Cyber Fraud, Data Breaches, Corporate Espionage: Their Impact on Your Law Practice

Shawn Tuma's presentation at the Collin County Bench Bar Conference on data breach, hacking, corporate espionage, misappropriation of trade secrets, and their risk to lawyers, their clients, and their law practice.
by

Shawn Tuma

on 9 February 2015


Transcript of Cyber Fraud, Data Breaches, Corporate Espionage: Their Impact on Your Law Practice

Cyber Fraud, Data Breaches & Corporate Espionage:
Appreciating the Cyber Security Risk
Prepare
Respond - Defensively
(Mandatory)
Respond - Offensively
(Courts)
www.brittontuma.com
www.shawnetuma.com
Shawn E. Tuma
d. 469.635.1335
m. 214.726.2808
stuma@brittontuma.com
@shawnetuma
Copyright 2014
How They Impact Your Law Practice
Data is the currency of the 21st Century
Everybody wants it

Google, Facebook, $.99 Apps ... seriously?

Big Data, Reward Cards, Surveys, etc.
9 Patterns of Data Breaches
35% = web application attacks
22% = cyber-espionage
14% = point of sale intrusions
9% = card skimmers
8% = insider misuse
4% = crimeware
2% = miscellaneous errors
<1% = denial of service attacks
<1% = physical theft / loss
The "Dark Net"
The black market of the Internet
what can you find for sale?
human beings
military weapons - the real ones like army tanks and rocket launchers
fake identification documents
illegal drugs
prostitution and gambling
STOLEN DATA!
How does the Dark Net work
for stolen data?
The Dark Net runs over the Tor network, which hides the identity (i.e., the IP address) of buyers and sellers, and payments are made in forms that are hard to trace back to a person

Stolen data is packaged in bulk and sold as a single "dump"; the seller often does not know exactly what it contains or how valuable any one record may be

Because it is sold in bulk, all data has some value, not just the obviously sensitive records

What does this mean for your clients -- and YOU?
Who is doing this?
State sponsored organizations
China, Russia, Iran

Organized crime

"Cause" hacking groups (Anonymous, LulzSec)

Individuals (e.g., kids in their parents' basements)
How do they make
money from it?
YOUR DATA HAS VALUE!
CEOs surveyed say their company experiences cyber attacks hourly or daily
(Ponemon Institute)
It is not a matter of if,
but
when
General Data Breach Laws and Rules
International laws vary

No Federal general breach notification law (yet)

Texas law
Notification Required Following Breach of Security of Computerized Data (Tex. Bus. Comm. Code sec. 521.053)

State laws
47 states have general breach notification laws
Massachusetts is an oddball: its regulation (201 CMR 17.00) goes beyond notification and requires a written information security program for anyone holding residents' personal information

Agency rules and regulations

Industry standards (FINRA, PCI DSS, merchant bank agreements)
Texas' Notification Required Following Breach of Security of Computerized Data
"Sensitive Personal Information" (SPI) means:

(1) [first name] or [first initial] + [last name]
+ any one or more of:
Social Security number,
driver's license number or other government issued identification number,
or [account] or [card numbers] + [access/security codes]

or

(2) information that identifies an individual
+
concerns health condition, provision of healthcare, or payment for healthcare

A compromise of computerized data that is SPI is a "breach of system security" and requires notification to all consumer data subjects

"Breach" means taking, accessing, or compromising the confidentiality or integrity of the data. The notification must be given to all individual data subjects

Penalty is up to $100.00 per individual per day for the delayed time, but not to exceed $250,000 for a single breach

If the SPI is encrypted there is no breach unless the person breaching also has the decryption key. In practice this safe harbor only helps if the keys are stored and managed separately from the data; an attacker who takes the database and the key with it has a reportable breach
Responding to a Breach
(ideally, just execute the Breach Response Plan)
Contact attorney (privilege)
Assemble the Response Team
Contact Merchant Bank (if payment card)
Contact forensics
Contact notification vendor
Investigate breach
Remediate responsible vulnerabilities
Reporting and notification
Law enforcement
Individuals, AGs, Sec. of HHS, agencies, indust. groups, credit reporting
51%
"An ounce of prevention is cheaper than the first day of litigation [or reporting to individuals, the AGs, the media, SEC, HHS, DOL, FTC ...]" -
me
Cost of Data Breach in 2013
$194.00 per lost record
$194.00 x "X" = $$$$$$$
"an ounce of prevention ... "
Computer Fraud and Abuse Act
Primary law for misuse of computers

"computer" is anything that
has a processor, or
stores data

"protected computer" = any computer used in or affecting interstate commerce, which in practice means any computer connected to the Internet
"Everything has a computer in it nowadays." - Steve Jobs
CFAA prohibits "access" to a protected computer that is
without authorization, or

exceeds authorized access
when person accessing
obtains information

commits a fraud

obtains something of value

transmits damaging information

causes damage

traffics in passwords

commits extortion
originally a criminal statute
concurrent federal / state jurisdiction

3 interpretations of when access is "without authorization" or "exceeds authorized access"
Agency Theory
Intended-Use Theory (policies / notice = vital)
Strict Access Theory

limited civil remedy
requires at least $5,000 in "loss" (18 U.S.C. § 1030(g))

more civil than criminal

used in virtually every insider trade secrets case
Other Federal Laws for Combating Fraud 2.0
Economic Espionage Act (18 USC § 1831)

Electronic Communications Privacy Act (18 USC § 2510)
Wiretap Act (in transit)
Stored Communications Act (at rest)

Fraud with Access Devices (18 USC § 1029)
covers devices used to obtain passwords, phishing, counterfeit devices, scanning receivers, and drive-through card swipes

Identity Theft 18 USC § 1028
Texas Laws for Combating Cyber Fraud / Fraud 2.0
Breach of Computer Security Act (Tx. Penal Code § 33.02)
knowingly access a computer without effective consent of owner

Fraudulent Use or Possession of Identifying Info (TPC § 32.51)

Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)

Unlawful Access to Stored Communications (TPC § 16.04)

Identity Theft Enforcement and Protection Act (BCC § 48.001)

Consumer Protection Against Computer Spyware Act (BCC § 48.051)

Anti-Phishing Act (BCC § 48.003)
Shawn Tuma, Partner
BrittonTuma
Shops at Legacy, Plano, TX
469.635.1335
stuma@brittontuma.com
@shawnetuma
blog: shawnetuma.com
web: brittontuma.com

Shawn Tuma is a lawyer whose business and IP litigation practice is focused on cutting-edge cyber and information law and includes issues like helping businesses defend their data and intellectual property against computer fraud, data breaches, hacking, corporate espionage, and insider theft. Shawn stays active in cyber and information law communities:

Best Lawyers in Dallas -- D Magazine 2014 (Digital Information Law)
Chair, Civil Litigation & Appellate Section, Collin County Bar
College of the State Bar of Texas
Privacy and Data Security Committee, State Bar of Texas
Computer and Technology, Litigation, Intellectual Property Law, and Business Sections, State Bar of Texas
Information Security Committee, American Bar Association
Social Media Committee, American Bar Association
Cybercrime Committee, North Texas Crime Commission
International Association of Privacy Professionals

The information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation
Corporate Espionage
External Threats
Insider Threats
Blended Threats
employee planning departure to competitor
disloyal insider planted

Examples
Motorola
DuPont
Chinese Restaurant Menu
(directed theft of intellectual property)
Ready for Some Ethics?
Who knows where I am going with this?

What does lawyer ethics have to do with corporate espionage?
Ethics Opinion 384 (Sept. 1975)
Canon No. 4, Code of Professional Responsibility
Disciplinary Rule (DR) 4-101 (A) and (B)

Ethical Obligations
What about email?
2/15/14 New York Times: "Spying by N.S.A. Ally Entangled U.S. Law Firm"

Australian Signals Directorate spied on communications between Mayer Brown law firm and its client, the Indonesian government, regarding a trade dispute with the US

Offered to share info with the NSA

ABA Ethics Committee issued its Formal Opinion 11-459

"Whenever a lawyer communicates with a client by email, the lawyer must first consider whether, given the client's situation, there is a significant risk that third parties will have access to the communications. If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client."
Sun Tzu - The Art of War
"In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory."

"You can be sure of succeeding in your attacks if you attack places which are not defended."

CEO of a world-wide company

Breach impacting 110 million customers

$61 million in expenses alone

$5 million investment in cybersecurity coalition

Net earnings down 34.28%

Earnings per share down 44.60%

Non-cash losses up 487.71%

US sales down 6.60%

$400 million - $1.1 billion in possible fines

Lawsuits, other enforcement actions, who knows?

and then you learn …

Have you heard of ...
Agency Guidance on Preparation and Prevention
January '14 -- SEC indicates the new standard of care for companies may require policies for vendors:
Prevention, detection, and response to cyber attacks and data breaches,
IT training focused on security, and
Vendor access to company systems and vendor due diligence.

January '14 -- FTC's GMR Transcription Svcs case requiring businesses to follow 3 steps when contracting with 3rd party service providers:
Investigate by exercising due diligence before hiring data service providers.
Obligate their data service providers to adhere to the appropriate level of data security protections through contractual agreements with the provider.
Verify that the data service providers are adequately protecting data as required by the contractual standards.

Still Not Convinced?
18 mos.
+40
presented by
Shawn E. Tuma
www.brittontuma.com

Collin County Bench Bar Conference
Saturday, May 3, 2014 @ 11:45

#CCBBF
Adviser
Consultant
Coordinator
Attorney
Verizon's 2014 Data Breach Investigations Report
9 Patterns from 10 Years of Breaches (% = 2013 stats)
http://shawnetuma.com/2014/03/13/why-texas-businesses-need-a-guide-to-help-them-identify-and-protect-their-trade-secrets/
The Law
Obligations and Remedies Related to
Data Breaches and Cyber Espionage
$194.00
(Ponemon Institute)
18 U.S.C. § 1030
http://shawnetuma.com/ebook-computer-fraud-and-abuse-act/
Download Me!
www.CFAAdigest.com
Conclusion
all data has value

it will happen to virtually all businesses and probably has to most

you are obligated to protect your clients' data

businesses -- and law firms -- that do not prepare, prevent, and respond will face severe financial and legal consequences

cyber insurance
"A lawyer should preserve the confidences and secrets of a client."
"I always wonder if someone is listening, because you would have to be an idiot not to wonder in this day and age, . . . But I've never really thought I was being spied on." - Duane Layton
Lawyers,
Do I Have Your Attention Yet?
Ethics not doin' it for ya?
How about money?
Now you're speaking my language!
"Law firms are in the front line of cyber security threats, with hackers increasingly targeting the legal profession for a goldmine of sensitive and confidential client data firms hold."
Clients Are Watching!
This Isn't Just Fear -- It Has Already Happened
Cyber Insurance Should Be Considered
Claim Denied
Some Clients Now Have A Duty to Inquire Into Third Party's Cyber Security Practices
Do You or Your Clients Have This Digital Data for Others?
(1) first name or initial + last name
+
(2) either
(a) Social Security number,
(b) driver's license number, or
(c) other government issued identification number,
or
(3) account or card numbers + access/security codes

or

information that identifies an individual
+
concerns health condition, provision of healthcare, or payment for healthcare

Is this the kind of information a law practice would have if it did ...
family?
criminal?
traffic tickets / dui?
probates / estates?
immigration?
social security / disability?
juvenile?
malpractice?
military?
civil / business litigation?
tax?
workers' compensation?
bankruptcy?
employment?
real estate?
Wanna Talk About Derby Hats Instead?
got privilege?