John Lande, Dickinson, Mackaman, Tyler & Hagen, P.C.
Data Breach! Now what?
IBA 2017 Annual Convention
Cybersecurity threats
Cybersecurity liability
Cybersecurity insurance issues
Mitigating cybersecurity risks
Agenda
Social engineering: using public or non-public information to trick organizations into providing confidential information or sending money
Hacking: unauthorized access to organization’s computer network and devices
Two Kinds of Attacks
Many cases filed around the country
Familiar patterns emerge:
Employees tricked into initiating wire transfers from their financial institution to fraudster
Employees tricked into changing the target bank account for their accounts payable
Claims Litigation
Principle Solutions Group v. Ironshore: $1.717 million wired to fraudsters
Medidata v. Federal Insurance: $4.7 million wired to fraudsters
Maxum Indemnity v. Long Beach Escrow: $250,000 wired to fraudsters
American Tooling v. Travelers: $800,000 wired to fraudsters
Apache Corp. v. Great Am. Insurance: $2.4 million in AP sent to fraudsters
Examples
PSG: wealth management company
9:10 am: controller received fraudster email
10:15 am: “lawyer” called controller
“Lawyer” claimed director authorized wire transfer
PSG v. Ironshore Indemnity
“Lawyer” emailed wire instructions
Controller forwarded email to bank
Bank required online submission
Controller prepares wire via online system
Fraud prevention unit at the bank contacts controller
Controller calls “lawyer” to confirm authority
Bank released $1.7 million
PSG v. Ironshore Indemnity
Fraudster’s fault?
Controller’s fault?
Managing director’s fault?
Bank’s fault?
How did this happen?
“Lawyer” sent an email with wire instructions
Controller forwarded email to bank
Bank required online submission
Controller prepares wire via online system
Fraud prevention unit at the bank contacted controller
Controller called “lawyer” to confirm authority
Bank released $1.7 million
Preventing PSG v. Ironshore
Segregate duties
Controller can’t wire money if the controller doesn’t have the sole authority
Threshold for approval: Controller has authority for wires below a certain amount
Preventing PSG v. Ironshore
Medidata executives informed accounting department that there would be M & A activity on short notice
Medidata routinely did business via email
Accounting department received a series of emails claiming to be from a Medidata executive
“Executive” told employees that a lawyer would be contacting them with wire instructions
Medidata v. Federal Insurance
“Attorney” called accounting department and asked for a wire transfer
Employee informed “attorney” that authorization would need to come from particular executives
Fraudsters sent email on behalf of authorized signatories confirming wire
Employees authorized the wire
Wired $4.7 million to China
Second request for $4.8 million caused suspicion
Medidata v. Federal Insurance
Medidata executives informed accounting department that there would be M & A activity on short notice
Medidata routinely did business via email
Accounting department received a series of emails claiming to be from a Medidata executive
“Executive” told employees that a lawyer would be contacting them with wire instructions
Preventing Medidata
“Attorney” called AP department and asked for a wire transfer
Employee informed “attorney” that authorization would need to come from particular executives
Fraudsters sent email on behalf of authorized signatories confirming wire
Employees authorized the wire
Wired $4.7 million to China
Second request for $4.8 million caused suspicion
Preventing Medidata
Executives told employees that transactions might occur on short notice
Employees disclosed key individuals who could authorize transactions
Preventing Medidata
Real estate escrow company received email from broker with instructions to send closing proceeds
Email claimed broker was difficult to reach
Real estate escrow company wired the money to fraudster’s bank account
Maxum Indemnity v. Long Beach Escrow
Real estate escrow company received email from broker with instructions to send closing proceeds
Email claimed broker was difficult to reach
Real estate escrow company wired the money to fraudster’s bank account
Preventing Maxum Indemnity v. Long Beach Escrow
Be suspicious of email requests where the sender claims to be unreachable
Slow down transaction
Ask sender for details that only the real party would know
Preventing Maxum Indemnity
Apache accounts payable employee in Scotland received an email from what appeared to be a vendor
Email requested that Apache send payments to a new bank account
Employee informed “vendor” that request had to come on letterhead
Week later an email came from “petrofacltd.com”
The vendor’s domain was “petrofac.com”
Apache Corp. v. Great Am. Insurance
The “vendor” letter provided the current bank information and new bank information
Apache employee called phone number on the letterhead to verify the request
A different employee switched bank account for payments after receiving email with letterhead attached
Apache transferred $2.4 million to fraudsters
Apache Corp. v. Great Am. Insurance
Apache accounts payable employee in Scotland received an email from what appeared to be a vendor
Email requested that Apache send payments to a new bank account
Employee informed “vendor” that request had to come on letterhead
Week later an email came from “petrofacltd.com”
The vendor’s domain was “petrofac.com”
Preventing Apache Corp.
The “vendor” letter provided the current bank information and new bank information
Apache employee called phone number on the letterhead to verify the request
A different employee switched bank account for payments after receiving email with letterhead attached
Apache transferred $2.4 million to fraudsters
Preventing Apache Corp.
Employees volunteered information about internal processes
Employees called phone number on fraudulent letterhead
No controls to stop other employee from changing target bank account
Preventing Apache Corp.
Bank’s computer for initiating wire transfers was compromised
Hackers were able to transfer $940,000 from bank to accounts located in Poland
After reversing some of the transactions the bank lost $485,000
State Bank of Bellingham
Failed to implement automatic security updates
Clicked on a spam link that downloaded multiple pieces of malware
The malware—Zeus—allowed hackers to obtain all passwords and usernames
Bank employees left secure token in computer
Antivirus software detected the Zeus virus; bank employees failed to remove the virus
Computer was accessible by any employee because the computer was not password protected
How did the hackers get in?
Cases involving money almost always involve wiring money or sending it via ACH
Personally identifiable information and other data exfiltration
What is the source of the loss?
Regulation E
Generally provides for reimbursement of funds for unauthorized transfers
Limited to consumer accounts which are held directly or indirectly by a financial institution and established primarily for personal, family, or household purposes. 12 C.F.R. Part 205
No Consumer Protection
Default: Banks are liable for loss
Banks have the ability to shift liability to account holders
Bank and account holder must agree to verify the authenticity of payment orders using a commercially reasonable security procedure
The bank must follow the procedure in good faith
Legal Framework
Commercially reasonable security procedure
Acceptance of payment order in good faith
Agreement on that procedure
Keys for Liability
Do they initiate wire or ACH transfers?
How does your bank verify authenticity of payment requests?
Bank may be liable if it approves an unauthorized request
What does that mean for account holders?
Choice Escrow was a real estate escrow company
Company used online wire transfer system provided by bank
Company sent many wire transfers on irregular basis—no pattern to use
Fraudsters took $440,000
Choice Escrow
User 1 enters user ID and password
User 1 authorizes transfer via online portal
User 2 enters user ID and password
User 2 authorizes transfer via online portal
Daily limits for each user
Daily limits for total activity
Choice Escrow Security Procedure
Choice Escrow didn’t opt for any of the daily limits
Choice Escrow didn’t want to use “dual control”
Problematic for its business
Choice Escrow executed a waiver
Choice Escrow Agreement
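As an added example (not from the presentation), the approval logic below models the security procedure the bank offered Choice Escrow, a second distinct user plus per-user and total daily limits, together with the PSG lesson that one person should hold sole authority only below a threshold, and shows what the waiver leaves in place. User names, limits and amounts are constructed.

```python
"""Payment-order controls from the deck, as an added example (not from the presentation).
Models the procedure the bank offered Choice Escrow (a second distinct user approves;
per-user and total daily limits) and the PSG lesson (sole authority only below a
threshold). User names, limits and amounts are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class WirePolicy:
    dual_control: bool = True                   # Choice Escrow waived this
    single_approver_limit: int = 10_000         # PSG: one person may approve only below this
    per_user_daily_limit: Optional[int] = 500_000
    total_daily_limit: Optional[int] = 1_000_000

@dataclass
class DailyActivity:
    by_user: Dict[str, int] = field(default_factory=dict)
    total: int = 0

def evaluate_wire(amount: int, approvers: List[str], policy: WirePolicy,
                  activity: DailyActivity) -> Tuple[bool, str]:
    """Decide one payment order; record it against the daily totals if released."""
    users = set(approvers)                      # the same login twice is not dual control
    if len(users) < 2 and policy.dual_control and amount >= policy.single_approver_limit:
        return False, "needs second approver"
    if policy.per_user_daily_limit is not None:
        for user in users:
            if activity.by_user.get(user, 0) + amount > policy.per_user_daily_limit:
                return False, f"{user} over daily limit"
    if policy.total_daily_limit is not None and activity.total + amount > policy.total_daily_limit:
        return False, "total daily limit exceeded"
    for user in users:
        activity.by_user[user] = activity.by_user.get(user, 0) + amount
    activity.total += amount
    return True, "released"

def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """A $440,000 order (the Choice Escrow loss) under the offered procedure and under the waiver."""
    offered = WirePolicy()
    waived = WirePolicy(dual_control=False, per_user_daily_limit=None, total_daily_limit=None)
    return {
        "offered, one compromised login": evaluate_wire(440_000, ["alice", "alice"], offered, DailyActivity()),
        "offered, two approvers": evaluate_wire(440_000, ["alice", "bob"], offered, DailyActivity()),
        "offered, small wire, one approver": evaluate_wire(5_000, ["alice"], offered, DailyActivity()),
        "waived, one compromised login": evaluate_wire(440_000, ["alice"], waived, DailyActivity()),
    }
```

The last scenario is the waiver the slides describe: with dual control and both limits gone, one set of stolen credentials is enough to release the full amount.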
Possible to waive security procedure
Creates increased risk for account holder and bank
Account holders end up relying on insurance for safety net
Lesson
“As long as [Bank] has performed as provided in Section 8 above, the Customer shall indemnify and hold [Bank] harmless from any and all claims, damages, losses, liabilities, and costs and expenses, including reasonable attorney's fees, which relate in any manner to the Services performed under this Agreement.”
Choice Escrow’s Indemnification
Employee Data
Customer Data
Credit Cards
Bank Accounts
Trade Secrets
Third-Party Information
Data Exfiltration
Data Breach Notice: 48 states, D.C., Puerto Rico, and Virgin Islands have notice statutes
Inconsistent requirements
Some require identity theft monitoring to be offered if SSNs are compromised
Data Breach Notice
Indemnification clauses
Non-disclosure agreements
Notice to third parties of a breach
Maximum down time
Other contractual obligations
Third-Party Liability
Look for alternative sources of recovery
Pursue the hacker if you can find him/her/it
Insurance
What happens if no one is liable?
Coverage for hacking: many policies with computer fraud coverage will likely cover hacking
Social engineering: significant disputes between insureds and carriers over coverage
Two Different Issues
Computer fraud provisions in policies:
“We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises . . . ”
Coverage for Hacking
Coverage for the loss?
Yes!
Even though the employee’s conduct was a factor in the loss “an illegal wire transfer is not a ‘foreseeable and natural consequence’ of the bank employees' failure to follow proper computer security policies, procedures, and protocols.”
State Bank of Bellingham (Cont.)
Seems inconsistent with reality—fraud is a foreseeable consequence of poor security
This is also starting to look like a minority position
No Reason to Worry?
Issue: Whether voluntary employee conduct breaks the chain of causation between computer fraud and the actual fraud loss
No standard policy language yet
Case by case review
Coverage for Social Engineering
Fraudsters inserted code into the email that caused Medidata’s system to populate the executive’s email address and photo
District court ruled that falls within computer fraud coverage
Medidata prevails
Appeal
Medidata
Tool & die company
Chinese vendor manufactures
Company sends orders via email
Chinese vendor emails back invoices
American Tooling Center
Fraudsters obtained the legitimate invoices
Sent email to tool and die company changing the bank account
Company changed the target bank account
$800,000 was lost
American Tooling Center
Medidata v. Am. Tooling
Medidata | Am. Tooling
Employee receives email | Employee receives email
Fraudsters’ code causes executive’s name and photo to appear | Fraudsters use “rnould.com” instead of “mould.com”
Made claim under computer fraud provision | Made claim under computer fraud provision
Claim covered | Claim denied
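The two sender domains in these cases, “petrofacltd.com” for “petrofac.com” (Apache) and “rnould.com” for “mould.com” (American Tooling), are the kind of lookalike an accounts-payable mailbox can screen for before anyone acts on a bank-change request. The following is an added example, not from the presentation; the confusable table, the vendor list and the From: headers are constructed.

```python
"""Screen vendor e-mail senders for lookalike domains (added example, not from the deck).
Vendor names, addresses and the confusable table are constructed; the two patterns are the
ones the presentation describes: 'petrofacltd.com' for 'petrofac.com', 'rnould.com' for 'mould.com'.
"""
from email.utils import parseaddr

# Letter sequences that read alike in common fonts (constructed, not exhaustive)
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "5": "s"}
# Words fraudsters append to a real label so the name still "looks right"
APPENDED_WORDS = ("ltd", "inc", "llc", "corp", "group", "co")

def normalize_label(label: str) -> str:
    """Collapse confusable sequences to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def strip_appended(label: str) -> str:
    """Remove one trailing appended word such as 'ltd', if present."""
    for word in APPENDED_WORDS:
        if label.endswith(word) and len(label) > len(word):
            return label[: -len(word)]
    return label

def classify_sender(from_header: str, vendor_domain: str) -> str:
    """Return 'match', 'lookalike' or 'unrelated' for a From: header."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    vendor_domain = vendor_domain.lower()
    if domain == vendor_domain or domain.endswith("." + vendor_domain):
        return "match"                 # the vendor's domain or a real subdomain of it
    if domain.startswith(vendor_domain + "."):
        return "lookalike"             # vendor's domain used as a subdomain elsewhere
    sender_label = domain.rpartition(".")[0]    # everything before the TLD
    vendor_label = vendor_domain.rpartition(".")[0]
    if normalize_label(strip_appended(sender_label)) == normalize_label(vendor_label):
        return "lookalike"             # covers petrofacltd.com and rnould.com
    return "unrelated"

VENDORS_ON_FILE = {"Petrofac": "petrofac.com", "Mould Co": "mould.com"}  # constructed
SAMPLE_MESSAGES = [  # constructed From: headers modelled on the two cases in the deck
    ("Petrofac", "Accounts <ap@petrofac.com>"),
    ("Petrofac", "Accounts <ap@petrofacltd.com>"),
    ("Mould Co", "Billing <invoices@rnould.com>"),
    ("Mould Co", "Billing <invoices@mould.com.attacker.test>"),
]

def screen_messages(messages=SAMPLE_MESSAGES, vendors=VENDORS_ON_FILE):
    """Pair each message with its verdict against the vendor domain on file."""
    return [(v, classify_sender(h, vendors[v])) for v, h in messages]
```

A "lookalike" verdict is a reason to route the request to the out-of-band verification step the slides call for (a call to a number already on file, not one taken from the message), not a reason to act on it.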
Forensics and costs incurred from investigation/remediation
Data breach notice
Losses from third-party contracts
Voluntary employee acts
Crime/Fraud
Key Insurance Coverage
Board Involvement
CISO
Independent Risk Assessment
Regular Audits
Ongoing Defense Assessment
Separation of Duties
Synthesis of NY, Fed, & FFIEC
Design controls so employees don’t work around them
Require dual authorization for critical functions
Least privilege access: only grant authority necessary for job duties
Design Controls
Avoid taking on responsibility to continually update customers—this is not the bank’s “business”
Make clear in a disclaimer that information is provided to customers as part of the debtor-creditor relationship
Avoid Liability
Develop a data breach security policy
Consider who outside counsel will be
Consider who your forensic firm will be
Consider who your PR team is
Have document retention notices prepared so that employees know to preserve logs
Know who has the authority to make decisions about forensics, counsel, and notices
Post-Breach Response
Take control of internal audits to maintain privilege
Preserve privilege during investigation of cybersecurity incident
Counsel is integrally involved in gathering information
Counsel is the liaison with forensic firm
Participate in interviews with employees to gather information and maintain privilege
Counsel’s Role
Build culture of reporting, don’t shame employees
You may want employees to voluntarily provide information, devices, etc.
Consider what would happen if employees inform you about a suspicious request v. simply following instructions
Have a policy that clearly defines who has authority to wire funds, disclose info, etc.
General Tips