There were two stories this past week that should serve as warnings to the owners and operators of small or medium-size businesses. The first appeared in the LA Times and concerned an employment lawyer in Woodland Hills, Calif., who discovered that her office phone system had been hacked and some US $20 500 in international calls charged to her telephone account. When she contacted AT&T about it, the woman was initially told that she wouldn't be held responsible for the fraudulent calls, but the $20 000 charge kept showing up on her monthly telephone bill anyway.
The Times story says that AT&T apparently decided that the lawyer was indeed responsible for the charges, and that if she didn't pay up, her phone service would be terminated.
The Times contacted AT&T for a comment about the case, which told the paper that:
"... if a customer's phone system gets hacked, the company isn't responsible for any fraudulent charges that accrue.
"If your toaster blows up in your home, you don't expect the electricity company to be responsible for it... [an AT&T spokesperson explained] It's your toaster."
The Times also reports that Verizon operates under a similar policy. I presume that is true of other telecom companies as well.
The story says that AT&T and the employment lawyer have now settled the matter (I would guess in part because the Times contacted AT&T about it), but exactly how it was settled isn't described; a nondisclosure agreement prohibits either party from discussing it.
In a similar vein, there was a Bloomberg News story last week about cyber crooks stealing as much as $1 billion a year from the bank accounts of small and medium US businesses, which have little recourse to get their money back if the bank claims that the businesses lost their money because the businesses' IT systems were hacked. Business bank accounts are not protected from wire-transfer fraud in the same way that consumer accounts are.
As a point of comparison, the story says that about $43 million was taken in US bank heists last year.
Bloomberg says that only JPMorgan Chase & Co., the second-largest bank in the US, insures commercial deposits against the hacking that is now targeting small and medium businesses, as detailed in a Wall Street Journal article from last month. Small and medium businesses—as well as the banks they typically do business with—are seen as having very weak IT security that can be easily defeated and/or exploited by phishing attacks.
There is proposed legislation at the federal level to extend wire-fraud protection to small business accounts, but the American Banking Association is opposed to it, the Bloomberg story states. The reasons apparently are that the banks—especially the small and mid-sized ones—don't want the added IT expense of monitoring client accounts for potentially fraudulent activities or to pay for the insurance to cover the losses.
However, the company Experi-Metal recently won its case against Comerica Bank, which might change the risk-responsibility landscape a bit. The case is detailed at Brian Krebs' security blog, but in short, Experi-Metal was hacked and its bank accounts "electronically ransacked" even after the company informed Comerica that its IT system had been compromised. When the bank refused to cover Experi-Metal's losses, the company sued, claiming the bank should have done more to prevent the hacking from happening as well as stop its accounts from being tapped by the cyber thieves—especially after the company told the bank about the hacking. You can read the court opinion (PDF) in favor of Experi-Metal here.
Comerica was going to appeal, but apparently has decided not to and has paid Experi-Metal back its stolen money. Meanwhile, in another very similar wire-transfer fraud case, this time involving the construction company Patco v. Ocean Bank, the courts just this week have reaffirmed a ruling in favor of the bank.
So, given the conflicting court findings, at least for the foreseeable future, small and medium businesses should keep AT&T's admonition in mind when it comes to IT security and protecting their computer and phone systems from hackers: "It's your toaster."
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.