Financial Fraud Law Report
An A.S. Pratt & Sons Publication
February 2014

Editor's Note: Corruption Compliance
Steven A. Meyerowitz

Anti-Corruption Compliance in 2013: Post-Guidance Trends and Signals for the Future
Paul R. Berger, Sean Hecker, Andrew M. Levine, Bruce E. Yannett, Steven S. Michaels, Philip Rohlik, Noelle Duarte Grohmann, and Jane Shvets

Compliance Issues Arising out of the Target Data Breach
H. David Kotz

Cybersecurity: Amid Increasing Attacks and Government Controversy, a Framework to Reduce Risk Emerges
Stuart D. Levi

"Know Your Customer": OFAC Raises Due Diligence Expectations of Non-US Banks
Sean M. Thornton

Dodd-Frank Wall Street Reform and Consumer Protection Act Update
David A. Elliott, Rachel Blackmon Cash, Kristen Peters Watson, and E. Jordan Teague
Editor-in-Chief
Steven A. Meyerowitz, President, Meyerowitz Communications Inc.

Board of Editors
Frank W. Abagnale, Author, Lecturer, and Consultant, Abagnale and Associates
Stephen L. Ascher, Jenner & Block LLP
Thomas C. Bogle, Dechert LLP
David J. Cook, Cook Collection Attorneys
David A. Elliott, Burr & Forman LLP
William J. Kelleher III, Corporate Counsel, People's United Bank
James M. Keneally, Kelley Drye & Warren LLP
H. David Kotz, Director, Berkeley Research Group, LLC
Richard H. Kravitz, Founding Director, Center for Socially Responsible Accounting
Frank C. Razzano, Pepper Hamilton LLP
Sareena Malik Sawhney, Director, Marks Paneth & Shron LLP
Mara V.J. Senn, Arnold & Porter LLP
John R. Snyder, Bingham McCutchen LLP
Jennifer Taylor, McDermott Will & Emery LLP
Bruce E. Yannett, Debevoise & Plimpton LLP

The Financial Fraud Law Report is published 10 times per year by Matthew Bender & Company, Inc. Copyright 2014 Reed Elsevier Properties SA., used under license by Matthew Bender & Company, Inc. All rights reserved. No part of this journal may be reproduced in any form by microfilm, xerography, or otherwise, or incorporated into any information retrieval system, without the written permission of the copyright owner. For permission to photocopy or use material electronically from the Financial Fraud Law Report, please access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For subscription information and customer service, call 1-800-833-9844.

Direct any editorial inquiries and send any material for publication to Steven A. Meyerowitz, Editor-in-Chief, Meyerowitz Communications Inc., PO Box 7080, Miller Place, NY 11764, smeyerow@optonline.net, 631.331.3908 (phone) / 631.331.3664 (fax). Material for publication is welcomed: articles, decisions, or other items of interest.

This publication is designed to be accurate and authoritative, but neither the publisher nor the authors are rendering legal, accounting, or other professional services in this publication. If legal or other expert advice is desired, retain the services of an appropriate professional. The articles and columns reflect only the present considerations and views of the authors and do not necessarily reflect those of the firms or organizations with which they are affiliated, any of the former or present clients of the authors or their firms or organizations, or the editors or publisher.

POSTMASTER: Send address changes to the Financial Fraud Law Report, LexisNexis Matthew Bender, 121 Chanlon Road, North Building, New Providence, NJ 07974. Direct inquiries for the editorial department to catherine.dillon@lexisnexis.com.

ISBN: 978-0-76987-816-4
Compliance Issues Arising out of the Target Data Breach

H. David Kotz

The author of this article discusses the recent data breach at Target and offers data breach prevention advice to companies and consumers.

H. David Kotz presently serves as a director at Berkeley Research Group, where he focuses on internal investigations and matters relating to Foreign Corrupt Practices Act and anti-money laundering regulations. Published by Matthew Bender & Company, Inc. in the February 2014 issue of Financial Fraud Law Report. Copyright 2014 Reed Elsevier Properties SA.

By now, everyone has likely heard about Target's December 19, 2013 announcement that hackers had gained unauthorized access to approximately 40 million Target credit and debit accounts, which would include information such as customers' names, credit or debit card numbers, card expiration dates, and three-digit CVV security codes. In January, Target reported that the data breach was even more massive, with at least 70 to 110 million customers being affected.

Because of the breach, Target has warned customers to beware of the fraudulent use of their credit and debit card numbers, suggesting that if they notice a charge that appears fraudulent, they should contact Target or their bank. But many card owners do not regularly check the charges posted to their accounts, and may not be aware for some time that their card is being used improperly.

Major Data Breaches

While it has received a lot of publicity, the Target breach is not the only major incident to have occurred in recent years. In July 2013, federal prosecutors charged five men responsible for a hacking and credit card fraud spree that cost companies more than $300 million, in the biggest cyber crime case filed in U.S. history. According to the indictment, companies targeted by the hackers included NASDAQ, Visa Inc., J.C. Penney Co., JetBlue Airways Corp., and a French retailer called Carrefour SA. Prosecutors estimated that the group of five men from Russia and Ukraine stole 160 million payment card numbers. According to the indictment, they then sold the payment card numbers to resellers, who in turn sold them on online forums or to "cashers" who encoded the numbers onto blank plastic cards.

In addition, in January 2007, the parent entity of the clothing retailer TJ Maxx announced in an SEC filing that more than 45 million credit and debit card numbers had been stolen from its IT systems. Eventually, there were reports that the data breach affected nearly 90 to 100 million cards. TJ Maxx's parent reported that its full-year profit was reduced by 25 cents a share due solely to charges tied to the breach.

These incidents have left retailers worried that they may be the next ones to be hacked.

The Target Data Breach

Lawsuits have already been filed against Target alleging negligence, fraud, breach of contract, breach of fiduciary duty, invasion of privacy and conversion. Some complaints have claimed that Target's actions were deceptive and willful and are seeking punitive damages.

A spokesman for the U.S. Secret Service has confirmed that it is investigating the Target data breach. A Target spokesperson has also said that Target retained a third-party forensic firm to conduct an investigation as well. The results of these investigations will be very important for the industry. The forensic investigation should reveal how the attackers got into the network and how they bypassed any security countermeasures.
There are legitimate questions to be answered about the extent to which Target had stored the credit card data in encrypted form, and whether its systems had been certified under a major compliance standard. The forensic investigation should be conducted thoroughly and comprehensively, and no limits should be placed on the investigator's authority. Resources should not be an issue, and evidence should be identified as soon as possible. Relevant data should be acquired, authenticated and analyzed. Most importantly, the results should be released to the public. Historically, there has not been a great deal of sharing among companies of ideas on how to protect this type of data and prevent breaches.

One curious aspect is that Target issued its announcement on December 19, 2013, but the breach took place between November 27 and December 15, 2013. The reason for the delay is unclear, but it is all the more reason for consumers to be extra vigilant in confirming purchases on credit and debit cards on an ongoing basis.

Preventing Data Breaches

The Target data breach is just another reminder that companies must not allow themselves to become complacent when it comes to compliance and IT security. Many U.S. companies have balked at the costs associated with adopting EMV chip technology for credit and debit card payments, a standard widely used in Europe. EMV, named after its developers, Europay, Mastercard and Visa, features encrypted chips and technology that evidently make cards harder to reproduce than the magnetic stripe technology most U.S. credit cards use today. A cardholder's confidential data is considered by many to be significantly more secure on a chip-enabled payment card than on a magnetic stripe card. EMV cards have reportedly been adopted in about 80 countries; yet some studies show that only about one percent of the U.S. market uses the technology.

Retailers should use the Target incident as a learning opportunity to examine their own compliance systems and points of potential breach. They should investigate whether their password-protected systems are sufficient and engage in appropriate and continuous monitoring of their systems for suspicious activity. Companies often focus on ensuring adherence to regulatory compliance mandates rather than considering the best strategies for protecting their data.
In addition, many companies view regulatory compliance requirements as a one-time project rather than an ongoing effort to ensure data protection. Many compliance officials also see technology as a panacea for all concerns and fail to appreciate the human element of IT security, or to understand and analyze how the technology is actually used. Companies would be well served by spending significant amounts of time in brainstorming sessions to evaluate IT solutions to potential vulnerabilities. These sessions should include operational executives in addition to IT experts.

Company security and risk professionals should also raise the Target incident as a reminder to business executives that security and compliance breaches can have serious repercussions for a company's bottom line. The business impact of the data breach on Target is a strong example of how companies may be penny-wise and pound-foolish by not investing sufficiently in IT security and not expending enough time and human resources to analyze potential problems.

What Can Consumers Do?

Consumers should also be reminded of the importance of remaining watchful and closely monitoring their transactions. Passwords should be changed frequently, and folks should not be shy about challenging suspicious charges, even small ones. Credit card statements should be shredded, and consumers should be careful about making too many online purchases, particularly with obscure websites. Individuals should consider switching from debit cards to credit cards, as debit cards have fewer protections than credit cards when it comes to fraud.

There can be positives that come from the Target data breach, in terms of increased awareness and vigilance on the part of companies and customers, if the breach can serve as a much needed wake-up call for industry officials and consumers.