Information Security Breaches, Unauthorized Transactions, and Account Takeovers...or "What You Missed"

 

On Friday, I had the honor to join some distinguished speakers for an all-day continuing legal education seminar on computer technology and the law.  My fellow presenters were:

• Clark Walton, former CIA forensic computer analyst, lawyer with Alexander Ricks, and founder of computer forensic firm Reliance Forensics (and formerly Chair of the NCBA Young Lawyers Division and the American Bar Association's Young Lawyer of the Year).
• Ashden Fein, lead prosecutor of Private Bradley Manning in the WikiLeaks trial and now lawyer with Covington & Burling in Washington, D.C.
• Chris Swecker, former Assistant Director of the FBI, lawyer, and security consultant.
• Kim Korando, employment lawyer with Smith Anderson.
• Joyce Brafford, law practice technology guru with the NCBA's Center for Practice Management.

It was a fascinating day, and I enjoyed hearing from these great speakers more than I enjoyed speaking myself. 



In the course of my presentation, we discussed the various legal response requirements following a data security breach, as well as liability for unauthorized transfers in consumer and commercial accounts. 



The program was well-attended in person and by webinar, but if you missed the opportunity to attend, I am providing a link to my slideshow here.  I hope you find it useful.

Legal Aspects of Security Breaches, Unauthorized Transfers, and Corporate Account Takeovers

Last month, the CEO of BNY Mellon told the American Banker that his bank's greatest single concern is cybersecurity.  We live in an era where a security breach can be devastating to a variety of businesses, whether through a direct loss of funds, civil liability, or massive reputational harm to a brand.

Some of the fastest-developing topics I encounter in my law practice involve security breaches, unauthorized transactions, and corporate account takeovers.  Several weeks ago, I addressed the legal aspects of these issues in a presentation delivered at the North Carolina Bankers Association's Security Summit.  Some of the questions addressed in the presentation included the following:

• What obligations under federal and North Carolina law do businesses have when there has been a security breach involving customer information?
  
• At what point does an incident involving customer information rise to the level of a "security breach" for which the applicable laws require specific responses? 
  
• Who must bear the loss when there is an unauthorized transfer of funds in a consumer's bank account?
  
• If a company's bank account is compromised (hacked) in a "corporate account takeover" and funds are transferred from the account without authorization, is the bank required to refund the company's money?

I am posting the slides from my presentation here so those who were not able to attend the Security Summit will be able to see the highlights of the talk.*  I hope you find this information helpful.  (Please feel free to share this blog post with others who might benefit from this information.)

The importance of these issues continues to grow, and I intend to speak and write more about these and related topics in the coming days. 

 

[*As with all of the information I post here on the blog, this is shared for general educational purposes only, and does not constitute legal advice.  I will not be updating this information as the law develops, and I reserve the right to change my position on any issue addressed in these materials in the future.]