Data has become one of the world’s greatest commodities as technology becomes increasingly sophisticated. With innovation comes potential dangers, however, as the risk to personal or business data seems to be at an all-time high.
Data breaches have come into the forefront of the news cycle, as major companies, local businesses and municipalities all seem susceptible to cyberattacks.
In Arizona alone, 8,027 victims of cybercrimes filed complaints in 2018 to the Internet Crime Complaint Center, a reporting mechanism through the FBI, and suffered a collective loss of more than $45 million as a result of cyberattacks.
Cybercrimes can take the form of email/phone scams, phishing attempts, cybersquatting, breeches, identity theft and a growing number of other attacks.
For local law enforcement agencies, resolving the many calls they receive from citizens reporting cybercrimes can be difficult.
Oro Valley Police Department Public Information Officer Sgt. Carmen Trevizo said the department takes these calls on a regular basis.
“What we see quite a bit of is the identity theft related scams,” Trevizo said. “Somebody’s information has been breached and a lot of times they don’t even know how their information got out but then they start seeing fraud on their credit, charges being made to their accounts…That’s one way we see that mechanism of cybercrime. Now there’s been so many data breaches that often times its nexus is a cyber origin, so to speak.”
As far as what the department can do to address these cases, it depends on the presence of any local leads, and includes educating the victim.
If the fraud occurred in Oro Valley or the victim lives in Oro Valley, an officer will make a report and try to find an immediate remedy and take measures “then and there to try and prevent it from happening again,” Trevizo said.
“Where it becomes really difficult for us to do anything other than just document it is if someone says ‘I got a phone call, never gave them any money, hung up on them,’ but there’s really no follow up we can do on that because typically callers are from another country.”
Trevizo added that once an individual has actually occurred a loss as a result of a cyberattack, they should seek out assistance.
“You always want someone to call us if they’ve actually encountered some kind of loss on it, and certainly if there’s information we can follow up on locally then we want that kind of information as well,” she said. “If someone is asking you to send a gift card to a local address we could actually follow up on that.”
Officer Frank Magos, a spokesperson for Tucson Police Department, said that while the department doesn’t have a cybercrime unit, the department often receives calls about fraud related cybercrimes.
“What we are seeing more of are emails telling people that someone’s been kidnapped or a loved one is in the hospital, send us money type of deal,” Magos said. “The quickest and easiest way to dispel those reports, is to call the loved one they are talking about.”
He said the majority of these calls, or other common ones like IRS scams, come from other countries and it is difficult to pinpoint where the attacker is.
“There are a lot of call centers mass randomly calling people and saying the federal government wants to give you a check, all I need is your debit or credit card number,” Magos said. “It’s quick, its fast, they don’t leave you any time to step in and ask questions.”
Often times, the elderly in particular are targeted for these crimes.
According to the 2018 Crime Complaint Center report, residents over 60 made up the bulk of the state’s cyber-crime victims (1,700), accounting for the most adjusted losses at almost $12.5 million.
Trevizo said most people are simply trying to follow the rules and become scared by attackers’ tactics, so they comply.
“Most people are law abiding citizens and rule followers so if they hear it’s a legitimate government agency name they’re making some assumptions there, but unfortunately in this day and age you can’t assume its legitimate,” she said. “Now what’s happening is we’re seeing more sophisticated cyber related crime, you name it, they can do it.”
While the individual faces cyber and digital privacy threats on a regular basis, businesses face the challenge of protecting their own data—as well as the data of their customers.
John Rhodes is an attorney and chief privacy officer of Fennemore Craig, a law firm that serves clients on the west coast. Much of his work consists of helping businesses create digital privacy policies and making sure they comply with state and federal laws.
“Data is the new currency,” he said. “It’s the biggest commodity out there and every business, regardless of what business you are in, if you are serving customers and clients you’re going to have to comply with some kind of data rules and regulations, and what those rules and regulations are depend on where your customers are based.”
One of the challenges is many companies that work in the digital sphere serve customers in more than one state, and different privacy regulations and laws exist in each.
“We’re probably some number of years away from some federal privacy law which I think would be really important because internet-based business consumers could be anywhere and potentially those laws would apply to you,” Rhodes said. “Be aware of rules that apply to you they may vary state by state and from industry to industry.”
If a business experiences a data breach, they are required to notify their clients and often state law prescribes what the content of that notification will include. Along with that, some states require additional reporting to an agency like the state Attorney General’s office.
Rhodes said that privacy laws and cyber security standards are changing around the country, and are poised to give consumers and businesses more recourse with their data.
“Technology evolves so fast and privacy and security laws have a tough time catching up with that so it’s rife for these types of attacks and ends up being profitable for scammers,” he said. “I think with respect to legal recourse and laws and standards prescribed by law, historically with legal recourse it’s been difficult.” Courts normally require proof of harm and damages when claims are made, and for a business that might be easy, Rhodes said. For instance, if an internet business that’s incurred a cyberattack or breech which causes their site shut down for a certain amount of time, that may equate to a business loss and show harm.
Recourse for the consumer is more challenging, as being part of a data breach doesn’t necessarily spell out damages.
Rhodes pointed to the California Consumer Privacy Act, enacted the first of this year, as a model for how other state’s laws may evolve over time.
“With the newly amended laws this year [California] can impose statutory damages for breaches if you can show the breach occurred because a business didn’t meet privacy standards or had negligent or lax standards that can be cause for statutory damages,” he said.
Rhodes said it’s important for businesses to be comprehensive in the formation of their digital privacy policies and cyber security measures, but if they receive information about a data breach, they should seek quick assistance.
What can you do
Rhodes said some common cybercrimes include phishing (scam emails or texts designed to look like they are from a legitimate person or organization) and ransomware (when a database or system is held hostage until a fee is paid).
He’s also seen an increase in attacks on mobile devices, an easy target since everyone carries one.
Along with creating good policies and being informed of the applicable laws, Rhodes recommends businesses stay vigilante in staying up to date on the changing technology.
“We always advise businesses to have sound policies and procedures with respect to privacy and security,” he said. “Many state privacy laws actually require that if there’s a breach you’re offered a year of free credit monitoring services so I think that’s important. It’s important for consumers to explore that and make sure they are taking advantage of that and are alerted.”
Officer Magos said the best thing for people to do if they receive a scam call is to hang up.
“A scammer will tell you don’t go to the police and they want to keep you on the phone,” he said. “They won’t let you get off the phone, they’ll say wire me money and you’ll get your loved one back. Always remember that we’re not asking for payment over the phone and we don’t call people asking for payment or saying we will arrest you.”
Threatening arrest or requiring an immediate payment are common red flags of a scammer.
Sgt. Trevizo echoed the advice to hang up and remember that legitimate agencies will never ask you to make a payment through bitcoin, transfer, gift cards or cryptocurrency.
“Overall, the best advice we can give… is if it seems too good to be true it probably is,” she said. “If it’s something that is unexpected, someone claiming you have a warrant or you owe them money, don’t ever do a transaction on the phone then and there. Say thank you, I will research that and you find on your own the independent number of what organization is calling you and you make a follow up phone call. Don’t call the number that called you.”
Lisa Lovallo, Southern Arizona market vice president for Cox Communications, made additional recommendations for individuals to protect their digital privacy.
She recommended using two-factor authentication for logins, keeping antivirus software up to date, avoiding emails that ask you to click a link, using a safe WIFI environment and limiting the information you reveal on social media.
“Make it harder for hackers by not sharing personal identifying information through sites like Facebook, Twitter and Instagram,” she wrote. “Such information can be used as answers to security questions on banking and other sites where you want your data protected.”
Digital attacks will only continue to evolve and cyber attackers continue to become more sophisticated in their methods. It’s important to remain mindful for both the consumer and business.
If you are concerned you’ve been victim to a cyber-attack, you can file a complaint to the FBI online at the Internet Crime Center at ic3.gov.