Data Breach! Now what?
John Lande, Dickinson, Mackaman, Tyler, & Hagen, P.C.
IBA 2017 Annual Convention


Agenda

Cybersecurity threats
Cybersecurity liability
Cybersecurity insurance issues
Mitigating cybersecurity risks

Cybersecurity Threats


Two Kinds of Attacks

Social engineering: using public or non-public information to trick organizations into providing confidential information or sending money
Hacking: unauthorized access to an organization’s computer network and devices

Social Engineering


Claims Litigation

Many cases filed around the country
Familiar patterns emerge:
Employees tricked into initiating wire transfers from their financial institution to fraudster
Employees tricked into changing the target bank account for their accounts payable


Examples

Principle Solutions Group v. Ironshore: $1.717 million wired to fraudsters
Medidata v. Federal Insurance: $4.7 million wired to fraudsters
Maxum Indemnity v. Long Beach Escrow: $250,000 wired to fraudsters
American Tooling v. Travelers: $800,000 wired to fraudsters
Apache Corp. v. Great Am. Insurance: $2.4 million in AP sent to fraudsters


PSG v. Ironshore Indemnity

PSG: wealth management company
9:10 am: controller received fraudster email
10:15 am: “lawyer” called controller
“Lawyer” claimed director authorized wire transfer


PSG v. Ironshore Indemnity (cont.)

“Lawyer” emailed wire instructions
Controller forwarded email to bank
Bank required online submission
Controller prepared wire via online system
Fraud prevention unit at the bank contacted controller
Controller called “lawyer” to confirm authority
Bank released $1.7 million


How did this happen?

Fraudster’s fault?
Controller’s fault?
Managing director’s fault?
Bank’s fault?




Preventing PSG v. Ironshore

Segregate duties
Controller can’t wire money if the controller doesn’t have the sole authority
Threshold for approval: controller has authority for wires below a certain amount


Medidata v. Federal Insurance

Medidata executives informed accounting department that there would be M&A activity on short notice
Medidata routinely did business via email
Accounting department received a series of emails claiming to be from a Medidata executive
“Executive” told employees that a lawyer would be contacting them with wire instructions


Medidata v. Federal Insurance (cont.)

“Attorney” called accounting department and asked for a wire transfer
Employee informed “attorney” that authorization would need to come from particular executives
Fraudsters sent email on behalf of authorized signatories confirming wire
Employees authorized the wire
Wired $4.7 million to China
Second request for $4.8 million caused suspicion



Preventing Medidata

Executives told employees that transactions might occur on short notice
Employees disclosed key individuals who could authorize transactions


Maxum Indemnity v. Long Beach Escrow

Real estate escrow company received email from broker with instructions to send closing proceeds
Email claimed broker was difficult to reach
Real estate escrow company wired the money to fraudster’s bank account



Preventing Maxum Indemnity

Be suspicious of email requests where the sender claims to be unreachable
Slow down the transaction
Ask sender for details that only the real party would know


Apache Corp. v. Great Am. Insurance

Apache accounts payable employee in Scotland received an email from what appeared to be a vendor
Email requested that Apache send payments to a new bank account
Employee informed “vendor” that request had to come on letterhead
A week later an email came from “petrofacltd.com”
The vendor’s domain was “petrofac.com”


Apache Corp. v. Great Am. Insurance (cont.)

The “vendor” letter provided the current bank information and new bank information
Apache employee called phone number on the letterhead to verify the request
A different employee switched bank account for payments after receiving email with letterhead attached
Apache transferred $2.4 million to fraudsters



Preventing Apache Corp.

Employees volunteered information about internal processes
Employees called phone number on fraudulent letterhead
No controls to stop other employee from changing target bank account

Hacking


State Bank of Bellingham

Bank’s computer for initiating wire transfers was compromised
Hackers were able to transfer $940,000 from bank to accounts located in Poland
After reversing some of the transactions the bank lost $485,000


How did the hackers get in?

Failed to implement automatic security updates
Clicked on a spam link that downloaded multiple pieces of malware
The malware (Zeus) allowed hackers to obtain all passwords and usernames
Bank employees left secure token in computer
Antivirus software detected the Zeus virus; bank employees failed to remove the virus
Computer was accessible by any employee because the computer was not password protected


Malvertising

No user interaction necessary
Browsing website is enough


Malvertising Targets

Liability Rules


What is the source of the loss?

Cases involving money almost always involve wiring money or sending it via ACH
Personally identifiable information and other data exfiltration


No Consumer Protection

Regulation E
Generally provides for reimbursement of funds for unauthorized transfers
Limited to consumer accounts which are held directly or indirectly by a financial institution and established primarily for personal, family, or household purposes. 12 C.F.R. Part 205


Legal Framework

Default: banks are liable for loss
Banks have the ability to shift liability to account holders
Bank and account holder must agree to verify the authenticity of payment orders using a commercially reasonable security procedure
The bank must follow the procedure in good faith


Keys for Liability

Commercially reasonable security procedure
Acceptance of payment order in good faith
Agreement on that procedure


What does that mean for account holders?

Do they initiate wire or ACH transfers?
How does your bank verify authenticity of payment requests?
Bank may be liable if it approves an unauthorized request


Choice Escrow

Choice Escrow was a real estate escrow company
Company used online wire transfer system provided by bank
Company sent many wire transfers on an irregular basis (no pattern of use)
Fraudsters took $440,000


Choice Escrow Security Procedure

User 1 enters user ID and password
User 1 authorizes transfer via online portal
User 2 enters user ID and password
User 2 authorizes transfer via online portal
Daily limits for each user
Daily limits for total activity


Choice Escrow Agreement

Choice Escrow didn’t opt for any of the daily limits
Choice Escrow didn’t want to use “dual control”
Problematic for its business
Choice Escrow executed a waiver


Lesson

Possible to waive security procedure
Creates increased risk for account holder and bank
Account holders end up relying on insurance for safety net


Choice Escrow’s Indemnification

“As long as [Bank] has performed as provided in Section 8 above, the Customer shall indemnify and hold [Bank] harmless from any and all claims, damages, losses, liabilities, and costs and expenses, including reasonable attorney's fees, which relate in any manner to the Services performed under this Agreement.”


Data Exfiltration

Employee data
Customer data
Credit cards
Bank accounts
Trade secrets
Third-party information


Data Breach Notice

48 states, D.C., Puerto Rico, and Virgin Islands have notice statutes
Inconsistent requirements
Some require identity theft monitoring to be offered if SSNs are compromised


Third-Party Liability

Indemnification clauses
Non-disclosure agreements
Notice to third parties of a breach
Maximum down time
Other contractual obligations

Insurance Coverage


What happens if no one is liable?

Look for alternative sources of recovery
Pursue the hacker if you can find him/her/it
Insurance


Two Different Issues

Coverage for hacking: many policies with computer fraud coverage will likely cover hacking
Social engineering: significant disputes between insureds and carriers over coverage


Coverage for Hacking

Computer fraud provisions in policies: “We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises . . . ”


State Bank of Bellingham (Cont.)

Coverage for the loss? Yes!
Even though the employee’s conduct was a factor in the loss, “an illegal wire transfer is not a ‘foreseeable and natural consequence’ of the bank employees' failure to follow proper computer security policies, procedures, and protocols.”


No Reason to Worry?

Seems inconsistent with reality: fraud is a foreseeable consequence of poor security
This is also starting to look like a minority position


Coverage for Social Engineering

Issue: whether voluntary employee conduct breaks the chain of causation between computer fraud and the actual fraud loss
No standard policy language yet
Case by case review


Medidata

Fraudsters inserted code into the email that caused Medidata’s system to populate the executive’s email address and photo
District court ruled that falls within computer fraud coverage
Medidata prevails
Appeal


American Tooling Center

Tool & die company
Chinese vendor manufactures
Company sends orders via email
Chinese vendor emails back invoices


American Tooling Center (cont.)

Fraudsters obtained the legitimate invoices
Sent email to tool and die company changing the bank account
Company changed the target bank account
$800,000 was lost


Medidata v. Am. Tooling

Medidata:
  Employee receives email
  Fraudsters’ code causes executive’s name and photo to appear
  Made claim under computer fraud provision
  Claim covered

Am. Tooling:
  Employee receives email
  Fraudsters use “rnould.com” instead of “mould.com”
  Made claim under computer fraud provision
  Claim denied
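A check for the lookalike sender domains seen in the Apache (petrofacltd.com vs. petrofac.com) and American Tooling (rnould.com vs. mould.com) cases, as an added example that is not part of the presentation; the vendor-of-record table, the addresses and the lookalike list are constructed assumptions.

```python
# Added example (not from the presentation): classify the sender domain of a
# vendor bank-account-change request against the vendor domain on file.
# The vendor table, addresses and lookalike list are constructed assumptions.

VENDOR_DOMAINS_ON_FILE = {
    "Petrofac": "petrofac.com",   # domain named in the Apache case
    "Mould Co": "mould.com",      # domain named in the American Tooling case
}

# Character sequences that render almost identically in many fonts.
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def fold_lookalikes(label):
    """Collapse lookalike sequences so 'rnould' compares equal to 'mould'."""
    for fake, real in LOOKALIKES:
        label = label.replace(fake, real)
    return label


def sender_domain(address):
    """Domain part of an email address, lower-cased (assumes a single '@')."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address, vendor):
    """Return 'match', a 'lookalike: ...' reason, or 'unknown domain'."""
    on_file = VENDOR_DOMAINS_ON_FILE[vendor]
    domain = sender_domain(address)
    if domain == on_file:
        return "match"
    base_file, tld_file = on_file.rsplit(".", 1)
    base_seen, _, tld_seen = domain.rpartition(".")
    if fold_lookalikes(domain) == fold_lookalikes(on_file):
        return "lookalike: homoglyph"
    if base_seen == base_file and tld_seen != tld_file:
        return "lookalike: different TLD"
    if base_seen and base_seen != base_file and (
            base_file in base_seen or base_seen in base_file):
        return "lookalike: extra or missing characters"
    return "unknown domain"


def hold_for_callback(address, vendor):
    """Hold the change for a callback to the number on file unless the domain matches exactly."""
    return classify_sender(address, vendor) != "match"
```

Any result other than "match" should route the request to a callback on the contact details already on file, not the ones in the request.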


Key Insurance Coverage

Forensics and costs incurred from investigation/remediation
Data breach notice
Losses from third-party contracts
Voluntary employee acts
Crime/Fraud

Mitigating Cybersecurity Risk


Best Practices


New Fed Action


Federal Financial Institution Examination Council


Synthesis of NY, Fed, & FFIEC

Board involvement
CISO
Independent risk assessment
Regular audits
Ongoing defense assessment
Separation of duties


Design Controls

Design controls so employees don’t work around them
Require dual authorization for critical functions
Least privilege access: only grant authority necessary for job duties
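The Choice Escrow security procedure (dual control, per-user and total daily limits), the PSG approval threshold, and these design controls, implemented together as an added example that is not from the presentation; the policy amounts, user IDs, date labels and the dual_control_waived flag are constructed assumptions.

```python
# Added example (not from the presentation): a payment-order control that
# enforces an approval threshold, dual control by two distinct users, and
# per-user and total daily limits. Amounts, user IDs and dates are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Policy:
    single_approver_limit: float   # orders at or above this need a second approver
    per_user_daily_limit: float
    total_daily_limit: float
    dual_control_waived: bool = False   # assumed flag: what a waiver like Choice Escrow's does


@dataclass
class WireOrder:
    amount: float
    approvers: list        # user IDs that authorized the order
    day: str               # constructed date label such as "2017-03-01"


class WireControls:
    def __init__(self, policy):
        self.policy = policy
        self.user_totals = defaultdict(float)   # (day, user) -> amount released
        self.day_totals = defaultdict(float)    # day -> amount released

    def evaluate(self, order):
        """Return (released, reason); totals are updated only on release."""
        p = self.policy
        approvers = sorted(set(order.approvers))   # the same user twice counts once
        if not approvers:
            return False, "no approver"
        if (order.amount >= p.single_approver_limit and len(approvers) < 2
                and not p.dual_control_waived):
            return False, "dual control required above threshold"
        for user in approvers:
            if self.user_totals[(order.day, user)] + order.amount > p.per_user_daily_limit:
                return False, f"daily limit exceeded for {user}"
        if self.day_totals[order.day] + order.amount > p.total_daily_limit:
            return False, "total daily limit exceeded"
        for user in approvers:
            self.user_totals[(order.day, user)] += order.amount
        self.day_totals[order.day] += order.amount
        return True, "released"
```

With dual_control_waived set, a single compromised login can release an amount that the threshold would otherwise have stopped, which is the increased risk the Choice Escrow lesson describes.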


Educate Customers


Avoid Liability

Avoid taking on responsibility to continually update customers; this is not the bank’s “business”
Make clear in a disclaimer that information is provided to customers as part of the debtor-creditor relationship


Post-Breach Response

Develop a data breach security policy
Consider who outside counsel will be
Consider who your forensic firm will be
Consider who your PR team is
Have document retention notices prepared so that employees know to preserve logs
Know who has the authority to make decisions about forensics, counsel, and notices


Counsel’s Role

Take control of internal audits to maintain privilege
Preserve privilege during investigation of cybersecurity incident
Counsel is integrally involved in gathering information
Counsel is the liaison with forensic firm
Participate in interviews with employees to gather information and maintain privilege


General Tips

Build culture of reporting, don’t shame employees
You may want employees to voluntarily provide information, devices, etc.
Consider what would happen if employees inform you about a suspicious request v. simply following instructions
Have a policy that clearly defines who has authority to wire funds, disclose info, etc.


Subscribe to Our Blog

https://www.dickinsonlaw.com/blogs-articles/subscribe


Questions?

John Lande
[email protected]
515.246.4509