
Frequently Asked Questions (FAQ)

If you desire answers to questions which have not been included please forward your questions to info@acapsecurity.com.

1. What does the acronym ACAP mean?

2. What is cyber-crime and cyber-theft?

3. Why are cyber-crime activities increasing?

4. Is my organization, business or government agency a cyber-crime target?

5. What information are cyber-criminals seeking?

6. How do cyber-criminals convert credit card and debit card information into cash?

7. How do cyber-criminals convert bank account information into cash?

8. How do cyber-criminals convert Identity (ID) information into cash?

9. What information does a cyber-criminal need to perpetrate an ID Theft?

10. What forces or events are causing this new major increase in cyber-crime liability exposure to my organization?

11. Can an organization be held liable for the failure of another organization to provide adequate cyber-security of protected information?

12. Can a director, trustee, officer, or staff member of an organization be held personally liable for financial losses to a damaged-victim of a cyber-crime attack on their employer’s organization?

13. Can a professional advisor, consultant, contractor, vendor or supplier be held liable for the failure of a customer or client organization to provide adequate cyber-security of protected information?

14. What are the typical losses to a victim of an Identity Theft?

15. How can an organization or individual avoid liability?

16. What is the ACAP System Standard-of-Care defense or the “Safe Harbor” defense and how is compliance measured or established?

17. What is the ACAP System “Assumption-of-the-Risk” defense or the “Risk Diversion” defense and how is compliance measured or established?

18. Does the ACAP System support fulfillment of FISMA requirements?

19. Does the ACAP System support fulfillment of HIPAA requirements?

20. Does the ACAP System support fulfillment of the Gramm-Leach-Bliley (GLB) Act?

21. Can the ACAP System be used by Federal agencies to comply with FISMA and OMB Circular No. A-130 requirements?

22. Can the ACAP System be used by State and local governments and agencies?

23. What amount of commitment is required to install and operate the ACAP System?

24. What are the typical costs and financial benefits of implementing the ACAP System?

25. Does general liability insurance provide protection against cyber-crime losses and damage claim liabilities?

26. Does a Directors and Officers (D&O), or a Professional Errors and Omissions (E&O) insurance policy provide protection against cyber-crime losses and damage claim liabilities?

27. Since Credit Card companies and the banks significantly limit the credit losses that are suffered by an individual victim who is the true damaged-victim of an ID theft or a credit or debit card information cyber-theft, who are the damaged claimants that will be seeking recovery from the organization?

28. Does the ACAP System allow an organization to control the privacy and the confidential nature of its cyber-security operations?

1. What does the acronym ACAP mean?
The acronym ACAP stands for Advanced Cyber-crime Attack Protection.


2. What is cyber-crime and cyber-theft?
Cyber-crime is the use of computers and communication systems to commit a criminal act which involves the use of information in electronic format. The term cyber-crime refers to acts of cyber-theft, cyber-manipulation, cyber-extortion or cyber-terror.
Cyber-theft is the use of computers and communication systems to steal information in electronic format.

Cyber-theft usually involves the extraction of a copy of the electronic information. By taking only a copy of the protected information the cyber-thief often remains undetected, the crime remains unreported and the criminal is never apprehended.

An expanded discussion of this subject is available. See the Home page, click on the “Cyber Security Report.”

3. Why are cyber-crime activities increasing?
It is much easier for a criminal to “rob” a computer system than to “rob” a bank or convenience store. Computers now store identity information and financial information, both of which provide cyber-criminals with large financial rewards for committing a cyber-theft. Cyber-based crime has grown significantly and is forecast to continue its accelerated growth.

4. Is my organization, business or government agency a cyber-crime target?
Yes. Historical evidence has proven that no organization, business or government agency is exempt from being targeted for a cyber-crime attack. Crime syndicates do not discriminate in their cyber-crime activities. They are just as willing to steal valuable electronic information from a one-man home-office as they are from a large multi-national corporation.

5. What information are cyber-criminals seeking?
Cyber-criminals are seeking information which will allow them to steal an individual’s or an organization’s: (a) identity information, (b) credit information, (c) credit card account information, (d) debit card account information, (e) retirement or pension fund account information, (f) bank, savings or credit union account information, (g) stocks, bonds, annuity, and investment account information, and (h) other protected information.

6. How do cyber-criminals convert credit card and debit card information into cash?
The cyber-criminals simply order merchandise (such as diamonds or jewelry) with the stolen credit card and immediately sell the purchased items at a discounted price for quick cash. They also make direct cash withdrawals from the victim’s existing credit card accounts. The same approach is used with a debit card; however, with a debit card it is usually easier to withdraw cash directly from the victim’s bank account.

7. How do cyber-criminals convert bank account information into cash?
They use the account information to obtain new credit, to expand existing credit limits, and sometimes even to print and use fraudulent checks. A single fraudulent check submitted to the victim’s bank for cash could empty the victim’s bank account. A single fraudulent on-line banking funds transfer can totally empty a victim’s bank, savings or credit union account and even take the victim’s overdraft protection funds associated with the account.

8. How do cyber-criminals convert Identity (ID) information into cash?
Once a cyber-criminal has assembled the minimum information to apply for a credit card, a debit card or any merchant-offered credit, the cyber-criminal rapidly proceeds to apply for new credit from every source possible. Once the credit is obtained, the cyber-criminal simply orders merchandise (such as diamonds or jewelry) with the newly acquired credit and immediately sells the purchased items at a discounted price for quick cash. He will also make direct cash withdrawals against these new credit accounts. Normally the cyber-criminal can accumulate a significant amount of cash within 30 to 45 days. The FBI estimates the typical cyber-crime cash losses to a victim from a cyber-crime Identity-theft at between $45,000 and $250,000. To accomplish this the cyber-criminal may acquire 15 new credit cards. If the average credit limit is $7,500 per card, the total cash the cyber-criminal can grab is $112,500. A good crime syndicate will ensure all of this cash is in their hands in less than 30 days from the date of the cyber-crime attack.

9. What information does a cyber-criminal need to perpetrate an ID Theft?
The cyber-criminal usually needs, as a minimum, the victim’s name, address, date of birth and social security number. Any additional information about the victim makes the conversion to cash simpler and usually faster. Normally if a cyber-criminal obtains a few of these key items he can obtain the balance of the identity information from many freely accessible on-line sources, such as public records.

10. What forces or events are causing this new major increase in cyber-crime liability exposure to my organization?
There are three major forces or events which are causing your organization to be exposed to enormous new damage claim liability. They include: 1) the entry of organized crime syndicates into cyberspace crime; 2) the enactment of the Federal Information Security Management Act (FISMA); and 3) the continued propensity of Americans to initiate damage claim litigation.
A detailed discussion of each of these three subjects and their potential impact on your organization is available. See the Home page, click on the “Cyber Security Report.”

11. Can an organization be held liable for the failure of another organization to provide adequate cyber-security of protected information?
Absolutely. Liability can exist under a number of established legal duties owed to a damaged-victim. Your organization may owe a duty to warn of the risk, a duty to supervise or manage another organization to comply with FISMA, or a similar duty. Your organization may have access rights to the protected information stored and maintained at the other organization and thereby be jointly responsible for the security of the protected information.
These are just a few examples. An expanded discussion of this subject is available. See the Home page, click on the “Cyber Security Report.”

12. Can a director, trustee, officer, or staff member of an organization be held personally liable for financial losses to a damaged-victim of a cyber-crime attack on their employer’s organization?
Absolutely. That is why it is very important that every director, trustee, officer, or staff member of an organization, by written notice, advise their employer of the need to acquire an ACAP System and comply with FISMA requirements. ACAP offers two important defenses: 1) the “standard-of-care” defense and 2) the “assumption-of-the-risk” defense.
To protect yourself, your employer organization needs to establish and maintain both of these important defenses. An expanded discussion of this subject is available. See the Home page, click on the “Cyber Security Report.”

13. Can a professional advisor, consultant, contractor, vendor or supplier be held liable for the failure of a customer or client organization to provide adequate cyber-security of protected information?
Absolutely. Anyone with access rights to a customer or client organization’s protected information can be the actual or alleged access pathway used by a cyber-criminal to enter the customer or client organization’s computer system and commit the cyber-crime. You are then the alleged facilitator of the crime; without your negligence the crime could not have happened and the damaged-victim would not have suffered any financial losses.

That is why it is very important that every professional advisor, consultant, contractor, vendor and supplier associated with an organization, by written notice, advise the customer or client organization of their need to acquire an ACAP System and comply with FISMA requirements. ACAP offers two important defenses: 1) the “standard-of-care” defense and 2) the “assumption-of-the-risk” defense.

To protect yourself, all of your customer and client organizations need to establish and maintain both of these important defenses. An expanded discussion of this subject is available. See the Home page, click on the “Cyber Security Report.”

14. What are the typical losses to a victim of an Identity Theft?
Available statistics from the Secret Service, the FBI organization responsible for pursuing Identity Theft cases, regarding its identity-theft related cases for fiscal years 1998-2000, show that the actual losses to victims in the cases where the FBI was able to quickly pursue the criminals averaged $46,119, and the potential total loss to the victim if the criminal was not apprehended averaged $263,815. For risk management purposes the ACAP System damage assessment function allows analysis using various values. Commonly used analysis values are between $20,000 and $80,000 per stolen individual’s identity.
Source: United States General Accounting Office (GAO) Report to U.S. Congress, GAO-02-363, March 2002, Subject: IDENTITY THEFT: Appendix II - Identity Theft Prevalence and Cost.

15. How can an organization or individual avoid liability?
An organization can mitigate the liability exposure by 1) reducing the chance of a cyber-crime attack penetration of the organization’s computer systems and 2) preparing effective responses to a successful cyber-crime attack. The ACAP System provides an organization with the capabilities to accomplish both of these important objectives. In addition to providing products with advanced attack defense technology, ACAP provides the elements and foundation for your organization to prepare effective damage claim liability defenses.
An individual can mitigate the liability exposure by notifying the associated organization of the risk of cyber-crime attack and the very high damage claim liability exposure. If the organization fails to heed the notice and warning an individual may be required to take additional action to avoid potential liability and should seek the advice of legal counsel.

16. What is the ACAP System Standard-of-Care defense or the “Safe Harbor” defense and how is compliance measured or established?
The ACAP System Standard-of-Care defense is one of the potential means of avoiding liability for the losses suffered by the damaged-victims of a cyber-crime attack. The defense is obtained by an organization meeting or exceeding the duty-of-due-care or the standard-of-care in the cyber-security of sensitive, confidential and trade secret information, defined as protected information, as established by the Federal Information Security Management Act (FISMA). The ACAP System provides an organization with the guidance and capabilities to facilitate compliance with FISMA and thereby the “safe harbor” from liability which compliance creates.

Compliance can be determined or measured by many means. The ACAP aScore service is possibly the most efficient. It provides upon demand an aScore measurement which numerically measures an organization’s compliance with the standard-of-care requirements established by FISMA. To determine this compliance value it utilizes information which the organization develops as part of the ACAP System risk management services.

No liability defense is effective without credible evidence to substantiate compliance with FISMA prior to, during and after an alleged cyber-crime attack. Frequently obtained aScore measurements provide an independent source of evidence as to compliance with FISMA and support the effectiveness of the “safe harbor” defense.

17. What is the ACAP System Assumption-of-the-Risk defense or the “Risk Diversion” defense and how is compliance measured or established?
The Assumption-of-the-Risk defense is a potential means of avoiding damage claim liability that could result from a cyber-crime attack. This “risk diversion” defense is founded upon the concept of notice and acceptance. The organization provides notice of the risk to all potential damaged-victims of a cyber-crime attack and the potential damage claimant accepts the noticed risk, thereby releasing or waiving any and all rights to claim damages against the organization. It is not a perfect defense but, as discussed in the ACAP Liabilities and Defense Book, Book Eight of the ACAP System Reference Book Library, it is effective at times and worth including as part of an organization’s liability defense preparedness activities.

The ACAP System provides both general and targeted risk notices, releases, compliance demand notices, contract compliance clauses and guidance on the procedures required to establish an Assumption-of-the-Risk defense.

18. Does the ACAP System support fulfillment of FISMA requirements?
Yes. The ACAP System provides all of the guidance, materials, products, support and services needed by any organization to fulfill the requirements established by the Federal Information Security Management Act (FISMA) and the related regulations, including, in particular, OMB Circular No. A-130, including Appendix III.

19. Does the ACAP System support fulfillment of HIPAA requirements?
Yes. The ACAP System is focused on fulfillment of the FISMA requirements but because the Act utilizes a very broad definition of protected information, which includes patient and medical information, compliance with FISMA ensures fulfillment of many of the HIPAA requirements associated with the protection of medical information that is in electronic format.

20. Does the ACAP System support fulfillment of the Gramm-Leach-Bliley (GLB) Act?
Yes. The ACAP System is focused on fulfillment of the FISMA requirements but because the Act utilizes a very broad definition of protected information, which includes client and customer financial information, compliance with FISMA ensures fulfillment of many of the GLB Act requirements associated with the protection of financial information that is in electronic format.

21. Can the ACAP System be used by Federal agencies to comply with FISMA and OMB Circular No. A-130 requirements?
Yes. The ACAP System is focused on fulfillment of the FISMA requirements; therefore it provides a superb set of products and services for compliance with FISMA and OMB Circular No. A-130 by every Federal government agency. It is simple to use, provides the controls and security required, and supplies the automated reports and performance tracking of compliance required by the Act. It does include a few features, such as the liability defense elements of the System, which may not be utilized by some Federal agencies.

The ACAP System is the miracle that every government supervisor, manager, and director of an agency has been requesting. Annual reports, semi-annual reports, monthly reports and even daily cyber-security reports can be provided on any or all computer systems within the agency. The ACAP System can be specified as a requirement for use by all government contractors and subcontractors, allowing the Federal agency, by receiving regular ACAP reports, to assure interface security and contractor compliance with FISMA.

Furthermore, the ACAP System is very affordable, easy to install, and is noninvasive to existing government or contractor systems and operations. See, it is a miracle! If your organization is a government agency you need the ACAP System.

Sign up and try it. If your organization’s time and resources committed to FISMA compliance are not reduced, or if your organization does not receive a “Great Job” award from OMB for fulfilling the FISMA and OMB Circular No. A-130 annual reporting requirements, cancel your subscription. But I can assure you, because of the continued pressure by OMB to assure compliance with FISMA, once the management of your agency becomes fully aware of all of the great features offered to aid them in both assuring compliance and reporting on compliance of the various computer systems, both GSS and MAS, and all of the organizational components of the agency, they will be elated, if not ecstatic.

We are a service oriented company dedicated to supporting your organization in successfully complying with FISMA. Should you require special services or require assistance in any manner please contact me personally at: glenn_gearahart@acapsecurity.com. You have my assurance your request will be promptly addressed.

22. Can the ACAP System be used by State and local governments and agencies?
Yes. The ACAP System is focused on fulfillment of the FISMA and OMB Circular No. A-130 requirements, which have been defined to apply to State and local governments and agencies:

Thus, because FISMA applies to both information and information systems used by the agency, contractors, and other organizations and sources, it has somewhat broader applicability than that of prior security law. That is, agency IT security programs apply to all organizations (sources) which possess or use Federal information – or which operate, use, or have access to Federal information systems – on behalf of a Federal agency.

Such other organizations may include contractors, grantees, State and local governments, industry partners, etc. FISMA therefore underscores longstanding OMB policy concerning sharing government information and interconnecting systems, i.e., Federal security requirements continue to apply and the agency is responsible for ensuring appropriate security controls (see OMB Circular A-130, Appendix III).
Source: OMB Memo on FISMA, M03-19, August 6, 2003. Underline added.



The ACAP System products and services are very affordable, simple to use, provide the controls and security required, and supply the automated reports and performance tracking of compliance required by the Act.

Sign up and try it. If your organization’s time and resources committed to FISMA compliance are not reduced, or if your organization does not receive a “Well Done” award from senior management, cancel your subscription. But I can assure you, once the management of your organization becomes fully aware of all of the great features offered to aid them in both assuring compliance and reporting on compliance of the various computer systems and all of the organizational components, they will be elated, if not ecstatic.

We are a service oriented company dedicated to supporting your organization in successfully complying with FISMA. Should you require special services or require assistance in any manner please contact me personally at: glenn_gearahart@acapsecurity.com. You have my assurance your request will be promptly addressed.

23. What amount of commitment is required to install and operate the ACAP System?
The degree of difficulty and the amount of resources required to install, operate and maintain an ACAP System is somewhat a function of the size of the organization and number of computer systems. However, the System has been designed to be operated effectively by a one-person office; therefore, as an overlay onto your organization’s existing cyber-security defense system and activities, the additional resources required to implement the ACAP System are minimal.

24. What are the typical costs and financial benefits of implementing the ACAP System?
The ACAP System with all of its products and services is very affordable. Pricing is based upon the number of computers that are operated by the organization and is only $14.95 plus $5 per computer per month. As an example, that means an ACAP System subscriber with 50 computers receives full service and capabilities for only $265 per month.
Would you be willing to expend $265 per month to reduce or possibly eliminate $5 million, $20 million or $100 million in damage claim liability exposure? Are you prepared to commit to a small monthly service fee in return for reducing and possibly even eliminating your organization’s significant liability exposure?

25. Does general liability insurance provide protection against cyber-crime losses and damage claim liabilities?
Some do and some do not. It is important that coverage terms, coverage limits and coverage exclusions are clear and concise. It is advisable that each existing policy be carefully reviewed with your agent and any discrepancies be addressed in writing and attached to the policy as an addendum or clarification amendment. If coverage is provided, and in many cases it is NOT, carefully consider the policy dollar amount limits. Even a small one-man office can be exposed to liabilities of $1 million to $50 million. An ACAP System can provide the capability to significantly mitigate this large potential risk exposure such that a cyber-security insurance policy can actually offer relevant and beneficial protection.

26. Does a Directors and Officers (D&O), or a Professional Errors and Omissions (E&O), insurance policy address these potential cyber-crime liabilities?
Many do not, or if they do, the coverage limits are normally far below the potential damage claim liability exposure created by one’s association with an organization that could become the target of a serious cyber-crime attack. It is important that coverage terms, coverage limits and coverage exclusions be determined and the results be factored into an individual’s personal risk management decisions.

Clearly the commitment and the diligent implementation of an ACAP System by the organization to which the individual is affiliated or associated can aid in mitigating the risk exposure, but the liability is personal and each individual must address their acceptable degree of risk exposure and take those actions necessary to mitigate the risk. Because of the magnitude of the potential damage liability one may desire to seek advice of legal counsel and notify the management of the associated organization of the individual’s desire for the organization to acquire and implement the ACAP System.

27. Since Credit Card companies and the banks significantly limit the credit losses that are suffered by an individual victim who is the true damaged-victim of an ID theft or a credit or debit card information cyber-theft, who are the damaged claimants that will be seeking recovery from the organization?
By statute most credit card customers are limited in the losses which they can suffer from the fraudulent use of their credit card. That is now beginning to be extended to many debit cards. But these loss limits associated with the use of the cards do not reimburse the victim for the damages which occur from the resulting destruction of a victim’s previously “good” credit as reported at the three major credit reporting agencies. They often do not address newly established credit, direct withdrawals from a victim’s bank, savings or credit union account and many other types of losses. It is true that in many situations the three large 900-pound gorillas, MasterCard, Visa and American Express, are the organizations that absorb the majority of the losses from credit card theft and debit card theft. Furthermore, they also experience significant losses from identity theft. But they are also assignees, the recipients, of the victim’s right to pursue legal redress of the losses. So whether it is the actual individual victim, the 900-pound gorillas or a combination of both, one can be very assured that as these cyber-crime losses continue to increase, the class action trial lawyers and the 900-pound gorillas will be seeking redress from many organizations who are not diligent in cyber-securing their protected information.

28. Does the ACAP System allow an organization to control the privacy and the confidential nature of its cyber-security operations?
Yes. The information collection structure, the access controls and the control of the management and information tracking and operational performance systems support full privacy and confidentiality of an organization’s cyber-security operations and data archiving activities while greatly enhancing the organization’s liability defenses and risk mitigation capabilities.

This material is provided solely to support cyber-security education and awareness in the use and benefits of the ACAP System and the products and services. No intention or direction is made that any of the materials provided become legal advice or binding documents, terms, conditions or sources for the management decisions or operational actions of an organization. The included discussions, topics and guidance are not intended to be all-inclusive and they are subject to change without notice.

 
