LEGAL CORNER: Cybercrime and Ransomware Are Very Real and Costly Threats!
John Dolgetta, Esq. | December 2018
During the holiday season, it is important for individuals and companies alike to be aware of the extensive array of cyberthreats that exist. A presentation on cybersecurity threats and related issues was made in Boston at this year’s National Association of Realtors’ Legal Conference held on Nov. 1. The panel provided invaluable insight on the dangers and issues surrounding cybersecurity and cyber-attacks and the importance of having the right insurance coverage in place in the event a cyber breach takes place.
The FBI’s IC3 Report on Internet Crimes
In 2017, common Internet crimes included, among others, business e-mail compromise and e-mail account compromise (BEC/EAC), ransomware, and extortion. The Internet Crime Complaint Center reported that victims’ losses in 2017 alone exceeded $1.42 billion (see 2017 Internet Crime Report, Internet Crime Complaint Center, Federal Bureau of Investigation, at https://bit.ly/2wAuPoE). The 2017 Internet Crime Report provides invaluable information that individuals, companies and organizations should review in detail. Real estate brokers and firms should provide this report to their employees, staff, independent contractors and agents, as all of these individuals have access to and receive e-mails in connection with the networks operated by these entities. According to the report, Business E-mail Compromise and E-mail Account Compromise cybercrimes suffered the highest amount of losses (i.e., $676,151,185) in 2017, and Personal Data Breach claims came in fifth at $77,134,865 in losses.
In 2017, the IC3 received more than 300,000 complaints. Since its inception in 2000, through 2017, it has received more than four million complaints. From 2013 through 2017, IC3 received a total of 1,420,555 complaints, and a total reported loss of $5.52 billion. Individuals over the age of 50 years old suffered the highest amounts of victim losses at more than $342 million. California, Florida, Texas, New York and Pennsylvania were the top five states by number of victims and California, Texas, Florida, New York and Arizona were the five top states in the amount of victim losses.
Business E-Mail and E-Mail Account Compromise
According to the FBI, Business E-mail Compromise (BEC) is a scam initiated by hackers who target businesses that work with foreign suppliers and regularly perform wire transfer payments. E-mail Account Compromise (EAC) is similar to BEC, but targets individuals who regularly perform wire transfer payments. EAC is the one that most commonly affects the real estate industry (see article “Beware of Cyber Threats: The Importance of Implementing Data Security and Privacy Policies” (March 2016) at https://bit.ly/2JwP6h7).
Most of the fraudulent wire transfers are funneled through an account set up in the U.S. and then quickly transferred to foreign bank accounts. The FBI points out that a majority go through Asia. In 2017, the real estate sector was heavily targeted, with many victims reporting losses during real estate transactions. Once the funds are wired to the cybercriminal’s account, it is difficult to get the funds back. However, if the FBI and the banking institution are notified immediately—within 48 to 72 hours from the time the funds were wired—the funds may be recoverable. In 2017, the IC3 received 15,690 BEC/EAC complaints with losses of more than $676 million.
Ransomware: A Growing Threat
The FBI defines “ransomware” as “a form of malware targeting both human and technical weaknesses in an effort to make critical data and/or systems inaccessible.” Ransomware is primarily delivered through “Remote Desktop Protocols” (which allow computers to connect to each other across a network) and phishing. For example, a phishing e-mail is sent to a targeted individual or organization and, once the e-mail is opened, the malware executes and encrypts all of the files on the end-user’s network. Once the victim realizes that he is no longer able to access the data on the network, the cybercriminal makes a ransom payment demand. The payment is usually required to be made in “virtual” currency (e.g., Bitcoin).
The cybercriminal will then provide the victim with a “key” to regain access to the data once the ransom is paid. However, the FBI strongly advises against a victim paying any requested ransom because (1) it does not guarantee that a “key” will be provided to the victim; and (2) even if provided, there is no guarantee that the access “key” will work.
The FBI points out that paying a ransom only “emboldens the adversary to target other organizations for profit, and provides for a lucrative environment for other criminals to become involved.” Nevertheless, sometimes an organization or company must weigh the risks and decide whether to submit to the criminal’s demands. However, before any decision is made, the FBI’s local field office (visit https://bit.ly/2GfjQ4x) should be contacted immediately and the victim should reach out to its insurance carrier. In 2017, the IC3 received 1,783 complaints identified as ransomware with adjusted losses of more than $2.3 million, and while this is not one of the top crimes in terms of losses and claims, it is on the rise.
“Ransomware-as-a-Service” (also known as “RaaS”) has also emerged as a result of this growing threat. RaaS is a “profit-sharing model” in which hackers subscribe to services (free or fee-based) provided by other criminals on the “dark web” who develop the malware and ransomware; these services include online support, monitoring software and more. In addition to the payments received from subscribers, some of these software developers also require a share of the ransom paid.
Extortion as a Cybercrime
Cyber “extortion” is also a rapidly growing threat. Cybercriminals threaten victims with physical or financial harm unless they pay a ransom or other item of value. These criminals usually threaten to release sensitive information unless a payment is made. According to the FBI’s report, cybercriminals engage in various types of extortion schemes, such as “Hitman,” “Sextortion,” “Loan” and “High Profile Data Breach.” Again, payments are usually required to be made in virtual currency because of the difficulty in tracing payments and identity. While this form of cybercrime did not make the top 10, the IC3, in 2017, received 14,938 extortion-related complaints with losses totaling more than $15 million. Extortion is a growing area of cybercrime.
The Anne Arundel County Association of Realtors Attack
At the 2018 NAR Legal Conference, Robert Johnston, CEO of the Anne Arundel County Association of Realtors, provided a firsthand account of a ransomware attack suffered by his association. Johnston explained that the attack took place on a Friday afternoon, which is very common for ransomware attacks, as the victim would not know that an attack had occurred until Monday morning. Johnston and the other panelists explained that the malware was likely introduced into the association’s computer system several weeks or months before the attack took place. It was strongly recommended that companies have both physical and cloud backups.
In the case of the Anne Arundel County Association, Johnston stressed the importance of reaching out to the FBI and local authorities, as well as NAR and its insurance carrier, immediately. He highlighted the invaluable guidance and assistance received from NAR staff. Immediately, the insurance carrier was contacted and within hours began to address the breach. The carrier engaged a computer forensic firm to investigate the breach and determine the origin of the attack.
After a full investigation and audit, the forensic computer firm determined that no personally identifiable information (PII) was compromised. This is important because if there was a breach and PII was compromised, the data breach notification laws require that the affected parties be notified immediately. It is important to note that each state has different data breach notification laws and that the laws of the state in which the individual resides must be followed, not the laws of the state in which the breach occurred (see article “Beware of Cyber Threats: The Importance of Implementing Data Security and Privacy Policies” (March 2016) at https://bit.ly/2JwP6h7).
The computer forensics firm also attempted to determine whether or not the information was still available or recoverable. If the data is not recoverable, it is important to stress that the victim should never attempt to pay any ransom unless it is left with no other choice, and then only if it is guided by advice from experts and/or law enforcement professionals. Many times, it is unknown whether the “key” provided by the cybercriminal will actually work. Again, anyone affected should contact the FBI and local authorities first, and then the insurance carrier.
NAR’s and Chubb’s Cyber Coverage
The potential for a cyberattack should never be taken lightly. Individuals and companies must put in place adequate measures in order to ensure that they are protected, especially in this fast-paced, ever-changing technological environment. Lauren Gorte, a vice president of Financial Lines, a subsidiary of Chubb, described some of the protections afforded under Chubb’s “cyber” insurance coverage:
The insurance covers the costs to engage a computer forensics firm to determine the scope of a breach, comply with privacy regulations, notify and provide credit monitoring services to affected individuals and obtain legal, public relations or crisis management services to restore the company’s reputation.
Under the Cyber Incident Response Coverage, victims can call a crisis hotline in order to report urgent events at any time, response coaches are available to triage the cyber event, and a variety of response specialists are utilized, including forensics, public relations specialists, notification service specialists, call centers, and cyber extortion and business interruption specialists.
The policy also covers digital data recovery costs and network extortion protection, which would cover any payments to the cybercriminals in connection with a ransom request.
It covers loss arising out of the organization’s failure or alleged failure to protect sensitive personal or corporate information in any format.
It covers liability of the organization arising out of the failure of network security, including unauthorized access to or use of corporate systems, a denial of service attack or transmission of malicious code.
It provides coverage for fines and penalties due to the loss of payment card data, subject to applicable state law.
It includes coverage for regulatory proceedings brought by a government agency alleging the violation of any state, federal, or foreign identity theft or privacy protection legislation, subject to applicable law.
While Realtor Associations and MLSs are covered under NAR’s policy, which provides the extensive coverages above, most individuals, organizations, and companies, including real estate brokerage firms, do not have such comprehensive coverages. In fact, many may not have any coverage at all. It is highly recommended that all individuals and companies review their insurance policies and contact their carriers to ascertain what coverage, if any, they have in the event of a cyber-attack. Prevention and “planning ahead” are critical, because once a breach or attack happens, it is too late. An attack could cause damage that is irreparable, and the liability and expense incurred could run to thousands, hundreds of thousands or even millions of dollars, depending on the extent of the attack.
Editor’s Note: The foregoing article is for informational purposes only and does not confer an attorney-client relationship.