
Man-in-the-Middle Attacks

By Jonathan Bick
January 31, 2016

During the last week of December 2015, several law firms in New Jersey were the victims of non-trivial data breaches. While three involved real estate closings and the rest involved commercial transactions, all resulted in funds being wired to an Internet hacker. Each firm was the victim of a “man-in-the-middle” attack: a hacker first gains access to the firm's server and then uses that access to redirect all e-mail associated with the server to the hacker's own server, where payment details and other information in those e-mails are altered to defraud the firm and the parties working with it.

Keeping Data Safe

While the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq. (1970), and other federal laws encourage the implementation of policies, programs and procedures to keep data safe by requiring entities to maintain reasonable procedures designed to avoid the disclosure of information, not all entities are covered, and the obligations imposed on covered entities are not specific. Even covered entities may not be required to protect themselves from man-in-the-middle attacks, because the regulations implementing these obligations typically detail disposal obligations, such as implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing information so that the information cannot practicably be read or reconstructed. See 16 C.F.R. § 682.3(b)(2).

States also encourage the implementation of policies, programs and procedures to keep data safe by imposing another layer of data security requirements on entities that collect and maintain information. Typically, states have general data security laws in place that require businesses to act reasonably so as to maintain data safely within their possession. See, e.g., Md. Code Ann. Comm. Law § 14-3503 (2013), and Cal. Civ. Code § 1798.81.5(b) (2013). Regrettably, reasonable data security normally lags behind data breach activity.

Once a data breach has been discovered, reasonable firms must both combat future technological and procedural exposures and assess responsibility for liability. Internet-enabled wire transfers were an element of each of the transactions connected to the New Jersey firm data breaches noted above.

U.C.C. § 4A-202(b), “Authorized and Verified Payment Orders,” is applicable to Internet-enabled wire transfers. It provides an incentive to the bank that receives a payment order from an account holder to create a security procedure to ensure that the payment order is authorized. If the receiving bank puts in place “a commercially reasonable method of providing security against unauthorized payment orders” and “complies with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer,” even an unauthorized payment order will be treated as if it were authorized. However, if the receiving bank did not use a commercially reasonable security procedure, it would have the evidentiary burden of proving that an allegedly unauthorized payment order was in fact authorized. Thus, a bank acts at its peril in accepting a payment order that may be unauthorized.

The customer is strictly liable to supervise its employees. In particular, according to the UCC, the customer is to supervise its employees to ensure compliance with security procedures and to safeguard confidential security information and access to transmitting facilities so that the security procedure cannot be breached. Thus, the account holder cannot argue that all the appropriate measures to prevent an unauthorized transaction were taken. In addition, it is no longer the bank's burden to prove that the account holder was negligent.

It should be noted that § 4A-203(a)(2) offers another way to hold the bank liable. The comment notes indicate that the confidential information necessary to institute an unauthorized payment order must be obtained either from a source controlled by the customer or from a source controlled by the receiving bank. The customer can shift the liability for loss if it can be proved that the person committing the fraud did not obtain the confidential information from an agent or former agent of the customer or from a source controlled by the customer.

Internet breaches are not limited to man-in-the-middle attacks. Such breaches include phishing, IP spoofing, and denial-of-service and distributed denial-of-service attacks. While some breaches result in financial fraud, others are undertaken purely for the publicity.

Protection Against Attacks

Effectively, combating man-in-the-middle attacks and other Internet breaches can be as simple as calling a party to confirm wiring instructions prior to wiring funds. Substantial compliance may also require a firmwide memo. A memo, such as the following, is likely to be sufficient:

Before wiring any funds from this office, you must call the recipient's law firm, identify the person you are speaking with, and confirm the wire information that you received. This information should then be noted on the wire transfer document before it is signed by an authorized person here to initiate the wire. Do not merely rely on written wire information that you received previously.

Such a memo would be useful for protecting the firm from some liability due to the activities of a rogue employee.

Equally effective technological changes may be implemented, such as specifying that transmission of data take place over a connection protected by 128-bit Secure Sockets Layer (SSL), which is a standard security technology for establishing an encrypted link between a server and a client, typically a Web server and a browser, or a mail server and a mail client. SSL certificates are widely and cheaply available, and root certificates are built into all major browsers. While man-in-the-middle attacks against an SSL connection are still theoretically possible, firms are typically sophisticated enough to take steps such as verifying certificate signatures to safeguard against such hacks.
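The point about verifying certificates is where an encrypted connection actually protects against an interposed server: encryption without certificate validation will happily negotiate a session with whoever answers. The following is an added example, not code from the article or from any firm it describes, showing a mail client TLS configuration with the weak setting beside the corrected one, plus a small check a firm could run over its own configuration before sending. The SMTP host, port and credentials in `send_via_smtp` are placeholders; the function is not called here because it needs a live mail server.

```python
import ssl
import smtplib
from email.message import EmailMessage


def strict_mail_context() -> ssl.SSLContext:
    """Client-side context that refuses any server whose certificate chain does not
    validate to a trusted root, whose name does not match the host we asked for,
    or that offers a protocol version older than TLS 1.2."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_mail_context() -> ssl.SSLContext:
    """The misconfiguration the article warns about, shown only for comparison:
    the link is encrypted, but the client never checks who is on the other end.
    check_hostname must be cleared before verify_mode, or Python raises."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings for a context; an empty list means it is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows protocols older than TLS 1.2")
    return findings


def send_via_smtp(host: str, port: int, user: str, password: str,
                  message: EmailMessage, ctx: ssl.SSLContext = None) -> None:
    """Send a message over STARTTLS, refusing to proceed with a weak context.
    host/port/user/password are placeholders supplied by the caller."""
    ctx = ctx or strict_mail_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to send with a weak TLS context: " + "; ".join(problems))
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls(context=ctx)   # handshake fails here if the certificate does not verify
        smtp.login(user, password)
        smtp.send_message(message)
```

`audit_context` is the part worth keeping around: run it over every `SSLContext` the firm's scripts build, so that a "temporary" `CERT_NONE` added to get past a certificate error never quietly becomes permanent.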

Additionally, firms should not only attempt to prevent loss but should also take steps to reduce its effects. One effective process for reducing the effects of lost data is to require firm servers to automatically log every transaction that provides access to sensitive data. This process cannot prevent a hacker from copying information displayed on a computer monitor, but it can help an institution determine what was revealed in the breach, and perhaps limit its spread.
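As an added illustration of what such access logging buys a firm after the fact (this is example code written for this page, not a product of the author or of any firm mentioned), the block below defines a one-line-per-event audit record, a parser for it, and two queries an incident responder would run first: which sensitive resources were touched during a suspect time window, and which network addresses each account was used from. The log lines are constructed sample data; the account names, paths and addresses in them are invented.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit log (not real data). Each line is one JSON object written
# by a hypothetical server-side hook that fires whenever a sensitive resource is read
# or forwarded. 203.0.113.0/24 is a documentation range, used here as an "outside" address.
SAMPLE_LOG = """\
{"ts": "2015-12-28T09:02:11Z", "user": "paralegal1", "action": "read", "resource": "closing/1234/wire-instructions.pdf", "src_ip": "10.0.0.21"}
{"ts": "2015-12-28T09:05:40Z", "user": "paralegal1", "action": "read", "resource": "closing/1234/deed.pdf", "src_ip": "10.0.0.21"}
{"ts": "2015-12-28T22:17:03Z", "user": "partner2", "action": "read", "resource": "closing/1234/wire-instructions.pdf", "src_ip": "203.0.113.77"}
{"ts": "2015-12-28T22:18:45Z", "user": "partner2", "action": "forward", "resource": "mail/closing-1234-thread", "src_ip": "203.0.113.77"}
{"ts": "2015-12-29T08:30:00Z", "user": "partner2", "action": "read", "resource": "closing/5678/engagement.pdf", "src_ip": "10.0.0.14"}
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def audit_record(user: str, action: str, resource: str, src_ip: str, ts: datetime = None) -> str:
    """Serialise one access event as a single JSON line, the format SAMPLE_LOG uses."""
    when = ts or datetime.now(timezone.utc)
    rec = {"ts": when.strftime(TS_FORMAT), "user": user, "action": action,
           "resource": resource, "src_ip": src_ip}
    return json.dumps(rec, sort_keys=True)


def parse_log(text: str):
    """Yield records with the timestamp converted to an aware UTC datetime; blank lines skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT).replace(tzinfo=timezone.utc)
        yield rec


def exposure_in_window(text: str, start: datetime, end: datetime,
                       user: str = None, src_ip: str = None) -> list:
    """Sorted list of resources touched between start and end (inclusive), optionally
    narrowed to one account or one source address. This is the 'what was revealed' answer."""
    hits = set()
    for rec in parse_log(text):
        if not (start <= rec["ts"] <= end):
            continue
        if user is not None and rec["user"] != user:
            continue
        if src_ip is not None and rec["src_ip"] != src_ip:
            continue
        hits.add(rec["resource"])
    return sorted(hits)


def sources_per_user(text: str) -> dict:
    """Map each account to the sorted list of addresses it was used from; an account that
    suddenly appears from an unfamiliar address is the usual first sign of a hijacked mailbox."""
    seen = defaultdict(set)
    for rec in parse_log(text):
        seen[rec["user"]].add(rec["src_ip"])
    return {u: sorted(ips) for u, ips in seen.items()}
```

Two details matter for this to be usable in an incident: timestamps are stored in UTC so windows from different systems line up, and the log is append-only JSON lines, which survives a partial write (one corrupt line is skipped, not the whole file). The same queries work unchanged on a log a firm has actually collected, provided it records at least the five fields shown.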

In Sovereign Bank v. BJ's Wholesale Club, 533 F.3d 162 (3d Cir. 2008), and Hammond v. Bank of N.Y. Mellon Corp., 2010 WL 2643307 (S.D.N.Y. June 25, 2010), courts have interpreted the causation requirements built into tort law to exempt data owners or storehouses from liability. This interpretation has acted as a disincentive to take precautions.


Jonathan Bick is Of Counsel at Brach Eichler LLC in Roseland, NJ. A member of our Board of Editors, he is also an adjunct professor at Pace and Rutgers law schools, and the author of 101 Things You Need to Know about Internet Law (Random House 2000) (available from Amazon at http://amzn.to/TUbFM2). He can be reached at [email protected].
