The word “hacking” has become a household term. “Hackers” are villains in the news media and when companies are “hacked” they lose public confidence. A hack is not a computer-specific word. Any workaround that does not use the accepted, standard or legal method is a hack. That’s why it used to be an insult to call an amateur a “hack”. They are not doing their job in the traditional way, but instead use shortcuts.
Only a minority of hacking activities are illegal. Many people implement “life hacks” such as tying two extension cords together to prevent them unplugging when pulled. I personally visit Lifehacker.com on a weekly basis. Hacks will either use an item in a way that was not intended, or make an item last longer than originally designed, or allow you to do a task faster than the traditional means.
That is why we call cybercriminals “hackers”: because they are not entering a computer system using a standard interface or with the proper authority. The common person thinks the hacker uses fancy computer programs to circumvent password protections or to disguise their location and identity because that is how it works in the movies.
Some hackers, however, enter those protected systems using the standard procedure because they obtained a password. One way to obtain a password or other information is phishing, which is a kind of social engineering, or human hacking.
Customer service reps and assistants are often targeted by hackers because they are trying to be helpful in answering hundreds of legitimate requests every day. Once in a while, a call (or email) comes in that looks like it is from a person in trouble who just needs a bit of information (such as that password, bank account number, or contact name) that would solve their problem. So the hacker gets the information they need without using any programming skills, just a good scam.
Imran Ahmad of Miller Thomson LLP analyzed the case of Apache Corp. v. Great American Insurance Company in an article on Mondaq.com entitled “Does Your Insurance Cover Phishing Scam? It May Not.”
The 5th Circuit reversed the district court’s finding made in favor of Apache. It found that the loss was not the result of a “direct” use of a computer so as to be covered under the “computer-fraud” provision.
Mr. Ahmad makes the case that:
This case underscores the narrow judicial interpretation that may be afforded to crime policy “computer fraud” provisions which effectively constrains the computer-fraud coverage to “hacking” type events. From a Canadian perspective, the question is whether Canadian courts and insurance companies would similarly interpret “computer fraud” provisions of insurance policies if faced with a similar set of facts as in Apache.
Clearly, it is important for a business to have insurance against hacking and other breaches of cybersecurity. However, just because a fraudster uses email does not make it a case of computer fraud; it remains general fraud.
In related news, on January 19, 2017, the Canadian Securities Administrators (CSA) published Multilateral Staff Notice 51-347 — Disclosure of cyber security risks and incidents, which was explained by Bradley J. Freedman and Joseph DiPonio in their article “Cyber Risk Management — Regulatory Guidance For Reporting Issuers’ Continuous Disclosure Of Cybersecurity Risks And Incidents” (Mondaq.com).
Under this regime, companies that issue shares to the public are expected to comply with continuous disclosure by issuing quarterly and annual reports, and to report cybersecurity breaches promptly by issuing press releases.
So, are they going to report phishing? The employee who accidentally leaked the information wouldn’t know they’d done something wrong until the information was used for theft or fraud, and sometimes not even then. We mainly know that phishing works because security experts have demonstrated it, not because any specific security breach could be shown to be due to a phishing scam.
Hmm. I feel like I missed an opportunity for a pun about holding your breath under water or fishing because it’s mostly sitting in a boat waiting.