Business shuffles off liability for personal data

In the face of continuing attacks by computer hackers, some firms that store their customers' personal data are adopting a defensive tactic: if your information is stolen, they're not legally responsible.

Across the internet, retailers and other service providers that handle consumer transactions are requiring customers to agree to waive any right to sue the companies if the businesses are hacked, regardless of how secure their systems are. The waivers are contained in lengthy terms-of-use agreements that consumers often click to accept without reading closely.

"You agree to assume all risk and liability arising from your use of Verizon Wireless's online services, including the risk of breach in the security" of its system, according to the mobile phone giant's use agreement, if you choose to use its online billing system.

These waivers are yet another sign of the struggle to provide reliable online commerce in the face of increasingly sophisticated and organised computer criminals intent on making money, not just mischief.

Firms said that, despite their best efforts, they cannot guarantee that personal data will be secure and don't want to get sued over intrusions. And they fear the Federal Trade Commission (FTC), which has actively pursued cases in which firms have failed to live up to security assurances made to customers.

But consumer advocates say firms should be held accountable. "If companies are willing to derive the benefit of information collection, but not the responsibility to secure it ... it won't be difficult for consumer attorneys to invalidate these provisions as being unfair," said Mr Chris Jay Hoofnagle, associate director of the US Electronic Privacy Information Centre.

Firms with extensive databases of consumers' credit card numbers, social security numbers or other identifying information are prime targets, experts said. Lax internal controls also have led to customers' data being exposed at several companies. A robust market for stolen credit card numbers can easily be found on the internet.

Meanwhile, identity theft cases continue to grow, jumping 40 per cent last year over 2002 in the US, according to the FTC, though not all those resulted from hacking.

Whereas a fraudulent charge on a credit card is generally covered by the credit card firm, a hacker gleaning enough data to create new accounts by posing as someone else can inflict long-lasting damage to the victim's credit rating.

No one knows how much of the supply of such data results from attacks on corporate networks, as opposed to online scams that trick consumers into providing information, or thieves sifting through garbage for credit card receipts or other personal documents.

But security experts say firms are attacked by hackers far more often than is ever reported. According to a 2003 industry survey by the California-based Computer Security Institute and the FBI, only 30 per cent of companies that said they suffered security breaches reported them to law enforcement agencies.

Often, attacks on networks fail. If they succeed, some firms inform the affected customers, as several major US banks and credit card firms have done in the past year. But for most industries, there are no national disclosure requirements.

"It's a convoluted system," said Dan Clements, chief executive of Cardcops.com, a firm devoted to helping consumers determine whether their credit cards have been compromised. "No one has taken the lead in informing the consumer that their information has been exposed. Everyone is pointing to someone else." The result is that consumers have little means of evaluating the vigilance of a particular vendor when it comes to security.

Many firms make little or no mention of their security efforts.

"To make any statements about the quality of your data protection efforts is dangerous," said Mr Charles Kennedy, a Washington lawyer who advises companies on their internet policies. Mr Kennedy blames the FTC for the emerging trend of firms disclaiming liability for security breaches.

Many firms insist they take the strongest security measures possible, no matter what their liability policies say. "Verizon Wireless is very concerned with customer security and privacy," said a spokesman. "But we are trying to be fiscally responsible to protect the company from lawsuits." - (Washington Post Service)