Internet Lawyer Blog

Business email compromise (“BEC”) is a type of cyberattack that targets businesses and organizations by manipulating email accounts to conduct fraudulent activities. This type of attack has been on the rise in recent years, with the FBI reporting that BEC scams have cost businesses over $26 billion in losses since 2016. In this article, we will explore what business email compromise is, how it works, and what businesses can do to protect themselves from this growing threat.

What is Business Email Compromise?

BEC is a type of cyberattack that involves the use of email to trick businesses and individuals into transferring money or sensitive information to the attacker. Typically, the attacker will first gain access to a business email account, either through a phishing scam or by exploiting a vulnerability in the email system. Once they have access to the account, the attacker will use it to send fraudulent emails to other employees, customers, or vendors, often impersonating a high-level executive or trusted partner.

Artificial intelligence (“AI”) technology has been rapidly advancing in recent years, with many new and exciting applications emerging in various fields. However, the use of AI also raises important legal questions and challenges. In this article, we will explore some of the key legal implications and challenges associated with AI technology.

Intellectual Property

One of the most significant legal implications is in the area of intellectual property. AI technology can be used to generate creative works, such as music, art, and writing, which raises questions about who owns the copyright to these works. In some cases, the copyright may belong to the person or organization that created the AI system, while in other cases, the copyright may belong to the person or organization that provided the data or training that the AI system used to generate the work.

Artificial intelligence technology is growing in an exponential speed. It is arguable that it has great potentials but there could be a downside. Nevertheless, the private and public sectors are looking to maximize their profits by using this new and emerging technology.

What is Google Bard?

Google’s Bard is a generative artificial intelligence chatbot that is powered by LaMDA. It gets its geeky name based on the search engine giant’s marketing strategies. This platform is able to accept prompts and conduct text-based tasks such as giving answers to questions or creating content. It can summarize information that can be found on the internet and provide links to explore websites with additional information.

Artificial intelligence is here and will continue to grow across various industries. This type of technology allows intelligent machines to think like humans and take over human-like tasks. The fact that intelligent machines can conduct human-like tasks such as answer phone calls, quickly analyze complex information, drive vehicles, or fly airplanes – is a remarkable phenomenon.

What is ChatGPT?

Wikipedia has described ChatGPT (a/k/a “Chat Generative Pre-trained Transformer”) as an artificial-intelligence chatbot developed by OpenAI which was launched last year. It is built on top of OpenAI’s GPT-3.5 and GPT-4 families of large language models and has been fine-tuned using both supervised and reinforcement learning techniques. This technology allows having natural conversations with users. So, in other words, it’s an intelligent chatbot that can assist with automating chat tasks. It can answer questions and assist the user with writing emails, essays, and software programs. It’s the fastest growing application of all time according to analysts since it had 100 million active users two months after being launched.  The application can be accessed by visiting chat.openai.com where users can create their accounts. Then, once you create the account, you can start your conversation and ask questions.

The Computer Fraud and Abuse Act (“CFAA”) amends the federal criminal code to change the scienter requirement from “knowingly” to “intentionally” for certain offenses regarding accessing the computer files of another. It revises the definition of “financial institution” to which the financial record provisions of computer fraud law apply. It applies such provisions to any financial records, including, but not limited to, those of corporations and small businesses, not just those of individuals and certain partnerships. It modifies existing federal law regarding accessing federal computers. It makes the basic offense trespass. The federal statute removes criminal liability for exceeding without the intent to defraud authorized access to a federal computer in one’s own department or agency. This law creates new federal criminal offenses of: (1) property theft by computer occurring as part of a scheme to defraud; (2) altering, damaging, or destroying information in, or preventing the authorized use of, a federal interest computer; and (3) trafficking in computer access passwords. It eliminates the special conspiracy provisions for computer crimes. These conspiracies shall be treated under the general federal conspiracy statutes. It amends penalty provisions to remove the cap on fines for certain computer crimes. Finally, it exempts authorized law enforcement or intelligence activities.

Whoever (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains:

Ireland’s Data Protection Commission (“DPC”) has reached its final decision related to Meta Platforms Ireland Limited (“MPIL”) which is Facebook’s data controller in that country. The DPC announced last month that it will be imposing a fine of €265 million against the company and will issue a set of corrective measures.

The investigation was instigated last year based on reports of published personal data on the internet that Facebook controlled and managed. In fact, there was a report of a data leak involving the personal information of 533 million users around the world. The investigation started by examining and assessing Facebook’s search, messenger contact importer, and Instagram contact importer tools. The main issue was whether Facebook complied with the GDPR obligation for data protection by design and default. Therefore, the investigating body – i.e., DPC – examined the technical and organizational measures under Article 25 of the GDPR and determined that MPIL had infringed Articles 25(1) and 25(2) of the GDPR and imposed a reprimand and order compelling the company to remedy the issues within certain deadlines.

Articles 25, and its subparts, were drafted to address data protection by design and default. These articles state as follows:

The Cybersecurity and Infrastructure Security Agency (“CISA”) released the second version of its cloud security Technical Reference Architecture (“TRA”) several months ago. CISA is the country’s cyber defense agency that works with other interagency partners to improve cybersecurity. The purpose of the TRA is to outline the suggested approaches to data protection or cloud migration. The federal government is slowly transitioning to the cloud and the reference architecture is designed to provide guidance. The TRA also explains the considerations for shared services, cloud security posture management, and cloud migration.

It’s important to know how to securely migrate information to the cloud. There are important considerations when transferring information from one database to another one. Data migration can be a multi-faceted process that requires information evaluation. In other words, the information that is being transferred should be categorized based on its sensitivity – e.g., non-confidential, confidential, highly confidential. In that way, the data migration team can implement the necessary safeguards.

President Joseph Biden recently issued Executive Order 14028 called “Improving the Nation’s Cybersecurity” in an effort to support cybersecurity and safeguard critical infrastructures. The key points of the executive order are as follows: