Cybersecurity & Computer Fraud - The Convergence
Uploaded by shawn-tuma. Category: Law.
Transcript of Cybersecurity & Computer Fraud - The Convergence
www.solidcounsel.com
The Convergence! Cybersecurity & Computer Fraud
“There are only two types of companies: those that have been hacked, and those that will be.” –Robert Mueller
43% of businesses had a data breach in 2014
62% of cyber attacks hit SMBs
Target, Home Depot, Neiman Marcus, Michael’s, Specs, TJ Maxx, eBay, Sally Beauty, PF Chang’s, UPS, Dairy Queen, Jimmy John’s, JP Morgan Chase, Kmart, Staples, Sony, Ashley Madison
Yes, Legal
Computer Fraud & Cybersecurity
What is fraud?
Fraud 2.0
Intersection between computer fraud & cybersecurity / data breach
The irony of all of this …
Outsider & Insider Threats
Malicious
• compete
• newco
• sabotage
• disloyal insider
Negligence
• email
• USB
• passwords
Blended
• foot out the door
• misuse of network
• stealing data
• negligence with data
• violate use policies
Hacking / Cracking
Social Engineering
Malware
Stealing / Planting / Corrupting
Data Sources
Company Data
Workforce Data
Customer / Client Data
Other Parties’ Data
3rd Party Business Associates’ Data
Outsiders’ Data
Threat Vectors
Network
Website
BYOD
USB, GSM
Internet Surfing
Bus. Assoc.
People
Legal Obligations
International Laws: Safe Harbor, Privacy Shield
Federal Laws & Regs: HIPAA, GLBA, FERPA; FTC, FCC, SEC
State Laws: 47 states (exceptions: Ala, NM, SD); Fla (w/in 30 days), OH & VT (45 days)
Industry Groups: PCI, FINRA, etc.
Contracts: Vendors & Suppliers, Business Partners, Data Security Addendum
ACC Study (Sept ‘15)
What concerns keep Chief Legal Officers awake at night?
#2 = Data Breaches
82% consider them somewhat, very, or extremely important
Cost of a Data Breach – US
2013 Cost
• $188.00 per record
• $5.4 million = total average cost paid by organizations
2014 Cost
• $201 per record
• $5.9 million = total average cost paid by organizations
2015 Cost
• $217 per record
• $6.5 million = total average cost paid by organizations
(Ponemon Institute Cost of Data Breach Studies)
Thinking about security … tactics change …
“Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing.”
-Sun Tzu, The Art of War
Latest Trends
Ransomware Epidemic
Healthcare Industry: Evolving Threat
Litigation
Consumer Litigation
Got Standing? No / Yes
Peters v. St. Joseph Services, 74 F.Supp.3d 847 (S.D. Tex. Feb. 11, 2015)
Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015)
Whalen v. Michael Stores Inc., 2015 WL 9462108 (E.D.N.Y. Dec. 28, 2015)
In re SuperValu, Inc., 2016 WL 81792 (D. Minn. Jan. 7, 2016)
In re Anthem Data Breach Litigation, 2016 WL 589760 (N.D. Cal. Feb. 14, 2016) (J. Lucy Koh)
Regulatory & Administrative
Regulatory & Administrative – SEC
S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).
“Firms must adopt written policies to protect their clients’ private information”; “they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
Violated the “safeguards rule”: 100,000 records (no reports of harm); $75,000 penalty
Regulatory & Administrative – FTC
In re GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug. 14, 2014). The FTC’s Order requires businesses to follow 3 steps when contracting with third party service providers:
1. Investigate before hiring data service providers.
2. Obligate their data service providers to adhere to the appropriate level of data security protections.
3. Verify that the data service providers are complying with their obligations (contracts).
Regulatory & Administrative – FTC
F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015). The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act. Companies have fair notice that their specific cybersecurity practices could fall short of that provision.
3 breaches / 619,000 records / $10.6 million in fraud
Rudimentary practices v. 2007 guidebook
Website Privacy Policy misrepresentations
Jurisdiction v. set standard?
Regulatory & Administrative
FCC - fined AT&T $25,000,000
CFPB - fined Dwolla, Inc. $100,000
FDIC - new cybersecurity framework
DOJ - Yates Memo
Officer & Director Liability
Officer & Director Liability
“[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014.
Heartland Payment Systems, TJ Maxx, Target, Home Depot, Wyndham
Derivative claims premised on the harm to the company from data breach.
Caremark Claims: Premised on lack of oversight = breach of the duty of loyalty and good faith. Cannot insulate the officers and directors = PERSONAL LIABILITY!
Standard:
(1) “utterly failed” to implement reporting system or controls; or
(2) “consciously failed” to monitor or oversee system.
Officer & Director Liability
Palkon v. Holmes, 2014 WL 5341880, *5-6 (D. NJ Oct. 20, 2014). Derivative action for failing to ensure Wyndham implemented adequate security policies and procedures.
Order Dismissing: The board satisfied the business judgment rule by staying reasonably informed of the cybersecurity risks and exercising appropriate oversight in the face of the known risks.
Well-documented history of diligence showed the Board:
• Discussed cybersecurity risks, company security policies and proposed enhancements in 14 quarterly meetings; and
• Implemented some of those cybersecurity measures.
Key Computer Fraud Laws
Computer Fraud and Abuse Act
• Fed Criminal Law – 18 USC § 1040
• Inspired by War Games
• Civil Claim (1994 Amend)
• Most important computer fraud / cybersecurity law
Texas: Computer Crimes
Protected Computer
“If a device is ‘an electronic … or other high speed data processing device performing logical, arithmetic, or storage functions,’ it is a computer. This definition captures any device that makes use of an electronic data processor, examples of which are legion.”
United States v. Kramer, 631 F.3d 900, 901 (8th Cir. 2011)
Protected = connected to the Internet
Access Crime
CFAA prohibits the access of a protected computer that is:
• Without authorization, or
• Exceeds authorized access,
Where the person accessing:
• Obtains information
• Causes damage
• Commits a fraud
• Traffics in passwords
• Obtains something of value
• Commits extortion
• Transmits damaging info
Elements: Easiest CFAA Claim
1. Intentionally access computer;
2. Without authorization or exceeding authorized access;
3. Obtained information from any protected computer; and
4. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000
Key Issues: Circuit Split
Trilogy of Access Theories
• Strict Access (2nd, 4th & 9th Cir.)
• Agency (7th Cir.)
• Intended-Use (1st, 3rd, 5th, 8th, 11th)
Policy Essentials: limit authorization
• Cover use of computer and data
• Restrict duration (i.e., terminate right)
• Restrict purpose (i.e., business use)
Key Issues: Civil Remedy
Loss: $5,000 jurisdictional threshold, or interruption of service
Damage ≠ damages ≠ loss
Texas: Computer Crimes
Breach of Computer Security, Ch. 33 Texas Penal Code
• Civil cause of action in TCPRC
• Generally follows CFAA
• Broader language
• Attorney’s fees recoverable
Breach of Computer Security
Elements:
• knowingly accesses a computer, computer network, or computer system;
• without the effective consent of the owner
Consent is not effective if: induced by deception or coercion; used for a purpose other than that for which the consent was given; (others excluded)
Pros & Cons
Pros
• Federal court (if you want)
• Injunctive relief
• The dude who cried
Cons
• Focus on computer, not data (TUTSA)
• Non-Competes = data
• Must have policy language
• Complex & exotic
Virtually all companies will be breached. Will they be liable?
It’s not the breach; it’s their diligence and response that matters most.
Companies have a duty to be reasonably informed of and take reasonable measures to protect against cybersecurity risks.
Shawn Tuma
Cybersecurity Partner
Scheef & Stone, LLP
[email protected]
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com
This information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.
Shawn Tuma is a cyber lawyer business leaders trust to help solve problems with cutting-edge issues involving cybersecurity, data privacy, computer fraud, and intellectual property law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full service commercial law firm in Texas serving clients throughout the US.
• Board of Directors, North Texas Cyber Forensics Lab
• Board of Directors & General Counsel, Cyber Future Foundation
• Texas SuperLawyers 2015-16 (IP Litigation)
• Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)
• Council, Computer & Technology Section, State Bar of Texas
• Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• College of the State Bar of Texas
• Privacy and Data Security Committee, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee
• Infragard (FBI)
• International Association of Privacy Professionals (IAPP)
• Information Systems Security Association (ISSA)
• Board of Advisors, Optiv Security
• Editor, Business Cybersecurity Business Law Blog