da ta bre a c h no w wha t
play

Da ta Bre a c h! No w Wha t? Jo hn E . L a nde , CIPP/ US Sha re - PDF document

Nov 22, 2022 •43 likes •153 views

11/11/2019 Da ta Bre a c h! No w Wha t? Jo hn E . L a nde , CIPP/ US Sha re ho lde r Dic kinso n, Ma c ka ma n, T yle r & Ha g e n, P.C. E thic s Compe te nc e A la wye r sha ll pr ovide c ompe te nt r e pr e se ntation to a c

  1. 11/11/2019 Da ta Bre a c h! No w Wha t? Jo hn E . L a nde , CIPP/ US Sha re ho lde r Dic kinso n, Ma c ka ma n, T yle r & Ha g e n, P.C. E thic s Compe te nc e A la wye r sha ll pr ovide c ompe te nt r e pr e se ntation to a c lie nt. Compe te nt re pre se ntation re quire s the le g a l knowle dg e , skill, thoroug hne ss, a nd pre pa ra tion re asonably ne c e ssary for the re pre se ntation. Iowa R. Civ. P. 32:1.1 1

  2. 11/11/2019 Confide ntia l (a) A lawye r shall not r e ve al infor mation r e lating to the re pre se ntation of a c lie nt . . . . (d) A lawye r shall make r e asonable e ffor ts to pr e ve nt the inadve rte nt or unauthorize d disc losure of, or unauthorize d ac c e ss to, infor mation r e lating to the r e pr e se ntation of a c lie nt. Iowa R . Civ. P. 32:1.6 Sa fe ke e ping of Prope rty (a) A lawye r shall hold prope rty of c lie nts or thir d pe r sons that is in a la wye r's posse ssion in c onne c tion with a re pre se nta tion se par ate fr om the la wye r's own prope rty. F unds shall be ke pt in a se par ate ac c ount. Othe r pr ope r ty shall be ide ntifie d as suc h and appr opr iate ly safe guar de d. Comple te re c ords of suc h a c c ount funds and othe r pr ope r ty shall be ke pt by the lawye r and shall be pr e se r ve d for a pe r iod of six ye ar s a fte r te rmina tion of the re pre se nta tion. Iowa R. Civ. P. 32:1.15 Sa fe ke e ping o f Pro pe rty 2

  3. 11/11/2019 e Inde mnity (N.D. Ga. 2016) PSG v. Ir onshor  PSG: we a lth ma na g e me nt c ompa ny  9:10 a m: c ontr olle r re c e ive d fraudste r e mail  10:15 a m: “la wye r ” c a lle d c ontr olle r  “L a wye r” c la ime d dire c tor a uthorize d wire tra nsfe r PSG v. Ir onshor e Inde mnity  “L a wye r ” e ma ile d wir e instr uc tions  Contr olle r for wa r de d e ma il to ba nk  Ba nk r e quir e d online submission  Contr olle r pr e pa r e s wir e via online syste m  F r a ud pr e ve ntion unit a t the ba nk c onta c ts c ontr olle r  Contr olle r c a lls “la wye r ” to c onfir m a uthor ity  Ba nk re le a se d $1.7 million How did this ha ppe n?  F r audste r ’s fault?  Controlle r’s fault?  Ma na g ing dire c tor’s fa ult?  Bank’s fault? 3

  4. 11/11/2019 Pr e ve nting PSG v. Ir onshor e  “L a wye r ” se nt a n e ma il with wir e instr uc tions  Controlle r forwa rde d e ma il to ba nk  Bank r e quir e d online submission  Contr olle r pr e par e s wir e via online syste m  F ra ud pre ve ntion unit a t the ba nk c onta c te d c ontr olle r  Contr olle r c alle d “lawye r ” to c onfir m author ity  Ba nk r e le a se d $1.7 million Pre ve nting PSG v. Ir onshor e  Se g re g a te dutie s  Contr olle r c an’t wir e mone y if the c ontr olle r doe sn’t have the sole a uthority  T hre shold for approval: Controlle r ha s a uthority for wire s be low a c e rtain amount Sa fe g ua rding Prope rty  De sig n c ontrols so e mploye e s don’t work a r ound  Re quir e dua l a uthoriza tion for c r itic a l func tions  L e a st privile g e a c c e ss: only g ra nt a uthority ne c e ssa ry for job dutie s 4

  5. 11/11/2019 Re g ula tion E  E le c tronic F unds T ransfe r Ac t (“E F T A”)  Doe s not a pply to ac c ounts for:  Ope ra tions  T r ust/ F iduc iar y  Busine ss UCC: L e g a l F ra me work  Gove r ns non-E F T A and r e mittanc e tra nsfe r s  De fa ult: Ba nks a re lia ble for loss  Ba nks c a n shift lia bility to a c c ount holde r s  Ba nk & a c c ount holde r a g r e e to ve r ify a uthe ntic ity of pa yme nt or de rs using a c omme r c ia lly r e a sona ble se c ur ity pr oc e dur e  Ba nk follows the pr oc e dur e in g ood fa ith Ke ys for L iability  Agr e e me nt with Custome r  Waive r of Pr oc e dur e  Comme r c ially r e asonable se c ur ity pr oc e dur e  Ac c e ptanc e of payme nt or de r in good faith 5

  6. 11/11/2019 Sig na ture Not E noug h Compar ison of a signatur e on a payme nt or de r or c ommunic ation with an author ize d spe c ime n signatur e of the c ustome r is not by itse lf a se c ur ity pr oc e dur e . UCC § 4A-201 Wa ive r: Choic e E sc r ow (8th Cir . 2014)  Choic e E sc r ow, a r e al e state e sc row c ompany  Use d online wir e tr ansfe r syste m provide d by bank  Se nt ma ny wir e s on ir r e gular basis— no pa tte r n to use  F raudste rs took $440,000 Choic e E sc r ow Se c urity Proc e dure  Use r 1 e nte r s use r ID and pa ssword  Use r 1 author ize s wir e tra nsfe r via online porta l  Use r 2 e nte r s use r ID and pa ssword  Use r 2 author ize s tr ansfe r via online por tal  Da ily limits for e a c h use r  Da ily limits for tota l a c tivity 6

  7. 11/11/2019 Choic e E sc r ow Ag re e me nt  Choic e E sc r ow didn’t opt for any of the daily limits  Choic e E sc r ow didn’t want to use “dual c ontr ol”  Pr oble matic for its busine ss  Choic e E sc r ow e xe c ute d a waive r Par k Ste r ling Bank v. Wallac e & Pittman  L aw fir m had ke ylogge r installe d afte r c lic king on a phishing e mail  Use rna me , pa ssword, pin, a nd c ha lle ng e que stion c ompromise d for online E F T  $337,000 tr ansfe r r e d fr om tr ust a c c ount  Bank ar gue d that it c omplie d with se c urity proc e dure so the risk should re st with the law firm Co nfide ntia lity 7

  8. 11/11/2019 State Bank of Be llingham (8th Cir . 2016)  Ba nk’s c ompute r for initia ting wir e tra nsfe rs wa s c ompromise d  Ha c ke r s tr a nsfe r r e d $940,000 fr om ba nk to a c c ounts in Pola nd  F ra udste rs initia te d DDOS a tta c k whe n bank e mploye e s ide ntifie d fr aud  Afte r r e ve r sing some of the tr a nsa c tions the ba nk lost $485,000 How did the ha c ke rs g e t in?  F aile d to imple me nt automatic se c ur ity update s;  Clic ke d on spam that downloade d malwar e ;  Malwar e allowe d hac ke r s to obtain passwor ds/ use r name s;  Bank e mploye e s le ft se c ure toke n in c ompute r;  Antivir us softwar e de te c te d malwar e ; bank e mploye e s faile d to r e move it;  Compute r was ac c e ssible by any e mploye e be c ause the c ompute r was not passwor d pr ote c te d. Offic e 365 E xploits  Phishing e mail le ads to c ompr omise d c r e de ntia ls  F r audste r s gain ac c e ss to mailbox  Re - dir e c t e ma il c ommunic a tion  L imite d logging by de fault; Diffic ult to know wha t fra udste rs we re inte r e ste d in  Mailboxe s ofte n massive r e positor y of se nsitive information 8

  9. 11/11/2019 Da ta Bre a c h Notic e  Data Br e ac h Notic e : 50 state s, D.C., Pue r to Ric o, and Vir gin Isla nds ha ve notic e sta tute s  Alpha be t Soup of F e de r a l Rule s: HIPAA, GL BA, F E RPA, F T C  Inc onsiste nt r e quir e me nts  Some re quir e ide ntity the ft monitor ing to be offe r e d if SSNs a re c ompromise d Ra nsom Atta c k  4:30 pm on F rida y use r log s in a nd finds da ta e nc rypte d  Ba c kups v. Re plic a s  E ng a g e Attorne y  E ng a g e F ore nsic T e a m Obsta c le s to Ne g otia tion/ Pa yme nt  Communic ation with F r audste r s  Colle c ting Bitc oin  T r uste d Bitc oin Colle c tor s  T r ansmission to Right Walle t  F BI Involve me nt 9

  10. 11/11/2019 I nsura nc e : L a st L ine o f De fe nse State Bank of Be llingham E ig hth Circ uit: “‘ [T ]he e ffic ie nt a nd pro xima te c a use ’ o f the lo ss in this situa tio n wa s the ille g a l tra nsfe r o f the mo ne y a nd no t the e mplo ye e s' vio la tio ns o f po lic ie s a nd pro c e dure s. . . . [B]a se d o n ‘ the c lima te o f Minne so ta , wa te r infiltra tio n is c e rtain whe n no t pre ve nte d b y pro pe r c o nstruc tio n,’ a nd the re fo re the wa te r da ma g e . . . wa s ‘ the ine vita ble physic al lo ss.’ . . . Unlike the wa te r da ma g e . . . an ille gal wir e tr ansfe r is not a “for e se e able and natur al c onse que nc e ” of the bank e mploye e s' failur e to follow pr ope r c ompute r otoc ols .” se c ur ity polic ie s, pr oc e dur e s, and pr Insur anc e  Compute r F r aud  Soc ial E ngine e r ing  E ve nt Manage me nt / Inc ide nt Re sponse  Ra nsomwa r e 10

  11. 11/11/2019 Ke y Insuranc e Cove rage  F ir st- par ty loss  T hird- party loss  F ore nsic inve stig a tion  Re gulatory re sponse  Da ta bre a c h notic e  Voluntary ac ts  Cr ime / F r aud/ Ransom Que stions? John L ande jlande @dic kinsonlaw.c om 515.246.4509 11

Recommend

More recommend