No Lack of Flack for "Hack Backs" after Attacks


Security firms are getting even with hackers by hacking back and gathering intelligence on these intruders. Learn why IT consultants should avoid this gray legal area.

Thursday, September 11, 2014/Categories: cyber-liability

There's the old playground philosophy: if you want to stop a bully, you need to fight back. That's exactly the approach some cyber security firms are taking when they offer "hack backs." There's just one problem: hack backs are illegal.

What's a hack back? Say a company has just been hacked. The company could hire a security consultant to go after the hacker, find a way into their computer, and try to do some damage.

While this eye-for-an-eye Internet justice might seem appealing, Al Jazeera America reports that hack backs exist in a legal gray area. Clients that hire a security firm to attack hackers might actually be committing a crime, and you could be exposed to liability if you recommend a security firm that uses this strategy.

To protect your company, let's take a closer look at how hack backs work and why you need to avoid them.

Can You Hack the Hackers?

Tempting as it may be to hack the hackers, doing so is illegal. The Computer Fraud and Abuse Act prohibits unauthorized access to a computer. A client that hires a security firm to go after a hacker could be exposing its business to a legal mess. Big problems can arise from taking matters into your own hands. Here are some things to be aware of:

  • Hackers aren't stupid. When cyber criminals steal data from your clients, they often store it on someone else's computer. In fact, an entire attack is probably routed through innocent IP addresses. This means that when cyber security firms chase an attacker, they might accidentally access an innocent bystander's computer.
  • Non-regulated security firms spell trouble. In order to execute a hack back, a U.S. security firm might have to open an office in a country with no data security laws (or contract with a firm located there). To put it another way, IT consultants don't want to hire the "Dog the Bounty Hunter" of security firms to do their dirty work.
  • Gathering intelligence is a gray area. Instead of hacking back, some companies advocate seeking out information about hackers. But probing for the source can lead to more holes in security.

It's worth pointing out that – so far – no one has been prosecuted for hack backs. But that doesn't mean the Justice Department has given them the all clear. Just because no one has gone to jail for hacking hackers doesn't mean it's a smart business practice.

IT Liability: Welcome to the Wild, Wild West

If the idea of a "hack back" strikes you as closer to the Wild West than Silicon Valley, you're not alone. A few weeks ago we ran the story, "CDD Complaint Suggests We're in the 'Wild West' Stage of Digital Privacy," which explores how ambiguous data privacy laws open the doors for companies to interpret (or ignore) laws as they see fit.

Data security is nearly impossible to regulate, and industry standards can be just as difficult to enforce. In fact, trying to standardize these things might only make it easier for hackers.

That's the unfortunate reality for IT consultants: there are no protocols or legal guidelines to follow that will completely limit your liability. You'll always be exposed to the risk of data breach lawsuits.

Luckily, you can address these exposures with Professional Liability Insurance. It covers cyber liability claims after one of your clients has been hacked. When clients sue you, this insurance can pay for your legal expenses, settlements, and any damages the court rules you owe your clients.

To learn more about IT insurance, call one of our technology insurance agents at 800-688-7020.
