Visual Hacking: Another Challenge for Your Informational Security Program

portfolio_gallery_4The threat posed by computer hackers to consumers’ personal information stored on company servers is all too common, and companies that store such information are obligated to take all reasonable measures to protect it, and to inform affected customers when their protection measures are breached.   California and Florida also require companies to notify affected parties when a username or email address, in combination with other information that would enable access to an online account (i.e., a password or security question) are compromised.  The Golden and Sunshine states will soon be joined by Wyoming, Rhode Island, and Nevada, and this requirement is also being considered at the federal level.

But there’s a hidden threat to data security that is all too often overlooked: the fact that anyone with access to your data and a smartphone can easily steal everything your company is trying to protect.  The sad fact is, regardless of the strength of your security measures, they can be foiled with the click of a button.

This relatively low-tech approach to stealing sensitive information with a camera is certainly nothing new- back in the day, it was SOP for the CIA and the KGB.  Today, this risk to cyber security is known as visual hacking, and it is remarkably effective: a small, powerful smartphone camera can capture everything displayed on a computer screen in an instant without leaving a digital trace. Thieves have used visual hacking to steal bank information for a long time, most often by recording bank customers as they enter their PIN numbers into an ATM machine.

Preventing customers or visitors to your office from snapping photos of computer screens is as simple as not leaving them unattended, but how do you protect yourself against the possibility of a rogue employee with legitimate access from doing the same thing?   Incorporating the following simple protocols into your data security program can help reduce your exposure to the risk of visual hacking.

  • Install cameras to monitor employee activity.  The mere fact that they may be recorded might help unscrupulous employees to resist temptation.
  • Employ an open, cubicle-free office environment to enable supervisors to view activity from a distance.
  • Automatically lock computer stations after short periods of non use, or require employees to log out whenever they leave their desk.
  • Limit the display of sensitive customer information to the smallest amount required to perform a particular task.
  • Restrict employees from using their phones anywhere in the office other than the break room.
  • Limit the printing of documents that contain sensitive information, and post a trusted employee next to a network printer to ensure that unauthorized employees aren’t printing sensitive information.
  • Conduct periodic checks of employees and their workstations to confirm adherence to your visual hacking prevention policies.

Consider having your internal policies and procedures reviewed by your corporate attorney.  He or she can help point out holes in the program that could lead to a breach.

Seth Heyman
Seth D. Heyman is a California attorney with extensive experience in advertising and marketing law, corporate law, contracts, governmental regulations, international business, and Internet law. He has counseled numerous successful companies, both public and private, and was responsible for regulatory compliance, contract management, corporate governance, and HR best practices for multiple organizations in many diverse industries, including marketing, telecommunications, energy, and technology development. He offers insight and guidance on federal and state direct mail, TV, radio, telemarketing, and Internet marketing laws, as well as online promotions, Internet privacy, data protection regulations, and similar matters.