Posted: 13-Dec-2014 | Category: Technology | Uploaded by: shawn-tuma
Digital Business Risk
www.brittontuma.com © 2014 Shawn E. Tuma 1
Combating Cyber Fraud, Data Breaches & Corporate Espionage
Shawn Tuma, Partner, BrittonTuma, Shops at Legacy, Plano, Texas
email: [email protected] | @shawnetuma | blog: shawnetuma.com | web: brittontuma.com
Shawn Tuma is a lawyer whose practice is focused on cutting-edge cyber and information law and includes issues like helping businesses defend their data and intellectual property against computer fraud, data breaches, hacking, corporate espionage, and insider theft. Shawn stays very active in the cyber and information law communities:
Best Lawyers in Dallas 2014, D Magazine (Digital Information Law)
Chair, Collin County Bar Association Civil Litigation & Appellate Section
College of the State Bar of Texas
Privacy and Data Security Committee of the State Bar of Texas
Computer and Technology, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas
Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
Social Media Committee of the American Bar Association
North Texas Crime Commission, Cybercrime Committee
International Association of Privacy Professionals
The information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.
What is My Role?
• Adviser
• Consultant
• Relationships Coordinator
• Attorney
Why Information Security Matters To You!
Computer Fraud = Fraud 2.0
• Deception, through the use of a computer
• “old crimes committed in new ways … using computers and the Internet to make the task[s] easier”
• computer hacking, data theft, breaches of data security, corporate espionage, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks
• mouse and keyboard = modern fraudster tools of choice
Data – 21st Century Currency
• Everybody wants it
• Google, Facebook, $.99 Apps … seriously?
• Big Data, Reward Cards, Surveys, etc.
9 Patterns of Data Breaches
Verizon’s 2014 Data Breach Investigations Report: 9 Patterns from 10 Years of Breaches (% = 2013 stats)
1. 35% = Web Application Attacks
2. 22% = Cyber-Espionage
3. 14% = Point of Sale Intrusions
4. 9% = Card Skimmers
5. 8% = Insider Misuse
6. 4% = Crimeware
7. 2% = Miscellaneous Errors
8. <1% = Denial of Service Attacks
9. <1 % = Physical Theft/Loss
The “Dark Net” – The Black Market of the Internet
What Can You Find for Sale?
• human beings
• military weapons – the real ones!
• fake identification documents
• illegal drugs
• prostitution and gambling
• STOLEN DATA!
How Does the Dark Net Work for Stolen Data?
• Dark Net uses the “Tor Network” which allows for concealed identity and anonymous transfers of money
• Stolen data is packaged in bulk and sold in a single “dump” without knowing what it is or how valuable it may be
• All data has some value
• What does this mean for YOU?
Corporate Espionage – Competitive and State Sponsored Threats
• External Threats
• Insider Threats
• Blended Threats
• employee planning departure to competitor; disloyal insider; planted
Examples: Motorola, duPont, Chinese Restaurant Menu
How Do You Identify and Protect Your Trade Secrets?
Story Time
• you were CEO of a world-wide company
• breach impacting 110 million customers
• $61 million in expenses alone
• 10% discount to all shoppers
• $5 million investment in cybersecurity coalition
• offer “free” identity theft and credit monitoring to all affected customers
• Net earnings down 34.28%
• Earnings per share down 44.60%
• Non-cash losses up 487.71%
• US sales down 6.60%
• Lawsuits, possible enforcement actions, who knows?
• and then you learn …
Have you ever heard of …
Will There Be More?
18 / 40
• DOJ / US Atty (ND & ED)
• FBI
• Secret Service
• Homeland Security
• NSA
• ATF
• DEA
• IRS
• Dallas DA, Police Cyber Unit
• Collin Police Cyber Unit
• Fusion Centers – Dallas / Collin
• Universities’ Cyber Depts.
Sun Tzu – The Art of War
“In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.”
“You can be sure of succeeding in your attacks if you attack places which are not defended.”
The Law! Obligations and Remedies Related to Data Breaches and Cyber Espionage
“Authority” Related to Data Breach
• Laws
  • Types: Common Law (courts), Statutory Law (legislatures)
  • Sources: International, Federal, State (47 States), Local
• Agency Rules & Regulations
• Industry Standards
Guidance on Preparation and Prevention
• January 2014: SEC indicates that the new standard of care for companies may require policies in place for:
1. Prevention, detection, and response to cyber attacks and data breaches,
2. IT training focused on security, and
3. Vendor access to company systems and vendor due diligence.
• January 31, 2014: GMR Transcription Svcs – FTC case – is requiring businesses to follow 3 steps when contracting with 3rd party service providers:
1. Investigate by exercising due diligence before hiring data service providers.
2. Obligate their data service providers to adhere to the appropriate level of data security protections through contractual agreements with provider.
3. Verify that the data service providers are adequately protecting data as required by the contractual standards.
Allocating risk and mitigating risk by contract
• Allocating risk
  • designate duties & responsibilities: A party bears the risk when the agreement allocates the risk to that party. TEX. JUR. 3d Contracts § 123
  • indemnify: “An undertaking against loss or damage amounts to a guaranty of reimbursement on a payment by the indemnitee. With respect to a promise to indemnify against damages, a right to bring suit does not accrue until the indemnitee has suffered damage or injury by being compelled to pay the judgment or debt.” 14 TEX. JUR. 3d Contribution § 24
• Mitigating risk
  • require mandatory policies, procedures, and security standards for third parties
But all are just contractual obligations
• Look to you for relief, you must then go enforce your contractual remedies
• Breach of Contract
• Inability to perform
• Unwillingness to perform
• Efficient breach theory
• Insolvency / bankruptcy
• Cost of litigation to enforce
The contractual obligations are important and needed
• Show diligence and that you take data security more seriously than most
• FTC – looking at 3rd party contracts
• SEC – looking at policies and 3rd party contracts
• Post-breach = helpful for attorneys general
• But more is required
Ronald Reagan, in dealing with Soviets, said…
“Trust, but verify.”
How do you verify?
Audit!
Responding -- Defense (Mandatory)
Execute Breach Response Plan
General Steps:
• contact attorney (privilege)
• assemble your Response Team
• contact forensics
• contact notification vendor
• investigate breach
• remediate responsible vulnerabilities
• reporting & notification
What does “reporting & notification” mean?
• Law Enforcement
• State Attorneys General
• Federal Agencies
• FTC, SEC, HHS, etc.
• Industry Groups
• PCI, FINRA, FDIC
• Credit Bureaus
• Professional Vendors & Suppliers
• Consumers
Cost of a Data Breach!
• (pre-Target)
• $188.00 per lost record
• $188.00 x “X” - $$$$$$$$
Responding -- Offense
Computer Fraud and Abuse Act – Federal Law – 18 U.S.C. § 1030
What Is A Computer?
Under the CFAA, a “computer” is anything that
has a processor, or
stores data
It is a “protected computer” if connected to the Internet
Perspective
• TI-99: 3.3 MHz processor, 16 KB of RAM
• Leap Frog Leapster: 96 MHz processor, 128 MB of RAM
• iPhone 5: 1.02 GHz processor, 1 GB of RAM
What Does the CFAA Prohibit?
The CFAA prohibits access of or transmission to a protected computer that is:
• without authorization, or
• exceeds authorized access
What Does the CFAA Prohibit?
Where the person accessing:
• Obtains information
• Commits a fraud
• Obtains something of value
• Transmits damaging information
• Causes damage
• Traffics in passwords
• Commits extortion
Wrongful Access
Establishing limits for Intended-Use Theory:
• Contractual
  • Policies: computer use, employment & manuals
  • Website Terms of Service
• Technological
  • Login and access restrictions
  • System warnings
• Training and other evidence of notification
• Notices of intent to use CFAA
More Federal Laws for Combating Fraud 2.0
• Economic Espionage Act – 18 U.S.C. § 1831
• Electronic Communications Privacy Act – 18 U.S.C. § 2510
  • Wiretap Act – intercepted communications
  • Stored Communications Act – communications at rest
• Fraud with Access Devices – 18 U.S.C. § 1029: devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive through swipe cards
• Identity Theft – 18 U.S.C. § 1028
Texas Laws for Combating Fraud 2.0
• Breach of Computer Security Act (Tex. Penal Code § 33.02): knowingly access a computer without effective consent of owner
• Notification Required Following Breach of Security of Computerized Data (Tex. Bus. & Comm. Code § 521.053), amended by SB 1610 (eff. 6/14/13)
• Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
• Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)
• Unlawful Access to Stored Communications (TPC § 16.04)
• Identity Theft Enforcement and Protection Act (BCC § 48.001)
• Consumer Protection Against Computer Spyware Act (BCC § 48.051)
• Anti-Phishing Act (BCC § 48.003)
Conclusion
• All data has value
• It will happen to virtually all businesses and probably already has to most
• The threats will continue to evolve
• The laws will continue to evolve
• Businesses that do not prepare, prevent, and respond will face severe financial and legal consequences
• Cyber Insurance