
Combating Cyber Fraud, Data Breaches & Corporate Espionage

Date post: 13-Dec-2014
Upload: shawn-tuma
Description:
A discussion for C-level business executives and board members of digital information law issues of social media law, data security and data breach law, and trade secrets and corporate espionage issues.
Transcript
Page 1: Combating Cyber Fraud, Data Breaches & Corporate Espionage

Digital Business Risk

www.brittontuma.com © 2014 Shawn E. Tuma 1

Combating Cyber Fraud, Data Breaches & Corporate Espionage

Shawn Tuma, Partner, BrittonTuma, Shops at Legacy, Plano, TX | 469.635.1335 | [email protected] | @shawnetuma | blog: shawnetuma.com | web: brittontuma.com

Shawn Tuma is a lawyer whose practice is focused on cutting-edge cyber and information law and includes issues like helping businesses defend their data and intellectual property against computer fraud, data breaches, hacking, corporate espionage, and insider theft. Shawn stays very active in the cyber and information law communities:

Best Lawyers in Dallas 2014, D Magazine (Digital Information Law)

Chair, Collin County Bar Association Civil Litigation & Appellate Section

College of the State Bar of Texas

Privacy and Data Security Committee of the State Bar of Texas

Computer and Technology, Litigation, Intellectual Property Law, and Business Sections of the State Bar of Texas

Information Security Committee of the Section on Science & Technology Committee of the American Bar Association

Social Media Committee of the American Bar Association

North Texas Crime Commission, Cybercrime Committee

International Association of Privacy Professionals

The information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation.

Page 2

What is My Role?

Adviser

Consultant

Relationships Coordinator

Attorney

Page 3

Why Information Security Matters To You!

Page 4

Page 5

Computer Fraud = Fraud 2.0

Deception, through the use of a computer

“old crimes committed in new ways … using computers and the Internet to make the task[s] easier”

computer hacking, data theft, breaches of data security, corporate espionage, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks

mouse and keyboard = modern fraudster tools of choice

Page 6

Data – 21st Century Currency

Everybody wants it: Google, Facebook, $.99 Apps …

Seriously? Big Data, Reward Cards, Surveys, etc.

Page 7

9 Patterns of Data Breaches

Verizon’s 2014 Data Breach Investigations Report: 9 Patterns from 10 Years of Breaches (% = 2013 stats)

1. 35% = Web Application Attacks

2. 22% = Cyber-Espionage

3. 14% = Point of Sale Intrusions

4. 9% = Card Skimmers

5. 8% = Insider Misuse

6. 4% = Crimeware

7. 2% = Miscellaneous Errors

8. <1% = Denial of Service Attacks

9. <1% = Physical Theft/Loss

Page 8

The “Dark Net” – The Black Market of the Internet

What Can You Find for Sale?

human beings

military weapons – the real ones!

fake identification documents

illegal drugs

prostitution and gambling

STOLEN DATA!

Page 9

How Does the Dark Net Work for Stolen Data?

The Dark Net uses the “Tor Network,” which allows for concealed identity and anonymous transfers of money

Stolen data is packaged in bulk and sold in a single “dump” without knowing what it is or how valuable it may be

All data has some value

What does this mean for YOU?

Page 10

Corporate Espionage – Competitive and State Sponsored Threats

External Threats / Insider Threats / Blended Threats

Insider threats: employee planning departure to competitor, disloyal insider, planted insider

Examples: Motorola, duPont, Chinese Restaurant Menu

Page 11

How Do You Identify and Protect Your Trade Secrets?

Page 12

Story Time

• you were CEO of a world-wide company

• breach impacting 110 million customers

• $61 million in expenses alone

• 10% discount to all shoppers

• $5 million investment in cybersecurity coalition

• offer “free” identity theft and credit monitoring to all affected customers

• Net earnings down 34.28%

• Earnings per share down 44.60%

• Non-cash losses up 487.71%

• US sales down 6.60%

• Lawsuits, possible enforcement actions, who knows?

• and then you learn …

Page 13

Have you ever heard of …

Page 14

Will There Be More?

18 / 40

DOJ / US Atty (ND & ED)

DEA

FBI

IRS

Secret Service

Dallas DA, Police Cyber Unit

Homeland Security

Collin Police Cyber Unit

NSA

Fusion Centers – Dallas / Collin

ATF

Universities’ Cyber Depts.

Page 15

Sun Tzu – The Art of War

“In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.”

“You can be sure of succeeding in your attacks if you attack places which are not defended.”

Page 16

The Law! Obligations and Remedies Related to Data Breaches and Cyber Espionage

Page 17

“Authority” Related to Data Breach

• Laws

  • Types

    • Common Law (courts)

    • Statutory Law (legislatures)

  • Sources

    • International

    • Federal

    • State (47 States)

    • Local

• Agency Rules & Regulations

• Industry Standards

Page 18

Guidance on Preparation and Prevention

• January 2014: SEC indicates that the new standard of care for companies may require policies in place for:

1. Prevention, detection, and response to cyber attacks and data breaches,

2. IT training focused on security, and

3. Vendor access to company systems and vendor due diligence.

• January 31, 2014: GMR Transcription Svcs – FTC case – requires businesses to follow 3 steps when contracting with 3rd party service providers:

1. Investigate by exercising due diligence before hiring data service providers.

2. Obligate their data service providers to adhere to the appropriate level of data security protections through contractual agreements with provider.

3. Verify that the data service providers are adequately protecting data as required by the contractual standards.

Page 19

Allocating risk and mitigating risk by contract

• Allocating risk

  • designate duties & responsibilities: A party bears the risk when the agreement allocates the risk to that party. TEX. JUR. 3d Contracts § 123

  • indemnify: “An undertaking against loss or damage amounts to a guaranty of reimbursement on a payment by the indemnitee. With respect to a promise to indemnify against damages, a right to bring suit does not accrue until the indemnitee has suffered damage or injury by being compelled to pay the judgment or debt.” 14 TEX. JUR. 3d Contribution § 24

• Mitigating risk

  • require mandatory policies, procedures, and security standards for third parties

Page 20

But all are just contractual obligations

• Others look to you for relief; you must then go enforce your contractual remedies

• Breach of Contract

• Inability to perform

• Unwillingness to perform

• Efficient breach theory

• Insolvency / bankruptcy

• Cost of litigation to enforce

Page 21

The contractual obligations are important and needed

• Show diligence and that you take data security more seriously than most

• FTC – looking at 3rd party contracts

• SEC – looking at policies and 3rd party contracts

• Post-breach = helpful for attorneys general

• But more is required

Page 22

Ronald Reagan, in dealing with Soviets, said…

“Trust, but verify.”

How do you verify?

Audit!

Page 23

Responding -- Defense (Mandatory)

Execute Breach Response Plan

General Steps

contact attorney (privilege)

assemble your Response Team

contact forensics

contact notification vendor

investigate breach

remediate responsible vulnerabilities

reporting & notification

Page 24

What does “reporting & notification” mean?

• Law Enforcement

• State Attorneys General

• Federal Agencies

• FTC, SEC, HHS, etc.

• Industry Groups

• PCI, FINRA, FDIC

• Credit Bureaus

• Professional Vendors & Suppliers

• Consumers

Page 25

Cost of a Data Breach!

• (pre-Target)

• $188.00 per lost record

• $188.00 × “X” lost records = $$$$$$$$

Page 26

Responding -- Offense

Computer Fraud and Abuse Act – Federal Law – 18 U.S.C. § 1030

Page 27

What Is A Computer?

Under the CFAA, a “computer” is anything that

has a processor, or

stores data

It is a “protected computer” if connected to the Internet

Page 28

Perspective

TI-99: 3.3 MHz processor, 16 KB of RAM

Leap Frog Leapster: 96 MHz processor, 128 MB of RAM

iPhone 5: 1.02 GHz processor, 1 GB of RAM

Page 29

What Does the CFAA Prohibit?

The CFAA: access of or transmission to a protected computer that is

without authorization, or

exceeds authorized access

Page 30

What Does the CFAA Prohibit?

Where the person accessing:

obtains information

commits a fraud

obtains something of value

transmits damaging information

causes damage

traffics in passwords

commits extortion

Page 31

Wrongful Access

Establishing limits for Intended-Use Theory

Contractual

Policies: computer use, employment & manuals

Website Terms of Service

Technological

Login and access restrictions

System warnings

Training and other evidence of notification

Notices of intent to use CFAA

Page 32

More Federal Laws for Combating Fraud 2.0

Economic Espionage Act – 18 U.S.C. § 1831

Electronic Communications Privacy Act – 18 U.S.C. § 2510

Wiretap Act: intercepted communications; Stored Communications Act: communications at rest

Fraud with Access Devices – 18 U.S.C. § 1029: devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive-through swipe cards

Identity Theft – 18 U.S.C. § 1028

Page 33

Texas Laws for Combating Fraud 2.0

Breach of Computer Security Act (Tx. Penal Code § 33.02): knowingly access a computer without effective consent of owner

Notification Required Following Breach of Security of Computerized Data (Tex. Bus. Comm. Code sec. 521.053), amended by SB 1610 (eff. 6/14/13)

Fraudulent Use or Possession of Identifying Info (TPC § 32.51)

Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)

Unlawful Access to Stored Communications (TPC § 16.04)

Identity Theft Enforcement and Protection Act (BCC § 48.001)

Consumer Protection Against Computer Spyware Act (BCC § 48.051)

Anti-Phishing Act (BCC § 48.003)

Page 34

Conclusion

All data has value

It will happen to virtually all businesses and probably already has to most

The threats will continue to evolve

The laws will continue to evolve

Businesses that do not prepare, prevent, and respond will face severe financial and legal consequences

Cyber Insurance
