Articles Posted in Cybersecurity

The Cybersecurity and Infrastructure Security Agency (“CISA”) released the second version of its cloud security Technical Reference Architecture (“TRA”) several months ago. CISA is the country’s cyber defense agency that works with other interagency partners to improve cybersecurity. The purpose of the TRA is to outline the suggested approaches to data protection or cloud migration. The federal government is slowly transitioning to the cloud and the reference architecture is designed to provide guidance. The TRA also explains the considerations for shared services, cloud security posture management, and cloud migration.

It’s important to know how to securely migrate information to the cloud. There are important considerations when transferring information from one database to another one. Data migration can be a multi-faceted process that requires information evaluation. In other words, the information that is being transferred should be categorized based on its sensitivity – e.g., non-confidential, confidential, highly confidential. In that way, the data migration team can implement the necessary safeguards.

President Joseph Biden recently issued Executive Order 14028 called “Improving the Nation’s Cybersecurity” in an effort to support cybersecurity and safeguard critical infrastructures. The key points of the executive order are as follows:

It’s a crime when you use interstate wire communications (e.g., phone, radio, television, internet) to engage in a scheme to defraud or to obtain money by false pretenses. Wire fraud is one type of cybercrime that takes place by using technology. In most cases, the culprit uses some kind of software or hardware technology to inject him or herself into the private computer network of a third party such as an escrow/title company or financial institution. The culprit spies on the third party’s internal communications to gain access to confidential information such as bank wire instructions.

Wire fraud is similar to mail fraud except that it requires the communications to be transmitted by wire rather than conventional mail. Generally, the plaintiff must prove the existence of a fraudulent scheme, usage of wire, radio, television, or internet communications to further that scheme, and intent to commit fraud. The culprit commits the wire fraud by deceiving the victim into thinking that he or she is dealing with a legitimate party. For example, the culprit intervenes in a pending real estate transaction by using a fake email account and sends a message to instruct the victim into transferring the funds to another bank account. The victim, who has been dealing with multiple individuals (e.g., real estate agent, broker) legitimately believes that he is sending the money to the right financial institution. However, unbeknownst to the victim, the culprit’s fraudulent scheme is intended to send the funds to a different bank or financial institution.

These situations are extremely time sensitive and complicated because the victims have a limited time to determine the facts – i.e., who, what, when, where, and how the wire fraud was committed without their authorization. The victims will need to contact law enforcement agencies and a qualified lawyer who know the intricacies of these matters. The government agencies usually collaborate with the victim’s lawyer to locate and identify the culprits. These government agencies include, but are not limited to, the local police, Federal Bureau of Investigation, United States Secret Service, or United States Treasury Department. Nonetheless, a tremendous amount of time and resources are necessary to initiate and finalize the investigations.

Wire fraud can be considered a white-collar crime. The government usually relies on the wire fraud statute if other types of criminal statutes such as healthcare fraud or bank fraud would not be applicable.

There are several prima facie elements for wire fraud as we have discussed in previous articles. These elements must be satisfied before charging the defendant with the specific crime. These elements include the scheme to defraud, the scheme involving false material representations, the intent to defraud, and wire transmission in interstate or foreign commerce.

Wire fraud can be investigated by law enforcement agencies, including, but not limited to, the Federal Bureau of Investigation, United States Secret Service, or Internal Revenue Service. The United States Secret Service has been involved in financial and cybercrime investigations for a long duration. It also participates in other investigations such as counterfeit and cryptocurrency fraud investigations. These federal government agencies may team up with local or state government agencies if necessary.

A person can be prosecuted for wire fraud when there is reliable evidence of a scheme to defraud another by using electronic communications such as wire, radio or television. The defendant must be part of a fraudulent scheme and have a specific intent to commit the fraud. In some cases, it could be enough if the defendant fails to disclose material facts to mislead the plaintiff – i.e., the culprit deceives his or her victim. The defendant may be guilty for wire fraud if he or she shows a reckless indifference through his actions.

For example, the defendant may use wire, radio, or television communication to commit the fraudulent scheme be emailing false or misleading bank statements to clients or investors. Historically, these types of violations include telemarketing fraud or internet scams (e.g., phishing). There have been cases where the culprits hack into the plaintiff’s computer and install keyloggers to track their electronic transactions. Then, they extract personal information that would allow them to log into their bank accounts. Or, they can hack into the escrow company’s network to intercept financial information (e.g., bank account number) that allows them to send false wire instructions. So, thereafter, the hackers provide the false wire instructions to the victim who believes he or she is sending the funds to the correct financial institution.

There have been other instances where the defendant’s action constitutes mail or security fraud. Mail fraud is committed when the defendant uses the mail to commit the fraudulent scheme. Security fraud is committed when the defendant engages in a fraudulent scheme for the sale or purchase of securities which is a violation of state and federal laws. Internet fraud is also referred to as “cybercrime” and may include actions that fall under the definition of hacking or phishing schemes to extract private or confidential information. So, in a nutshell, the culprit uses the internet to lure the victim into believing a false fact. Then, once the victim relinquishes access or discloses the private or confidential information, the culprit uses that information to commit a crime such as identity theft. Also, in other cases, the defendant may be prosecuted for real estate fraud when he or she gains unlawful access to the escrow or title company’s network infrastructure. These types of real estate fraudulent schemes are relatively sophisticated and require the rights tools and resources. The stolen funds are usually sent to another bank account that could be located in another state or country. Obviously, the victims will feel helpless when they face these situations and will reach out to government agencies for assistance. In most cases, the victims should also seek assistance from a private law firm that specializes in these matters.

The United States Department of Commerce has issued a declaration regarding global cross-border privacy rules. These privacy rules are designed to promote data flows with privacy protections. The participants (which include Canada, Japan, Republic of Korea, Philippines, Singapore, Chinese Taipei, and United States of America) have declared that: (1) the establishment of a Global CBPR Forum to promote interoperability and help bridge different regulatory approaches to data protection and privacy; (2) The objectives of the Global CBPR Forum are to: (a) establish an international certification system based on the APEC Cross Border Privacy Rules and Privacy Recognition for Processors Systems; (b) support the free flow of data and effective data protection and privacy through promotion of the Global CBPR and PRP Systems; (c) provide a forum for information exchange and cooperation on matters related to the Global CBPR and PRP Systems; (d) periodically review data protection and privacy standards of members to ensure Global CBPR and PRP program requirements align with best practices; and (e) promote interoperability with other data protection and privacy frameworks.

The Global CBPR Forum is expected to promote expansion and uptake of the Global CBPR and PRP Systems globally to facilitate data protection and free flow of data. It is expected to disseminate best practices for data protection and privacy and interoperability. In addition, it is expected to pursue interoperability with other data protection and privacy frameworks.

The Global CBPR Forum is supposed to facilitate trade and international data flows. It is created to promote global cooperation and to promote protection of data privacy. The forum plans to establish an international certification system based on the existing APEC Cross-Border Privacy Rules and Privacy Recognition for Processors Systems. Cooperation is intended to be based on the principle of mutual benefit and a commitment to open dialogue and consensus-building, with equal respect for the views of all members. It is supposed to be based on consultation and exchange of views among representatives of members, drawing upon research, analysis and policy ideas contributed by members. It is also intended to be based on the active multi-stakeholder participation in appropriate activities.

Cyberstalking takes place when the culprit uses information and communication technologies to initiate the violations. These actions may include harassment, annoyance, attacks, or threats against the victims. The culprits can start the attacks by emails, instant messages, calling, texting, or other communication methods. There have been cases where the culprit has installed a GPS tracking device on the victim’s vehicle or personal belongings. Also, there have been cases where the victim’s computer was hacked with malware so the culprit monitored electronic devices.

We have been able to trace “stalkerware” which is a type of spyware on the victim’s electronic devices. The stalkerware was used to collect and transfer information regarding the victim’s activities. These types of spyware can be used to remotely turn on or off cameras and microphones on the victim’s electronic devices.

Cyberharassment takes place when information and communication technologies are used to intentionally humiliate, annoy, attack, threaten, or abuse the victim for no legitimate purpose. There have been cases where the victim was being targeted by a group of known or unknown individuals on the internet. These so-called “internet trolls” work together to engage in highly offensive and inflammatory comments against their victims. Their systematic actions are designed to provoke the victim to the point where they suffer from severe emotional distress. These actions can be initiated on any website but have become prevalent on Reddit.

In general, there are four categories of identity theft. First, “financial identity theft” takes place when the adverse party uses the victim’s identity to gain access to funds, goods, or services. The adverse party may use the victim’s information to open a bank account, get a debit or credit card, seek a mortgage loan, or purchase a car by obtaining a loan under the victim’s name. Second, “criminal identity theft” takes place when the adverse party acts as the victim to engage in criminal activity. Third, “identity cloning” takes place when the adverse party assumes the victim’s identity in his/her daily life. So, in other words, the adverse party will gain access to the victim’s driver’s license, birth certificate, passport, or other identifying information. Fourth, “business or commercial identity theft” takes place when the adverse party uses another commercial organization’s name to procure credit, money, goods, or services.

Identity theft usually takes place when the adverse party gains access to some type of personal information such as credit card information, social security card, or bank account number. This information can be obtained through clandestine methods such as bribing someone who works at the human resources department. This information can also be obtained by stealing mail such as preapproved credit card forms. The personal information can be obtained by gaining unauthorized access to the victim’s electronic devices – i.e., hacking. Finally, the personal information may be obtained through gaining unauthorized access to a state or federal government agency’s database.

The government prosecutes identity theft and fraud pursuant to state or federal laws. For example, Congress passed the Identity Theft and Assumption Deterrence Act which prohibits “knowingly transferring or using, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.” See 18 U.S.C. § 1028(a)(7). This offense carries a maximum term of 15 years’ imprisonment, a fine, and criminal forfeiture of any personal property used or intended to be used to commit the offense.

It’s important to implement practical corporate cybersecurity measures especially in today’s volatile climate. The number of reported cyber threats are increasing as we progress and it will most likely continue on the same trajectory. All businesses and commercial enterprises are a target especially if they have access or control over valuable information such as trade secrets and intellectual properties.

The common tools or methods of infiltrating the corporation’s cybersecurity infrastructure is by using some form of malicious software (i.e., malware) that’s designed to penetrate the network and cause havoc. Malware includes viruses and ransomware. The hackers can also use other methods to infiltrate the system such as “phishing” which is usually done by sending an email to encourage the recipient to click on the link. Now, once the recipient clicks on the link or opens the attachment, the malicious software is released into the network.

It’s important to have a dedicated team of information technology experts who can evaluate the network and improve the cybersecurity measures. They can use all sorts of tools and techniques (e.g., penetration testing) to evaluate the strengths and weaknesses of the network infrastructure. It is crucial to have a “cybersecurity planning tool” to assist the company with building a robust cybersecurity strategy. There are various governmental tools and resources that the company can use to achieve this goal.

Electronic data has been growing in size and proportion for several decades. The sheer amount of electronic files (e.g., emails, pictures, videos) has consumed local and remote databases. The cloud storage facilities have been put together to hold this information for us. Cloud storage facilities have certain obligations towards their customers which include secure storage of electronic files by using industry-approved protocols. The rules for proper storage should not change based on the particular industry. In fact, the cloud storage facilities are supposed to use similar protection measures for all electronic files – e.g., encryption – to ensure safety.

Encryption is a tool or resource that allows the files to be scrambled and hidden from plain sight. The encrypted data is called “ciphertext” which can only be decrypted with the right key. There are two types of encryption. First, is symmetric encryption. Second, is asymmetric encryption. Symmetric encryption uses one key for encryption and decryption. Asymmetric encryption uses two different keys for encryption and decryption – i.e., the private and public key. The public key can be shared with the general public but the private key remains a secret and is only accessible by the right individual. There are various encryption technologies such as AES, Triple DES, RSA, and Blowfish.

Electronic data retention includes collecting, storing, and managing information. Private and public organizations should have the right rules and regulations that help define how electronic information should be located, identified, and stored. There are government regulations, international standards, industry regulations and internal policies. Government regulations are set by state or federal governmental agencies such as the Federal Trade Commission and Internal Revenue Service. International standards are set by the International Organization for Standardization like ISO/IEC 27040, IS 9001, ISO 17068:2017. Industry regulations include the GDPR, PCI-DSS, and CCPA. Finally, internal policies include data version controls and employee record retention.

Data disposal is a key process in a legal entity’s policies and procedures for managing personal and confidential information. In general, private and public entities store data on their servers. This information may include financial and health information which should not fall into the wrong hands. So, there must be a proper procedure for destroying and disposing that information by using industry approved methods.

The Federal Trade Commission has implemented a data disposal rule in relation to consumer reports and records to prevent unauthorized access to or use of that information. In California, several statutes have been promulgated to address this issue. For example, California Civil Code Sections 1798.81, 1798.81.5, and 1798.84 are applicable. In fact, Civil Code 1798.81 states as follows: “A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.” Therefore, there are standards to follow and implement to avoid unnecessary complications. The state legislature has encouraged the implementation of “reasonable security” for personal information under Civil Code 1798.81.5. Also, Civil Code 1798.84 outlines the legal remedies which include initiating a civil action.

The proper retention of emails is paramount especially if the electronic messages include private, confidential or proprietary information. For example, “email archiving” is one method to retain electronic messages especially if there is the possibility of litigation. The emails should be backed up in a searchable format for practical reasons. Electronic discovery allows the parties to request and obtain electronic documents during litigation. In most cases, the electronic discovery process is time consuming and complicated especially because there is a large volume of data involved in the lawsuit. Also, more importantly, the failure to comply with electronic discovery requests may result in sanctions.