While individual consumers can be reimbursed for fraudulent charges on their bank accounts, it's much harder for businesses to recover damages related to a cyber heist. This means it's important for IT consultants to make sure their clients are practicing proper data security to protect their online banking.
Take the case of Tennessee Electric – the TN-based utility company that had over $300,000 stolen from its bank accounts. As Krebs on Security reports, the electric company is in the middle of a two-year legal battle and still hasn't recovered the full amount of money it lost.
Businesses operate under a different body of law (the Uniform Commercial Code), which protects banks and limits their cyber liability when they are sued by businesses whose accounts were hacked.
Your clients actually have more risk than the average consumer. Let’s look at these risks and how you can prepare for cyber theft.
What IT Consultants Need to Know about the UCC and Data Breach Lawsuits
The Uniform Commercial Code (UCC) only lets businesses recover the amount of money that was stolen from them by hackers who committed bank fraud. But there's a problem…
In order to recover money, businesses usually need to file a lawsuit against their bank. Given how expensive lawsuits are, a hacked business will often spend more on legal fees than what was stolen from its bank account.
The UCC protects banks from liability as long as they take "commercially reasonable efforts" to secure their clients’ data. Generally speaking, the courts have protected banks from owing more damages as long as they follow industry standards and abide by the terms set out in their contracts.
Tennessee Electric is suing its bank. If it wins, the case could set a new precedent that makes it easier for companies to recover money stolen from their bank accounts. However, such a ruling is still a long way from happening.
For more on the current state of data breach laws, see the post, “Why IT Contractors Shouldn't Hold Their Breath for Universal Data Breach Legislation.”
How to Protect Your Clients from Cyber Attacks on Their Bank Accounts
When hackers gain access to a client's account, they've presumably done so by stealing a password. We've seen an explosion in spear phishing attacks, where cyber criminals send spoofed emails that trick a user into divulging a password.
In the body of the email, hackers include a link (or malware), which takes the user to a website that looks like a bank, email, or other account login page. When users mistakenly enter their passwords, hackers are able to steal the keys to the castle. (For a recent example of this attack, read the post, “eBay Data Breach Shows Danger of Phishing Attacks on Small Businesses.”)
To prevent password theft on bank accounts, it's smart to put extra security measures in place for any financial accounts, such as…
- Requiring two people to sign off on every transaction.
- Requiring two-factor authentication.
- Mandating unique passwords for all bank and financial accounts.
- Requesting that the bank confirm (via phone) transactions over a certain amount.
Why Bank Hacks Matter to IT Consultants
Say your client's bank accounts have been hacked. Money's been stolen, but your client can't recover damages from the bank. Where is the client going to turn to recover money? That's right: their IT contractor.
If a client is the victim of a phishing or malware attack that siphons their passwords, they probably won't be able to sue their bank, but they can file a lawsuit against the IT professional who installed their network security software. A client could allege that you didn't put adequate security procedures in place to protect their computers, prevent hacks, and safeguard their passwords.
Because you're much easier to sue than a big bank that is protected by the UCC, you're an attractive target for a business that's looking to recover money it lost in a hack.
In addition to taking measures to prevent data breaches and educate your clients, it's paramount that tech professionals have adequate insurance. Professional Liability Insurance for IT consultants can pay for lawsuits over client data breaches, covering legal defense expenses and damages.