Cybercrime is among the top concerns today for our business clients, but limiting the risk of identity theft should be a topic you consider at home and with your family, as well as in the boardroom. This article will provide some practical advice that you can follow to limit the risk of exposure of your financial accounts or other personally-identifiable information to hackers.
In 2014, an estimated 1.02 billion personal or financial records were exposed as a result of more than 1,500 data breach incidents nationwide. That translates to an astounding 32 records per second over the course of the year. Many of these records are deliberately hacked by criminals, largely based overseas and beyond the reach of American law enforcement. But records can also be exposed by the mere negligence of those organizations to which you entrust your financial and other personally-identifiable information, such as when records are improperly stored or discarded.
So there are good reasons why 88% of consumers say they are concerned about their online accounts being hacked. Exposure of personal information does not just risk fraudulent transactions, it also puts an enormous burden on those affected: victims of identity theft spend an average of 100 hours–and hundreds of dollars–resolving the impacts of such intrusions.
In light of these facts, many organizations are realizing that, despite their best efforts, security breaches are unavoidable. That’s why McNees has formed a dedicated Privacy and Data Security Law practice group, which combines lawyers from across our firm to assist our organizational clients in developing data security policies, managing compliance, and assisting with a response if a breach occurs.
But there are common-sense measures you and your family can take to safeguard your personal information. From our privacy lawyers, here are steps you can take to protect yourself and your assets:
-
Consider what personal information you have to protect
“Personally-identifiable information” generally is defined to include your name, in combination with one of the following: your Social Security number; your driver’s license or state identification number; or, your financial account information (such as a debit or credit card number or bank account number), with or without a security code or password. In some instances, other personal information, like your mother’s maiden name, your address, or your phone number, might be considered personally-identifiable information.
Certain organizations may require such information to perform services for you, including your bank, investment advisor, lawyer, or doctor. But consider carefully before you entrust your personal information to anyone. A great way to limit the risk to your information is to limit the number of places where it is stored and could be discovered.
-
Use strong passwords and keep them secure
Hackers laugh at most of our passwords, and not just “weak” efforts like “password” or “12345.” They use sophisticated programs that can test thousands of English and foreign words in an instant. If your password is eight characters long and all in lower-case, such as “puppydog,” it would take under four minutes for a hacker to crack.To make your passwords more secure, make them longer and more complex. First, consider using a phrase that you will remember, i.e. “pledgeallegiancetotheflag.” Then, incorporate upper case letters, numbers, and symbols --- “PleDGEa11egiance2THEflag,” for example. This type of long, complex password would take thousands of years to crack.Then, to keep your passwords secure, do not disclose them to anyone and do not store them anywhere they might be found (like on a sticky note in your desk drawer). And use different passwords for different websites or accounts. If you might have difficulty remembering different passwords, consider using an online password manager, such as Dashlane or LastPass. You create one password for their service, and it will create randomized passwords for each website that you visit on your computer.
-
Talk to your financial institutions about authentication procedures for business and personal account and wire transfers
Many people think that banks are required to reimburse customers for fraudulent transactions. Although that is mostly true for fraudulent credit and debit card transactions, it is not the case for bank account and wire transfers. Under state law, financial institutions can create reasonable policies to authenticate a customer’s identity before processing a bank account or wire transfer. So long as those procedures are followed by the bank, it is the customer who is on the hook for any losses due to fraudulent transactions.One common identity theft scheme is “spoofing” such wire transfers, and it has cost victims more than $1 billion dollars in the last two years, according to the Secret Service. It works like this: your business regularly transfers funds from its bank account to your accounts, or those of your customers or business partners.
Your bank requires some authentication before processing those transfers; most often, they will require verification by telephone or e-mail. Hackers, using information gleaned from your business’s e-mail accounts, steal account information and then are able to identify the individuals responsible for such verifications, perhaps your assistant or business manager. The hackers input a wire transfer from your business account to their sham account, often overseas. Then, the hackers find a way to spoof your verification. This could be done by faking an e-mail from you to your business manager, instructing them to approve the transaction. Hackers might even know, from illicitly accessing your electronic calendar, that you are on vacation, making it less suspicious that you are providing such instructions to employees by e-mail and ensuring that you will not be in the office to disrupt their scheme. Or, the fraudsters might electronically intercept the bank’s e-mail or telephone call to you, and provide the bank themselves with the verification password they’ve stolen from your system. The bank believes you have verified the transaction and processes the wire transfer. Once the money has left your account, it is often difficult or impossible to recover, and the bank is not required to and likely will not reimburse you for the stolen funds.How can you prevent this common scam? First, talk to your financial institution about their control processes for wire transfers. Authorize them to put as many controls as possible on transfers from your account, including two forms or sources for verifications. And make sure your employees know about this scam, and know that you will never instruct them to conduct or verify a large wire transfer by e-mail or without direct authorization.
-
Use multiple e-mail accounts for different purposes
Think of all the personal information a hacker would find if they broke into just your e-mail service. Most of us have in our inboxes and trash folders e-mails from our banks or investment statements, together with business and personal correspondence, which would reveal a trove of personal information, such as account numbers, addresses, phone numbers, and names of family members.To limit that risk, use separate e-mail accounts for different purposes, such as: one for friends and family, one for business correspondence, one for online shopping websites, and one for your financial institutions. Should one be compromised, your exposure will be greatly limited.
-
Avoid unknown Wi-Fi hotspots
Wireless data connections are a great convenience, but you cannot know whether a public hotspot is secure. When you connect your phone or laptop to a wireless network, you cannot know whether the wireless router has been updated to maintain its security. And the names of Wi-Fi networks can be “spoofed,” so the network that appears to be offered by your favorite coffee shop might instead connect to a hacker’s computer nearby.
Accordingly, limit your use of public Wi-Fi. Turn off any “auto-connect” features on your phone and computer so that it will not connect to a network without your authorization. And never use hotspots for banking or shopping transactions, or transmitting any information that you want to keep private.
-
Secure your home network
If you have a Wi-Fi network at home, there are steps you should take in setting it up to protect yourself. First, change the default name and password that came installed on the router and use a complex new password instead. Make sure that encryption and the firewall are turned on, and turn off the feature that broadcasts your home network’s name to other devices. Finally, download software and firmware updates to your router on a regular basis: manufacturers use these updates to patch security flaws as they are discovered.
-
Think before you click
The internet offers amazing resources and tools for modern life, but it also puts you directly in touch with hackers and their malicious programs, or “malware.” Malware can allow hackers a back door into your computer through which they can steal your information. Make sure that you have installed and keep updated a virus protection program on all your devices. And do not click any links unless you are familiar with the website or download any programs if you do not need them or do not know the source. If your firewall or virus protection program alerts you to a suspicious file, follow the warnings, cancel the download, and delete the suspect file.
Although there is no way to guarantee the safety of your personal and financial information in today’s cyber-economy, following this sampling of tips will help secure your information, as well as that of your business and family, from hackers.
