Viruses on rise, but are companies liable?

• Author: Swartz, Nikki
• Position: Computer viruses

Computer viruses designed to steal victims' personal and financial information--names, addresses, and credit card numbers--are becoming increasingly widespread on the Internet, according to an Internet-security trends report by security software maker Symantec Corp. Unfortunately, companies are trying to limit their liability when such online security breaches hijack customer data.

Symantec's study of the 10 most prevalent viruses during the last six months of 2003 shows a 519-percent increase in the volume of virus-laden messages that constituted threats to user privacy and confidentiality compared with the first six months of the year. These infectious programs sought either to expose documents or to filch data like passwords and financial account information, often using programs for logging users' keystrokes and sending the data back to virus authors. There was also a definite increase in viruses and worms that open backdoors to provide hackers with entry into victim PCs at a later date. Backdoors allow hackers to download any program they choose, including those that steal personal information, to turn the PCs into spam relay points, or create foot soldiers to carry out other Internet attacks.

Symantec said it is unclear as to what degree businesses and consumers are being victimized by these malicious viruses or how much damage is being done. Half the companies analyzed by Symantec experienced a serious security breach in the second half of 2003, up significantly from one-sixth in the first half, due mainly to the period's hugely successful viruses and worms. Six of the top-10 attack types Symantec saw, including viruses, worms, and targeted attacks, exploited flaws in Web applications, which are attractive targets because traditional firewalls block traffic in certain applications but allow most Web traffic.

When it came to severe, targeted hacker attacks on corporations, financial services, healthcare, and power and energy companies topped the list of the hardest-hit. The financial services industry experienced 7.8 severe attacks per every 10,000 security events, compared with 1.9 sustained by the 10thranked telecommunications industry. Most of these attacks--58 percent--appeared to originate from the United States.

In the face of these ongoing hacker attacks, some companies that store customers' personal data are adopting a new defensive tactic: They are writing policies specifying that they are not legally responsible if a...