By Bill Kammer
Reports of breaches and exploits continue to appear with increasing frequency. There are far too many bad actors and far too many methods they can employ to damage or obtain our confidential information or our money.
This recent headline is a good example: “Personal Information and Financial Data Was Hacked from Almost 20,000,000 Patients of LabCorp and Quest.” Another headline alerts us to “Six Security Scams Set to Sweep This Summer.” The confluence of these events and warnings has produced a cyber security funk. I’ve concluded that it is time to circle the wagons, recognizing that it’s not a question of whether our accounts, offices or finances will be compromised, but only a question of when and how great the damages. So let’s engage in some defensive strategy planning.
These thoughts all build on the base assumption that anything ever saved online will inevitably fall into the hands of cyber criminals. With that in mind, let’s adjust our online behavior to limit the value of that information. Hopefully we’re all now using robust passwords and saving them in a reliable password manager. And by now, we should be using two-factor authentication (“2FA”) wherever available or possible for any account that contains financial information and even for lower-level accounts such as Gmail.
Resist any offer from a merchant or application to let us use our Facebook or LinkedIn credentials to log in to another site. It sounds like an attractive way to avoid having to remember another login or password. But don’t do it, because Facebook and LinkedIn will track our behavior and shopping at those other locations and then sell that additional data to their own customers. And, in exchange, the third-party sites can harvest the data and information we may have posted on the social media sites.
We could cease shopping online, but today, that’s an unlikely decision anyone would make. Again, we can minimize the information left behind for hackers to target at a merchant’s location (think Target as an example). Begin with several behavioral changes. First, stop storing credit card information on any merchant’s site. That option is generally available. Second, when possible, buy as a “guest” rather than establish an account. That way you leave less personal identification information in the hands of the merchant.
Merchants and financial institutions often ask for answers to security questions as an aspect of verifying our identity. Advice in recent years has trended toward simply lying and making up fictitious answers. Assume that our biographical information is everywhere on the Internet and realize that it probably has a half-life a little greater than uranium. Though we may prudently avoid posting much personal information, leave it to a young relative to casually annotate family history with photographs and remembrances posted on a variety of social media sites. So when you’re asked your mother’s maiden name, consider responding “Minnie Duck.” When asked where you were born, where you lived while in the eighth grade or where you were married, try “Slovakia” or “Pluto.” We should use our imaginations to come up with many similar examples and responses.
In the same sense, many commentators suggest that we never post our head shots on a site and use instead a distant shot, a pet’s photo or some other image. Unfortunately for lawyers, it’s hard to avoid the reality that our photos are all over the internet. Just go to Google Images and search on your name. You’ll probably find a variety of photos culled from the pages of our law schools, our offices, our professional associations and our MCLE providers. If someone wants to use our head shot to facilitate an identity theft, it’s probably too late to bar that door.
Finally, take advantage of some internet tools to watch for possible compromises of names and Social Security numbers.
You can set up a Google search on your name and the names of your family members, and on any Social Security number. Then ask Google to save that search and send you an alert if those search terms ever appear in Google’s constant crawling of the internet’s multitude of websites. Adjust the frequency of their email alerts if they occur too frequently.
Implementing all these techniques and devices will never stop the inevitable hacks, but it will minimize the damage and even provide early warnings that allow preventive measures to avoid the most disastrous outcomes.
Bill Kammer is a Partner with Solomon Ward Seidenwurm & Smith, LLP.