comes to mind). When negligence is found by the court, a substantial financial penalty may result. But in the world of IT, is it possible to prove negligence?

Negligence and an IT system

1. Duty of Care: Your organization provides a service, access to a system, or some other good; you receive payment, and you must treat the customer's information with care. Even if you are only being entrusted to handle a third party's data, you still owe a duty of care to that person or organization.

2. Foreseeability: Before the breach took place, was it reasonably foreseeable that your (or your company's) actions, or lack thereof, would cause harm? Yes: if you are running a system which is vulnerable to compromise and the manufacturer recommends patches, updates and best practices, it is reasonable to suggest that the system could be compromised if this direction is not followed. Is it reasonably foreseeable that a zero-day exploit will be used to compromise your network? For many companies, yes. Are there hundreds of nefarious individuals working around the clock to exploit zero-day vulnerabilities in any large manufacturer of software, or organization? You betcha! However, duty of care and standard of care can both exist, and there still may not be a finding of negligence. This is because of the third modifier, the standard of care.

It is a good idea to keep records of your dealings with third-party software vendors: make sure you have email showing that you requested the latest updates and patches be implemented and that the third party refused to do this because it would “break stuff” or “may not work anymore”. The law loves evidence, so collect as much of it as you can. If you ever do end up in a lawsuit due to a data breach, this might save you an expensive trip to the settlement table, or at least significantly reduce the pain.

3. Standard of Care: The idea behind standard of care is: what would the reasonable person do? The test of the reasonable person is based on industry standards and expectations. Would a reasonable IT professional or company patch and update their servers? Yes. It is an established best practice in the industry, and government policy directs organizations to test, patch and update servers.

4. Harm: For financial damages to be awarded, there must be some sort of demonstrable harm that has taken place. Unauthorized disclosure of your personal information, fraudulent use of your identity or some other loss will most likely demonstrate that there was in fact harm.

One of the really interesting things about negligence is the test that is applied to find liability. Unlike criminal law, where there must be proof beyond a reasonable doubt (a very high standard), negligence requires proof on the balance of probabilities. That means that if it is MORE likely than NOT that you contributed to the harm suffered by the other party, you could be found liable in negligence.

Proving negligence of third-party software, hosted solutions, or software under maintenance contract may not be in the interest of victimized organizations. It would require them to publicly announce that the breach occurred. Further, most lawsuits now settle out of court. This means that you may never hear about the liability challenges of an organization. However, you can bet that lawyers from Hartford will seek remedy from any source if they are forced to pay out on a Data Breach Insurance policy. When you look at software companies who develop e-commerce software that they believe can only run stably on unpatched servers, or on a version of Java with known vulnerabilities, there might be a big bull’s-eye painted on their chests. If your organization has a business relationship with an individual or another business and you're not protecting that data, you are potentially negligent as well. If your software, IT infrastructure or business processes are proven, on the balance of probabilities, to be the likely cause of harm, or to have contributed to harm, you may be found negligent.

In the US, the lawsuits from high-profile events such as Sony's PlayStation Network breach will slowly move through the courts. There will be long and protracted legal battles, or cash settlements with non-disclosure agreements.

So, what is the small and medium business to do? We think that GFI MAX can help provide a solution to several of the concerns raised. Why? Because GFI MAX = Due Diligence!

1. Duty of Care: Commitment to best practices and the SANS 20 Critical Security Controls will show your customers that you treat their information with confidentiality.

2. Foreseeability: GFI MAX, GFI MAX Mail Protection and GFI Managed Anti-Virus are all great tools to harden your organization against attacks and exploits. While zero-day attacks cannot be foreseen, the vulnerabilities that are already out there are what you really need to be worried about when it comes to negligence.

3. Standard of Care: GFI MAX would meet a relatively high standard of care by enabling you to address critical vulnerabilities as soon as a patch or update is available.

4. Harm: GFI MAX will help gather forensic data and provide detailed information in the event of a breach. This can help assess, reduce and mitigate the harm.

For small and medium businesses, GFI MAX might be a helpful risk management tool. It provides a level of enterprise assurance, monitoring and patch management for a fraction of the cost of an enterprise solution. If your business can't afford an expensive Data Breach Insurance policy, or if retaining lawyers to deal with negligence lawsuits would bankrupt you, then you can make your business a hard target with GFI MAX. Ask us for a quote today.