Data Breach! Now What?

John E. Lande, CIPP/US



  1. 11/11/2019 Data Breach! Now What? John E. Lande, CIPP/US, Shareholder, Dickinson, Mackaman, Tyler & Hagen, P.C.
     Ethics: Competence
     A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation. Iowa R. Civ. P. 32:1.1

  2. Confidential
     (a) A lawyer shall not reveal information relating to the representation of a client . . . . (d) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. Iowa R. Civ. P. 32:1.6
     Safekeeping of Property
     (a) A lawyer shall hold property of clients or third persons that is in a lawyer's possession in connection with a representation separate from the lawyer's own property. Funds shall be kept in a separate account. Other property shall be identified as such and appropriately safeguarded. Complete records of such account funds and other property shall be kept by the lawyer and shall be preserved for a period of six years after termination of the representation. Iowa R. Civ. P. 32:1.15

  3. PSG v. Ironshore Indemnity (N.D. Ga. 2016)
     - PSG: wealth management company
     - 9:10 am: controller received fraudster email
     - 10:15 am: “lawyer” called controller
     - “Lawyer” claimed director authorized wire transfer
     - “Lawyer” emailed wire instructions
     - Controller forwarded email to bank
     - Bank required online submission
     - Controller prepares wire via online system
     - Fraud prevention unit at the bank contacts controller
     - Controller calls “lawyer” to confirm authority
     - Bank released $1.7 million
     How did this happen?
     - Fraudster's fault?
     - Controller's fault?
     - Managing director's fault?
     - Bank's fault?

  4. Preventing PSG v. Ironshore
     - “Lawyer” sent an email with wire instructions
     - Controller forwarded email to bank
     - Bank required online submission
     - Controller prepares wire via online system
     - Fraud prevention unit at the bank contacted controller
     - Controller called “lawyer” to confirm authority
     - Bank released $1.7 million
     Preventing PSG v. Ironshore
     - Segregate duties: controller can't wire money if the controller doesn't have the sole authority
     - Threshold for approval: controller has authority for wires below a certain amount
     Safeguarding Property
     - Design controls so employees don't work around them
     - Require dual authorization for critical functions
     - Least privilege access: only grant authority necessary for job duties

  5. Regulation E
     - Electronic Funds Transfer Act (“EFTA”)
     - Does not apply to accounts for: operations; trust/fiduciary; business
     UCC: Legal Framework
     - Governs non-EFTA and remittance transfers
     - Default: banks are liable for loss
     - Banks can shift liability to account holders if:
       - Bank & account holder agree to verify authenticity of payment orders using a commercially reasonable security procedure
       - Bank follows the procedure in good faith
     Keys for Liability
     - Agreement with customer
     - Waiver of procedure
     - Commercially reasonable security procedure
     - Acceptance of payment order in good faith

  6. Signature Not Enough
     Comparison of a signature on a payment order or communication with an authorized specimen signature of the customer is not by itself a security procedure. UCC § 4A-201
     Waiver: Choice Escrow (8th Cir. 2014)
     - Choice Escrow, a real estate escrow company
     - Used online wire transfer system provided by bank
     - Sent many wires on an irregular basis; no pattern to use
     - Fraudsters took $440,000
     Choice Escrow Security Procedure
     - User 1 enters user ID and password
     - User 1 authorizes wire transfer via online portal
     - User 2 enters user ID and password
     - User 2 authorizes transfer via online portal
     - Daily limits for each user
     - Daily limits for total activity

  7. Choice Escrow Agreement
     - Choice Escrow didn't opt for any of the daily limits
     - Choice Escrow didn't want to use “dual control”: problematic for its business
     - Choice Escrow executed a waiver
     Park Sterling Bank v. Wallace & Pittman
     - Law firm had keylogger installed after clicking on a phishing email
     - Username, password, PIN, and challenge question compromised for online EFT
     - $337,000 transferred from trust account
     - Bank argued that it complied with security procedure so the risk should rest with the law firm
     Confidentiality
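The Choice Escrow security procedure (dual control plus per-user and total daily limits) and the waiver that removed it, expressed as a policy check. This is added illustrative Python, not material from the presentation; user names, limits and the wire amounts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class WirePolicy:
    """Security procedure offered by the bank (constructed values, not from the case)."""
    dual_control: bool = True                      # a second user must approve every wire
    per_user_daily_limit: Optional[int] = 100_000  # dollars per user per day; None = no limit
    total_daily_limit: Optional[int] = 250_000     # dollars per day for the account; None = no limit

# The two configurations the slides contrast: the procedure as offered, and the
# waiver Choice Escrow executed (no dual control, none of the daily limits).
OFFERED = WirePolicy()
WAIVED = WirePolicy(dual_control=False, per_user_daily_limit=None, total_daily_limit=None)

@dataclass
class WireDesk:
    policy: WirePolicy
    user_totals: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    total_today: int = 0

    def submit(self, amount: int, initiator: str, approver: Optional[str] = None) -> Tuple[bool, str]:
        """Apply the policy to one payment order; returns (released, reason)."""
        p = self.policy
        if p.dual_control:
            if approver is None:
                return False, "dual control: second approver required"
            if approver == initiator:
                return False, "dual control: initiator cannot approve own wire"
        # Assumption: a user's daily limit counts every order that user touched.
        participants = [initiator] + ([approver] if approver else [])
        if p.per_user_daily_limit is not None:
            for u in participants:
                if self.user_totals[u] + amount > p.per_user_daily_limit:
                    return False, f"per-user daily limit exceeded for {u}"
        if p.total_daily_limit is not None and self.total_today + amount > p.total_daily_limit:
            return False, "total daily limit exceeded"
        for u in participants:
            self.user_totals[u] += amount
        self.total_today += amount
        return True, "released"

def stolen_credentials_attempt(policy: WirePolicy, amount: int = 440_000) -> Tuple[bool, str]:
    """One compromised login ("user1") tries to push a single large wire."""
    return WireDesk(policy).submit(amount, initiator="user1")
```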

  8. State Bank of Bellingham (8th Cir. 2016)
     - Bank's computer for initiating wire transfers was compromised
     - Hackers transferred $940,000 from bank to accounts in Poland
     - Fraudsters initiated DDOS attack when bank employees identified fraud
     - After reversing some of the transactions the bank lost $485,000
     How did the hackers get in?
     - Failed to implement automatic security updates
     - Clicked on spam that downloaded malware
     - Malware allowed hackers to obtain passwords/usernames
     - Bank employees left secure token in computer
     - Antivirus software detected malware; bank employees failed to remove it
     - Computer was accessible by any employee because the computer was not password protected
     Office 365 Exploits
     - Phishing email leads to compromised credentials
     - Fraudsters gain access to mailbox
     - Re-direct email communication
     - Limited logging by default; difficult to know what fraudsters were interested in
     - Mailboxes often a massive repository of sensitive information

  9. Data Breach Notice
     - 50 states, D.C., Puerto Rico, and Virgin Islands have notice statutes
     - Alphabet soup of federal rules: HIPAA, GLBA, FERPA, FTC
     - Inconsistent requirements
     - Some require identity theft monitoring to be offered if SSNs are compromised
     Ransom Attack
     - 4:30 pm on Friday user logs in and finds data encrypted
     - Backups v. replicas
     - Engage attorney
     - Engage forensic team
     Obstacles to Negotiation/Payment
     - Communication with fraudsters
     - Collecting Bitcoin
     - Trusted Bitcoin collectors
     - Transmission to right wallet
     - FBI involvement

  10. Insurance: Last Line of Defense
     State Bank of Bellingham, Eighth Circuit: “‘[T]he efficient and proximate cause’ of the loss in this situation was the illegal transfer of the money and not the employees' violations of policies and procedures. . . . [B]ased on ‘the climate of Minnesota, water infiltration is certain when not prevented by proper construction,’ and therefore the water damage . . . was ‘the inevitable physical loss.’ . . . Unlike the water damage . . . an illegal wire transfer is not a ‘foreseeable and natural consequence’ of the bank employees' failure to follow proper computer security policies, procedures, and protocols.”
     Insurance
     - Computer fraud
     - Social engineering
     - Event management / incident response
     - Ransomware

  11. Key Insurance Coverage
     - First-party loss
     - Third-party loss
     - Forensic investigation
     - Regulatory response
     - Data breach notice
     - Voluntary acts
     - Crime / fraud / ransom
     Questions? John Lande, jlande@dickinsonlaw.com, 515.246.4509
