With hackers on the loose, and wire transfers as a place for them to gain unauthorized access to bank accounts, it is no wonder that when it comes to potentially intercepted wires, customers and banks are playing hot potato with who to blame. Typically, banks bear the risk of loss for unauthorized wire transfers. The Electronic Fund Transfer Act (“EFTA”) for consumer accounts and Article 4A of the Uniform Commercial Code (“UCC”) for business accounts are the two bodies of law that govern these transfers. The two pull in opposite directions: the EFTA attempts to shield customers from paying unauthorized charges, whereas the UCC has a framework in place that protects the banks and shifts the risk of loss to the customer if the bank can show that (1) a commercially reasonable security procedure was in place and (2) the bank accepted the payment order in good faith and in compliance with the security procedure and any other written agreement or customer instruction.
Due to the flexibility of the UCC and the fact that “commercial reasonability” is a question of law, some factors that pertain to it have been interpreted differently by the judicial system. These interpretations have established divergent norms. Some factors that courts look to in their decision making are the customer’s instructions to the bank, the bank’s understanding of the customer’s situation, alternative security procedures offered to the customer, and security procedures in general that are typical of the industry.
With these criteria, courts have been able to judge bank security procedures and assess whether their efforts were adequate. For example, the Eighth Circuit found that where a customer refuses commercially reasonable security procedures such as “dual control,” which requires two independent authorized users to approve the wire transfer, the customer, in effect, assumed the risk of failure. The bank’s procedure was considered adequate because it had the security measures in place to protect against cyberattacks. Conversely, in a case heard in the First Circuit, Comerica was found to have failed to satisfy its burden because it did not discover that unusual activity was happening with multiple accounts when a bank dealing fairly with a customer “would have detected and/or stopped the fraudulent wire activity earlier.” The court noted some of the factors that led to this decision, such as: the volume and frequency of the wire transfers when there had previously been very low activity, the fact that the destinations of the funds were in Russia, and that Comerica had knowledge of current and prior phishing attempts.
Even the most sophisticated security systems—typically found in banks—are vulnerable to hacking. With the divergence of opinions within the law about who should bear the risk when something goes wrong, customers and banks alike should make sure to take the proper precautions while making transactions of any sort.
After a Cyberattack
This blog post is the sixth and final entry of a six-part series discussing the best practices relating to cyber security. The previous post discussed the individuals and organizations that should be notified once a cyberattack occurs. This post will focus on what a business should not do after a cyberattack. Key points include (1) not using the network, (2) not sharing information with unconfirmed parties, and (3) not attempting to retaliate against a different network.
Do Not Search Through the Network
Once a cyberattack has been identified, most individuals may feel compelled to immediately examine their network and search through all of their system’s files. This sudden reaction can cause further damage and may result in a total system failure. Some hackers rely on the natural inclination to examine a network in order to cause more destruction. They may install dormant malware that is triggered after an authorized user accesses the network to survey the damage. If the hackers are monitoring the network after the attack, they may also be able to steal additional information such as passwords and usernames if individuals attempt to log on.
The better option is to immediately suspend all use of the network and commence the action plan. By limiting network activity, a business may be able to contain the attack and safeguard unaffected systems. Furthermore, suspending the network will help preserve evidence of the attack for law enforcement officials. As a last resort, a business should be prepared to shut its entire system down in order to contain the attack if it is still active.
Do Not Release Information to Unconfirmed Parties
After a cyberattack, a business should be very careful to only communicate information to credible sources. Some hackers will pose as law enforcement officials and send inquiring messages to the business after the attack. These messages are sent in an attempt to gain information from the business. The hackers may use this information to launch a second cyberattack on the already damaged network. All communication should be via the telephone or in person if possible. It is important that a business designate one individual to communicate on behalf of the business. This individual should not share information with anyone until he or she has confirmed the identity of the other party.
Do Not Attempt to Retaliate Against Other Networks
If a business is able to determine the source of the cyberattack, it may be tempted to retaliate with cyber warfare against the source. Not only is this tactic illegal under U.S. and foreign cybersecurity laws, but it may also cause further damage to a business’ system or provoke a second attack. Additionally, many cyberattacks originate from innocent networks that have previously been hacked. Retaliation against these networks would only hurt a previous victim and would not impact the hackers. Remaining calm and following the action plan is always the best course of action after a business has been impacted by a cyberattack.
This blog post is the fifth entry of a six-part series discussing the best practices relating to cyber security. The previous post discussed the important steps that a business should take to preserve evidence and information once a cyberattack has been identified. This post will discuss the individuals and organizations that should be notified once a cyberattack occurs. The four most important groups to contact are (1) individuals within the business, (2) law enforcement officials, (3) the Department of Homeland Security, and (4) other possible victims.
Individuals within the Business
A business’ Response Plan should list the specific employees to be contacted once a business has been attacked. These employees normally include the senior executives, information technology officers, public affairs officials, and a business’ legal counsel. Multiple methods of communication for each employee, including cell phone numbers, home phone numbers, and personal email addresses, should be listed in the Response Plan. These critically important individuals should be contacted at the first sign of a cyber incident.
Law Enforcement Officials
Law enforcement officials should be contacted once a business suspects that its cyber incident is a result of criminal activity. A business should not hesitate to contact law enforcement even if it fears that its business operations will be disrupted. Both the FBI and the U.S. Secret Service prioritize their ability to work around a business’ normal operations when conducting an investigation. These government organizations will work with a business to ensure that sensitive information is not released and that the business’ reputation is not unnecessarily tarnished. Both groups will help the company release a press statement and decide what information is necessary to disclose to shareholders. In addition, law enforcement officials are able to receive support from international counterparts in order to track stolen data around the globe.
The Department of Homeland Security
The National Cybersecurity & Communications Integration Center (NCCIC) is a branch of the Department of Homeland Security that provides continuous updates on cyber incidents, cybersecurity information, and recovery efforts. By alerting the NCCIC to a cyber incident, a business is able to share and receive information that may be beneficial in its recovery efforts. A business should keep in regular contact with the NCCIC, even if it is not experiencing a cyber incident, in order to stay alert to the latest trends in cyberattacks.
Other Potential Victims
After a business discovers a cyberattack it should alert other businesses in its network because they are potential victims. Cyberattacks often use network communications between businesses to spread malware and disrupt work flow. Notifying other businesses may allow them to take preventative measures and insulate themselves from possible attacks. If a business does not feel comfortable contacting other potential victims it should communicate through law enforcement officials. Victims may also be able to share information to assist each other in managing the cyber incident and discovering the source of the cyberattack.
The next blog post will discuss what a business should not do after a cyberattack and how a business should begin to recover.
Preservation of Evidence
This blog post is the fourth entry of a six-part series discussing the best practices relating to cyber security. The previous post discussed the initial steps that a business should take once a cyberattack has been identified. This post will discuss further steps that a business should take after an attack.
Preservation is critical when responding to a cyberattack. The more evidence a business is able to preserve, the greater the chance that the business will be able to determine how its system was hacked. “Forensic imaging” is a useful way to preserve a system because it produces an exact copy of a computer’s hard disk. A forensic image will capture all of the deleted files, the system’s files, and any other information that may be necessary for a detailed analysis of the attack.
After the necessary information and evidence of an attack has been preserved, the business should begin to transfer its information onto a clean system. It is important to ensure that the transferred data is completely free of any impacted documents. The business should write-protect the transferred data so that it cannot be altered by other corrupted documents. To maintain the authenticity of the documents, access to them should be restricted and a chain of custody should be used.
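The post's advice to write-protect the preserved copy and keep a chain of custody can be made verifiable: hash the forensic image when it is taken, re-hash it at every hand-off, and link each custody record to the one before it so that an edited or deleted record is detectable. The following is an added example written for this post, not code from the original series or from any forensic tool; the image contents, handler names and file paths are constructed for the demonstration.

```python
"""Added example: verifying a forensic image and keeping a tamper-evident
chain-of-custody log. Each custody entry records who handled the image, when,
and the image's SHA-256, and carries the digest of the previous entry, so
altering the image or the log breaks the chain. All names and paths are
constructed for this example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Return the SHA-256 of a file, read in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_protect(path: str) -> None:
    """Clear the write bits so the preserved copy cannot be altered in place."""
    os.chmod(path, 0o444)


def _entry_digest(entry: dict) -> str:
    # Canonical JSON so the same entry always produces the same digest.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def add_custody_entry(log: list, image_path: str, handler: str, action: str) -> dict:
    """Append an entry that links to the previous one; the image is re-hashed each time."""
    entry = {
        "seq": len(log),
        "time": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "image_sha256": hash_file(image_path),
        "prev_digest": _entry_digest(log[-1]) if log else "0" * 64,
    }
    log.append(entry)
    return entry


def verify_chain(log: list, image_path: str) -> list:
    """Return a list of problems found; an empty list means the chain is intact."""
    problems = []
    expected_prev = "0" * 64
    current = hash_file(image_path)
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence gap")
        if entry["prev_digest"] != expected_prev:
            problems.append(f"entry {i}: does not link to previous entry")
        if entry["image_sha256"] != current:
            problems.append(f"entry {i}: image hash differs from current image")
        expected_prev = _entry_digest(entry)
    return problems


def demo() -> tuple:
    """Create a constructed 'image', log two hand-offs, then tamper with the copy and the log."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "disk.img")
        with open(image, "wb") as f:
            f.write(b"constructed disk image contents\x00" * 1024)
        write_protect(image)
        log = []
        add_custody_entry(log, image, "it-admin", "acquired image")
        add_custody_entry(log, image, "legal-counsel", "received for review")
        clean = verify_chain(log, image)          # intact chain: no problems
        # Simulate an alteration of the preserved copy.
        os.chmod(image, 0o644)
        with open(image, "ab") as f:
            f.write(b"tampered")
        tampered = verify_chain(log, image)       # both entries now disagree with the image
        # Simulate deletion of the first custody record.
        gap = verify_chain(log[1:], image)
        return clean, tampered, gap


if __name__ == "__main__":
    for name, result in zip(("clean", "tampered", "gap"), demo()):
        print(name, result or "chain intact")
```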
All personnel involved with the response to the attack should keep detailed records of their actions. This will not only help when modifying the Response Plan in the future, but may also be useful for law enforcement during its investigation. Preferably, one employee should be in charge of coordinating and maintaining each individual’s information. This ensures organization and continuity between employees’ responsibilities. Important information to record includes (1) a description of all incident-related events, (2) details of all communications regarding the incident, (3) a description of each employee’s duties in response to the attack, (4) a listing of how each network system was impacted by the cyberattack, and (5) the version of software on the network.
If an attack is continuous, like a worm circulating through the network, a business should attempt to record the attack’s actions. A business may be able to use network monitoring devices, like a “sniffer,” to intercept and note communications between the cyberattack and the business’ servers. This type of monitoring is usually lawful if it is done to protect the business’ property or if network users have previously given consent. However, a business should consult its legal counsel if it plans to engage in this type of monitoring because it may implicate the Wiretap Act or impact the business’ employment agreements. A business should also ensure that it has enabled logging on an impacted server if it has not previously done so. Finally, increasing the default size of the log files can help to prevent data loss and defeat the cyberattack.
The following blog post will discuss which individuals and organizations a business should contact after a cyberattack.
Executing a Response Plan
This blog post is the third installment of a six-part series discussing the best practices relating to cyber security. The first two blog posts discussed the best practices for preparing a business in case of a cyberattack. This post will discuss the initial steps that a business should take after a cyberattack occurs.
Once an employee discovers a cyber incident, the business should immediately assess the nature and range of the situation. It is important to determine whether the disruption is a purposeful cyberattack or a system accident. This determination will assist a business in executing the appropriate Response Plan. If the incident is a malicious cyberattack, the business may need to disengage its entire system and shut down its technological operations. If the incident is a product of faulty software, the business may be able to take less extreme measures.
Gathering the correct information as quickly as possible will not only help defend the system from additional attacks, but also provide law enforcement with information to begin its investigation. The system administrator should survey the network to determine which computer systems were impacted, where the incident originated, and what malware may have been installed on the network. Additional information concerning which users were logged onto the network and which programs were running on the network is also useful in determining the source of the attack.
During the initial assessment it is important to determine if data was exported from the system. The data trail may illustrate the possible motive behind the attack and where it could strike next. If a business can identify other networks that are impacted by the attack it should alert those networks’ administrators. This may help to weaken the attack and increase the chance of retrieving stolen data.
After the initial assessment is complete, the business may need to employ preventative measures in order to stop the loss of data. Common approaches to prevent additional attacks include (1) redirecting network traffic, (2) segregating all or part of a network, or (3) filtering all messages and communications on the network. If a specific user or network terminal is identified as being the root of the attack, it should be blocked and disabled immediately. In more extreme cases, an entire network may need to be shut down if an attack persists. A business should store backup copies of critical data if its Response Plan calls for the network to be shut down. This allows the business to continue some operations from a remote network while its main network is disabled.
It is important that all steps taken to gather information and diminish damages are recorded accurately. This information will be useful in law enforcement’s efforts to bring criminal charges and for a business’ insurance claims.
The following blog post will discuss the next steps for a business to take once these initial steps are complete.
On July 20, 2015, in Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015), the Seventh Circuit held that the United States District Court for the Northern District of Illinois wrongfully dismissed a class action suit brought against Neiman Marcus after hackers stole their customers’ data and debit card information. The District Court originally dismissed the plaintiffs’ claims because they had not alleged sufficient injury to establish standing. The District Court based its ruling on a United States Supreme Court decision, Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013), which held that to establish Article III standing, an injury must be “concrete, particularized, and actual or imminent.”
However, the Seventh Circuit clarified that Clapper “does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.” Rather, “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” are sufficient to confer standing.
In Remijas, the Seventh Circuit explained that there is a reasonable likelihood that the hackers will use the plaintiffs’ information to commit identity theft or credit card fraud. “Why else would hackers break into a store’s database and steal consumers’ private information?” – the Seventh Circuit asked. The Seventh Circuit held that the plaintiffs should not have to wait until the hackers commit these crimes to file suit.
The Seventh Circuit also considered that some of the plaintiffs have already paid for credit monitoring services to protect their data, which it held is a concrete injury. Neiman Marcus also offered one year of credit monitoring services to its customers affected by the breach, which the Seventh Circuit considered an acknowledgment by the company that there was a likelihood that their customers’ information would be used for fraudulent purposes.
Ultimately, this decision may serve to soften the blow dealt by Clapper to data breach plaintiffs. Specifically, based on this ruling, plaintiffs who have not incurred any fraudulent charges, but have purchased credit monitoring services, or have spent time and money protecting themselves against potential fraud may argue that they have standing.
PREVENTING A CYBERATTACK (Part 2)
This is the second installment in a six-part discussion on the best practices to prevent a cyberattack. The first part discussed four critical steps to prepare a business in the case of a cyberattack. These included: (1) identifying the crucial assets and functions of a business, (2) creating a Response Plan, (3) installing the appropriate technology, and (4) obtaining authority for network monitoring. This article builds on those steps by suggesting further best practices in order to prevent a cyberattack.
5. Align Business Policies with the Response Plan
When an organization creates a Response Plan in the event of a cyberattack, it must ensure that the plan is cohesive with preexisting business policies within the organization. In order for the Response Plan to be implemented effectively, it cannot clash with any of the business’ standard operating procedures. For example, if the Response Plan states that whoever discovers the cyberattack must alert the entire organization, but the organization’s policy prevents an employee from emailing the entire company, there is a problem. By testing the Response Plan, organizations can locate these potential problems before a credible cyberattack occurs. Another important practice is to suspend the network access of former employees as soon as they are terminated. This practice guards against the risk of an angry former employee seeking revenge via a cyberattack.
6. Ensure Legal Counsel Understands the Legal Response to Cyber Incidents
Cyberattacks create unique legal situations that may be unfamiliar to a business’ legal counsel. An organization should rely on its legal counsel for assistance in creating its Response Plan. Legal counsel’s understanding of its client’s Response Plan can save valuable time and resources in the event of a cyberattack. Legal counsel can instruct a business on its obligations to report breaches to customers, its ability to terminate employees based on cyber incidents, and the privacy concerns associated with network monitoring. A business should also ensure that its legal counsel understands the possible legal action that it can take, both in the short term and the long term, in the event of a cyberattack. Legal counsel that is familiar with cyber security laws will be better equipped to immediately assist clients if a cyberattack occurs.
7. Cultivate Relationships with Cyber Incident Information Centers
Access to a network of cyber intrusion news and information can be a valuable resource for a business in order to keep ahead of the latest threats. Organizations that collect and disseminate cyber security information exist in every market sector and are commonly referred to as ISACs (Information Sharing and Analysis Centers). A business that is committed to maintaining a strong cyber security network should subscribe to the appropriate ISACs for its market sector. This will enable the business to prepare for possible threats and share helpful information. Businesses in niche sectors can rely on government created ISAOs (Information Sharing and Analysis Organizations) for their cyber security information.
8. Establish Connections with the Appropriate Authorities
Businesses should establish a working relationship with local law enforcement and cybercrime units before a cyberattack occurs. Familiarity between law enforcement and a business will allow for a more accurate and efficient response in the event of a cyberattack. On the federal level, the Federal Bureau of Investigation and the U.S. Secret Service frequently deal with cyberattacks. Each agency has a department that conducts outreach to private businesses. The departments are the FBI’s Cyber Task Force and the Secret Service’s Electronic Crimes Task Force. A business should contact these agencies to review its Response Plan and seek support prior to a cyberattack.
PREVENTING A CYBER ATTACK (Part 1)
Cyber-attacks can impact any business regardless of size, sector, or level of cyber security. The best way to minimize damages from a cyber-attack is to plan ahead and prepare for a possible attack. Forward thinking can minimize damages and shorten the process of recovery from a cyber-attack. The following suggestions are important steps that every business should take to prepare for a cyber-attack.
1. Identify the Crucial Assets and Functions
When determining how to secure a business against cyber-attacks it is important to first identify what parts of a business’s operation are most vital to its success. These components should receive the most attention to ensure that the business is able to function as close to normal as possible during an attack. For example, if communication with clients is the key component of a business’s operation, its ability to send and receive email would be the most important segment for protection. Additionally, if a business’s core strength is its ability to store and retrieve data, the security surrounding the business’s data storage system should receive the most attention. Once the business’s core operations have been identified, attention can be focused accordingly.
2. Create a Response Plan
A business should plan the steps that it will take once a cyber-attack occurs on its system. By creating a Response Plan before an attack occurs, organizational leaders are able to address all possible responses and discuss different options without the external pressure of an existing cyber security threat. It should provide clear directions and action items for each individual involved with the plan. The Response Plan should be discussed and explained to any employee who may be impacted by it. It is important that the plan be routinely modified and updated as business assets and key personnel change. Testing the plan by using a simulated cyber-attack will allow the deficiencies in the plan to be exposed and corrected before a credible threat occurs. The Response Plan should include the following items:
- the responsibilities of each individual involved with the Response Plan;
- how each individual involved with the Response Plan should be contacted;
- which business operations should receive the most attention during an attack;
- the procedures to determine if clients should be notified of the attack;
- the procedures for notifying law enforcement or cyber security support; and
- the ways to preserve evidence of the cyber-crime for law enforcement.
3. Install Appropriate Technologies and Services
Businesses should purchase and install defense systems at the level that fits their needs and supports their Response Plans. These systems may include off-site data backup, data loss prevention systems, devices for traffic filtering, and programs to detect intrusions. These technologies should be routinely tested as part of the Response Plan.
4. Obtain Authority for Network Monitoring
A business is typically allowed to monitor its own network if it has obtained prior approval from the network users. This can be accomplished by a “banner” or warning message when users log onto the network stating that it is being monitored. Consent can also be obtained during employee training programs and disclosures in the organization’s Employee Manual. Once a business has the authority to monitor its own network, it is more equipped to detect and respond to cyber incidents in real time.
This is part one of a six-part series discussing the best practices to prevent cyber-attacks.
Jeffrey M. Friedman, Andrew M. Halbert and Joseph Superstein write:
What has generally been common practice for thousands of companies may present an opportunity for identity thieves. When a company takes steps to “administratively dissolve” by failing to comply with certain legal or fiduciary duties such as filing timely annual reports, following certain procedural requirements, or paying its taxes, the state in which the company is incorporated may revoke or dissolve the noncompliant company. This approach opens the possibility of a number of problems, including (but not limited to) identity theft.
With proper guidance and advice, the practice of administratively dissolving a company may eliminate several potential vulnerabilities. One of the most overlooked and growing areas of concern is that thieves are targeting “dormant” entities at an increasing rate. Criminals realize that these entities may be vulnerable because they are less likely to be monitored for any business registration activity. The risks associated with not properly dissolving a state registered company may quickly amount to hundreds of thousands of dollars.
Identity theft trends indicate that criminals are looking to exploit state filing systems and business registration websites for financial gain. By filing bogus reports with Secretary of State offices or altering online business records, these criminals have been able to steal considerable amounts of cash and property using fraudulently obtained lines of credit. By altering business records, criminals may appear to have the authority to act on behalf of a victim entity, which in turn, enables them to apply for credit accounts with various lenders, retailers, and suppliers. In one case, according to an Atlanta TV news segment, a Georgia-based music company became the victim of a corporate identity theft scheme similar to that described above in which the thieves ran up nearly $300,000 in fraudulent credit card transactions. Creditors attempting to verify application information may face difficulties immediately detecting fraudulent activity because the business records on file with the state have been altered to match the fraudulent credit application.
To avoid the unnecessary exposure and risk of identity theft, we are now advising our clients to take the appropriate affirmative steps in order to voluntarily and safely dissolve their business without being left vulnerable to such criminal activity.
Jeffrey M. Friedman is a partner, Andrew M. Halbert is an associate and Joseph Superstein is a summer associate in Fox Rothschild’s Chicago, IL office.
Guest Blogger: Violetta Abinaked, Summer Associate
As noted in Dittman et al. v. The University of Pittsburgh Medical Center, Case No. GD-14-003285, previously reported on here, Pennsylvania has firmly adopted the approach that the Risk of Harm is Not Enough in Data Breach Actions. Still, data breaches have become some of the most noteworthy headlines in recent news. An increase in litigation has brought with it efforts to shrink the case load through the Article III requirement of standing. This means that courts are finding that the plaintiffs have not sufficiently established a concrete injury in order to seek remedies from the court. One of the main issues with data breaches is that once the data has been extracted or accessed, it is not necessarily true that tangible harm will follow. For that reason, the Third Circuit established that when it comes to data breach actions, the risk of future harm alone does not suffice to save the claim. The seminal case of Reilly v. Ceridian Corp. held that where no actual misuse is alleged, “allegations of hypothetical, future injury do not establish standing under Article III.” 664 F.3d 38, 41 (3d Cir. 2011).
The courts are making it tougher to carry out a data breach claim if the plaintiff can’t show actual or certainly impending misuse of the information. Reilly’s narrow definition of standing is leading the courts’ decisions in dismissing cases. A defendant will likely have a higher chance of getting a dismissal in a data breach action if the plaintiff is not able to provide any actual misuse of the information—at least in the Third Circuit. As a company which may be at risk for a data breach, this heightened need for tangible damage from the plaintiff may be a saving grace if future litigation arises.