Legal Lessons from PATCO Fraud Case
Attorney Reviews Pitfalls of Regulatory Minutia
PATCO Construction's legal triumph in its dispute with People's United Bank over fraudulent wire transfers proves why banking institutions that continue to rely on check-box compliance for assurance of security are setting themselves up for failure, says cybersecurity attorney Joseph Burton, a managing partner at law firm Duane Morris.
"If there's one thing the PATCO case told us, it's that it's not just enough to take a regulation, read it and say that you fulfill the letter of the regulation," says Burton in an interview with Information Security Media Group [transcript below] conducted just before RSA Conference 2013.
In fact, Burton says the PATCO ACH fraud case shows that being in compliance doesn't mean security is being adequately addressed, especially where ACH and wire transactions are concerned. "That's not enough to deal with the nature of the problem that the banking industry is facing right now," he says.
"It's not technical," Burton says. "It's a matter of implementing measures in a way which provide effective security."
Burton says where most banks trip in their security and regulatory compliance strategies is in their application of defenses. "It's a business question as to whether or not banks are going to take responsibility for these things and implement procedures that will lessen the risk," he says.
During this interview, Burton discusses:
- How the information security concerns banking institutions face also affect a number of other industries;
- The privacy and legal considerations attorneys must consider when data breaches occur; and
- Why banking institutions, and other industries, have to stop focusing so much on compliance.
Burton, managing partner of the San Francisco office for law firm Duane Morris LLP, is a nationally recognized expert in information security law, with an emphasis on cybercrime and cybersecurity. He is a former assistant U.S. attorney for the Northern District of California, where he handled the first prosecution in the U.S. for criminal copyright infringement of computer code.
RSA Panels
TRACY KITTEN: What can you tell us about the three panels you'll be sitting on and the topics that you expect to explore during RSA?
JOSEPH BURTON: One of the hot topics of the last year, and into this year, is the continuing question of the liability either banking institutions or businesses face when fraud is perpetrated on an account. There has been a little movement since we talked about it last year, and I think that's going to be a very interesting issue.
Another issue that's starting to really seep into the consciousness a little bit more has to do with the legal responsibilities imposed by the ABA [American Bar Association] with respect to how attorneys deal with technical issues. That's something that I think is more and more on the minds of attorneys and we're starting to really address what needs to be done and what responsibilities we have as attorneys to deal with these issues.
It's going to be a very interesting discussion for lawyers and also for non-lawyers. The one thing about RSA is that you have that integration between the technical community and the legal community, and the two communities really do need to communicate in order for us to go forward.
Emerging Regulations, Compliance Mandates
KITTEN: What specific industries will be mentioned during the discussion about emerging regulations and compliance mandates affecting information security?
BURTON: The banking industry and the healthcare industry. There has been significant activity in healthcare since the release of the new HIPAA regulations. Those two have really shown the greatest movement and probably need to have the most discussion. Banking and healthcare are very important industries - important to the economy of the United States and the health of the nation.
KITTEN: Are there any topics that you think stand out, where regulatory mandates or compliance issues are concerned?
BURTON: There's an issue sometimes of too much emphasis on regulatory mandates, or the minutia of some of the regulations. And if there's one thing that I believe the PATCO case taught us, it's that it's not just enough to take a regulation, read it and say that you fulfill the letter of the regulation. If the implementation of the requirements of the regulation is lax or lacking, that's an important issue that needs to be addressed. Sometimes we focus too much on compliance. It's the old thing that compliance is not security; and right now, particularly in the banking industry, there's this real notion of, "If I can go down the checklist of regulations or requirements, and if I say that I have them, that's going to be enough." But that's not enough to deal with the nature of the problem that the banking industry is facing right now.
Technology Management
KITTEN: What can you tell us about the discussion on techno-ethics, related to technology management and client-facing activities?
BURTON: The discussion there will address what effect the ABA rules - specifically rule 1.1 and rule 1.6 - will have on an attorney's responsibility to protect the confidentiality of client information. How do attorneys go about doing that? How do law firms, not just individual attorneys, go about doing that? What's the extent of their requirement to do so? What you're starting to see is a number of states having their own rules related to the confidentiality question, so what should attorneys do with that? Are attorneys allowed to use Dropbox, for example? Is that a good idea or is that a bad idea? Is it an idea that's inconsistent with the ABA rules, with respect to confidentiality? Is encryption necessary? And under what circumstance is encryption necessary? How do you do it and what's sufficient encryption?
The cloud is obviously a major issue in computing now. What responsibilities do attorneys have for their clients' information in the cloud, and how do they go about safeguarding it?
Those are all issues that are coming to the fore and will be front and center throughout 2013 and 2014.
KITTEN: Do you think that some of the legal concerns related to technology as it's used across various industries will be addressed as well?
BURTON: Yes, to the extent that they have a legal interface, they're going to be addressed. By that I mean, in any instance in which attorneys are involved in interfacing with their clients and various industries, the attorney's responsibility for handling that client information is going to be an issue and one that needs to be discussed. I would say that I don't know that the responsibilities will be different or will vary from industry to industry. I think the attorney responsibility is across industries, and that's the perspective from which it ought to be viewed.
Now there could be circumstances that could be special circumstances, where a particular industry has a nuance or greater need for client confidentiality, and those would have to be addressed. But I think, in general, the principles apply across industries pretty much in the same way.
PATCO Case
KITTEN: The discussion that you'll have with BankInfoSecurity will address legal obligations related to incidents of ACH and wire fraud. Is this discussion of interest to other industries?
BURTON: I think it would be, from the standpoint that compliance is not security; the important issue is figuring out how to implement security measures. It's not technical. It's a matter of implementing measures in a way that provides effective security. In the legal setting, you're going to have to have that in order to have a defense, or you're going to be found liable. That principle is one that applies across industries.
Moreover, one thing about the PATCO case is that it's a case that addressed one of the key issues left open with respect to liability for actions on the Internet. And that's the question of: "What sort of duty or responsibility do users and consumers of information across the Internet have to each other?" What constitutes sufficient damages in order to rise to the level to make a cognizable legal action? If you look across time, there still are very few civil cases that have been brought and have gotten past summary judgment, or some sort of motion to dismiss, and gotten to the point of an actual trial with damages. I'm talking about cases involving some allegation of the misuse of the Internet - of a data breach or a loss of information. There are very, very few cases that have gone all the way through, and in most of the cases, they have died on the question of whether or not there was a duty owed to one of the other parties, and whether or not there were damages shown.
This, by the way, was an issue that came up in recent federal legislation. But this issue is unresolved, and that's one of the reasons that you see very few cases that are successful. There are cases that are often settled; very few go to the jury, where there's a jury finding and there's a payment. That's an issue that the PATCO case raised, discussed to some degree, and is applicable to other cases.
One other thing along that line, and one of the most interesting things about the PATCO case, was the question of whether or not the business had a responsibility, with respect to its security. And, if so, what is the relationship between that business's duty and the duty of the bank to provide security? When the case went back to the lower court, I was at least hoping there would be an opportunity to explore that issue, since the case settled after it went back to the lower court. We've never had any further elucidation of that issue. But I think it's out there, and it's ripe for discussion and presentation in a range of cases involving data loss, information loss.
Account Takeover: Legal Perspectives
KITTEN: We've talked about account takeover incidents so much over the last three years. What more do you think needs to be explored, from a technical and legal perspective?
BURTON: It's sometimes too focused on the technical aspect. I'm one to say that I think that this is not a technical problem. There are methodologies to diminish the incidents of account takeover. But I think there are also methodologies which would allow for the reaction, the identification of circumstances, in which account takeover may be occurring, and to take action in response to that. I don't think that it needs to be a legal question, and I don't think it needs to be a technical question. The technical means are there. It's a matter of application. It's a business question as to whether or not banks are going to take responsibility for these things and implement procedures that will lessen the risk.
One of the European banking authorities took the approach to say banks ought to assume their customers' computers are infected and to proceed from that premise, which is interesting, if you think about it. It says, "If I assume that there's malware sitting on my customers' computers, what do I do in order to lessen the chance that there's going to be an account takeover? How do I identify when that may be happening? What do I do when I think it may be happening, in order to protect myself and to protect the customer?" More thinking along that line has to go on if we're going to really get to the heart of the problem. But it's very easy to try to make this a legal question about liability. The legal arena should be the last place we go, not the starting place, for figuring out what we ought to do.
Both sides have to assume responsibility and they're obviously going to do that. But we're really having, in my mind, a wrong discussion when we start saying, "What else do we need technically to figure out?" We have everything we need technically to address this problem, to mitigate the problem. What do we need legally to do it? We have what we need legally to do it. We need to come up with methodologies that apply to the particular circumstances and the particular customers in order to be successful at this.
2013 Legal Concerns
KITTEN: Legal concerns surrounding information security are increasing. What do you see ahead for 2013?
BURTON: I see more of the same in 2013. I think we're going to continue to see activity with respect to account takeover. We've already started to see a little bit of that in the beginning of the year. There were the DDoS [distributed-denial-of-service] attacks on banks in San Francisco, and those attacks resulted in several-hundred-thousand-dollar account takeovers. The bad guys aren't going to stop, and they're going to start to employ even more severe measures to aid them in taking over these accounts. The response of the regulatory community was to say, "Banks have a responsibility to conduct risk assessments, risk analysis, implementing the appropriate types of programs to address these risks and to be aware of the changing nature of the risk." I predict more distributed-denial-of-service attacks on bank accounts. The bad guys are going to keep doing it until we prove that it's not going to be successful. That, to me, is definitely something that we're going to see in 2013.
DDoS Attacks
KITTEN: On that point about the DDoS attacks, institutions have repeatedly said, at least when it comes to some of the hacktivist attacks that we've seen, that they have not seen fraud perpetrated in the background. And there are so many different actors that could be waging these DDoS attacks that it has been a challenge to differentiate what these attacks are really after.
BURTON: But the attacks that I was talking about, they were definitely attacks in which there were account transfers; so I think that if you have one, two or three of those, is that going to be enough for people to say, "We've got to come up with some procedures and some methods to try to recognize and deal with these attacks"? How do we communicate with customers when our website is down? What's our procedure for doing that? What do we do to educate, or what do we tell our customers they should be doing when they run into a situation where they try to log on to the bank's Web account and get a message that seems to indicate the bank's system is down or offline? What should customers do with that? There are a range of things that I think can be done to try to mitigate those circumstances. Should banks have some sort of procedure in place for when they have information - both technical information and information from customers or others - that indicates they're under a DDoS attack? What do they do with respect to outgoing transfers of funds from bank accounts during that time?
I guess I don't believe it's a sufficient answer to say it's difficult to tell whether this is a hacktivism attack or whether or not this is an attack in which they're trying to take money. I think that's not an adequate answer and, certainly, if I'm advising a financial institution and now I'm looking at the potential liability, I certainly want to be in the best position possible to defend that lawsuit. That lawsuit is not the reason I'm doing it, but I certainly want to be in a position to defend that lawsuit if it comes down to taking the appropriate security measures, reasonable measures.