Danger lurks quietly in the airport. It floats silently in the air at many coffee shops. Even entire cities have become hazards for the unwary.

This is the new world of security threats, a world created by the ever-increasing deployment of public wireless networks. For many traveling corporate executives, laptops, cell phones and BlackBerries are an indispensable part of their jobs, and as a result their exposure to security breaches and information theft has never been greater. And it is only going to get worse.

Take for example the “evil twin” phenomenon. First reported a year ago, this novel hacking approach has the potential to steal sensitive information from dozens of users at once. Hackers create a wireless access point in the middle of an airport or a coffee shop. They give the point an innocuous name such as Café Hotspot. Then, they wait. Users unknowingly log onto the shadow network, allowing the hackers to access their laptops. From here hackers can tap into a company's private network, potentially stealing everything from trade secrets to customer credit card information.

“Laptops are a huge security risk,” says Joel Smith, chief technology officer of AppRiver, a Florida-based company specializing in technology security solutions. “There is always the scenario of the man in the middle who can sit there and watch the packets.”

With the prevalence of public hotspots, wireless office tools and organized hacking circles, companies need to take a hard look at how employees are using wireless gadgets. The consequences of not doing so can be staggering.

“Many companies say they protect all their wireless access points and have everything firewalled,” says Ross Kodner, president of MicroLaw Inc., a firm that specializes in legal technology consulting. “That doesn't do any good if you are sending people out with laptops that are connecting from an unsecured hotspot.”

Wireless World

Wireless hardware is fast changing from an amenity to a necessity in the corporate world. According to Business Communications Review, North American businesses purchased more than 16 million Wi-Fi equipped laptops in 2003.

These laptops aren't just being used in the office. According to Gartner Group, a technology research firm, 4.5 million people will regularly use public hotspots next year. As the usage grows, so do the security risks.

“Employees who have access to company laptops need to abide by certain personnel procedures,” says Steve Wu, a partner at Cooke Kobrick & Wu. “For example, they may allow someone to audit what they do at home.”

Even if employers keep tabs on employees' laptop usage, they may not be able to catch a hacker in the act. This is because hackers can break into a network under the guise of the employee.

“If somebody exploits the unsecure connection, they effectively become the laptop user and can enter right through onto the corporate network,” Kodner says. “And worse, if they do something insidious, it looks like the employee did it.”

But it's not only outside the office that laptops create security holes. Bringing a laptop onto a corporation's premises creates vulnerable access points.

“Bringing in a completely unsecure wireless access point and plugging it into the secure corporate network is like putting a 30-foot lit neon sign on top of the corporate headquarters saying, 'Confidential information available here for free. Come and get it,'” Kodner says.

And it's not just laptops that pose a threat. Cell phones and other wireless devices create similar exposures. This came to light after hackers accessed Paris Hilton's T-Mobile Sidekick and posted its contents online. Bluetooth technology, which comes standard with most new wireless devices, creates additional inroads for hackers as well.

“Even with secured wireless connections, they forget that there is Bluetooth that is sitting wide open,” Kodner says.

Costly Breaches

Kodner's words ring true. With recent reports of security breaches at big-name companies such as LexisNexis and Bank of America, it seems that any company is susceptible. But what's worse than the actual hacking are the legal consequences of not stopping the hackers.

Retail giant Designer Shoe Warehouse (DSW) is learning this the hard way. In late 2004 and early 2005, war drivers, hackers who cruise in cars looking for open access points, tapped into a DSW store in Dadeland, Fla. Over a four-month period, they stole more than a million consumers' credit information from the company's network.

No consumers have stepped forward to file class actions against DSW. However, many consumers may not even know their information was stolen. DSW has been slow to inform consumers about the break-in, so slow in fact that the state of Ohio is suing DSW to force it to expedite the process.

“There are grounds for negligence claims,” Wu says. “Also, if a company claims to have policies to protect customer information and they fail to take care of that information, then there may be an unfair trade practices claim.”

But besides litigious consumers, companies have to worry about legislation as well. A bill proposed by Andy Spano, county executive of Westchester County, N.Y., would force companies to establish security procedures, including a firewall, on their wireless networks.

“We want to bring public awareness that businesses need to protect data they are capturing,” says Andrew Neuman, senior assistant to Spano. “Clearly this isn't the silver bullet to eliminate the problem. But we want to send a wake-up call.”

Although the so-called wake-up call consists of a measly fine of $250 to $500, if passed, the bill may encourage other jurisdictions to pass similar legislation and may eventually lead to national regulation of wireless networks.

Educating The Uneducated

Aside from litigation and new laws, the old standby compliance issues under HIPAA and SOX also demand attention. If a hacker steals corporate HR records or tampers with financial data, the targeted company could face hefty fines. For example, if hackers tapped into a company's network and made employee health-related information public, a company could potentially face a fine of $25,000 per incident. For large companies with hundreds of employees, such sanctions could be crippling.

“If adequate security precautions aren't taken to protect health care information, there is certainly significant exposure of the company to HIPAA suits,” Kodner says. “Also, allowing corporate records to be subject to data poisoning or alteration could be peripherally violative of the spirit of SOX.”

Education is a company's main line of defense from break-ins. In the hands of the ignorant, wireless hardware is a wide-open portal begging for hackers to enter. If a company fails to educate employees or understand its liabilities, it will find that cyberspace is a dangerous, untrustworthy universe.

“These are not issues that are so geeky that you could never understand them if you didn't own a pocket protector,” Kodner says. “There is no excuse for companies to be ignorant of these issues.”