The protections for small businesses that suffer from a cyber-hack are not the same as those for consumers.
You have heard all of the stories about consumers suffering losses related to cyber-crime, and you have received all the warnings and updates from your bank telling you what to do if you are victimized.
But businesses in this country shop at many of the same places individual consumers shop, and the protections offered to businesses do not match those offered to private consumers.
According to Regulation E of the Electronic Fund Transfer Act, banks are required to bear the burden of fraudulent transfers from bank accounts for individuals. But that protection does not exist for small businesses.
The Federal Bureau of Investigation reports that more than 8,000 small businesses have been victimized by cyber-crime over the past two years, and have lost almost $800 million as a result.
And the danger is greater for businesses, because when a cyber-thief hacks an account, the thief can get into very delicate areas of a company’s electronic communication, such as inter-office emails, electronic calendars and the like.
“They knew exactly how I had communicated with our bookkeeper,” said Stuart Rolfe, who works for Wright Hotels, a company that invests in and develops hotel properties, in an interview with National Public Radio. “They knew exactly what kinds of things that I said.”
By accessing his calendar, the cyber-thieves knew when he was in meetings, and could reply to emails from his bookkeeper regarding transfer requests while he was otherwise occupied. They could then delete the messages before he saw them.
Rolfe contacted his bank, JP Morgan, upon realizing that the crime was taking place and had been going on for several weeks. JP Morgan’s response was within the rules of law when it stated “they were terribly sorry for our loss, but that they could not accept responsibility nor offer any reimbursement to us for the loss,” Rolfe said.
The law in question is the Uniform Commercial Code, which says banks are required to offer business customers a “commercially reasonable” security protocol. If the bank follows that protocol, it cannot be held liable for fraudulent money transfers and does not need to reimburse businesses in those cases.
The thinking among the banking industry is that companies should bear the weight of protecting their accounts as much as banks do.
The law does not appear to be anywhere near being changed, so the FBI and the Internet Crime Complaint Center (www.IC3.gov) have several tips for businesses needing to protect their accounts from fraudulent transfers:
1. Fully train employees in security principles and procedures.
2. Go the extra mile in purchasing firewall security and other computer protections for company systems.
3. Control physical access to computers and network equipment.
4. Make sure your Wi-Fi connection is secured, and the passcode protected.
5. Limit employee access to password information and limit the authority to download software.
If victimized, businesses can protect themselves by taking immediate action:
· Contact your financial institution immediately.
· Request that your financial institution contact the financial institution where the fraudulent transfer was sent.
· Contact the local FBI office; the FBI works with the U.S. Department of Treasury Financial Crimes Enforcement Network, which might be able to freeze funds.
· File a complaint with the IC3.
Kent McDill is a staff writer for Millionaire Corner. McDill spent 30 years as a sports writer, working for United Press International and the Daily Herald of Arlington Heights, Ill. From 1988-1999, he covered the Chicago Bulls for the Daily Herald, traveling with them every day through the nine-month season. He also covered the Bulls for UPI from 1985-88, and currently covers the team for www.nba.com. He has written two books on the Bulls, including the new title “100 Things Bulls Fans Should Know And Do Before They Die”, published by Triumph Books. In August 2013, his new book “100 Things Bears Fans Should Know And Do Before They Die” gets published.
In 2008, he resigned from the Herald and became a freelance writer. The Herald hired him to write business features and speeches for the Daily Herald Business Conferences and Awards presentations.
McDill also writes a monthly parenting column for the Herald’s Suburban Parent magazine.
McDill is the father of four children, and an active fan of soccer, Jimmy Buffett and all things Disney.