Cyber Fraud, Data Breaches, Corporate Espionage: Their Impact on Your Law Practice
Transcript of Cyber Fraud, Data Breaches, Corporate Espionage: Their Impact on Your Law Practice
Appreciating the Cyber Security Risk
Respond - Defensively
Respond - Offensively
Shawn E. Tuma
How They Impact Your Law Practice
Data is the currency of the 21st Century
Everybody wants it
Google, Facebook, $.99 Apps ... seriously?
Big Data, Reward Cards, Surveys, etc.
9 Patterns of Data Breaches
35% = web application attacks
22% = cyber-espionage
14% = point of sale intrusions
9% = card skimmers
8% = insider misuse
4% = crimeware
2% = miscellaneous errors
<1% = denial of service attacks
<1% = physical theft / loss
The "Dark Net"
The black market of the Internet
what can you find for sale?
military weapons - the real ones like army tanks and rocket launchers
fake identification documents
prostitution and gambling
How does the Dark Net work
for stolen data?
The Dark Net runs over the "Tor network", which conceals identity (i.e., IP addresses), and uses anonymous transfers of money
Stolen data is packaged in bulk and sold in a single "dump" without knowing what it is or how valuable it may be
Bulk sales mean all data has some value
What does this mean for your clients -- and YOU?
Who is doing this?
State Sponsored Organizations
China, Russia, Iran
"Cause" Hacking groups (Anonymous, LulzSec)
Individuals (e.g., kids in their parents' basements)
How do they make money from it?
YOUR DATA HAS VALUE!
CEOs surveyed say their company experiences cyber attacks hourly or daily
It is not a matter of if,
General Data Breach Laws and Rules
International laws vary
No Federal general breach notification law (yet)
Notification Required Following Breach of Security of Computerized Data (Tex. Bus. & Com. Code § 521.053)
47 States have general breach notification laws
Massachusetts is an oddball
Agency Rules and Regulations
Industry standards (FINRA, PCI, Merchant Bank)
Texas' Notification Required Following Breach of Security of Computerized Data
"Sensitive Personal Information" (SPI) means:
(1) first name or first initial and last name, in combination with one or more of:
(a) Social Security number
(b) driver's license number, or
(c) other government issued identification number, or
(d) account or card numbers
or
(2) information that identifies an individual and concerns health condition, provision of healthcare, or payment for healthcare
A compromise of computerized data that is SPI is a "breach of system security" and requires notification to all consumer data subjects
"breach" means taking, accessing, or compromising the confidentiality or integrity of the data
The notification must be given to all individual data subjects
Penalty is up to $100.00 per individual per day for the delayed time, but not to exceed a statutory cap for a single breach
If the SPI is encrypted there is no breach unless the person breaching also obtained the decryption key
Responding to a Breach
(follow the Breach Response Plan)
Contact attorney (privilege)
Assemble the Response Team
Contact Merchant Bank (if payment card)
Contact notification vendor
Remediate responsible vulnerabilities
Reporting and notification
Individuals, AGs, Sec. of HHS, agencies, indust. groups, credit reporting
"An ounce of prevention is cheaper than the first day of litigation [or reporting to individuals, the AGs, the media, SEC, HHS, DOL, FTC ...]" -
Cost of Data Breach in 2013
$194.00 per lost record
$194.00 x "X" = $$$$$$$
"an ounce of prevention ... "
Computer Fraud and Abuse Act
Primary law for misuse of computers
"computer" is anything that
has a processor, or
"protected computer" = connected to Internet
"Everything has a computer in it nowadays." - Steve Jobs
CFAA prohibits "access" to a protected computer that is
without authorization, or
exceeds authorized access
when person accessing
commits a fraud
obtains something of value
transmits damaging information
traffics in passwords
originally a criminal statute
concurrent federal / state jurisdiction
3 interpretations of "access"
Intended-Use Theory (policies / notice = vital)
Strict Access Theory
limited civil remedy
more civil than criminal
used in virtually every insider trade secrets case
Other Federal Laws for Combating Fraud 2.0
Economic Espionage Act (18 USC § 1831)
Electronic Communications Privacy Act (18 USC § 2510)
Wiretap Act (in transit)
Stored Communications Act (at rest)
Fraud with Access Devices 18 USC § 1029
devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive through swipe cards
Identity Theft 18 USC § 1028
Texas Laws for Combating Cyber Fraud / Fraud 2.0
Breach of Computer Security Act (Tx. Penal Code § 33.02)
knowingly access a computer without effective consent of owner
Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)
Unlawful Access to Stored Communications (TPC § 16.04)
Identity Theft Enforcement and Protection Act (BCC § 48.001)
Consumer Protection Against Computer Spyware Act (BCC § 48.051)
Anti-Phishing Act (BCC § 48.003)
Shawn Tuma, Partner
Shops at Legacy, Plano, TX
Shawn Tuma is a lawyer whose business and IP litigation practice is focused on cutting-edge cyber and information law and includes issues like helping businesses defend their data and intellectual property against computer fraud, data breaches, hacking, corporate espionage, and insider theft. Shawn stays active in cyber and information law communities:
Best Lawyers in Dallas -- D Magazine 2014 (Digital Information Law)
Chair, Civil Litigation & Appellate Section, Collin County Bar
College of the State Bar of Texas
Privacy and Data Security Committee, State Bar of Texas
Computer and Technology, Litigation, Intellectual Property Law, and Business Sections, State Bar of Texas
Information Security Committee, American Bar Association
Social Media Committee, American Bar Association
Cybercrime Committee, North Texas Crime Commission
International Association of Privacy Professionals
The information provided is for educational purposes only, does not constitute legal advice, and no attorney-client relationship is created by this presentation
employee planning departure to competitor
disloyal insider planted
Chinese Restaurant Menu
(directed theft of intellectual property)
Ready for Some Ethics?
Who knows where I am going with this?
What does lawyer ethics have to do with corporate espionage?
Ethics Opinion 384 (Sept. 1975)
Canon No. 4, Code of Professional Responsibility
Disciplinary Rule (DR) 4-101 (A) and (B)
What about email?
2/15/14 New York Times: "Spying by N.S.A. Ally Entangled U.S. Law Firm"
Australian Signals Directorate spied on communications between Mayer Brown law firm and its client, the Indonesian government, regarding a trade dispute with the US
Offered to share info with the NSA
ABA Ethics Committee issued its Formal Opinion 11-459
"Whenever a lawyer communicates with a client by email, the lawyer must first consider whether, given the client's situation, there is a significant risk that third parties will have access to the communications. If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client."
Sun Tzu - The Art of War
“In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.”
“You can be sure of succeeding in your attacks if you attack places which are
CEO of a world-wide company
Breach impacting 110 million customers
$61 million in expenses alone
$5 million investment in cybersecurity coalition
Net earnings down 34.28%
Earnings per share down 44.60%
Non-cash losses up 487.71%
US sales down 6.60%
$400 million - $1.1 billion in possible fines
Lawsuits, other enforcement actions, who knows?
and then you learn …
Have you heard of ...
Agency Guidance on Preparation and Prevention
-- SEC indicates the new standard of care for companies may require
to cyber attacks and data breaches,
IT training focused on security, and
Vendor access to company systems and vendor due diligence.
GMR Transcription Services
case requiring businesses to follow 3 steps when dealing with 3rd party service providers:
(1) exercise due diligence before hiring data service providers;
(2) require their data service providers to adhere to the appropriate level of data security protections through contractual agreements with the provider; and
(3) verify that the data service providers are adequately protecting data as required by the contractual standards.
Still Not Convinced?
Shawn E. Tuma
Collin County Bench Bar Conference
Saturday, May 3, 2014 @ 11:45
Verizon's 2014 Data Breach Investigations Report
9 Patterns from 10 Years of Breaches (% = 2013 stats)
Obligations and Remedies Related to
Data Breaches and Cyber Espionage
18 U.S.C. § 1030
all data has value
it will happen to virtually all businesses and probably has to most
you are obligated to protect your clients' data
businesses -- and law firms -- that do not prepare, prevent, and respond will face severe financial and legal consequences
"A lawyer should preserve the confidences and secrets of a client."
"I always wonder if someone is listening, because you would have to be an idiot not to wonder in this day and age, . . . But I've never really thought I was being spied on." - Duane Layton
Do I Have Your Attention Yet?
Ethics not doin' it for ya?
How about money?
Now you're speaking my language!
"Law firms are in the front line of cyber security threats, with hackers increasingly targeting the legal profession for a goldmine of sensitive and confidential client data firms hold."
Clients Are Watching!
This Isn't Just Fear -- It Has Already Happened
Cyber Insurance Should Be Considered
Some Clients Now Have A Duty to Inquire Into Third Party's Cyber Security Practices
Do You or Your Clients Have This Digital Data for Others?
(1) first name or first initial and last name, in combination with one or more of:
(a) Social Security number
(b) driver's license number, or
(c) other government issued identification number, or
(d) account or card numbers
or
(2) information that identifies an individual and concerns health condition, provision of healthcare, or payment for healthcare
Is this the kind of information a law practice would have if it did ...
traffic tickets / dui?
probates / estates?
social security / disability?
civil / business litigation?
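The SPI test from the Texas statute slide and from the list just above, applied as a breach-triage rule over the fields an intruder could read, including the encryption exception (encrypted SPI is not a breach unless the decryption key was also taken). This is an added example, not code from the presentation; the field names, the record structure and the sample records are constructed for illustration and are not the statute's own terms.

```python
# Added example, not code from the presentation: a triage rule that applies
# the Texas "Sensitive Personal Information" test to the fields an intruder
# could read, including the encryption exception (encrypted SPI is not a
# breach unless the decryption key was also taken). Field names and the
# sample records below are constructed for illustration; they are not the
# statute's own terms.
from dataclasses import dataclass

# Prong (1): name plus at least one of these identifiers.
IDENTIFIER_FIELDS = {
    "ssn", "drivers_license", "government_id", "account_number", "card_number",
}
# Prong (2): information about an identified individual concerning health.
HEALTH_FIELDS = {"health_condition", "healthcare_provided", "healthcare_payment"}


@dataclass
class CompromisedRecord:
    subject: str                   # who the record is about (a constructed label)
    fields: frozenset              # field names the intruder could read
    encrypted: bool = False        # was the SPI stored encrypted?
    key_compromised: bool = False  # did the intruder also obtain the key?


def is_spi(fields):
    """Two-prong SPI test on a set of exposed field names."""
    fields = set(fields)
    has_name = "name" in fields
    has_identifier = bool(fields & IDENTIFIER_FIELDS)
    # Prong (1): name in combination with an identifier.
    prong_1 = has_name and has_identifier
    # Prong (2): health information about an identifiable individual
    # (an SSN or account number identifies the person even without a name).
    prong_2 = (has_name or has_identifier) and bool(fields & HEALTH_FIELDS)
    return prong_1 or prong_2


def is_breach(record):
    """SPI exposure is a breach unless it was encrypted and the key stayed safe."""
    if not is_spi(record.fields):
        return False
    return (not record.encrypted) or record.key_compromised


def subjects_to_notify(records):
    """Every individual whose record meets the breach test must be notified."""
    return sorted({r.subject for r in records if is_breach(r)})


# Constructed sample: a small law-office matter database after an intrusion.
SAMPLE_RECORDS = [
    CompromisedRecord("client-1", frozenset({"name", "ssn"})),
    CompromisedRecord("client-2", frozenset({"name", "ssn"}), encrypted=True),
    CompromisedRecord("client-3", frozenset({"name", "ssn"}), encrypted=True,
                      key_compromised=True),
    CompromisedRecord("client-4", frozenset({"ssn"})),            # identifier, no name
    CompromisedRecord("client-5", frozenset({"name", "health_condition"})),
    CompromisedRecord("client-6", frozenset({"name", "phone"})),  # name alone is not SPI
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        verdict = "breach" if is_breach(r) else "no notification"
        print(r.subject, verdict, sorted(r.fields))
    print("notify:", subjects_to_notify(SAMPLE_RECORDS))
```

Running the sample flags client-1, client-3 and client-5: the plaintext name-plus-SSN record, the encrypted one whose key was also taken, and the health record. The encrypted record with an intact key and the SSN without a name fall outside the test, which is exactly why key custody and the name-plus-identifier combination matter when scoping who must be notified.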
Wanna Talk About Derby Hats Instead?