The era of COVID-19 has brought enormous suffering and persistent uncertainty to New Yorkers. Adding to both the financial and psychological pain of the pandemic is a dramatic increase in identity theft during the past year. 

More than 67,000 complaints of identity theft were reported in New York state during 2020, according to the Federal Trade Commission (FTC). That was a record number, up 85 percent from the previous year and more than four times the figure of a decade earlier.

Whether identity theft involves credit cards, bank accounts, business or personal loans, government benefits, or other types of transactions, it carries significant risk of financial loss to the victim. The U.S. Department of Justice reported $15.1 billion in financial losses nationwide in 2018. Even when there is no direct monetary loss, addressing the consequences of stolen personal information can take months of complicated work with banks, utility companies, medical offices, and others. Sometimes the worst damage comes later, when victims have trouble getting a job, renting an apartment, obtaining a tax benefit, or receiving a loan because of a stolen identity.

New York State has taken numerous steps in recent years to address identity theft, which is punishable by up to seven years in prison, and to require that businesses and state agencies safeguard private personal information. But clearly, more must be done.

Each of us can and should take common-sense steps such as making sure to keep Social Security numbers confidential and being careful to limit use of birth dates and other personal information in online communications — including social media.

Governmental and independent consumer advocates offer a number of other recommendations for individuals.

As policy makers at all levels of government consider additional responses to identity theft, private businesses large and small that collect and maintain personal information must redouble their efforts to safeguard such data. Social-media companies, whose business models rely heavily on personal information, should take steps to promote best practices, such as educating users about ways to keep private information confidential. Working together, we can reverse the rising tide of identity theft.          

Thomas P. DiNapoli is the New York State Comptroller. This article is drawn from the executive summary to a report, titled, “The Increasing Threat of Identity Theft,” which his office issued in May. To check out the full report, visit: https://www.osc.state.ny.us/files/reports/pdf/increasing-threat-of-identity-tBheft.pdf      

Cybersecurity breaches are nothing new, but several high-profile cases recently are bringing new attention to a serious and growing problem. Malicious actors are getting more sophisticated in their attempts to subvert systems, using tactics such as spear-phishing to prey upon employees’ willingness and desire to be helpful. 

The average cost of a breach in the U.S. is $242 per record. Regaining trust and repairing a corporate reputation could add on to that expense significantly.

The fact that this is a growing problem is undeniable. There are a lot of reasons for the rise in cybercrime, including the sudden switch to remote work brought about by the COVID-19 pandemic. But even when employees are in the office, it’s easy to fall for a phishing scam, or leave systems vulnerable due to poor password habits. Here are just a few of the top vulnerabilities:

• Weak passwords — Choosing overly simple or easily guessed passwords is a long-standing risk.

• Unrestricted web browsing — Accessing the web is a modern business tool that can have many advantages, but unrestricted web browsing can lead employees to accessing sites riddled with malware, putting your systems at risk.

• Social-engineering scams — Social-engineering scams capitalize on the desire of employees to be helpful. Some of these scams might even happen over the phone, with scammers posing as coworkers or vendors, tricking your employees into disclosing passwords or bank-account numbers.

• Phishing, spear-phishing, and link scams — Email scams are widespread. Typically, an employee will receive an email that appears to be from a trusted source, such as a bank or vendor website, and will ask an employee to click a link to verify their account information. Once this process is complete, the attacker has access to your private information.

• Poor document control — Unlocked file cabinets, post-it notes that contain the latest passwords to systems, storing sensitive information in easily accessible files, discarded paperwork that remains un-shredded, and even documents left on printers are all examples of weak document security that could compromise your systems.

• Outdated or disabled browser-security software — Without the latest versions of anti-virus software in use on every machine, your office could be vulnerable.

Examining this list, it’s clear that malicious actors have two primary means by which to gain access to your systems: through holes in your technology, or by manipulating your employees. Businesses are aware that this is a problem, yet still can struggle to implement measures that will harden their cybersecurity defenses. Why is there such a disconnect?

Cost is frequently mentioned as a factor in delaying cybersecurity improvements. Although it is true that businesses may have additional IT expenses, especially if they are still using outdated hardware and software, the costs of upgrading systems will likely pale in comparison to the financial and reputational costs of a breach.

The most impactful step companies can take in hardening their cybersecurity defenses is training employees. All breaches share one commonality: educating people can reduce the rate of these attacks.

Cybersecurity training is not a one-time event. Rather, it is ongoing learning that will make the biggest difference. Short, frequent training will have a lasting impact — and, recurrent lessons allow for changes to be made in training, to adapt as malicious actors change their tactics. I’m reminded of Ben Franklin’s quote: “Tell me and I forget, teach me and I may remember, involve me and I learn.” 

You’ll need to involve every employee. Each person who has access to email or who uses your computers must be trained — including interns, and all the way up to the CEO. Malicious actors have become very adept at mimicking legitimate websites, and whether it is through a lack of understanding, carelessness, or unfamiliarity with the risks, employees are putting companies at risk.

Training doesn’t have to be expensive. Leaders should look to third parties to conduct training as threats and tactics so quickly evolve. Video training is available at a reasonable dollar amount, and the Center for Internet Security has a list of free resources. 

Cybersecurity training is one of the most essential steps you can take to protect your business. If you need help, reach out to your financial institution for recommendations. It, along with organizations such as the Cybersecurity and Infrastructure Security Agency (CISA), the Small Business Administration (SBA), and the Department of Homeland Security (DHS) have resources and help for companies of all sizes.        

Terra Carnrike-Granata is senior VP and director of information security at NBT Bank. She is responsible for designing and implementing sophisticated controls to prevent loss and mitigate risk, while also developing innovative ways to educate consumers and businesses on cyber threats — helping to keep companies and consumers protected. For more information, visit www.nbtbank.com/businessfraudinfo.

Booming internet usage means that virtually every company has a website, and many companies use their website to enhance the user experience and collect information about their users. As a result, company websites have terms of use and privacy policies that were developed to govern the interaction between the user and the company through its website. 

Many businesses, however, developed their website’s terms of use and privacy policy when their websites were last substantially revised, and no one has paid attention to them since. Of more concern, some companies “cut and pasted” terms of use and privacy policies from other websites or used template forms available on the internet. While these may be a good start, they may miss some key provisions that should be included to protect your company and comply with the law.

This article reviews what needs to be included in terms-of-use agreements and privacy policies for company websites so that you can determine whether your company needs to review and update any of the provisions in them to better protect your company. 

Terms-of-use agreements

These provisions are typically included in a hyperlink at the bottom of a webpage. They can also be named terms of service, terms and conditions, conditions of use, or similar phrases. The first rule about these provisions is that they should be easy to read and understand. The provisions are intended to be a legal agreement binding on the website user which establish the terms a user must abide by to use the website.

Terms-of-use provisions generally include:

• Agreement to use the website only for lawful purposes (prohibits use of malware or other software that interferes with the content or use of the website);

• Disclaimer that the information on the site is for general information purposes and there is no warranty regarding the accuracy, completeness, or usefulness of the information. The disclaimer should extend to third-party content if used on website;

• Acknowledgement that website content is owned by the company and is protected by copyright, trademark, and other intellectual-property laws, and the material cannot be reproduced or modified;

• If the website contains message boards, chat rooms, or other interactive features, terms governing user-generated content so that user-posted material does not violate laws or company standards;

• An explanation of what information the company may collect from its website users and a link to the company’s privacy policy;

• Notice that the terms of use may be revised and updated from time to time and that all changes are effective immediately upon posting; 

• Email address for feedback or comments relating to the website; and

• Traditional contract provisions such as disclaimer of warranties, limitations on liability, governing law, and indemnification.

Note that the terms-of-use agreement for your website should be tailored to fit your website, its functionality and your company. Terms of use are important if accounts can be created on your company’s website because they set the rules about how the account system operates. Moreover, if there are links to social-media features, specific concerns about copyright infringement (especially if there is user-generated content), concerns about collecting personal information of children using a site or industry-specific regulations (e.g. banking and financial services), there may be additional language that should be added to the terms-of-use agreement to protect your company.

“Browsewrap” vs. “clickwrap” agreements

A browsewrap terms-of-use agreement exists when the terms of use are referenced on the website’s main page by a hyperlink to the complete provisions where there is a conspicuous notice that, by using the website, the user agrees to the terms of use. The website user must click on the hyperlink to see the terms that bind the user. Generally, courts have held that browsewrap agreements will be binding on the user when the user is encouraged by the design and content of the website to examine the terms available through the hyperlink. However, courts have taken disparate views on whether a website is, in fact, appropriately designed to encourage the user to click on the terms-of-use hyperlink. If your company is using a browsewrap terms of use, a message should be displayed in a prominent position on the site’s pages, notifying users that the website is governed by the terms of use and that users who do not agree to the terms must not access or use the site. This message should provide a link to the full terms of use and be located so that users can see the notice without having to scroll down the page. 

A clickwrap terms-of-use agreement exists when a pop-up, or series of pop-ups, appear when users visit the website that informs them that they must review and agree to the terms of use to use the site by clicking to indicate agreement. This is a clearer means to show user agreement to the terms of use and are more likely to be found enforceable by a court than browsewrap terms. E-commerce sites where users are purchasing products or services and websites where social media is being uploaded or posted are advised to use clickwrap terms-of-use agreements to ensure enforceability of their terms.

Privacy policies

Your privacy policy should disclose your practices for the collection, use, handling, and sharing of data from your users. Privacy policies are now required by several federal, state, and foreign laws, particularly if your company is collecting data to identify individuals (e.g. email address, name, mailing address, social-media information, etc.). Any third-party advertising or analytics provider that your company engages to help optimize website use will require an acceptable privacy policy be posted by your company before it will integrate their services on your website.

It is a good practice to have a privacy policy even if your company is not collecting data that could identify individuals, if for no other purpose than to inform your users that you are not collecting any individually identifying data.

Your privacy policy should be easy for users to read and understand. It should be clearly and conspicuously accessible on the website. A link to the policy must be conspicuously placed wherever personal information is collected. It should truly reflect the company’s actual business practices. The policy should not make any statements about the company’s privacy practices that may turn out to be untrue.

A privacy policy that meets the requirements of most data privacy-laws should include the following provisions:

•  A description of what kind of information you collect from users, why you collect it, how you use it, how long you store it, and what information is shared with third parties;

• Disclosure on whether and how you use cookies or other tracking technology;

• Disclosure that the company may have to release collected user information in response to warrants, subpoenas, or other legal process;

• How to request changes to, or a review of, any information of the user that is collected and stored;

• An opt-out procedure for users who do not want their information shared with third parties or used by the company;

• The method that will be used by the company to notify users of any changes to its privacy policy; and

• The policy should identify the date it was last revised.

The word “privacy” should be used in the title of the policy and any links to the policy. 

Note that if your company sells advertising for its website that has click-through features or uses a vendor’s technology for analytics, those third parties may be collecting user data as well and your privacy policy also needs to disclose the privacy practices of those third parties.

Template privacy policy should not be used for most websites. Instead, a privacy policy should be carefully drafted that is informed by the company’s actual information collection and privacy practices.

Importantly, as technology evolves, so does the information that might be mined from company websites. Your company should periodically audit its compliance with its posted privacy policy and confirm that its practices, such as allowing users to opt-out of certain uses or disclosures (for example, to unsubscribe to a mailing list), are being followed. Failure to comply with what you have promised to do in your privacy policy exposes the company to potential liability.

While provisions in terms-of-use agreements and privacy policies on company websites may look “boilerplate,” they are not. These must be tailored to the capabilities and functions of your website and to the specific information that is being collected and stored from user use.        

Gail M. Norris is a senior counsel in the Rochester office of the Syracuse–based law firm of Bond, Schoeneck & King PLLC. She works in Bond’s Cybersecurity and Data Privacy practice. Contact Norris at gnorris@bsk.com. This article is drawn from the law firm’s Cybersecurity and Data Privacy Information Memo.