Stop the bleeding: "Heartbleed" bug means Facebook, Google and maybe you aren't secure

According to CNet, late on Monday, April 7, 2014, a very serious security vulnerability was revealed to web users who utilize the OpenSSL security protocol. OpenSSL is one form of an encryption protocol that tries to keep secret the communications that occur between a web browser and a web server. Google, Facebook, and other major web entities all relied on this seemingly secure protocol. Many online banking sites may face similar vulnerability. The vulnerability discovered on Monday renders the security feature ineffective. This could mean that information such as passwords and account numbers are vulnerable to interception. This blog has previously covered the risks for banks when dealing with corporate accounts. If the bank fails to provide commercially reasonable security procedures, they could ultimately be held responsible for losses experienced by corporate and business customers. In addition to the potential for corporate account losses, banks have significant exposure for consumer account losses. In the wake of security breaches at Target banks should already be aware that Regulation E leads to exposure for losses experienced by consumers. Banks that utilize OpenSSL for their online banking systems should already be in contact with their information technology professionals regarding ways to fix the Heartbleed vulnerability. Banks that don't know whether they are vulnerable should definitely contact their information technology professionals to find out whether they are at risk. Even if your bank's systems are not specifically vulnerable to Heartbleed, there is still reason for concern. With sites like Google and Facebook potentially compromised, banks should recognize that customers and employees may have had their passwords compromised. Despite advice to the contrary, many web users have the same passwords for their email, social media, and banking accounts, so when an email account is compromised all accounts are compromised. Banks should take this opportunity to remind their employees of best practices, and how important it is to have unique passwords for bank systems. Banks may also want to think about informing consumers about the necessity of updating passwords on a regular basis. Banks should also consult with legal counsel regarding the specific rules for liability for consumer and corporate funds because the rules governing accounts can vary. Banks that dawdle may find themselves compensating a lot of account holders for losses. For questions regarding web security and liability, you can contact John Lande.  

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.