Cyber attack ranked more serious threat than nuclear explosion

FEMA’s first annual National Preparedness Report also detailed other disturbing findings.  For example, when the individual state agencies were asked what would cause the most stress to their emergency response systems, they ranked cyber attacks as the first among human-caused events, ahead of even a nuclear bomb detonation.

The potential magnitude of a coordinated cyber offensive on government and business is significant.  But the frequency of cyber attacks is also cause for concern:  US Computer Emergency Readiness Team statistics show that from FY 2006 to FY 2010, cyber incidents increased 650 percent, and that nearly two-thirds of US firms have fallen prey to some form of cyber crime.  The report notes that these numbers might actually be low, because management often fails to report cyber incidents to law enforcement or other government agencies.

Little action being taken against cyber threat

Perhaps most surprising is that while awareness of the cyber threat is widespread, little is being done about it.  In fact, the Department of Homeland Security’s 2011 National Cybersecurity Review, which found that among 162 state and local entities, only a little over half had implemented a formal cyber risk management program.

The private sector is in a similar position:  Only 2 of out 10 small and medium-sized businesses have an insurance policy that protects against loss due to cyber crime.

Some tools can slow down cyber attacks

There are some ways government agencies and businesses can fight back, though.  For instance, the US Postal Service (USPS), has partnered with the National Cyber Forensics and Training Alliance, to investigate ways to limit cyber attacks.  The two organizations use software that can identify emerging digital threats, and have also reverse-engineered code used in cyber attacks on the USPS, leading law enforcement officials to the source of the crime.

Internet insurance can protect private-sector firms

Most private firms have limited digital resources, though, and are easier for cyber criminals to breach.  Thus, cyber liability insurance is vitally important.  The assaults on businesses come from a variety of sources, including denial of service attacks, malicious viruses that infect the company network and exploit security holes to access private information, and bogus emails seeking confidential data from an unsuspecting employee (a technique known as “spear phishing”).

A single cyber event cost a company hundreds of thousands of dollars – from legally mandated notification expenses to client lawsuits to loss of revenue due to business interruption. But all these cyber risks, and many others, can be insured against with a properly designed, comprehensive Internet insurance policy.

Like any other business, law firms are vulnerable to network breaches.  Because of the extremely sensitive information attorneys possess, however, the consequences can be particularly devastating.

Many attorneys unnecessarily put themselves in danger of huge losses.  But the legal profession is hardly alone – it is estimated that only about 2 in 10 small businesses have any cyber liability coverage at all.  This is quite amazing, especially considering the daily news headlines telling of cyber crimes against all sorts of businesses and government agencies.

What if someone hacked into your computer network?

Every law firm stores valuable data on its computers.  If a hacker broke in, various nightmare scenarios could unfold.  For instance, confidential and proprietary information found in contracts, even those yet to be executed, would be available.  The hacker could extort the law firm and its client to keep from revealing the data to the world.  And even if the criminal had no use for this particular content, the mere fact of a security breach would put the firm in danger of being sued by the client whose data was exposed.

There are even ways that a data breach could occur unintentionally by employees of the law firm.  For example, if a worker unwittingly opened a virus-infected email, the virus could then reveal protected information, such as tax returns.  Social Security numbers and client income amounts might become public knowledge.

Other cyber dangers abound

There are other hazards to be aware of, too.  Data storage on laptops is common, but if the device gets lost or stolen, client information is exposed.  So, for example, if a burglar breaks into an attorney’s house or car and steals a laptop used for work, the secrecy surrounding intellectual property, discovery files, and all sorts of other legal documents would be broken.

Furthermore, a typical law firm has paper files as well as digital ones.  A negligent employee might lose paper files, triggering a legal crisis.  Or, if paper files are archived by a third-party provider, and files get compromised, the law firm is still liable.

Any loss involving client data might also necessitate a rapid public relations response, which would be expensive.

State and federal laws also require notification to each individual person whose information has been breached.

Occasionally, and often without explanation or warning, records in a network become corrupted, or the entire network might become inoperable – either situation would result in a break of business continuity and lost revenue.

Network breaches cause big cyber liabilities

A typical network breach exposes hundreds or even thousands of records. The Ponemon Institute estimates that each compromised file costs the victimized company $214.  By the time lawsuit and client notification expenses have been paid, the average hacking incident costs a whopping $7.2 million.  But even if only one single file is exposed, lawsuits and other consequences can cost huge sums.

Take precautions, but realize they aren’t fail-safe

There are some preventative measures that attorneys can take.  For example, encrypting all sensitive data will make it more difficult for the bad guys to get access to client information.  And having strong network security protocols can reduce the likelihood of a successful attack.

But even for law firms that are diligent in taking precautions, a breach is probably of matter of when, and not if.  As mega-companies with a ton of security resources continue to be victimized – like Visa and Google – it is becoming almost impossible for smaller firms to maintain a sense of invincibility.

The good news:  Internet insurance offers protection

To fully exercise due diligence, attorneys need to acquire cyber insurance to cover the wide range of liability exposures they face on a routine basis.  Such protection, also called “Internet insurance” and “information insurance,” can provide payment for claims generated by both first and third parties.

In addition to the scenarios previously mentioned, cyber liability policies can be written to cover other circumstances, including malevolent actions of a rogue employee and a firm’s unintentional breach of its own privacy policy.  There is even coverage available in the event that compromised records enable the stalking of a client.

As attorneys and other professionals grow more aware of the diversity and potential severity of cyber risks, more firms are seeking coverage.  Growth in the cyber risk insurance sector grew by an estimated 20-30% last year.  But navigating the complexities of coverage can be daunting.

INSUREtrust offers expertise in Internet insurance

We at INSUREtrust have been cyber liability insurance experts for over 15 years, and every day help businesses determine the right policies for their particular needs.

Internet insurance doesn’t have to be expensive, but it is money well spent. The premium cost for a cyber insurance policy can be as little as a few thousand dollars for a $1 million policy limit.

Over the past ten years, INSUREtrust has written more than $100 million in premiums and paid more than $30 million in claims. Insurers are looking for business and we can find competitive pricing and terms for any risk.

The bill getting the most attention is the Cyber Intelligence Sharing and Protection Act (CISPA).  It would make it easier for the federal government to gather information about citizens’ Internet activities from web-based companies that retain such data.  CISPA would allow, for example, Facebook and Google to reveal what their users are up to, if the government asks for it.  In exchange, the government would be allowed to tell these companies about cyber threats that would be classified information to everyone else.

CISPA loosens the burdens on both ends of the equation:  It would negate the government’s need to obtain a search warrant or have probable cause before inquiring about a person’s Internet activity, and it would give companies immunity from privacy lawsuits brought by their users.

Because of its promise to stem the tide of cyber attacks, the proposal has bi-partisan support, and is generally viewed favorably by big technology and the broader business community.

But powerful forces are also emerging in opposition, concerned about the erosion of civil liberties and individual privacy.  Among them are the ACLU and consumer rights groups.

Republican presidential candidate Ron Paul has jumped into the fray, issuing a statement deriding CISPA as tool to spy on US citizens:  “CISPA is essentially an Internet monitoring bill that permits both the federal government and private companies to view your private online communications with no judicial oversight…”

Paul asserts that under CISPA, the government could easily glean private, personal information from emails and other online activity.  “Imagine having government-approved employees embedded at Facebook,” he predicts, “complete with federal security clearances, serving as conduits for secret information about their American customers.”

But at least one national security expert says that CISPA doesn’t go far enough to protect the US from cyber attacks.  In a recent article in Bloomberg Businessweek, former U.S. national intelligence director Mike McConnell argued in favor of robust governmental powers:  “In looking at corporate America, we haven’t been able to find a single corporation that cannot be penetrated to the point of capturing the most essential information.”

Other bills under consideration on Capitol Hill would impact several areas of cyber law, according to Forbes.  One proposal would create a federal standard for how companies notify customers when their data has been lost or stolen.  Currently, regulations vary from state to state.  The SAFE Data Act, another plan, would force businesses to tighten security around their customers’ sensitive data.

What information does a merchant have a right to gather from you when you pay with a credit card? Should a merchant be barred from obtaining your zip code on the grounds that it is personally identifiable information (PII)?

In California, these questions have been at the forefront of a recent series of court cases. And, the implications go far beyond the borders of the most populous state: Companies that are not physically located in California, but which do business with California residents over the Internet, could also be impacted.

Zip codes considered personal information

California’s Song-Beverly Credit Card Act of 1971 is a pro-consumer, state law that, among other things, limits a retailer’s collection and use of PII. In February 2011, the California Supreme Court ruled in the landmark case Pineda v. Williams Sonoma that under Song-Beverly, a zip code by itself constitutes PII and merchants are therefore barred from obtaining that data.

In the case, a Williams Sonoma store requested and recorded the plaintiff’s zip code and later used reverse search software to obtain the plaintiff’s complete address. This information was not only used by Williams Sonoma for targeted marketing efforts, but was also sold to other business for their own marketing purposes.

Lawsuits abound against companies collecting private information

The ruling opened the door to many other class action suits, because any business that collects PII in California is subject to the Song-Beverly restrictions. In fact, more than 100 other cases have been filed against a variety of firms, including oil companies, chain retailers, big box home improvement centers, electronics stores and office supply companies.

Subsequent cases involving Song-Beverly have refined the limits of how the law can be applied. In the March 2012 case of Sterk v. Redbox, the court held that the Pineda ruling only applied to “pen and paper” transactions that took place in person on store premises, leaving open the permissibility for an online retailer to collect PII.

In another March 2012 case, Flores v. Chevron, a lawsuit was brought to stop the gasoline giant from collecting zip code information when a customer pays at the pump with a credit card. In this case the court ruled that Chevron’s information collection was for the purpose of credit card fraud prevention, making it a special situation the court viewed as outside the intent of Song-Beverly.

In all three cases, a conflict exists between consumers’ privacy rights and merchants’ right to utilize PII for business purposes that involve marketing or fraud prevention. Ultimately, businesses gather all sorts of PII about their customers, whether online or face-to-face in a retail store.  As such, businesses are responsible for maintaining the confidentiality of that information.

Cyber crime endangers both businesses and their customers

A company deliberately selling customers’ PII without permission is certainly one way privacy can be violated. But another breach of privacy, unintentional on the part of the business holding the PII, frequently comes at the hands of cyber criminals, who release PII routinely.

To protect against these criminals, companies can buy Internet insurance, also known as cyber liability insurance, to minimize the costs of unexpected breaches of data networks.

Such Internet insurance can defend the business in lawsuits brought by consumers whose PII is stolen. It can also pay a portion of regulatory fines and the cost of notifications that various laws require companies to send to consumers in this situation – a cost that can be extremely burdensome without proper coverage.

INSUREtrust offers expertise in Internet insurance

We at INSUREtrust have been cyber liability insurance experts for over 15 years, and can help businesses determine their obligations under Song-Beverly and other regulations.

Internet insurance doesn’t have to be expensive, but it is money well spent. The premium cost for a cyber insurance policy can be as little as a few thousand dollars for a $1 million policy limit.

Over the past ten years, INSUREtrust has written more than $100 million in premiums and paid more than $30 million in claims. Insurers are looking for business and we can find competitive pricing and terms for any risk.

Vendors hold valuable, sensitive data

Vendors frequently possess personally identifiable information (PII) and other sensitive data.  If this data is stolen or misused while the vendor is handling it, even through no fault of your own, you will have a public relations nightmare to deal with.  Your company will also face numerous other potential problems that can severely damage your bottom line and reputation.

Just last month, for example, credit card giants MasterCard and Visa made major news when they revealed that millions of card numbers had been accessed through an attack on a third-party credit card processor, Global Payments.  Because MasterCard and Visa generally absorb fraudulent charges, this one incident could result in substantial losses.

In another prominent case, Stanford Hospital & Clinics reported last fall that 20,000 patient names, diagnosis codes, and account numbers were published on the Internet while in possession of a third-party billing contractor.  According to Computerworld, one patient has already filed a $20 million lawsuit against Stanford.

Cyber crime in the cloud

Many businesses are increasingly utilizing cloud computing vendors – those that provide software as a service (SaaS) or online storage and backup – because cloud vendors can offer continually updated products in a cost-effective manner.

But dependence on cloud vendors is potentially more dangerous than conventional ones, because cloud companies are often unwilling to contractually assume risk for data that is lost or stolen on their watch, according to the Infosec Island security blog.

Cloud providers argue that because they host resources shared by a large number of customers, one data breach can endanger the data of all customers, and if they as providers accept liability, one instance of cyber crime could easily put them out of business.  Essentially, vendors in the cloud maintain that the benefits inherent in the system necessitate the beneficiaries take on the risks.

Recourse against bad vendors not so easy

Virtually every company depends on vendors of some sort for services that it cannot perform on its own.  But as a decision maker for your firm, you must be aware that you are responsible for data you turn over to third-party vendors.  Even if you have a contract that offers you recourse, you will still have to defend your company’s image in the court of public opinion.

Furthermore, getting a successful resolution in a data breach dispute with a vendor is neither quick nor certain.  MasterCard and Visa can sue Global Payments, for instance, but litigation will take years to complete, and the outcome is not guaranteed to favor MasterCard and Visa.

Stanford has accused its vendor of violating their contract and the law.  But the damage is done to Stanford’s public image, regardless of where a court ultimately places legal blame.  And Stanford has already incurred large costs, including those of patient notification and litigation.

Business insurance needs to be part of your risk mitigation plan

In light of the unnerving prospect that your data falls victim to cyber crime while on a vendor’s watch, there is some good news to be had.  Internet insurance (also know as cyber liability insurance) can cover a wide range of first and third-party risks.  This kind of business insurance is a good low-cost solution to problems that cannot be completely resolved contractually.

Many owners and managers believe they are already covered for cyber risks.  But commonplace commercial general liability (CGL) policies rarely protect against data theft, hacking, or other electronic crimes, a policy specifically protecting against cyber liability is necessary.

In the last article, we suggested four ways that small businesses can lower the risk of getting hacked by a cyber criminal.  We’ll offer four more in this edition.

It is crucial to keep in mind, however, that small companies with strong and numerous safeguards in place still fall prey to cyber crime.  This is not surprising, given the fact that even large corporations with security budgets in the millions of dollars are attacked routinely.

Protect your online bank account from cyber crime

Consumer advice guru Clark Howard recommends that small businesses have a single computer dedicated solely to online banking.  Doing so will lower the risk of the business’ bank account getting hacked because it limits the computer’s potential exposure to malware, which is a main way cyber crooks can gain access to the hard drive.

Another method to fight against cyber theft is by using software that recognizes patterns of bank use over time and helps prevent fraud.  According to USA Today, there is an app that will send a text message to an employee’s smartphone to ask for permission before executing any suspicious transactions.

Banking security is a big deal, because a company does not enjoy the same protections afforded to a private individual.  Losses can be huge and difficult, if not impossible, to recoup.

Encrypt hard drives

If a computer is lost or stolen, the data will be much safer if it is encrypted.  Basically, this means that data cannot be easily viewed by someone who doesn’t have rights to it.  While it is impossible to protect the data 100%, encryption does makes the cyber criminal’s job much harder.

Lock mobile devices

Smartphones are an integral part of many small businesses.  Because they can hold sensitive and proprietary information, it is critical to include them in cyber security precautions.  Be sure to put a password lock on your mobile phone.  Additionally, Businessweek reports that remote wipe services exist that allow the owner to remove data from a smartphone that is no longer in the owner’s possession.

Keep computer software updated

A very simple way to reduce the likelihood of a cyber attack is by keeping server and workstation computers’ operating system (OS) software up-to-date.  Software makers frequently update their OS in order to combat newly discovered security holes.

Antivirus software should also be regularly updated with the latest virus definitions.  The network and software can be configured to automatically push out the updates to all the company’s computers.

Running old OS and antivirus software is akin to putting a “Welcome” mat at the front door for a cyber thief.  Implement a system to ensure this does not happen.

Get business insurance

Cyber crooks are sophisticated, and even vigilant small businesses become cyber attack victims.  Small business owners must recognize the limits of taking preventative measures against actions that are not entirely preventable.

Business insurance that specifically covers Internet and digital theft and hacking, known as cyber liability insurance or sometimes Internet insurance, is crucial to protect the company.  It can guard against all sorts of first party and third party issues, and compensate for losses inflicted by cyber criminals that could otherwise be catastrophic.

In fact, smaller firms are more vulnerable to cyber attacks in some ways.  Small business owners overwhelmingly believe that they are of low priority for cyber criminals – 85% in one survey said a large company was more likely to be hacked.  But this attitude can lead to complacency and a false sense of security, because hackers do target small businesses quite frequently.

Furthermore, small businesses are often unsophisticated in their approach toward network security, a fact not lost on the cyber thieves.  For instance, many small operations have a nominal IT budget and no IT director.  So they possess no expertise in dealing with cyber threats.

Adding to these challenges, small businesses are less prepared to react when they fall victim to a data breach and the problems that follow, including lawsuits, notification costs, regulatory penalties, and other fallout.

Put a plan in writing

One of the first things a small business needs to do to minimize cyber risk is develop written policies and procedures on how to deal with various network security issues.  Any potential gateway for hackers should be addressed, including email, web browsers, and mobile devices.  The FCC Small Biz Cyber Planner is an excellent resource to get this process going.

Educate and train employees

Once a plan is in place, small business owners must insist that employees and vendors alike adhere to it.  After all, a diligent and thorough plan is only as good as its execution.  But employees are likely to be unaware of how to be safe online:  A survey by Symantec and the National Cyber Security Alliance found that only 37% of small business owners train their employees in Internet safety.  The owner needs to set the tone by explaining the serious consequences of a hacking incident, and create a culture of concern over cyber security issues.

Backup data regularly

One cyber liability faced by small businesses is the corruption and/or loss of data.  Because digital information is so valuable and many businesses would grind to a halt if they lost their data, it is paramount that small businesses have an effective backup system.  Methods vary, but experts suggest having a physical backup made frequently and stored offline, at an off-site location.  The stored data should also be encrypted.

Audit your company’s network security

Small business owners should also undergo an audit of the company’s entire network security infrastructure.  This process, best performed by an IT expert who is given access to the network for a limited time window, will serve to expose holes in the system that could be exploited by cyber criminals.

Business insurance steps in when safeguards fail

Even small businesses that are diligent in constructing safeguards against cyber attacks become victims.  So it’s important to recognize the limits of taking precautions and understand that cyber liability insurance is crucial to protect the company.  Cyber insurance can protect against all sorts of first party and third party issues, and compensate for hacking losses that could otherwise easily become catastrophic.

The ambulance industry is not alone in this regard – it is estimated that only about 2 in 10 small businesses have any cyber liability coverage at all.  This is quite amazing, especially considering the daily news headlines telling of cyber crimes against all sorts of businesses and government agencies.

What if someone hacked into your computer network?

Every ambulance firm stores valuable data on its computers.  If a hacker broke in, any number of nightmare scenarios could unfold.  For instance, sensitive corporate information like non-disclosure agreements and confidentiality agreements would be available.  The hacker could extort the ambulance company to keep from revealing the data to the world.  And even if the criminal had no use for this particular content, the mere fact of a security breach would put the company in danger of being sued by the third parties whose data was exposed.

In a recent case in Georgia, a clerical worker at Emory Healthcare accessed digital files in a get-rich-quick scheme:  The employee allegedly printed off copies of patients’ hospital bills and passed them off to a crime ring, which then allegedly used the data – including Social Security numbers and dates of birth – to file fraudulent tax returns in the patients’ names.  The Atlanta Journal Constitution reports that Emory mailed thousands of its patients a notification letter.

Another possibility is that a disgruntled, vengeful employee could use data for unauthorized purposes.  Or maybe an employee with no ill will simply makes a mistake that leads to a data breach.  Regardless of the motive and method, the ambulance company faces liabilities.

Typically, a network breach exposes hundreds or even thousands of records. The Ponemon Institute estimates that each compromised file costs the victimized company $214.  By the time lawsuit and client notification expenses have been paid, the average hacking incident costs a whopping $7.2 million.  But even if only one single file is exposed, lawsuits and other consequences can cost huge sums.

Possession of medical records creates potential land mines

Because the ambulance industry deals with medical records, there are additional liabilities.  The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides for civil penalties if patient medical data is compromised.

And, since society places particular importance and sanctity on medical privacy, a judge and jury are likely in a lawsuit to be much more sympathetic towards the individual whose medical records have been stolen, as opposed to the company that was charged with safeguarding the record, even if the company itself was a victim of cyber crime.

Don’t just fear lawsuits – financial companies can levy their own penalties

Frequently, ambulance companies possess confidential financial information on patients too.  This creates another layer of liability, and another potential source of punishment from a data breach.  For example, if a cyber criminal steals payment information that includes credit card numbers, and then uses those accounts to make purchases, payment card industry (PCI) rules allow the bank which issued the credit card to both fine the ambulance company, and force it to pay for material losses.

Other dangers abound

There are other hazards to be aware of, too.  Data storage on handheld computers, tablets, and laptops is common, but if the device gets lost, patient information is exposed.  Furthermore, a typical ambulance company has paper files as well as digital ones.  A negligent employee might lose paper files, triggering a legal crisis.  Or, if paper files are archived by a third-party provider, and files get compromised, the ambulance company is still liable.

Any loss involving client data might also necessitate a rapid public relations response, which would be expensive.

Something as simple as a computer virus could lead to corrupted records or an inoperable network, resulting in a break of business continuity and lost revenue.

The good news:  Business insurance offers protection

There is light at the end of this tunnel, though.  For all of the scenarios outlined above, and for many others, business insurance can provide an ambulance company owner peace of mind.  Unfortunately, most small business owners fail to take advantage insurance products for cyber and privacy violation risks, and so remain vulnerable to potentially catastrophic fines, penalties, and lawsuits.

Prior to the change, those who subscribed to any one of a number of Google-owned sites agreed to the collection of private information about them by only that particular site.  For example, information gathered from a YouTube (yes, it is owned by Google) user would be retained and utilized by YouTube alone.

But now, all the information about someone that Google gathers from its various business segments is consolidated.  So, what one does on YouTube is now shared with other Google-owned services such as Gmail, Blogger, and Google Maps.

So, in the new Google system, you have a single identity profile that can be sliced and diced, mixed in a blender, and extrapolated any way the Internet giant deems in its self-interest.

Privacy vs. convenience

The key issue here is whether Internet users are prepared to give up privacy in return for greater efficiency of services.  While many people find the Internet a valuable tool for communication, work, education, and entertainment, privacy is a core value of American culture and an asset not easily relinquished by most.

CNN noted the conundrum that Google’s new privacy policy poses for all Internet users is the challenge of the Internet age itself:  Better and more creative Internet services means giving up greater amounts of personal privacy.  And while web users fear the loss of privacy, Google and other firms focus on the potential for new services and products.

Internet users must bear in mind that Google is neither gathering an increased quantity of personal data on its subscribers, nor new kinds of data.  Furthermore, Google subscribers can adjust their privacy settings to limit how the company uses their personal data and can even use Google services without logging in.  Private information cannot be gathered at all with this kind of anonymous activity.

Internet privacy rules broken?

Still, BBC News has reported that European Union commissioners doubt Google’s new policy conforms to EU privacy rules and transparency requirements.  European, particularly French, regulators have expressed deep concerns to Google, and an investigation is going forward.

Google is also under scrutiny in the United States for monitoring the web-surfing habits of users of Safari, a browser found on Apple Macintosh computers.  If investigated, this would be the second run-in Google has had with the Federal Trade Commission in recent years; an earlier FTC complaint concerned possible deception by Google involving its now-defunct social media platform, Buzz.

Google’s policy change may be heavy-handed, but is not necessarily improper:  Though users may feel violated, the company has not, in fact, broken its own privacy policy.

Business culture:  Profit over privacy

The Wharton Business School online publication, Knowledge@WhartonToday, has explored the culture inside Google. Business ethics experts commented that a culture clash occurs inside all companies over security and privacy, but particularly inside technology companies. This usually happens between legal teams and IT engineers, and the push for new products often comes out ahead.

The Wharton ethics professors concluded that in engineering oriented cultures, privacy and security might be considered a secondary item, where potential privacy errors are simply things to be cleaned up rather than designed around.

Business insurance for privacy policy violations

Technology insurance is available for companies with security and privacy risk, including business practices that unintentionally conflict with a company’s stated privacy policy.  Other areas covered under this kind of business insurance include fines and penalties levied by regulatory agencies such as the FTC.

Late last year, The Internet Corporation for Assigned Names and Numbers (ICANN) began selling the new .xxx top-level domain to owners of pornographic web sites.  The sex domain joins other top-level domains such as .com, .org, .gov, and .biz.

“Why should I care about this at all?” you may be thinking.  “I run a respectable, legitimate business that has nothing whatsoever to do with porn.”  Here’s why:  It’s a big deal because anyone could take your company name and stick the .xxx domain on it.  You could suffer a public relations crisis, losing customers and revenue.

Why would anyone use my web site name with a .xxx domain?

The bad guys have numerous motives for doing this.  Let’s say, for example, that you own Bob’s Pizza and your web site address is www.bobspizza.com.  A cyber criminal knows that you depend on your site both to process online orders and to foster general awareness of your brand.  So, he purchases www.bobspizza.xxx and then notifies you that you can either buy the web site name from him at an exorbitant price, or he will post porn on the site in an attempt to ruin your reputation.

But extortion isn’t the only reason your good name could be hijacked.  Disgruntled customers or former employees might also engage in this practice to exact revenge on a business for its perceived wrongdoing.

There is also the possibility that a pornographer might actually want your business name as part of his own web site address, if your company is well liked or has wide name recognition.  Such a scenario would, at least in theory, drive traffic to the sex site.

Cyber threat widely acknowledged

This might sound far-fetched, but some major entities are concerned enough to be spending thousands of dollars to prevent these very scenarios from coming to pass.  According to the Lincoln (NE) Journal Star, all four campuses of the University of Nebraska have bought numerous .xxx addresses:  Among them are nebraska.xxx, huskers.xxx, and gobigred.xxx.

In fact, the fear is so real that as of December 2011, over 80,000 .xxx domain addresses had been sold to non-pornographers as they moved to protect their good name.

Take precautions against cyber crime

Of course, if you’re a victim of this type of cyber attack, you could file a civil lawsuit and possibly seek criminal charges as well.  But by the time you got relief, if you got relief at all, substantial damage would have already been done.  Furthermore, according to a blog by law firm Myers Lin, it might prove difficult to take down a porn site if the owner claims he was operating the site as a parody of your business.

So, what should you do?  Well, it is at least worth considering whether you should buy a .xxx name that matches your business’s current .com address.  But remember that there might be numerous web addresses that could represent your company, and buying domain names for all of them quickly runs up the price.

You should also seriously consider purchasing technology insurance to protect your company from a variety of cyber risks, including extortion and damage to brand.  (Yes, insurance for this does exist!)  If you fall victim to cyber crime, the costs can be huge.  But insurance against Internet dangers doesn’t have to be.

About INSUREtrust

We invented the nation’s first Internet insurance policy over 15 years ago, and are experts in cyber risks.  Over the past ten years, INSUREtrust has written more than $100 million in premiums and paid more than $30 million in claims.  We can tailor make a technology insurance policy to fit your specific needs for any risks, and we can do it at a competitive price because insurers are looking for business.