Category Archives: Identity Theft

Five Simple Things Businesses Can Do to Better Secure Their Data

News of data security breaches at one company or another has become so common that perhaps we are becoming immune to the significant impact these breaches can have on those whose information are affected. Not only can identity theft destroy an affected individual’s credit and limit his/her future buying choices, but also it is becoming clear that, philosophically, perhaps our private data really aren’t private anymore. Think of how easy it is to search public records online and find out personal details about a person well beyond what the phone book would have listed in days past. It is harder and harder to keep secrets when the Internet is involved.

Notwithstanding such developing immunity to the shock of a data breach at any particular company, data breaches are very serious events for a company – of any size. In the aftermath, it is not unusual to hear business executives announce that they “never want to go through that again.”

So, what can you do to minimize your company’s risk for data breach? Here are my top five recommendations: Continue reading

Mobile Device Security Policies for Employers – Small and Large

As a business owner, perhaps you have seen articles about setting ground rules for BYOD (a.k.a. employees bringing their own devices to work to use for work purposes). Placing restrictions on access to Company information, however, should not be limited only to those BYOD devices. Instead, if the Company issues Company-owned devices to employees for use on Company systems, similar ground rules should be put in place to set expectations and provide the backdrop for any disciplinary action that may be needed later if an employee misuses Company information or loses an unsecured device.

Here are some questions to keep in mind as you develop policies for Company-owned devices issued to employees: Continue reading

Is Your Company Subject to Laws Regulating Safe Destruction of Documents?

Many companies have document retention policies – in other words, policies determining how long they will keep certain kinds of documentation.  These policies also frequently cover when documents may be destroyed in the normal course of business.  (Assuming, of course, that no litigation is pending and that there is no other reason why the company would be legally obligated to keep these documents.)  It’s almost a business necessity these days given the cost of document storage.

It is also a fairly safe bet that by now, most people have heard about the potential risks associated with data breaches, or at the very least, have heard about the Target data breach during the holiday season in 2013.

However, did you know that many states regulate how personal information can be destroyed?  Or, more specifically, how documents and records that contain such personal information may be discarded?  To date, at least thirty-one states have enacted laws like this (the link attached omits the Delaware law that was just enacted).

Continue reading

New Law in Utah Prohibits Certain Internet Crimes

On March 26, 2010, the governor of Utah signed into law the Utah E-Commerce Integrity Act (S.B. 26), which prohibits certain Internet-related conduct, including phishing, pharming, spyware and cybersquatting that involves “a computer, software, or an advertisement located in, sent to, or displayed in” Utah. (Legislative history of the bill, and alternate text versions can be found here.)

Essentially, the bill provides the following:

  • Prohibits the facilitation of “certain types of fraud and injury through use of electronic communications;”
  • “Allows for the removal of domain names and online content by an Internet registrar or [ISP] under certain circumstances;”
  • “Forbids the use of various types of software, commonly called spyware, if used for certain purposes;”
  • “Provides exceptions from spyware provisions for various types of communications and interactions, including authorized diagnostics;”
  • “Prohibits the registration of domain names under certain circumstances, commonly referred to as cybersquatting;” and
  • “Provides civil penalties for a violation of cybersquatting provisions”.

It also prohibits the passage of contrary laws by subdivisions of the state and makes other technical changes.

Key among the provisions are definitions of what activities constitute phishing, pharming, spyware and cybersquatting. Notably, the statute only applies to activities that occur after July 1, 2010 (although for cybersquatting and infringement, the effective date is May 11, 2010).

Any ISP that is “adversely affected by the violation”; “an owner of a web page, computer server or trademark that is used without authorization by the violation;” or 3) the attorney general may file suit to recover damages for phishing or pharming activities. Either actual damages or “a civil penalty not to exceed $150,000” per violation can be awarded.

In the case of spyware, not only are the ISP, attorney general and trademark owner whose mark was used to deceive others able to file suit, but the owner of “a software company that expends resources in good faith assisting authorized users harmed by a violation” of this provision can also sue. The damages awarded in these instances can be actual and liquidated damages of between $1,000 and $1,00,000 as well as attorneys fees and costs. There are certain exceptions to the damages thresholds, depending on the circumstances.

The cybersquatting provisions are structured similarly to the AntiCybersquatting Consumer Protection Act (15 USC § 1125(d)), and permit the transfer of an affected domain name in the case of a successful judgment against the defendant, but also differ in certain ways from the federal provisions. Specifically, they allow personal names to be included in the scope of protection under the act and exempt domain name registrars from legal action except in cases of bad faith or reckless disregard. There are other differences as well, but these were the most obvious.

FTC Releases its Staff Report on its 2/09 Fraud Forum

On December 29, 2009, the Federal Trade Commission’s Division of Marketing Practices released its “Staff Report on the [FTC]’s Fraud Forum.” See Report. The report analyzes the recommendations and conclusions made during the FTC’s February 2009 meeting on the topic of preventing consumer fraud. See 12/29/09 Press Release.

The report analyzes the types of scam artists, some of the common scams that have been (at least marginally) successful, the types of victims, reasons why these crimes might be unreported or underreported, and upcoming challenges such as payment system frauds or phishing, spoofing and keystroke logging. The report also makes several proposals for improving the FTC’s anti-fraud program.