Da ta Bre a c h! No w Wha t? Jo hn E . L a nde , CIPP/ US Sha re - - PDF document
11/11/2019 Da ta Bre a c h! No w Wha t? Jo hn E . L a nde , CIPP/ US Sha re ho lde r Dic kinso n, Ma c ka ma n, T yle r & Ha g e n, P.C. E thic s Compe te nc e A la wye r sha ll pr ovide c ompe te nt r e pr e se ntation to a c
Jo hn E . L a nde , CIPP/ US Sha re ho lde r Dic kinso n, Ma c ka ma n, T yle r & Ha g e n, P.C.
A la wye r sha ll pr
r e pr e se ntation to a c lie nt. Compe te nt re pre se ntation re quire s the le g a l knowle dg e , skill, thoroug hne ss, a nd pre pa ra tion re asonably ne c e ssary for the re pre se ntation. Iowa R. Civ. P. 32:1.1
Compe te nc e
(a) A lawye r shall not r e ve al infor mation r e lating to the re pre se ntation of a c lie nt . . . . (d) A lawye r shall make r e asonable e ffor ts to pr e ve nt the inadve rte nt or unauthorize d disc losure of, or unauthorize d ac c e ss to, infor mation r e lating to the r e pr e se ntation of a c lie nt. Iowa R . Civ. P. 32:1.6
Confide ntia l
(a) A lawye r shall hold prope rty of c lie nts or thir d pe r sons that is in a la wye r's posse ssion in c onne c tion with a re pre se nta tion se par ate fr
the la wye r's own prope rty. F unds shall be ke pt in a se par ate ac c ount. Othe r pr
ty shall be ide ntifie d as suc h and appr
iate ly safe guar de d. Comple te re c ords of suc h a c c ount funds and othe r pr
ty shall be ke pt by the lawye r and shall be pr e se r ve d for a pe r iod of six ye ar s a fte r te rmina tion of the re pre se nta tion. Iowa R. Civ. P. 32:1.15
Sa fe ke e ping of Prope rty
PSG: we a lth ma na g e me nt c ompa ny 9:10 a m: c ontr
re c e ive d fraudste r e mail 10:15 a m: “la wye r ” c a lle d c ontr
“L a wye r” c la ime d dire c tor a uthorize d wire tra nsfe r
PSG v. Ir
e Inde mnity (N.D. Ga. 2016)
“L a wye r ” e ma ile d wir e instr uc tions Contr
for wa r de d e ma il to ba nk Ba nk r e quir e d online submission Contr
pr e pa r e s wir e via online syste m F r a ud pr e ve ntion unit a t the ba nk c onta c ts c ontr
Contr
c a lls “la wye r ” to c onfir m a uthor ity Ba nk re le a se d $1.7 million
PSG v. Ir
e Inde mnity
F r audste r ’s fault? Controlle r’s fault? Ma na g ing dire c tor’s fa ult? Bank’s fault? How did this ha ppe n?
“L a wye r ” se nt a n e ma il with wir e instr uc tions Controlle r forwa rde d e ma il to ba nk Bank r e quir e d online submission Contr
pr e par e s wir e via online syste m F ra ud pre ve ntion unit a t the ba nk c onta c te d c ontr
Contr
c alle d “lawye r ” to c onfir m author ity Ba nk r e le a se d $1.7 million Pr e ve nting PSG v. Ir
e
Se g re g a te dutie s Contr
c an’t wir e mone y if the c ontr
doe sn’t have the sole a uthority T hre shold for approval: Controlle r ha s a uthority for wire s be low a c e rtain amount
Pre ve nting PSG v. Ir
e
De sig n c ontrols so e mploye e s don’t work a r
Re quir e dua l a uthoriza tion for c r itic a l func tions L e a st privile g e a c c e ss: only g ra nt a uthority ne c e ssa ry for job dutie s
Sa fe g ua rding Prope rty
E le c tronic F unds T ransfe r Ac t (“E F T A”) Doe s not a pply to ac c ounts for: Ope ra tions T r ust/ F iduc iar y Busine ss Re g ula tion E
Gove r ns non-E F T A and r e mittanc e tra nsfe r s De fa ult: Ba nks a re lia ble for loss Ba nks c a n shift lia bility to a c c ount holde r s Ba nk & a c c ount holde r a g r e e to ve r ify a uthe ntic ity of pa yme nt or de rs using a c omme r c ia lly r e a sona ble se c ur ity pr
e Ba nk follows the pr
e in g ood fa ith
UCC: L e g a l F ra me work
Agr e e me nt with Custome r Waive r
e Comme r c ially r e asonable se c ur ity pr
e Ac c e ptanc e of payme nt
de r in good faith
Ke ys for L iability
Compar ison of a signatur e on a payme nt or de r
c ommunic ation with an author ize d spe c ime n signatur e of the c ustome r is not by itse lf a se c ur ity pr
e . UCC § 4A-201
Sig na ture Not E noug h
Choic e E sc r
e al e state e sc row c ompany Use d online wir e tr ansfe r syste m provide d by bank Se nt ma ny wir e s on ir r e gular basis— no pa tte r n to use F raudste rs took $440,000
Wa ive r: Choic e E sc r
. 2014)
Use r 1 e nte r s use r ID and pa ssword Use r 1 author ize s wir e tra nsfe r via online porta l Use r 2 e nte r s use r ID and pa ssword Use r 2 author ize s tr ansfe r via
tal Da ily limits for e a c h use r Da ily limits for tota l a c tivity
Choic e E sc r
Choic e E sc r
for any of the daily limits Choic e E sc r
want to use “dual c ontr
Pr
its busine ss Choic e E sc r
a waive r
Choic e E sc r
L aw fir m had ke ylogge r installe d afte r c lic king on a phishing e mail Use rna me , pa ssword, pin, a nd c ha lle ng e que stion c ompromise d for online E F T $337,000 tr ansfe r r e d fr
ust a c c ount Bank ar gue d that it c omplie d with se c urity proc e dure so the risk should re st with the law firm
Par k Ste r ling Bank v. Wallac e & Pittman
Ba nk’s c ompute r for initia ting wir e tra nsfe rs wa s c ompromise d Ha c ke r s tr a nsfe r r e d $940,000 fr
ba nk to a c c ounts in Pola nd F ra udste rs initia te d DDOS a tta c k whe n bank e mploye e s ide ntifie d fr aud Afte r r e ve r sing some of the tr a nsa c tions the ba nk lost $485,000
State Bank of Be llingham (8th Cir . 2016)
F aile d to imple me nt automatic se c ur ity update s; Clic ke d on spam that downloade d malwar e ; Malwar e allowe d hac ke r s to obtain passwor ds/ use r name s; Bank e mploye e s le ft se c ure toke n in c ompute r; Antivir us softwar e de te c te d malwar e ; bank e mploye e s faile d to r e move it; Compute r was ac c e ssible by any e mploye e be c ause the c ompute r was not passwor d pr
How did the ha c ke rs g e t in?
Phishing e mail le ads to c ompr
e de ntia ls F r audste r s gain ac c e ss to mailbox Re - dir e c t e ma il c ommunic a tion L imite d logging by de fault; Diffic ult to know wha t fra udste rs we re inte r e ste d in Mailboxe s ofte n massive r e positor y of se nsitive information
Offic e 365 E xploits
Data Br e ac h Notic e : 50 state s, D.C., Pue r to Ric o, and Vir gin Isla nds ha ve notic e sta tute s Alpha be t Soup of F e de r a l Rule s: HIPAA, GL BA, F E RPA, F T C Inc onsiste nt r e quir e me nts Some re quir e ide ntity the ft monitor ing to be offe r e d if SSNs a re c ompromise d
Da ta Bre a c h Notic e
4:30 pm on F rida y use r log s in a nd finds da ta e nc rypte d Ba c kups v. Re plic a s E ng a g e Attorne y E ng a g e F
e a m
Ra nsom Atta c k
Communic ation with F r audste r s Colle c ting Bitc oin T r uste d Bitc oin Colle c tor s T r ansmission to Right Walle t F BI Involve me nt
Obsta c le s to Ne g otia tion/ Pa yme nt
E ig hth Circ uit: “‘ [T ]he e ffic ie nt a nd pro xima te c a use ’ o f the lo ss in this situa tio n wa s the ille g a l tra nsfe r o f the mo ne y a nd no t the e mplo ye e s' vio la tio ns o f po lic ie s a nd pro c e dure s. . . . [B]a se d
c e rtain whe n no t pre ve nte d b y pro pe r c o nstruc tio n,’ a nd the re fo re the wa te r da ma g e . . . wa s ‘ the ine vita ble physic al lo ss.’ . . . Unlike the wa te r da ma g e . . . an ille gal wir e tr ansfe r is not a “for e se e able and natur al c onse que nc e ”
bank e mploye e s' failur e to follow pr
se c ur ity polic ie s, pr
e s, and pr
State Bank of Be llingham
Compute r F r aud Soc ial E ngine e r ing E ve nt Manage me nt / Inc ide nt Re sponse Ra nsomwa r e
Insur anc e
F ir st- par ty loss T hird- party loss F
Re gulatory re sponse Da ta bre a c h notic e Voluntary ac ts Cr ime / F r aud/ Ransom Ke y Insuranc e Cove rage
John L ande jlande @dic kinsonlaw.c om 515.246.4509
Que stions?