02 Mar After a successful attack on your computer systems, then what?
Madison, Wis. — There may no yellow tape or chalk outlines of a body, but companies need to preserve evidence of computer crimes if they want remedies, said a lawyer who spoke at the Fusion 2005 CEO-CIO Symposium on Wednesday.
Daniel Vaccaro, a partner with Michael Best & Friedrich, said that organizations whose systems have been compromised by Internet fraudsters or disgruntled employees can benefit from learning to work with law enforcement.
“You get to ride on the backs of experienced criminal investigators, who solve this crime, track this person, and it doesn’t cost the business money,” he said.
But companies that simply clean up after an attack on their systems and move on may be destroying data that investigators could use as evidence. IT administrators might even want to consider keeping or backing up the hard drives of employees who leave the company, Vaccaro said, in case they could later turn up evidence of leaked information.
Data from an employee computer proved critical in the case of Creative Computing, which created a Web site where truckers could find available routes. A rival, GetLoaded.com, posed as a fake trucking company to get an account, then hacked into the site to copy its code, Vaccaro said.
After a Creative Computing employee left to join the other company, investigators managed to find evidence of improper data access. A court in 2004 awarded the company $510,000 in total damages and a permanent injunction preventing GetLoaded.com from marketing to its clients, which Vaccaro called “a rare and difficult thing.”
The decision was based on the federal Computer Fraud and Abuse Act, which defines seven computer-related crimes and allows criminal charges to be brought over more than $5,000 worth of damage to computer systems that are used in interstate commerce.
When organizations’ systems are compromised, they may have another reason to preserve evidence. Perhaps following California’s privacy law, which requires companies to notify people if their information is leaked, Wisconsin Senator Ted Kanavas is introducing identity-theft legislation in this state.
Kanavas, a Republican representing Brookfield, said the bill would focus on notification requirements.
Some Wisconsin organizations aren’t waiting. Peter Stockhausen, CIO at Manpower Inc., suggested the previous day that companies pursue proactive compliance, using privacy and accountability to customers as a selling point.
Companies must also watch out for attacks that don’t even touch their computer systems. Mark McLane, CEO of Madison-based NameProtect, said the Internet has made certain types of fraudulent schemes much easier. NameProtect watches for misused brands, including consumer fraud based on respected brand names.
“A huge market attracts criminals,” he said, after projecting that brand counterfeiting accounts for around 5 to 7 percent of overall global product turnover.
That can do serious harm to a company’s business, both by taking away potential sales and by tarnishing the brand image.
For customers, a healthy dose of caution is the primary way to avoid being taken in. Technical and legal solutions may come, McLane said, but “it’s going to get worse before it gets better.”
“The answer is cultural rather than technological, at least for the time being,” “We [CIOs] have got to take that upon our shoulders,” Ace said.