BankBryanCave.com

Bank Bryan Cave

Data Breach

Main Content

Do you get Bragging Rights if the Malware Infecting your Computer was Named after Zeus?

Over the last decade as the specter of cyber attacks has increased dramatically, financial institutions have been encouraged to look into the use of cyber fraud insurance as one means of minimizing risk. A recent decision by the 8th Circuit provides an interesting opportunity to see how such policies are going to be interpreted by the courts.

In 2011, an employee at Bellingham State Bank in Minnesota initiated a wire transfer through the Federal Reserve’s FedLine Advantage Plus system (FedLine). Wire transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a wire transfer via FedLine, two Bellingham employees had to enter their individual user names, insert individual physical tokens into the computer, and type in individual passwords and passphrases. In this instance the employee initiated the wire by inputting the passwords both for herself and the other employee and inserted both of the physical tokens. After initiating the wire the employee left the two tokens in the computer and left it running overnight. Upon returning the next day the employee discovered that two unauthorized wire transfers had been made from Bellingham’s Federal Reserve account to two different banks in Poland. Kirchberg was unable to reverse the transfers through the FedLine system. Kirchberg immediately contacted the Federal Reserve and requested reversal of the transfers, but the Federal Reserve refused. The Federal Reserve, however, did contact intermediary institutions to inform them that the transfers were fraudulent, and one of the intermediary institutions was able to reverse one of the transfers. The other fraudulent transfer was not recovered.

Bellingham promptly notified BancInsure of the loss and made a claim under their financial institution bond which provided coverage for losses caused by such things as employee dishonesty and forgery as well as computer system fraud. After an investigation, it was determined that a “Zeus Trojan horse” virus had infected the computer and permitted access to the computer for the fraudulent transfers. BancInsure denied the claim based on several exclusions in the policy including employee-caused loss exclusions, exclusions for theft of confidential information, and exclusions for mechanical breakdown or deterioration of a computer system. In essence, the policy does not cover losses whose proximate cause was employee negligence or a failure to maintain bank computer systems. Bellingham contested the denial and brought suit in federal court for breach of contract.

Read More

What Will The Proposed New York Cybersecurity Requirements For Financial Institutions Really Make Companies Do?

In early September 2016, the New York Department of Financial Services (“DFS”) proposed a set of data security regulations (the “Proposal”) that would govern financial institutions, banks, and insurance companies subject to the jurisdiction of the agency (“covered entities”).  After receiving public comments, DFS revised and resubmitted the Proposal on December 28, 2016.  If the Proposal ultimately goes into effect it would require that covered entities have a written information security policy (“WISP”) and outline specific provisions (substantive and procedural) that must be contained in that document.  While the Proposal has garnered a great deal of public attention, the majority of the provisions in the latest version are not unique.

Prior to the Proposal at least four states already required that if a company collected financial information about consumers within their jurisdiction some, or all, of the company’s security program must be reduced to writing; three states required that an employee be specifically designated to maintain a security program.  More importantly, the Federal Gramm Leach Bliley Act (“GLBA”) contains broad requirements that mimic many of the Proposals provisions.  This includes, for example, the requirement that a financial institution conduct a risk assessment and maintain data breach response procedures.

Read More

Preventing Your Own Peach Breach

Preventing Your Own Peach Breach

November 24, 2015

Authored by: Bryan Cave

A Crash Course on Data Breach and Cyber Security

The recent disclosure by the Georgia Secretary of State of voter’s Social Security Numbers has caused a number of our clients – particularly those based in Georgia – to request additional information concerning how to prevent and respond to data security incidents.

To that end we have gathered together our recorded materials on effective breach prevention and response into a suggested week long training program with one suggested hour of programming every day the week following Thanksgiving. Celesq, the company that maintains the recordings of our programs, has agreed to waive the fee for any of our clients that wish to access them during the week.

  • Monday, November 30th: Data Security Boot Camp: A Crash Course in the Law
  • Tuesday, December 1st: Investigating Data Breaches: A Guide for In-House Counsel
  • Wednesday, December 2nd: Cyber-Insurance
  • Thursday, December 3rd: Data Breach Litigation
  • Friday, December 4th: Ethics and Data Breach Investigation

To receive a registration waiver, email Audrey Brekel at audrey.brekel@bryancave.com. To sign up for any, or all, of the days, please follow the directions here.

Read More

Georgia Secretary of State’s Office Has An “Oops Moment” Over Personal Identifying Information

The Georgia Secretary of State posted a letter on its website on November 18, 2015 admitting that, on October 13, the office inadvertently released personal identifying information on registered voters in Georgia. While the letter does not actually spell out what information was released, a lawsuit filed in Fulton County Superior Court this week alleges that the information on the 6,184,281 Georgia voters includes:

  • voters full name
  • residential address or mailing address if that is different
  • race
  • gender
  • voter registration date
  • last date the person voted
  • their social security number
  • driver’s license number
  • date of birth.

The information had been provided on CDs to 12 groups, including political parties and journalists, in a release that normally would only include basic information, such as names, addresses, registration and the last time the person voted. Under normal circumstances, the Secretary of State makes such information available for $500 to interested individuals and entities.

The Secretary of State letter indicates that the office has retrieved all of the CDs that contained the information and has confirmed that none of the data was retained by or disseminated to any third parties. In a day and time when state and federal governments have aggressively pursued private companies for similar inadvertent disclosures, the Secretary of State may still face liability.

Read More
The attorneys of Bryan Cave LLP make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.