CyBIR: Cyber and Privacy Breaches – Insurance and Reinsurance Data Privacy Lawyers: Walker Wilcox & Matousek Law Firm


Adware: Software installed on a computer for the sole purpose of producing advertisements as pop-ups or banner displays to generate revenue for the advertiser.


Anonymous: An online hacker group suspected as the party responsible for the massive Sony breaches in May 2011, which Anonymous denies.  It has admitted responsibility for the system breaches at MasterCard and Visa following the WikiLeaks disclosures.  The group slogan is “We Are Legion.”


Blog: From the term “web log,” a type of website, usually in reverse chronological order, maintained by an individual with regular entries.  Unlike a static website, most blogs are interactive, allowing visitors to post comments.


Botnet: A collection of compromised computers running software designed to forward transmissions (including spam and viruses) from one computer to another without the owners’ knowledge or consent.  Each such computer is referred to as a “zombie” or “robot” (hence, “bot”) because it automatically follows instructions from the originator of the virus or spam.  Typically a botnet gains access through an inadequate firewall.  Computers in the “zombie army” may be directed to submit multiple transmissions to overwhelm and prevent access to a particular website, sometimes a competitor’s.


CIRT: “Computer Incident Response Team.”  Refers to an organization’s team and procedures for handling a cyber attack.  The team should be responsible for designing preventative measures, detecting the attack, preserving critical data and communicating with the public and law enforcement.  Also known as a Computer Security Incident Response Team (CSIRT).


Cloud Computing: “The data has left the building.”  A service delivery model characterized by delivery over the internet (the cloud); resources such as software and platforms are provided on demand and payment is based on usage, like gas or electric utilities.  Servers are located off-premises in a “server farm” and may be shared by several companies.  Owners of the data lease server space away from their own location and outsource IT and server maintenance to save capital expenditures.


Cookies: A type of message given to a web browser by a web server and then stored on the computer’s hard drive.  Cookies are used to save log-in information and create a personalized website that reads, for example, “welcome back Jack” when the website is next opened.  Local shared objects, also known as “flash cookies,” store more information and are not listed among the cookies stored on a hard drive.  Many users are unaware of flash cookies or mistakenly believe they have been deleted.  Several class action lawsuits charge media and technology companies with using flash cookies to create consumer profiles without the consumers’ knowledge.


COPPA: “Child Online Privacy Protection Act.”  Enacted in 1998, this federal legislation is intended to protect children under 13 years of age.  The Act places responsibilities on websites and online services operated for commercial purposes to protect children’s privacy and safety online.  Many websites disallow underage children from using their services because of the amount of paperwork involved in complying.


Crimeware: A class of malware designed specifically to automate cyber crime.  It is distinguished from adware, spyware and other malware because it is designed to perpetrate identity theft in order to illegally access and use another’s online accounts.  Crimeware techniques include stealing passwords, installing a keystroke logger to capture confidential information, or redirecting a web browser to a counterfeit website.


Denial of Service: Denial of Service (DoS) attacks make computer resources unavailable to their intended users.  The two most common DoS attacks are those that crash the system and those that saturate the target with so many communications that it cannot respond.  If an attacker mounts an attack from a single host, it is a DoS attack.  If the attacker uses multiple systems to cripple another system, it is a Distributed Denial of Service (DDoS) attack.  In December 2010, unidentified individuals in support of WikiLeaks’ disclosure of confidential U.S. government documents initiated DDoS attacks on two credit card companies that refused donations to WikiLeaks, resulting in 30 lost internet hours for the credit card companies.  Two days later, WikiLeaks’ own site was the subject of a DDoS attack.


Encryption: Conversion of data into a form called “ciphertext” that cannot be easily understood by unauthorized users.  In order to recover the contents of an encrypted signal, the correct decryption key is required.  Modern cryptography is based on the use of algorithms to scramble or encrypt the original message (plaintext) into unintelligible data (ciphertext).  Some governments view strong encryption as a potential vehicle by which terrorists could function.  These governments propose a key-escrow arrangement in which those who use a cipher would be required to provide the government with a copy of the decryption key.


FACTA: “Fair and Accurate Credit Transaction Act.”  Enacted in 2003, this federal legislation is intended to protect consumers from identity theft.  Among its provisions, the Act permits consumers to receive a free credit report annually and requires devices that print credit card numbers to truncate the number to the last four digits.


GLBA: “Gramm-Leach-Bliley Act” (Financial Services Modernization Act of 1999).  Repealed a 1933 law that barred the consolidation of financial institutions and insurance companies.  Included within GLBA are multiple sections relating to the privacy of financial information.  Companies must provide written notice to consumers of their privacy rights and explain the company’s procedures for safeguarding data.


Hackers: Persons who use computer skills to trespass, uninvited, into another’s computer system.  To some, hackers are different from “crackers,” who infiltrate computer systems for criminal purposes only.


HIPAA: “Health Insurance Portability and Accountability Act.”  Enacted in 1996, the Act regulates the use and disclosure of certain health-related information held by “covered entities,” which include health plans, health care clearinghouses (i.e., billing services) and health care providers.  HIPAA requires, among other things, that covered entities notify individuals of the uses of their PHI; monitor disclosures of PHI; document privacy policies and procedures; and appoint a privacy official and contact person to receive complaints regarding privacy breaches.  The HIPAA requirements were significantly expanded by HITECH.


HITECH: “Health Information Technology for Economic and Clinical Health Act.”  Enacted in 2009, this federal law requires physicians and medical facilities to adopt electronic health records.  The Act also expands HIPAA privacy rules: medical providers must notify each patient of security breaches within 60 days and notify the federal government and social media if more than 500 patients are involved.  Criminal and civil penalties of up to $1.5 million are possible.


ITERA: “Identity Theft Enforcement and Restitution Act.”  Enacted in 2008, ITERA lowers the threshold for prosecutors to bring criminal charges for unauthorized access to a computer and provides for restitution to the victim “equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense.”


Malware: Abbreviation of “malicious software”; software designed to secretly access a computer system without the owner’s consent and steal data for illegal purposes.  Malware includes computer viruses, Trojan horses, crimeware, rootkits and worms.


Phishing: Criminally fraudulent attempt to acquire sensitive personal information such as user names, passwords and credit card data by masquerading as a trustworthy site.  It often originates as an email directing a person to click on the link to a fraudulent website that appears genuine and instructs the person to enter sensitive data by “verifying an account.”  “Ph” is a common substitute for the letter “f” among hackers (e.g. “phone phreaking”).  Phishing should not be confused with Phish, an American band.


PHI: “Protected Health Information”  Information concerning the health status, provision of health care or payment for health care that can be linked to any individual; typically interpreted broadly to include any part of an individual’s medical history or health-related payment history.


PII: “Personally Identifiable Information.”  Unique information that establishes an individual’s identity, such as date of birth, Social Security or national identification number, race, gender, etc.


PCIDSS: “Payment Card Industry Data Security System.”  A set of policies and standards for securing credit and debit card information.  It was created jointly in mid-2004 by four credit card companies (American Express, Visa, MasterCard and Discover).  It addresses security requirements such as firewalls, encryption and anti-virus software.


Point of Sale System: A system, mostly used in restaurants and hotels, in which a computer replaces a cash register.  Besides recording transactions, a POS system accepts credit and debit card data, usually with a bar code scanner, tracks inventory and records employee hours.


Ransomware: A form of malware in which an unauthorized user inserts a computer virus to encrypt data and then demands money for the decryption key in order to restore the data, a type of “cyber extortion.”  Some ransomware locks the user’s keyboard and leaves a mobile phone number for the user to call to unlock the keyboard, for a fee.


Red Flag Rule: Effective in June 2010, this legislation requires all businesses that accept credit to have a written policy that addresses how they will prevent and handle identity theft.  “Red flags” include tampered photo IDs and unverified addresses.  The law imposes fines of $3,500 per violation.  The legislation was modified in December 2010 to exempt physicians, lawyers and other professional service providers.


Rootkits: A form of malware in which an unauthorized program that tracks data goes undetected because it subverts the normal authentication and authorization systems.  Some rootkits are installed intentionally, e.g., to prevent copying of copyrighted material on CDs.


Skimming: The use of a counterfeit device that captures credit or debit card data, including the data on the magnetic “swipe” stripe.  ATM skimming occurs when thieves create a fraudulent façade that fits over the ATM and is indistinguishable from the real machine.  When a debit card is inserted, the captured data may be accessed remotely.  A small camera placed over the keypad records PINs.  An estimated $350,000 per day is skimmed from ATMs worldwide.


SMiShing: A combination of phishing and SMS.  SMiShing uses cell phone text messages to deliver a message with a hyperlink or a phone number to call; following it may either download a Trojan horse or entice the recipient to provide personal information, which is then used by the criminal party.


Spear Phishing: Unlike phishing, which sends emails to a random group of people, spear phishing targets a select group of people with something in common, such as the same employer, bank or college.  The targets are sent emails that appear to be from the genuine organization seeking personal information.  Often the targets are asked to click on a link that takes them to another site that looks genuine.  A phishing email is addressed “Dear customer,” whereas a spear phishing email is addressed “Dear [your name].”  The recent Epsilon breach raises the likelihood of spear phishing.


Spyware: A type of software that can be installed on computers to collect small pieces of information without the owner’s knowledge.  In addition to monitoring information, it can track websites visited, change computer settings to slow the computer’s function, or block internet access.  It is seen most often on personal computers and is used to create a marketing profile.  Microsoft’s Internet Explorer is the browser most vulnerable to spyware, in part because it is the most widely used and because of its tight integration with Windows.


SQL Injection: An attack consisting of the insertion or “injection” of SQL (Structured Query Language) from an unauthorized source, typically seen with database-driven websites.  Databases enable web applications to store and sort data.  The web application uses a “string query” to extract data from the database.  The string query consists of the query and any parameters; for example, the user retrieves a product name and price by entering the product ID number.  A SQL injection inserts commands inside the parameters so that the data retrieved from, or changed in, the database is not what the user requested.  In the example above, if a “delete” command is inserted alongside the product ID number, the server will delete the product table.  SQL injections are one of the most common forms of web attacks.
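The product-lookup scenario above, as an added example that is not part of the original glossary: the query built by pasting the user’s product ID into the SQL string (the vulnerable pattern) is shown beside the parameterized form that prevents injection.  The product table, its rows and the function names are constructed here for the demonstration and are not taken from any real system.

```python
"""Added example (not from the original glossary): a string-built product lookup
beside its parameterized form, run against a constructed in-memory table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory product table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("P100", "Widget", 9.99), ("P200", "Gadget", 19.99), ("P300", "Gizmo", 29.99)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """The pattern the glossary warns about: the user's input is pasted into the
    query text, so whatever the user types becomes part of the SQL itself."""
    query = f"SELECT name, price FROM products WHERE id = '{product_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, product_id: str) -> list:
    """Hardened form: the query text is fixed and the ID travels as a bound
    parameter, so the database treats it only as a value, never as SQL."""
    query = "SELECT name, price FROM products WHERE id = ?"
    return conn.execute(query, (product_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A normal request: both lookups return only the product asked for.
    print(lookup_vulnerable(db, "P100"))
    print(lookup_parameterized(db, "P100"))
    # A crafted ID containing SQL: the always-true condition makes the WHERE
    # clause match every row, so the vulnerable lookup returns data the user
    # never requested, while the parameterized lookup simply finds no such ID.
    crafted = "x' OR '1'='1"
    print(lookup_vulnerable(db, crafted))
    print(lookup_parameterized(db, crafted))
```

The difference between the two functions is the whole defense: with a bound parameter the database engine receives the query structure and the value separately, so no value a user supplies can change which rows are read or, as in the glossary’s delete example, which tables are modified.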


VPN: “Virtual Private Network.”  A computer network that uses the internet to provide remote users with secure access to a private network.  Its purpose is to avoid expensive leased lines or dial-up phone lines.  A VPN uses cryptographic “tunneling” protocols to provide confidentiality.  Amazon’s EC2 offers VPN connections to link users to its cloud computing.


Wardriving: The act of searching for Wi-Fi wireless networks from a moving vehicle, using a portable computer or PDA.  Wardriving is used to hack into business networks and retrieve credit card information.


Warkitting: A combination of wardriving and rootkitting.  In a warkitting attack, a hacker replaces the firmware of a compromised router.  This allows the attacker to control all traffic for the victim, and could even permit disabling SSL by replacing HTML content as it is being downloaded.


Wiki: A collaborative website that allows anyone to edit, add or delete contents, in contrast to a blog which permits readers’ comments but only allows the author to change the contents.  The first wiki was developed in 1995.  A common misconception is that Wiki is an acronym for “what I know is.” The term “wiki” means “quick” in Hawaiian.