CYBER TRENDS & TIPS: WHAT YOU NEED TO KNOW ABOUT ... · The 2016 Internet Crime Report highlights...


CYBER TRENDS & TIPS: WHAT YOU NEED TO KNOW ABOUT

INFORMATION SECURITY IN 2018

Sponsor: Young Lawyers Division CLE Credit: 1.0

Thursday, June 14, 2018 9:40 a.m. - 10:40 a.m. Bluegrass Ballroom II

Lexington Convention Center Lexington, Kentucky


A NOTE CONCERNING THE PROGRAM MATERIALS

The materials included in this Kentucky Bar Association Continuing Legal Education handbook are intended to provide current and accurate information about the subject matter covered. No representation or warranty is made concerning the application of the legal or other principles discussed by the instructors to any specific fact situation, nor is any prediction made concerning how any particular judge or jury will interpret or apply such principles. The proper interpretation or application of the principles discussed is a matter for the considered judgment of the individual legal practitioner. The faculty and staff of this Kentucky Bar Association CLE program disclaim liability therefore. Attorneys using these materials, or information otherwise conveyed during the program, in dealing with a specific legal matter have a duty to research original and current sources of authority.

Printed by: Evolution Creative Solutions 7107 Shona Drive

Cincinnati, Ohio 45237

Kentucky Bar Association

TABLE OF CONTENTS

The Presenters ............................................................................................ i
2016 Internet Crime Report ....................................................................... 1
Start with Security: A Guide for Business ................................................. 27

THE PRESENTERS

Leanthony Edwards Dinsmore & Shohl, LLP

255 East Fifth Street, Suite 1900 Cincinnati, Ohio 45202

LEANTHONY EDWARDS is an associate in the Cincinnati office of Dinsmore & Shohl, LLP and practices in the areas of intellectual property and data privacy. He received his B.A. from California State University, San Bernardino and his J.D. from the University of Cincinnati College of Law. He is a member of the Ohio Bar Association and the International Association of Privacy Professionals.

Michael E. Nitardy Frost Brown Todd, LLC

7310 Turfway Road, Suite 210 Florence, Kentucky 41042

MICHAEL E. NITARDY is a member in the litigation department of Frost Brown Todd LLC in Florence. He represents clients in business and commercial disputes. Mr. Nitardy received his B.B.A., summa cum laude, from Marshall University and his J.D., summa cum laude, from Salmon P. Chase College of Law, where he was a member of the Northern Kentucky Law Review and the Order of the Curia. He is a member of the Ohio and Kentucky Bar Associations, American Health Lawyers Association, and Christian Legal Society. Mr. Nitardy serves as the co-chair of the Cincinnati International Association of Privacy Professionals Cincinnati Knowledge Net Chapter; vice chair of the American Bar Association's TIPS Cybersecurity and Data Privacy Committee; and on the board of directors of Legal Aid of the Bluegrass. He has received CIPP/US Certification from the International Association of Privacy Professionals.


Kurt R. Hunt Dinsmore & Shohl, LLP

255 East Fifth Street, Suite 1900 Cincinnati, Ohio 45202

KURT R. HUNT is an associate of counsel in the Cincinnati office of Dinsmore & Shohl, LLP and is the corporate department team leader. He received his B.S. from Eastern Michigan University and his J.D. from the University of Michigan Law School. Mr. Hunt is admitted to practice before the Supreme Court of Ohio, the United States Sixth Circuit Court of Appeals, and the United States District Court for the Southern and Northern Districts of Ohio. He is a member of the Cincinnati and Ohio Bar Associations, as well as the Federal Communications, Energy and Electric Cooperative Bar Associations.

Jeffery L. Sallee

102 Lake Park Drive Alexandria, Kentucky 41001

JEFFERY L. SALLEE is a security architect for the Western & Southern Financial Group in Cincinnati. He has several IT certifications: Certified Information Systems Security Professional, Certified Information Systems Auditor and Certified Identity and Access Manager. Mr. Sallee earned both his B.A. in German and his B.S. in Computer Technology from Purdue University. He went on to earn his J.D. from Chase College of Law. Mr. Sallee is a member of the KBA's Small Firm Practice & Management Section where he served as past chair and is the current vice chair. He is also an adjunct professor at the University of the Cumberlands, where he teaches courses relating to legal topics in information technology.


2016 INTERNET CRIME REPORT Federal Bureau of Investigation

TABLE OF CONTENTS

Introduction ................................................................................................ 3
About the Internet Crime Complaint Center .............................................. 4
IC3 History ................................................................................................. 4
The IC3 Role in Combating Cyber Crime ................................................... 5
Collection ................................................................................................... 5
Analysis ...................................................................................................... 6
Public Awareness ....................................................................................... 6
Referrals ..................................................................................................... 6
Supporting Law Enforcement ..................................................................... 6
IC3 Database Remote Access .................................................................... 6
Testimonials from Law Enforcement Database Users ................................ 7
Successes ................................................................................................... 8
Prosecutions ............................................................................................... 8
Operation Wellspring (OWS) Initiative ........................................................ 8
Hot Topics for 2016 .................................................................................... 9
Business Email Compromise (BEC) ........................................................... 9
Ransomware ............................................................................................. 10
Tech Support Fraud .................................................................................. 11
Extortion ................................................................................................... 12
2016 Overall Statistics .............................................................................. 13
2016 Victims by Age Group ...................................................................... 13
Top 20 Foreign Countries by Victim ......................................................... 15
Top 10 States by Number of Reported Victims ........................................ 16
Top 10 States by Reported Victim Loss ................................................... 16
2016 Crime Types ..................................................................................... 17
2016 Overall State Statistics ..................................................................... 19
Appendix A: Crime Type Definitions ......................................................... 23


INTRODUCTION

Dear Reader,

The FBI is the lead federal agency for investigating cyber attacks by criminals, overseas adversaries, and terrorists. With each passing day, cyber intrusions are becoming more sophisticated, dangerous, and common. We continue to transform and develop in order to address the persistent and evolving cyber threats we face.

The FBI's Internet Crime Complaint Center (IC3) provides the public with a trustworthy and convenient reporting mechanism to submit information concerning suspected Internet-facilitated criminal activity. The IC3 also strengthens the FBI's partnerships with our law enforcement and industry partners.

The 2016 Internet Crime Report highlights the IC3's efforts in monitoring trending scams such as Business Email Compromise (BEC), ransomware, tech support fraud, and extortion. In 2016, IC3 received a total of 298,728 complaints with reported losses in excess of $1.3 billion. This past year, the top three crime types reported by victims were non-payment and non-delivery, personal data breach, and payment scams. The top three crime types by reported loss were BEC, romance and confidence fraud, and non-payment and non-delivery scams.

This year's report features a section on the importance of law enforcement collaboration and partnerships with the private sector and Intelligence Community. For example, the FBI continues to expand Operation Wellspring (OWS), an initiative through which state and local law enforcement officers are embedded in, and trained by, FBI cyber task forces and serve as the primary case agents on Internet-facilitated criminal investigations. Overall, OWS task forces opened 37 investigations in 2016 and have worked 73 total investigations since OWS was launched in August 2013.

We hope this report will assist you as we work in partnership to protect our nation and combat cyber threats.

Scott S. Smith
Assistant Director
Cyber Division
Federal Bureau of Investigation


ABOUT THE INTERNET CRIME COMPLAINT CENTER

The mission of the FBI is to protect the American people and uphold the Constitution of the United States. The mission of the Internet Crime Complaint Center (IC3) is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated criminal activity, and to develop effective alliances with industry partners. Information is analyzed and disseminated for investigative and intelligence purposes, for law enforcement and public awareness.

In an effort to promote public awareness, the IC3 produces this annual report to aggregate and highlight the data provided by the general public. The quality of the data is directly attributable to the information ingested via the public interface www.ic3.gov. The IC3 attempts to standardize the data by categorizing each complaint based on the information provided. The IC3 staff analyzes the data, striving to identify trends relating to Internet-facilitated crimes and what those trends may represent in the coming year.

IC3 History

In May 2000, the IC3 was established as a center to receive complaints of Internet crime. There have been 3,762,348 complaints reported to the IC3 since its inception. Over the last five years, the IC3 received an average of more than 280,000 complaints per year. The complaints address a wide array of Internet scams affecting victims across the globe.1

1 Accessibility description: Image includes yearly and aggregate data for complaints and losses over the years 2012 to 2016. Over that time period, IC3 received a total of 1,408,849 complaints, and a total reported loss of $4.63 billion.


The IC3 Role in Combating Cyber Crime

[Diagram: Central hub to partner with private sector and with local, state, federal, and international agencies; host remote access database for all law enforcement via the FBI's LEEP2 website; alert the public]

Collection

Millions of people in the United States are victims of Internet crimes each year. Detection is the cornerstone of determining the larger Internet crime picture. However, only an estimated 15 percent of the nation's fraud victims report their crimes to law enforcement.3 This 15 percent figure is just a subset of the victims worldwide. Victims are encouraged and often directed by law enforcement to file a complaint online at www.ic3.gov. Complainants are asked to document accurate and complete information related to the Internet crime, as well as any other relevant information necessary to support the complaint.

In addition to reporting the crime via www.ic3.gov, complainants should take steps to mitigate further loss. Victims can take actions such as contacting banks, credit card companies, and/or credit bureaus to block accounts, freeze accounts, dispute charges, or attempt recovery of lost funds. Victims should be diligent in reviewing credit reports to dispute any unauthorized transactions and should also consider credit monitoring services.

2 Federal Bureau of Investigation. Law Enforcement Enterprise Portal (LEEP). https://www.fbi.gov/services/cjis/leep.
3 The United States Attorney's Office, Western District of Washington; Financial Crime Fraud Victims. http://www.justice.gov/usao-wdwa/victim-witness/victim-info/financial-fraud.

[Diagram: What we do: increase victim reporting via outreach; victims report Internet crime to www.ic3.gov]

Analysis

The IC3 is well positioned to be the central point for Internet crime victims to report and to alert the appropriate agencies of suspected criminal Internet activity. The IC3 reviews and analyzes data submitted through its website, and produces intelligence products to highlight emerging threats and new trends.

Public Awareness

Public service announcements (PSAs), scam alerts, and other publications outlining specific scams are posted to the www.ic3.gov website. As more people become aware of Internet crimes and the methods utilized to carry them out, potential victims are equipped with a broader understanding of the dangers associated with Internet activity and are in a better position to avoid falling prey to schemes online.

[Image: IC3 Core Functions4]

Referrals

The IC3 aggregates related complaints to build referrals, which are forwarded to local, state, federal, and international law enforcement agencies for potential investigation. If law enforcement conducts an investigation and determines a crime has been committed, legal action may be brought against the perpetrator. Each and every step is necessary to assist law enforcement in stopping Internet crime.

SUPPORTING LAW ENFORCEMENT

IC3 Database Remote Access

A remote search capability of the IC3 database is available to all sworn law enforcement through the FBI's Law Enforcement Enterprise Portal (LEEP). LEEP is a gateway providing law enforcement agencies, intelligence groups, and criminal justice entities access to beneficial resources. These resources strengthen case development for investigators, enhance information sharing between agencies, and are accessible in one centralized location.

4 Accessibility description: image contains the IC3 logo against a digital background. Core functions are listed in individual blocks: mitigation, complaint, analysis, deterrence, investigation, prosecution, prevention, and detection.


This web-based access provides users the ability to identify and aggregate victims and losses within a jurisdiction, and to substantiate investigations. The IC3 expanded the remote search capabilities of the IC3 database by granting users the ability to gather IC3 complaint statistics. Users have the ability to run city, state, county, and country reports and sort by crime type, age, and transactional information. The user can also run overall crime type reports and sort by city, state, and country. The report results can be returned as a PDF or exported to Excel. This search capability allows users to better understand the scope of cyber crime in their area of jurisdiction and enhance cases.

Testimonials from Law Enforcement Database Users

"I have published several reports based on trends that we were seeing since I was able to see the complaints. There were numerous instances of the quick reporting providing us with an opportunity to quickly mitigate circumstances or begin investigations before evidence was lost.

Thanks for the great service …"

FBI Portland

"I had tremendous success using IC3. Without the availability and unlimited access to IC3 I would never have been able to identify the numerous suspects linked to a transnational criminal enterprise."

Weld County, Colorado

"The remote query is beneficial because it allows me to query potential leads and victim complaints outside of normal business hours."

"Since February 2014, I have been investigating an ongoing romance scam investigation. Separate from following fraudulently obtained funds through subjects' bank accounts, IC3 data has enabled me to quickly determine if these funds are derived from a potential victim or possible co-conspirator. In a number of instances, victims making deposits into these accounts have filed complaints through IC3. The basic information provided by victims has given me general background information when conducting an interview. IC3 data has also corroborated information developed during the course of this investigation."

Department of Homeland Security, Wisconsin

"IC3 has served as a centralized intake for Business Email Compromises (BEC) across the United States. Boston Field Office reviews BEC complaints made to IC3 on a daily basis. IC3 has made this process easy through its modifications to the complaint form this year. The information is always up to the minute, which is important in these types of schemes. IC3 also proactively reaches out to the field when large BEC complaints involving recently wired funds are filed. In one instance, IC3 proactively reached out to the Boston Field Office to alert us to a $1.8 million wire. Based on the early notification, Boston was able to take the necessary steps to successfully recover the entire amount on behalf of the victim. Lastly, IC3 continues to be a steady source of intel on the BEC threat."

FBI Boston

SUCCESSES

Prosecutions

Real Estate/Rental Fraud: FBI San Diego

The IC3 provided multiple complaints with a monetary loss of $232,258.58 to FBI San Diego in March 2015. The complaints reported that Geoffrey Paul Moncrief was using properties listed on various vacation home rental websites to defraud victims of money, on an average of $8,000 per person. Subsequent investigation showed that Moncrief took full payment from multiple parties without delivering the real estate. Moncrief was ultimately charged in San Diego Superior Court with 28 Counts of violating California Penal Code section 487(a), Grand Theft. Moncrief entered a guilty plea to 26 counts of [sic] and was sentenced in San Diego Superior Court to 365 days corrective custody, three years of formal probation, and restitution in the amount of $232,258.58.

Wire Fraud: FBI San Diego

In February 2010, the IC3 provided multiple complaints to FBI San Diego reporting a monetary loss of $279,277. Complainants reported Christopher John Cozzie was selling pirated copies of infra-red imaging systems used in breast exams. Cozzie marketed these infra-red systems to include hardware, software, and training at a cost of approximately $35,000 per system but he either never delivered, or only partially delivered, on the orders. Cozzie was indicted on ten counts of Wire Fraud, 18 U.S.C. 1343. He entered a guilty plea to one count of wire fraud and was sentenced to six months corrective custody, three years supervised release, and restitution in the amount of $279,277.

Operation Wellspring (OWS) Initiative

OWS builds the cyber investigative capability and capacity of the state and local law enforcement community. Through close collaboration with local field offices, IC3 helps state and local law enforcement partners identify and respond to malicious cyber activity.

Key Components:

- Serves as a national platform to receive, develop, and refer Internet-facilitated fraud complaints.
- Trains state and local law enforcement officers on cyber crime investigations.
- Coordinates with FBI Cyber and Criminal Components.
- Addresses Internet-facilitated criminal cases not meeting most federal investigative thresholds by utilizing Cyber Task Force (CTF) state and local officers.


CTFs The OWS Initiative was launched in August 2013 with the Salt Lake City CTF, in partnership with the Utah Department of Public Safety. OWS has expanded to 11 field offices: Albany, Buffalo, Kansas City, Knoxville, Las Vegas, New York City, New Orleans, Oklahoma City, Phoenix, Salt Lake City, and San Diego.

Total OWS Opened Investigations The IC3 receives, on average, 800 complaints per day, and OWS offers CTFs a consistent resource to identify Internet fraud subjects and victims located throughout the world. Thirty-seven investigations were opened in 2016. Accomplishments included arrests, disruptions, and convictions. Financial restitutions were made and criminals were sentenced.

Victim Complaints The IC3 provided 174 referrals to 11 CTFs based on 2,719 complaints. The total victim loss associated with these complaints was approximately $14.4 million.

HOT TOPICS FOR 2016

Business Email Compromise (BEC)

Business Email Compromise (BEC) is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses who regularly perform wire transfer payments. The Email Account Compromise (EAC) component of BEC targets individuals who perform wire transfer payments. The techniques used in both the BEC and EAC scams have become increasingly similar, prompting the IC3 to begin tracking these scams as a single crime type in 2017.

The scam is carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim's normal business practices. Fraudulent transfers have gone through accounts in many countries, with a large majority traveling through Asia.

The scam began to evolve in 2013 when victims indicated the email accounts of Chief Executive Officers or Chief Financial Officers of targeted businesses were hacked or spoofed, and wire payments were requested to be sent to fraudulent locations. BEC/EAC continued to evolve, and in 2014 victim businesses reported having personal emails compromised and multiple fraudulent requests for payment sent to vendors identified from their contact list. In 2015, victims reported being contacted by subjects posing as lawyers or law firms instructing them to make secret or time sensitive wire transfers. BECs may not always be associated with a request for transfer of funds. In 2016, the scam evolved to include the compromise of legitimate business email accounts and requests for Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.

The BEC/EAC scam is linked to other forms of fraud, including but not limited to: romance, lottery, employment, and rental scams. The victims of these scams are usually U.S. based and may be recruited to illegally transfer money on behalf of others. In 2016, the IC3 received 12,005 BEC/EAC complaints with losses of over $360 million.

Ransomware

Ransomware is a form of malware targeting both human and technical weaknesses in an effort to deny the availability of critical data and/or systems. Ransomware is frequently delivered through various vectors, including phishing and Remote Desktop Protocol (RDP). RDP allows computers to connect to each other across a network. In one scenario, spear phishing emails are sent to end users resulting in the rapid encryption of sensitive files on a corporate network. When the victim organization determines they are no longer able to access their data, the cyber actor demands the payment of a ransom, typically in virtual currency such as Bitcoin. The actor will purportedly provide an avenue to the victim to regain access to their data. Recent iterations target specific organizations and their employees, making awareness and training a critical preventative measure. In 2016, the IC3 received 2,673 complaints identified as ransomware with losses of over $2.4 million.

See footnote for accessibility description of image.5

5 Image depicts typical ransomware process: Step One – Installation: victim opens a malicious email or visits a compromised website. Step Two – Contacts Server: malware communicates with criminal's server; Step Three – Encryption: malware encrypts victim's files; Step Four – Extortion: Message on victim's computer displays ransom amount, to be paid via virtual currency.

Tech Support Fraud

Tech support fraud occurs when the subject claims to be associated with a computer software or security company, or even a cable or Internet company, offering technical support to the victim. Phony tech support companies utilize several different methods to contact or lure their victims. This list is not all inclusive, as the subjects are always varying their schemes.

1. Cold call
2. Pop-up or locked screen
3. Search Engine Optimization: The subject pays to have their company websites appear in the top of search results when a victim searches for technical support.
4. URL Hijacking / Typosquatting: The subject relies on mistakes made by the victim when entering a URL, which either causes an "error" or redirects to the subject's website.

Once the phony tech support company or representative makes verbal contact with the victim, the subject tries to convince the victim to provide remote access to their device. Once the subject has control, additional criminal activity occurs. For example:

- The subject takes control of the victim's device and/or bank account, and will not release control until the victim pays a ransom.
- The subject accesses computer files containing financial accounts, passwords, or personal data (health records, social security numbers, etc.).
- The subject intentionally installs viruses on the device.
- The subject threatens to destroy the victim's computer or continues to call in a harassing manner.

A variation of the fraud, where the subject contacts the victim offering a refund for tech support services previously rendered, has increased. The victim is convinced to allow the subject access to their device and to log onto their online bank account to process the refund. The subject then has control of the victim's device and bank account. With this access, the subject claims to have "mistakenly" refunded too much money to the victim's accounts, and requests the victim wire the difference back to the subject company. In reality, the subject transferred funds among the victim's own accounts (checking, savings, retirement, etc.) to make it appear as though funds were deposited. The victim wires money to the subject, thereby suffering a loss, and does not find out until later the "overpayment" was simply a shift of funds between the victim's own accounts. The refund and wiring process can occur multiple times, thereby exacerbating the losses.


The IC3 has received thousands of tech support related fraud complaints. Victims have lost millions of dollars to the perpetrators. In 2016, the IC3 received 10,850 tech support fraud complaints with losses in excess of $7.8 million. While the majority of tech support fraud victims are from the U.S., the fraud was reported by victims in 78 different countries. The fraud affects victims of all ages; however, older victims are often the most vulnerable. Extortion Extortion is defined as an incident when a cyber criminal demands something of value from a victim by threatening physical or financial harm or the release of sensitive data. Extortion is often used in various schemes reported to the IC3, including Denial of Service attacks, hitman schemes,6 sextortion,7 Government impersonation schemes, loan schemes,8 and high-profile data breaches.9 Another tactic exploited in extortion schemes is the use of virtual currency as a payment mechanism. Virtual currency provides the cyber criminal an additional layer of anonymity when perpetrating these schemes. The IC3 continues to receive complaints regarding various extortion techniques. In 2016, the IC3 received 17,146 extortion-related complaints with adjusted losses of over $15 million.

6 Hitman Scheme: Described as an email extortion in which a perpetrator sends a disturbing email threatening to kill a victim and/or their family. The email instructs the recipient to pay a fee to remain safe and avoid having the hit carried out.

7 Sextortion: Described as a situation in which someone threatens to distribute your private and sensitive material if you don't provide them images of a sexual nature, sexual favors, or money.

8 Loan Scheme: Described as a situation in which perpetrators contact victims claiming to be a debt collector from a legitimate company, instructing victims to pay fees in order to avoid legal consequences.

9 High Profile Data Breach: Sensitive, protected or confidential data belonging to a well-known or established organization is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.


2016 OVERALL STATISTICS

See footnote for accessibility description of image.10

2016 VICTIMS BY AGE GROUP

Victims Age Range11   Total Count   Total Loss
Under 20              10,004        $6,698,742
20-29                 46,266        $68,015,095
30-39                 54,670        $190,095,752
40-49                 51,394        $224,322,960
50-59                 49,208        $298,145,628
Over 60               55,043        $339,474,918

10 Image depicts several key statistics regarding complaints and victim loss. A bar chart shows total number of complaints and overall victim loss for the years 2010 to 2016. For 2016, 298,728 complaints were received, with a total victim loss of $1.33 billion. The total number of complaints received since the year 2000 is 3,762,348. IC3 receives approximately 280,000 complaints each year, or more than 800 per day.

11 Not all complaints include an associated age range; those without this info are excluded from this table.

IMPORTANT STATS

Approximately 280,000 average complaints received each year

Over 800 average complaints received per day

Victim losses in 2016: $1.33 billion


TOP 20 FOREIGN COUNTRIES BY VICTIM
Excluding the United States12

 1. Canada                 3,772
 2. India                  2,188
 3. United Kingdom         1,509
 4. Australia                936
 5. France                   568
 6. Brazil                   533
 7. Mexico                   521
 8. China                    473
 9. Japan                    447
10. Philippines              439
11. Germany                  350
12. South Africa             337
13. Turkey                   286
14. Spain                    229
15. Hong Kong                223
16. United Arab Emirates     202
17. Malaysia                 193
18. Singapore                192
19. Nigeria                  188
20. New Zealand              187

12 Accessibility description: image includes a world map with circles corresponding in size to the total number of reports received from specific countries. The top twenty countries are included. Specific stats for each country can be found in the text table immediately below the image.


Top 10 States by Number of Reported Victims13

Top 10 States by Reported Victim Loss14

13 Accessibility description: image depicts the United States, with the top ten states (based on reported victims) highlighted. These include California (39,547), Texas (21,441), New York (16,426), Florida (21,068), Illinois (9,177), Pennsylvania (8,265), Maryland (8,361), Virginia (8,068), Ohio (7,052), and Washington (6,874).

14 Accessibility description: image depicts the United States, with the top ten states (based on reported victim loss). These include California ($255.2M), New York ($106.2M), Florida ($88.8M), Texas ($77.1M), Virginia ($49.2M), Illinois ($32.9M), Colorado ($30.9M), Pennsylvania ($27.4M), Washington ($25.7M), and Georgia ($25.5M).


2016 CRIME TYPES

By Victim Count

Crime Type                             Victims
Non-Payment/Non-Delivery               81,029
Personal Data Breach                   27,573
419/Overpayment                        25,716
Phishing/Vishing/Smishing/Pharming     19,465
Employment                             17,387
Extortion                              17,146
Identity Theft                         16,878
Harassment/Threats of Violence         16,385
Credit Card Fraud                      15,895
Advanced Fee                           15,075
Confidence Fraud/Romance               14,546
No Lead Value                          13,794
Other                                  12,619
Real Estate/Rental                     12,574
Government Impersonation               12,344
BEC/EAC                                12,005
Tech Support                           10,850
Misrepresentation                       5,436
Lottery/Sweepstakes                     4,231
Corporate Data Breach                   3,403
Malware/Scareware                       2,783
Ransomware                              2,673
IPR/Copyright and Counterfeit           2,572
Investment                              2,197
Virus                                   1,498
Crimes against Children                 1,230
Civil Matter                            1,070
Denial of Service                         979
Re-shipping                               893
Charity                                   437
Health Care Related                       369
Terrorism                                 295
Gambling                                  137
Hacktivist                                113

Descriptors*                           Victims
Social Media                           18,712
Virtual Currency                        1,904

*These descriptors relate to the medium or tool used to facilitate the crime and are used by the IC3 for tracking purposes only. They are available only after another crime type has been selected.


2016 CRIME TYPES CONTINUED

By Victim Loss

Crime Type                             Loss
BEC/EAC                                $360,513,961
Confidence Fraud/Romance               219,807,760
Non-Payment/Non-Delivery               138,228,282
Investment                             123,407,997
Corporate Data Breach                   95,869,990
Other                                   73,092,101
Advanced Fee                            60,484,573
Personal Data Breach                    59,139,152
Identity Theft                          58,917,398
Civil Matter                            57,688,555
419/Overpayment                         56,004,836
Credit Card Fraud                       48,187,993
Real Estate/Rental                      47,875,765
Employment                              40,517,605
Phishing/Vishing/Smishing/Pharming      31,679,451
Harassment/Threats of Violence          22,005,655
Lottery/Sweepstakes                     21,283,769
Extortion                               15,811,837
Misrepresentation                       13,725,233
Government Impersonation                12,278,714
Denial of Service                       11,213,566
Tech Support                             7,806,416
IPR/Copyright and Counterfeit            6,829,467
Malware/Scareware                        3,853,351
Ransomware                               2,431,261
Re-shipping                              1,932,021
Charity                                  1,660,452
Virus                                    1,635,321
Health Care Related                        995,659
Gambling                                   290,693
Terrorism                                  219,935
Crimes against Children                     79,173
Hacktivist                                  55,500
No Lead Value                                    0

Descriptors*                           Loss
Social Media                           $66,401,318
Virtual Currency                        28,302,365

*These descriptors relate to the medium or tool used to facilitate the crime, and are used by the IC3 for tracking purposes only. They are available only after another crime type has been selected.


2016 OVERALL STATE STATISTICS

Count by Victim per State*

Rank  State                         Victims
 1    California                    39,547
 2    Texas                         21,441
 3    Florida                       21,068
 4    New York                      16,426
 5    Illinois                       9,177
 6    Maryland                       8,361
 7    Pennsylvania                   8,265
 8    Virginia                       8,068
 9    Ohio                           7,052
10    Washington                     6,874
11    Colorado                       6,847
12    Georgia                        6,697
13    New Jersey                     6,690
14    North Carolina                 6,492
15    Michigan                       6,384
16    Arizona                        6,349
17    Massachusetts                  4,888
18    Tennessee                      4,693
19    Indiana                        4,658
20    Missouri                       4,096
21    Oregon                         3,947
22    Nevada                         3,775
23    Alabama                        3,726
24    Wisconsin                      3,662
25    South Carolina                 3,500
26    Minnesota                      3,390
27    Louisiana                      3,002
28    Kentucky                       2,621
29    Connecticut                    2,545
30    Oklahoma                       2,455
31    Utah                           2,295
32    Kansas                         1,963
33    Arkansas                       1,853
34    New Mexico                     1,702
35    Iowa                           1,560
36    Mississippi                    1,467
37    Alaska                         1,259
38    West Virginia                  1,153
39    New Hampshire                  1,126
40    Idaho                          1,120
41    Hawaii                         1,055
42    Nebraska                       1,028
43    District of Columbia             938
44    Maine                            770
45    Montana                          744
46    Puerto Rico                      709
47    Delaware                         703
48    Rhode Island                     663
49    Vermont                          440
50    Wyoming                          432
51    South Dakota                     376
52    North Dakota                     350
53    Guam                              50
54    U.S. Minor Outlying Islands       42
55    Virgin Islands, U.S.              42
56    Northern Mariana Islands          15
57    American Samoa                    10

*Note: This information is based on the total number of complaints from each state, American Territories, and the District of Columbia when the complainant provided state information.


2016 OVERALL STATE STATISTICS CONTINUED

Loss by Victim per State*

Rank  State                         Loss
 1    California                    $255,181,657
 2    New York                      106,225,695
 3    Florida                        88,841,178
 4    Texas                          77,135,765
 5    Virginia                       49,175,677
 6    Illinois                       32,938,414
 7    Colorado                       30,893,224
 8    Pennsylvania                   27,432,303
 9    Washington                     25,728,634
10    Georgia                        25,477,413
11    New Jersey                     24,500,833
12    North Carolina                 24,194,018
13    Michigan                       24,174,754
14    Maryland                       23,145,424
15    Arizona                        20,567,423
16    Ohio                           20,410,854
17    Massachusetts                  20,324,110
18    Missouri                       15,886,334
19    Oklahoma                       15,412,650
20    Nevada                         15,246,405
21    Oregon                         13,767,261
22    Louisiana                      13,290,356
23    Minnesota                      12,634,057
24    Tennessee                      12,557,922
25    South Carolina                 10,860,131
26    Wisconsin                      10,309,552
27    Kentucky                        9,381,342
28    Indiana                         9,266,381
29    New Mexico                      8,701,654
30    Arkansas                        7,917,870
31    Utah                            7,304,226
32    Alabama                         7,178,091
33    Kansas                          7,011,898
34    Connecticut                     6,960,531
35    Iowa                            5,013,079
36    Nebraska                        4,289,411
37    Idaho                           4,174,839
38    Mississippi                     3,473,575
39    New Hampshire                   3,171,083
40    Montana                         3,052,401
41    Hawaii                          2,924,323
42    West Virginia                   2,576,787
43    Alaska                          2,276,799
44    Puerto Rico                     2,084,360
45    District of Columbia            1,921,649
46    Delaware                        1,675,255
47    Rhode Island                    1,570,612
48    Maine                           1,192,677
49    South Dakota                      933,723
50    Wyoming                           913,941
51    North Dakota                      859,856
52    Vermont                           855,007
53    Guam                              676,443
54    Virgin Islands, U.S.              155,114
55    U.S. Minor Outlying Islands        59,066
56    Northern Mariana Islands           55,917
57    American Samoa                        300

*Note: This information is based on the total number of complaints from each state, American Territories, and the District of Columbia when the complainant provided state information.


2016 OVERALL STATE STATISTICS CONTINUED

Count by Subject per State*

Rank  State                         Subjects
 1    California                    15,240
 2    Texas                         11,309
 3    Florida                        8,528
 4    New York                       7,636
 5    Illinois                       3,841
 6    Georgia                        3,614
 7    Maryland                       3,241
 8    Washington                     2,779
 9    Virginia                       2,603
10    Nebraska                       2,444
11    New Jersey                     2,439
12    Pennsylvania                   2,433
13    Ohio                           2,414
14    Arizona                        2,226
15    Michigan                       2,178
16    North Carolina                 2,074
17    Tennessee                      1,814
18    Nevada                         1,748
19    Colorado                       1,628
20    Massachusetts                  1,443
21    Missouri                       1,384
22    South Carolina                 1,374
23    District of Columbia           1,360
24    Oklahoma                       1,283
25    Utah                           1,262
26    Indiana                        1,246
27    Alabama                        1,226
28    Delaware                       1,149
29    Oregon                         1,109
30    Minnesota                      1,084
31    Kansas                         1,079
32    Mississippi                    1,021
33    Louisiana                        919
34    Connecticut                      794
35    Kentucky                         777
36    Wisconsin                        774
37    Iowa                             565
38    Montana                          547
39    Arkansas                         532
40    New Mexico                       406
41    Idaho                            346
42    West Virginia                    312
43    Hawaii                           296
44    North Dakota                     287
45    New Hampshire                    250
46    Maine                            240
47    Alaska                           215
48    Rhode Island                     200
49    Vermont                          186
50    Puerto Rico                      163
51    South Dakota                     146
52    Wyoming                          138
53    U.S. Minor Outlying Islands       18
54    Guam                              14
55    Virgin Islands, U.S.              10
56    Northern Mariana Islands           3
57    American Samoa                     2

*Note: This information is based on the total number of complaints from each state, American Territories, and the District of Columbia when the complainant provided state information.


2016 OVERALL STATE STATISTICS CONTINUED

Subject Earnings per Destination State*

Rank  State                         Loss
 1    California                    $74,917,042
 2    Texas                          57,602,715
 3    Hawaii                         50,893,790
 4    New York                       46,039,475
 5    Florida                        38,158,286
 6    Georgia                        24,821,761
 7    Colorado                       17,735,623
 8    Illinois                       12,867,132
 9    Pennsylvania                   12,557,106
10    New Jersey                     11,834,991
11    Wisconsin                      10,726,136
12    Oregon                         10,660,242
13    Arizona                        10,440,842
14    Washington                     10,215,859
15    Virginia                        9,940,731
16    Oklahoma                        7,819,581
17    Ohio                            7,651,776
18    Missouri                        7,581,974
19    Maryland                        7,442,627
20    Michigan                        6,703,012
21    North Carolina                  6,314,756
22    Nevada                          6,272,081
23    Massachusetts                   6,119,164
24    Nebraska                        6,049,631
25    Minnesota                       6,018,709
26    Indiana                         5,188,886
27    District of Columbia            5,143,770
28    Tennessee                       4,860,522
29    South Carolina                  4,589,415
30    Alabama                         4,258,587
31    Connecticut                     3,507,155
32    Utah                            3,322,074
33    Louisiana                       3,278,684
34    Iowa                            2,681,761
35    Kentucky                        2,660,183
36    Kansas                          2,616,821
37    Delaware                        2,560,784
38    Mississippi                     2,428,942
39    Arkansas                        1,969,540
40    New Mexico                      1,850,003
41    Montana                         1,517,688
42    Idaho                           1,347,658
43    Rhode Island                      960,607
44    West Virginia                     793,537
45    North Dakota                      791,530
46    Maine                             518,573
47    Alaska                            517,609
48    New Hampshire                     484,082
49    South Dakota                      418,626
50    Vermont                           263,594
51    Wyoming                           261,875
52    Puerto Rico                       227,168
53    Guam                              210,000
54    U.S. Minor Outlying Islands        65,723
55    Northern Mariana Islands           29,832
56    Virgin Islands, U.S.               18,181
57    American Samoa                          0

*Note: This information is based on the total number of complaints from each state, American Territories, and the District of Columbia when the complainant provided state information.


APPENDIX A: CRIME TYPE DEFINITIONS

419/Overpayment: "419" is a term that refers to the section in Nigerian law associated with con artistry and fraud, associated with solicitation from individuals requesting help in facilitating the transfer of money. The sender offers a commission or share in the profits, but will first ask that money be sent to pay for some of the costs associated with the transfer. (Overpayment) An individual is sent a payment and instructed to keep a portion of the payment, but send the rest on to another individual or business.

Advanced Fee: An individual pays money to someone in anticipation of receiving something of greater value in return, but instead receives significantly less than expected or nothing.

Auction: A fraudulent transaction or exchange that occurs in the context of an online auction site.

Business Email Compromise/Email Account Compromise: BEC is a scam targeting businesses (not individuals) working with foreign suppliers and/or businesses regularly performing wire transfer payments. EAC is a similar scam which targets individuals. These sophisticated scams are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

Charity: Using deception to get money from individuals believing they are making donations to legitimate charities and/or charities representing victims of natural disasters shortly after the incident occurs.

Civil Matter: Civil litigation generally includes all disputes formally submitted to a court, about any subject in which one party is claimed to have committed a wrong, but not a crime. In general, this is the legal process most people think of when the word "lawsuit" is used.

Confidence Fraud/Romance: An individual believes they are in a relationship (family, friendly, or romantic) and are tricked into sending money, personal and financial information, or items of value to the perpetrator, or into laundering money or items to assist the perpetrator. This is basically the Grandparent's Scheme and any scheme in which the perpetrator preys on the complainant's "heartstrings."

Corporate Data Breach: A leak/spill of business data which is released from a secure location to an untrusted environment. A data breach within a corporation or business where sensitive, protected, or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.

Credit Card: Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism (ACH, EFT, recurring charge, etc.) as a fraudulent source of funds in a transaction.

Crimes against Children: Anything related to the exploitation of children, including child abuse.

Criminal Forums: A medium where criminals exchange ideas and protocols relating to intrusion.


Denial of Service: An interruption of an authorized user's access to any system or network, typically one caused with malicious intent.

Employment: An individual believes they are legitimately employed, and loses money, or launders money/items during the course of their employment.

Extortion: Unlawful extraction of money or property through intimidation or undue exercise of authority. It may include threats of physical harm, criminal prosecution, or public exposure.

Gambling: Online gambling, also known as Internet gambling and iGambling, is a general term for gambling using the Internet.

Government Impersonation: A government official is impersonated in an attempt to collect money.

Hacktivist: A computer hacker whose activity is aimed at promoting a social or political cause.

Harassment/Threats of Violence: (Harassment) Utilizing false accusations or statements of fact (as in defamation) to intimidate. (Threats of Violence) An expression of an intention to inflict pain, injury, or punishment, which does not refer to the requirement of payment.

Health Care Related: A scheme attempting to defraud private or government health care programs which usually involves health care providers, companies, or individuals. Schemes may include offers for (fake) insurance cards, health insurance marketplace assistance, stolen health information, or various other scams and/or any scheme involving medications, supplements, weight loss products, or diversion/pill mill practices. These scams are often initiated through spam email, Internet advertisements, links in forums/social media, and fraudulent websites.

IPR/Copyright and Counterfeit: The illegal theft and use of others' ideas, inventions, and creative expressions, what's called intellectual property: everything from trade secrets and proprietary products and parts to movies, music, and software.

Identity Theft/Account Takeover: (Identity Theft) Someone steals and uses personal identifying information, like a name or Social Security number, without permission to commit fraud or other crimes, or a fraudster obtains account information to perpetrate fraud on existing accounts (Account Takeover).

Investment: Deceptive practice that induces investors to make purchases on the basis of false information. These scams usually offer the victims large returns with minimal risk (Retirement, 401K, Ponzi, Pyramid, etc.).

Lottery/Sweepstakes: An individual is contacted about winning a lottery/sweepstakes they never entered.

Malware/Scareware: Software intended to damage or disable computers and computer systems. Sometimes, scare tactics are used by the perpetrators to solicit funds.


Misrepresentation: Merchandise or services were purchased or contracted by individuals online for which the purchasers provided payment. The goods or services received were of a measurably lesser quality or quantity than was described by the seller.

No Lead Value: Incomplete complaints which do not allow a crime type to be determined.

Non-Payment/Non-Delivery: Goods and services are shipped, and payment is never rendered (non-payment). Payment is sent, and goods and services are never received (non-delivery).

Other: Other types of Internet/Non-Internet fraud not listed.

Personal Data Breach: A leak/spill of personal data which is released from a secure location to an untrusted environment. Also, a security incident in which an individual's sensitive, protected, or confidential data is copied, transmitted, viewed, stolen or used by an unauthorized individual.

Phishing/Vishing/Smishing/Pharming: The use of unsolicited email, text messages, and telephone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials.

Ransomware: A type of malicious software designed to block access to a computer system until money is paid.

Re-shipping: Individuals receive packages at their residence and subsequently repackage the merchandise for shipment, usually abroad.

Real Estate/Rental: Loss of funds from a real estate investment or fraud involving rental or timeshare property.

Social Media: A complaint alleging the use of social networking or social media (Facebook, Twitter, Instagram, chat rooms, etc.) as a vector for fraud. Social Media does not include dating sites.

Tech Support: Attempts to gain access to a victim's electronic device by falsely claiming to offer tech support, usually for a well-known company. The scammer asks for remote access to the victim's device to clean up viruses or malware or to facilitate a refund for prior support services.

Terrorism: Violent acts intended to create fear (terror); are perpetrated for a religious, political, or ideological goal; and deliberately target or disregard the safety of non-combatants.

Virus: Code capable of copying itself and having a detrimental effect, such as corrupting the system or destroying data.

Virtual Currency: A complaint mentioning a form of virtual/crypto currency (Bitcoin, Litecoin, Potcoin, etc.).


START WITH SECURITY: A GUIDE FOR BUSINESS LESSONS LEARNED FROM FTC CASES

Federal Trade Commission

1. Start with security.
2. Control access to data sensibly.
3. Require secure passwords and authentication.
4. Store sensitive personal information securely and protect it during transmission.
5. Segment your network and monitor who's trying to get in and out.
6. Secure remote access to your network.
7. Apply sound security practices when developing new products.
8. Make sure your service providers implement reasonable security measures.
9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
10. Secure paper, physical media, and devices.

While managing your network, developing an app, or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant. As the Federal Trade Commission outlined in Protecting Personal Information: A Guide for Business, you should know what personal information you have in your files and on your computers, and keep only what you need for your business. You should protect the information that you keep, and properly dispose of what you no longer need. And, of course, you should create a plan to respond to security incidents.

In addition to Protecting Personal Information, the FTC has resources to help you think through how those principles apply to your business. There's an online tutorial to help train your employees; publications to address particular data security challenges; and news releases, blog posts, and guidance to help you identify, and possibly prevent, pitfalls. There's another source of information about keeping sensitive data secure: the lessons learned from the more than 50 law enforcement actions the FTC has announced so far. These are settlements (no findings have been made by a court) and the specifics of the orders apply just to those companies, of course. But learning about alleged lapses that led to law enforcement can help your company improve its practices. And most of these alleged practices involve basic, fundamental security missteps. Distilling the facts of those cases down to their essence, here are ten lessons that touch on vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose.

1. Start with security.

From personal data on employment applications to network files with customers' credit card numbers, sensitive information pervades every part of many companies. Business executives often ask how to manage confidential information. Experts agree on the key first step: Start with security. Factor it into the decision-making in every department of your business: personnel, sales, accounting, information technology, etc. Collecting and maintaining information "just because" is no longer a sound business strategy. Savvy companies think through the implications of their data decisions. By making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of a data compromise down the road. Of course, all of those decisions will depend on the nature of your business. Lessons from FTC cases illustrate the benefits of building security in from the start by going lean and mean in your data collection, retention, and use policies.

Don't collect personal information you don't need. Here's a foundational principle to inform your initial decision-making: No one can steal what you don't have. When does your company ask people for sensitive information? Perhaps when they're registering online or setting up a new account. When was the last time you looked at that process to make sure you really need everything you ask for? That's the lesson to learn from a number of FTC cases. For example, the FTC's complaint against RockYou charged that the company collected lots of information during the site registration process, including the user's email address and email password. By collecting email passwords (not something the business needed) and then storing them in clear text, the FTC said the company created an unnecessary risk to people's email accounts. The business could have avoided that risk simply by not collecting sensitive information in the first place.

Hold on to information only as long as you have a legitimate business need. Sometimes it's necessary to collect personal data as part of a transaction. But once the deal is done, it may be unwise to keep it. In the FTC's BJ's Wholesale Club case, the company collected customers' credit and debit card information to process transactions in its retail stores. But according to the complaint, it continued to store that data for up to 30 days, long after the sale was complete. Not only did that violate bank rules, but by holding on to the information without a legitimate business need, the FTC said BJ's Wholesale Club created an unreasonable risk. By exploiting other weaknesses in the company's security practices, hackers stole the account data and used it to make counterfeit credit and debit cards. The business could have limited its risk by securely disposing of the financial information once it no longer had a legitimate need for it.


Don't use personal information when it's not necessary. You wouldn't juggle with a Ming vase. Nor should businesses use personal information in contexts that create unnecessary risks. In the Accretive case, the FTC alleged that the company used real people's personal information in employee training sessions, and then failed to remove the information from employees' computers after the sessions were over. Similarly, in foru International, the FTC charged that the company gave access to sensitive consumer data to service providers who were developing applications for the company. In both cases, the risk could have been avoided by using fictitious information for training or developmental purposes.

2. Control access to data sensibly.

Once you've decided you have a legitimate business need to hold on to sensitive data, take reasonable steps to keep it secure. You'll want to keep it from the prying eyes of outsiders, of course, but what about your own employees? Not everyone on your staff needs unrestricted access to your network and the information stored on it. Put controls in place to make sure employees have access only on a "need to know" basis. For your network, consider steps such as separate user accounts to limit access to the places where personal data is stored or to control who can use particular databases. For paper files, external drives, disks, etc., an access control could be as simple as a locked file cabinet. When thinking about how to control access to sensitive information in your possession, consider these lessons from FTC cases.

Restrict access to sensitive data. If employees don't have to use personal information as part of their job, there's no need for them to have access to it. For example, in Goal Financial, the FTC alleged that the company failed to restrict employee access to personal information stored in paper files and on its network. As a result, a group of employees transferred more than 7,000 consumer files containing sensitive information to third parties without authorization. The company could have prevented that misstep by implementing proper controls and ensuring that only authorized employees with a business need had access to people's personal information.

Limit administrative access. Administrative access, which allows a user to make system-wide changes to your system, should be limited to the employees tasked to do that job. In its action against Twitter, for example, the FTC alleged that the company granted almost all of its employees administrative control over Twitter's system, including the ability to reset user account passwords, view users' nonpublic tweets, and send tweets on users' behalf. According to the complaint, by providing administrative access to just about everybody in-house, Twitter increased the risk that a compromise of any of its employees' credentials could result in a serious breach. How could the company have reduced that risk? By ensuring that employees' access to the system's administrative controls was tailored to their job needs.


3. Require secure passwords and authentication.

If you have personal information stored on your network, strong authentication procedures, including sensible password "hygiene," can help ensure that only authorized individuals can access the data. When developing your company's policies, here are tips to take from FTC cases.

Insist on complex and unique passwords. "Passwords" like 121212 or qwerty aren't much better than no passwords at all. That's why it's wise to give some thought to the password standards you implement. In the Twitter case, for example, the company let employees use common dictionary words as administrative passwords, as well as passwords they were already using for other accounts. According to the FTC, those lax practices left Twitter's system vulnerable to hackers who used password-guessing tools, or tried passwords stolen from other services in the hope that Twitter employees used the same password to access the company's system. Twitter could have limited those risks by implementing a more secure password system, for example by requiring employees to choose complex passwords and training them not to use the same or similar passwords for both business and personal accounts.

Store passwords securely. Don't make it easy for interlopers to access passwords. In Guidance Software, the FTC alleged that the company stored network user credentials in clear, readable text that helped a hacker access customer credit card information on the network. Similarly, in Reed Elsevier, the FTC charged that the business allowed customers to store user credentials in a vulnerable format in cookies on their computers. In Twitter, too, the FTC said the company failed to establish policies that prohibited employees from storing administrative passwords in plain text in personal email accounts. In each of those cases, the risks could have been reduced if the companies had policies and procedures in place to store credentials securely. Businesses also may want to consider other protections, two-factor authentication for example, that can help protect against password compromises.

Guard against brute force attacks. Remember that adage about an infinite number of monkeys at an infinite number of typewriters? Hackers use automated programs that perform a similar function. These brute force attacks work by trying endless combinations of characters until the attacker lucks into someone's password. In the Lookout Services, Twitter, and Reed Elsevier cases, the FTC alleged that the businesses didn't suspend or disable user credentials after a certain number of unsuccessful login attempts. By not adequately restricting the number of tries, the companies placed their networks at risk. Implementing a policy to suspend or disable accounts after repeated login attempts would have helped to eliminate that risk.

Protect against authentication bypass. Locking the front door doesn't offer much protection if the back door is left open. In Lookout Services, the FTC charged that the company failed to adequately test its web application for widely-known security flaws, including one called "predictable resource location." As a result, a hacker could easily predict patterns and manipulate URLs to bypass the web app's authentication screen and gain unauthorized access to the company's databases. The company could have improved the security of its authentication mechanism by testing for common vulnerabilities.
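A compact implementation of the three password lessons in this section (a policy check that rejects dictionary and reused passwords, salted iterative hashing so credentials are never stored in clear text, and suspension after repeated failures), added here as an illustration rather than code from the handbook or from any company named in it. The blocklist, minimum length, attempt limit and lockout duration are assumed policy settings.

```python
import hashlib
import hmac
import os
import time

# Constructed blocklist standing in for a real dictionary of common passwords.
COMMON_PASSWORDS = {"121212", "qwerty", "password", "letmein", "welcome1"}
MIN_LENGTH = 12                 # assumed policy values, not from the FTC text
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000     # iterative hash; raise the count as hardware allows
SALT_BYTES = 16


def password_meets_policy(password, reused_elsewhere=()):
    """Reject short, dictionary, or reused passwords (the Twitter lesson)."""
    if len(password) < MIN_LENGTH:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    if password in reused_elsewhere:
        return False
    return True


def hash_password(password):
    """Salted, iterated hash so the credential itself is never stored in clear text."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(stored, candidate):
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(probe, digest)   # constant-time comparison


class Account:
    def __init__(self, username, password):
        self.username = username
        self.password_hash = hash_password(password)
        self.failed_attempts = 0
        self.locked_until = 0.0


class LoginService:
    """Suspends an account after repeated failures (Lookout, Twitter, Reed Elsevier lesson)."""

    def __init__(self, now=time.time):
        self.accounts = {}
        self.now = now              # injectable clock so the lockout window can be tested

    def register(self, username, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self.accounts[username] = Account(username, password)

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"         # same answer as a wrong password: no username oracle
        if self.now() < acct.locked_until:
            return "locked"
        if verify_password(acct.password_hash, password):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = self.now() + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"
```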

4. Store sensitive personal information securely and protect it during transmission.

For many companies, storing sensitive data is a business necessity. And even if you take appropriate steps to secure your network, sometimes you have to send that data elsewhere. Use strong cryptography to secure confidential material during storage and transmission. The method will depend on the types of information your business collects, how you collect it, and how you process it. Given the nature of your business, some possibilities may include Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption, or an iterative cryptographic hash. But regardless of the method, it's only as good as the personnel who implement it. Make sure the people you designate to do that job understand how your company uses sensitive data and have the know-how to determine what's appropriate for each situation. With that in mind, here are a few lessons from FTC cases to consider when securing sensitive information during storage and transmission.

Keep sensitive information secure throughout its lifecycle. Data doesn't stay in one place. That's why it's important to consider security at all stages, if transmitting information is a necessity for your business. In Superior Mortgage Corporation, for example, the FTC alleged that the company used SSL encryption to secure the transmission of sensitive personal information between the customer's web browser and the business's website server. But once the information reached the server, the company's service provider decrypted it and emailed it in clear, readable text to the company's headquarters and branch offices. That risk could have been prevented by ensuring the data was secure throughout its lifecycle, and not just during the initial transmission.

Use industry-tested and accepted methods. When considering what technical standards to follow, keep in mind that experts already may have developed effective standards that can apply to your business. Savvy companies don't start from scratch when it isn't necessary. Instead, they take advantage of that collected wisdom. The ValueClick case illustrates that principle. According to the FTC, the company stored sensitive customer information collected through its e-commerce sites in a database that used a non-standard, proprietary form of encryption. Unlike widely-accepted encryption algorithms that are extensively tested, the complaint charged that ValueClick's method used a simple alphabetic substitution system subject to significant vulnerabilities. The company could have avoided those weaknesses by using tried-and-true industry-tested and accepted methods for securing data.

Ensure proper configuration. Encryption – even strong methods – won't protect your users if you don't configure it properly. That's one message businesses can take from the FTC's actions against Fandango and Credit Karma. In those cases, the FTC alleged that the companies used SSL encryption in their mobile apps, but turned off a critical process known as SSL certificate validation without implementing other compensating security measures. That made the apps vulnerable to man-in-the-middle attacks, which could allow hackers to decrypt sensitive information the apps transmitted. Those risks could have been prevented if the companies' implementations of SSL had been properly configured.
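The configuration point from the Fandango and Credit Karma cases, shown as an added example (not the handbook's or the companies' code) with Python's standard ssl module: a client context with certificate validation turned off beside the default, validating one, and a small audit function a reviewer could run over any context before release. The TLS 1.2 floor is an assumed policy choice.

```python
import http.client
import ssl


def weak_client_context():
    """The misconfiguration the FTC described: encryption on, certificate validation off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE   # any certificate is accepted, including an interposer's
    return ctx


def hardened_client_context():
    """Default client context: chain verified against the system trust store, hostname checked."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed policy floor
    return ctx


def audit_tls_context(ctx):
    """Return the findings a review would raise; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate validation disabled (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still negotiable (minimum_version below TLSv1_2)")
    return findings


def fetch_over_tls(host, path="/"):
    """Apply the hardened context to a real connection (network access; not used below)."""
    conn = http.client.HTTPSConnection(host, context=hardened_client_context(), timeout=10)
    conn.request("GET", path)
    return conn.getresponse().status


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or ["no findings"])
```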

5. Segment your network and monitor who's trying to get in and out.

When designing your network, consider using tools like firewalls to segment your network, thereby limiting access between computers on your network and between your computers and the internet. Another useful safeguard: intrusion detection and prevention tools to monitor your network for malicious activity. Here are some lessons from FTC cases to consider when designing your network.

Segment your network. Not every computer in your system needs to be able to communicate with every other one. You can help protect particularly sensitive data by housing it in a separate secure place on your network. That's a lesson from the DSW case. The FTC alleged that the company didn't sufficiently limit computers on one in-store network from connecting to computers on other in-store and corporate networks. As a result, hackers could use one in-store network to connect to, and access personal information on, other in-store and corporate networks. The company could have reduced that risk by sufficiently segmenting its network.

Monitor activity on your network. "Who's that knocking on my door?" That's what an effective intrusion detection tool asks when it detects unauthorized activity on your network. In the Dave & Buster's case, the FTC alleged that the company didn't use an intrusion detection system and didn't monitor system logs for suspicious activity. The FTC says something similar happened in CardSystems Solutions. The business didn't use sufficient measures to detect unauthorized access to its network. Hackers exploited weaknesses, installing programs on the company's network that collected stored sensitive data and sent it outside the network every four days. In each of these cases, the businesses could have reduced the risk of a data compromise or its breadth by using tools to monitor activity on their networks.
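An added example, not from the handbook, of the two lessons in this section as detection logic over constructed flow records: a segmentation check (store networks may reach only one corporate host, and never each other) and a detector for large external transfers that recur on a fixed schedule, the pattern described in CardSystems Solutions. The network ranges, the allowed corporate host, the log format and the sample records are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed network plan: each store has its own /24 inside 10.10.0.0/16; corporate is
# 10.200.0.0/16; stores may reach only the payment gateway on the corporate side.
STORE_SUPERNET = ipaddress.ip_network("10.10.0.0/16")
CORP_NET = ipaddress.ip_network("10.200.0.0/16")
ALLOWED_CORP_DST = {ipaddress.ip_address("10.200.5.10")}
INTERNAL_NETS = (STORE_SUPERNET, CORP_NET)

# Constructed flow records, one per line; the last line is deliberately malformed.
SAMPLE_LOG = """\
2018-06-01T09:00:00 src=10.10.1.5 dst=10.200.5.10 bytes=2048
2018-06-01T09:05:00 src=10.10.1.5 dst=10.10.2.7 bytes=4096
2018-06-01T09:06:00 src=10.10.1.5 dst=10.200.1.20 bytes=8192
2018-06-01T02:00:00 src=10.10.1.5 dst=203.0.113.9 bytes=5242880
2018-06-05T02:10:00 src=10.10.1.5 dst=203.0.113.9 bytes=6291456
2018-06-09T01:55:00 src=10.10.1.5 dst=203.0.113.9 bytes=5500000
not a flow record
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")


def load_events(text):
    """Parse flow records; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "src": ipaddress.ip_address(m["src"]),
                           "dst": ipaddress.ip_address(m["dst"]),
                           "bytes": int(m["bytes"])})
    return events


def store_of(addr):
    """Return the store /24 containing addr, or None for a non-store address."""
    if addr in STORE_SUPERNET:
        return ipaddress.ip_network(f"{addr}/24", strict=False)
    return None


def segmentation_violations(events):
    """DSW lesson: a store host reaching another store, or a corporate host it should not."""
    found = []
    for e in events:
        src_store = store_of(e["src"])
        if src_store is None:
            continue
        dst_store = store_of(e["dst"])
        if dst_store is not None and dst_store != src_store:
            found.append((e["ts"], "store-to-store", str(e["src"]), str(e["dst"])))
        elif e["dst"] in CORP_NET and e["dst"] not in ALLOWED_CORP_DST:
            found.append((e["ts"], "store-to-corporate", str(e["src"]), str(e["dst"])))
    return found


def periodic_exfil(events, min_bytes=1_000_000, min_count=3, tolerance=timedelta(hours=1)):
    """CardSystems lesson: large transfers to one external host recurring at a steady interval."""
    by_dst = defaultdict(list)
    for e in events:
        external = not any(e["dst"] in net for net in INTERNAL_NETS)
        if external and e["bytes"] >= min_bytes:
            by_dst[e["dst"]].append(e["ts"])
    flagged = []
    for dst, times in by_dst.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            flagged.append((str(dst), len(times), gaps[0]))
    return flagged
```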

6. Secure remote access to your network.

Business doesn't just happen in the office. While a mobile workforce can increase productivity, it also can pose new security challenges. If you give employees, clients, or service providers remote access to your network, have you taken steps to secure those access points? FTC cases suggest some factors to consider when developing your remote access policies.

Ensure endpoint security. Just as a chain is only as strong as its weakest link, your network security is only as strong as the weakest security on a computer with remote access to it. That's the message of FTC cases in which companies failed to ensure that computers with remote access to their networks had appropriate endpoint security. For example, in Premier Capital Lending, the company allegedly activated a remote login account for a business client to obtain consumer reports, without first assessing the business's security. When hackers accessed the client's system, they stole its remote login credentials and used them to grab consumers' personal information. According to the complaint in Settlement One, the business allowed clients that didn't have basic security measures, like firewalls and updated antivirus software, to access consumer reports through its online portal. And in Lifelock, the FTC charged that the company failed to install antivirus programs on the computers that employees used to remotely access its network. These businesses could have reduced those risks by securing computers that had remote access to their networks.

Put sensible access limits in place. Not everyone who might occasionally need to get on your network should have an all-access, backstage pass. That's why it's wise to limit access to what's needed to get the job done. In the Dave & Buster's case, for example, the FTC charged that the company failed to adequately restrict third-party access to its network. By exploiting security weaknesses in the third-party company's system, an intruder allegedly connected to the network numerous times and intercepted personal information. What could the company have done to reduce that risk? It could have placed limits on third-party access to its network – for example, by restricting connections to specified IP addresses or granting temporary, limited access.
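An added example (not the handbook's or any company's code) of the two limits this section suggests for third-party access: a per-vendor source-address allowlist combined with a temporary grant scoped to named resources, so that access expires on its own instead of standing open. The vendor name, address ranges and resource names are constructed.

```python
import ipaddress
import time


class RemoteAccessPolicy:
    """Third parties get a source-IP allowlist plus a time-boxed, resource-scoped grant
    rather than standing access (assumed policy design, not a product's API)."""

    def __init__(self):
        self._sources = {}   # vendor -> [ip_network, ...]
        self._grants = {}    # vendor -> (expires_at_epoch_seconds, frozenset(resources))

    def allow_source(self, vendor, cidr):
        self._sources.setdefault(vendor, []).append(ipaddress.ip_network(cidr))

    def grant(self, vendor, resources, hours, now=None):
        """Open access to the named resources for a fixed window only."""
        now = time.time() if now is None else now
        self._grants[vendor] = (now + hours * 3600, frozenset(resources))

    def revoke(self, vendor):
        self._grants.pop(vendor, None)

    def decide(self, vendor, source_ip, resource, now=None):
        """Return (allowed, reason); callers log every denial for monitoring."""
        now = time.time() if now is None else now
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in self._sources.get(vendor, [])):
            return False, "source address not on vendor allowlist"
        grant = self._grants.get(vendor)
        if grant is None:
            return False, "no active grant"
        expires_at, resources = grant
        if now >= expires_at:
            self.revoke(vendor)          # expired grants are cleaned up, not left standing
            return False, "grant expired"
        if resource not in resources:
            return False, "resource outside granted scope"
        return True, "allowed"
```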

7. Apply sound security practices when developing new products.

So you have a great new app or innovative software on the drawing board. Early in the development process, think through how customers will likely use the product. If they'll be storing or sending sensitive information, is your product up to the task of handling that data securely? Before going to market, consider the lessons learned from FTC cases involving product development, design, testing, and roll-out.

Train your engineers in secure coding. Have you explained to your developers the need to keep security at the forefront? In cases like MTS, HTC America, and TRENDnet, the FTC alleged that the companies failed to train their employees in secure coding practices. The upshot: questionable design decisions, including the introduction of vulnerabilities into the software. For example, according to the complaint in HTC America, the company failed to implement readily available secure communications mechanisms in the logging applications it pre-installed on its mobile devices. As a result, malicious third-party apps could communicate with the logging applications, placing consumers' text messages, location data, and other sensitive information at risk. The company could have reduced the risk of vulnerabilities like that by adequately training its engineers in secure coding practices.

Follow platform guidelines for security. When it comes to security, there may not be a need to reinvent the wheel. Sometimes the wisest course is to listen to the experts. In actions against HTC America, Fandango, and Credit Karma, the FTC alleged that the companies failed to follow explicit platform guidelines about secure development practices. For example, Fandango and Credit Karma turned off a critical process known as SSL certificate validation in their mobile apps, leaving the sensitive information consumers transmitted through those apps open to interception through man-in-the-middle attacks. The companies could have prevented this vulnerability by following the iOS and Android guidelines for developers, which explicitly warn against turning off SSL certificate validation.

Verify that privacy and security features work. If your software offers a privacy or security feature, verify that the feature works as advertised. In TRENDnet, for example, the FTC charged that the company failed to test that an option to make a consumer's camera feed private would, in fact, restrict access to that feed. As a result, hundreds of "private" camera feeds were publicly available. Similarly, in Snapchat, the company advertised that messages would "disappear forever," but the FTC says it failed to ensure the accuracy of that claim. Among other things, the app saved video files to a location outside of the app's sandbox, making it easy to recover video files with common file browsing tools. The lesson for other companies: When offering privacy and security features, ensure that your product lives up to your advertising claims.

Test for common vulnerabilities. There is no way to anticipate every threat, but some vulnerabilities are commonly known and reasonably foreseeable. In more than a dozen FTC cases, businesses failed to adequately assess their applications for well-known vulnerabilities. For example, in the Guess? case, the FTC alleged that the business failed to assess whether its web application was vulnerable to Structured Query Language (SQL) injection attacks. As a result, hackers were able to use SQL attacks to gain access to databases with consumers' credit card information. That's a risk that could have been avoided by testing for commonly-known vulnerabilities, like those identified by the Open Web Application Security Project (OWASP).
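The Guess? lesson as an added example, not code from the handbook or from Guess?: a string-built SQL lookup beside its parameterized form, an input-validation layer on top, and the regression check a pre-release test for common vulnerabilities would include. The customer table, its rows and the email pattern are constructed.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a customer database holding card data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)",
                     [("ann@example.com", "1234"), ("bob@example.com", "5678")])
    return conn


def lookup_vulnerable(conn, email):
    """String-built query: user input becomes part of the SQL statement (the flaw at issue)."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterized query: the input is bound as a value and cannot alter the statement."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


EMAIL_RE = re.compile(r"[^@\s']+@[^@\s']+\.[A-Za-z]{2,}")   # assumed, deliberately strict


def lookup_validated(conn, email):
    """Defense in depth: reject input that does not look like an address, then bind it."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email address")
    return lookup_safe(conn, email)


def injection_regression_check(lookup):
    """The kind of test the complaint said was never run: a lookup must return no rows
    for a crafted value that matches no customer. True means the function passes."""
    conn = build_db()
    crafted = "nobody@example.com' OR '1'='1"
    return lookup(conn, crafted) == []
```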

8. Make sure your service providers implement reasonable security measures.

When it comes to security, keep a watchful eye on your service providers – for example, companies you hire to process personal information collected from customers or to develop apps. Before hiring someone, be candid about your security expectations. Take reasonable steps to select providers able to implement appropriate security measures and monitor that they're meeting your requirements. FTC cases offer advice on what to consider when hiring and overseeing service providers.

Put it in writing. Insist that appropriate security standards are part of your contracts. In GMR Transcription, for example, the FTC alleged that the company hired service providers to transcribe sensitive audio files, but failed to require the service provider to take reasonable security measures. As a result, the files – many containing highly confidential health-related information – were widely exposed on the internet. For starters, the business could have included contract provisions that required service providers to adopt reasonable security precautions – for example, encryption.

Verify compliance. Security can't be a "take our word for it" thing. Including security expectations in contracts with service providers is an important first step, but it's also important to build oversight into the process. The Upromise case illustrates that point. There, the company hired a service provider to develop a browser toolbar. Upromise claimed that the toolbar, which collected consumers' browsing information to provide personalized offers, would use a filter to "remove any personally identifiable information" before transmission. But, according to the FTC, Upromise failed to verify that the service provider had implemented the information collection program in a manner consistent with Upromise's privacy and security policies and the terms in the contract designed to protect consumer information. As a result, the toolbar collected sensitive personal information – including financial account numbers and security codes from secure web pages – and transmitted it in clear text. How could the company have reduced that risk? By asking questions and following up with the service provider during the development process.

9. Put procedures in place to keep your security current and address vulnerabilities that may arise.

Securing your software and networks isn't a one-and-done deal. It's an ongoing process that requires you to keep your guard up. If you use third-party software on your networks, or you include third-party software libraries in your applications, apply updates as they're issued. If you develop your own software, how will people let you know if they spot a vulnerability, and how will you make things right? FTC cases offer points to consider in thinking through vulnerability management.

Update and patch third-party software. Outdated software undermines security. The solution is to update it regularly and implement third-party patches. In the TJX Companies case, for example, the FTC alleged that the company didn't update its anti-virus software, increasing the risk that hackers could exploit known vulnerabilities or overcome the business's defenses. Depending on the complexity of your network or software, you may need to prioritize patches by severity; nonetheless, having a reasonable process in place to update and patch third-party software is an important step to reducing the risk of a compromise.

Heed credible security warnings and move quickly to fix them. When vulnerabilities come to your attention, listen carefully and then get a move on. In the HTC America case, the FTC charged that the company didn't have a process for receiving and addressing reports about security vulnerabilities. HTC's alleged delay in responding to warnings meant that the vulnerabilities found their way onto even more devices across multiple operating system versions. Sometimes, companies receive security alerts, but they get lost in the shuffle. In Fandango, for example, the company relied on its general customer service system to respond to warnings about security risks. According to the complaint, when a researcher contacted the business about a vulnerability, the system incorrectly categorized the report as a password reset request, sent an automated message, and marked the message as "resolved" without flagging it for further review. As a result, Fandango didn't learn about the vulnerability until FTC staff contacted the company. The lesson for other businesses? Have an effective process in place to receive and address security vulnerability reports. Consider a clearly publicized and effective channel (for example, a dedicated email address like security@yourcompany.com) for receiving reports and flagging them for your security staff.

10. Secure paper, physical media, and devices.

Network security is a critical consideration, but many of the same lessons apply to paperwork and physical media like hard drives, laptops, flash drives, and disks. FTC cases offer some things to consider when evaluating physical security at your business.

Securely store sensitive files. If it's necessary to retain important paperwork, take steps to keep it secure. In the Gregory Navone case, the FTC alleged that the defendant maintained sensitive consumer information, collected by his former businesses, in boxes in his garage. In Lifelock, the complaint charged that the company left faxed documents that included consumers' personal information in an open and easily accessible area. In each case, the business could have reduced the risk to their customers by implementing policies to store documents securely.

Protect devices that process personal information. Securing information stored on your network won't protect your customers if the data has already been stolen through the device that collects it. In the 2007 Dollar Tree investigation, FTC staff said that the business's PIN entry devices were vulnerable to tampering and theft. As a result, unauthorized persons could capture consumers' payment card data, including the magnetic stripe data and PIN, through an attack known as "PED skimming." Given the novelty of this type of attack at the time, and a number of other factors, staff closed the investigation. However, attacks targeting point-of-sale devices are now common and well-known, and businesses should take reasonable steps to protect such devices from compromise.

Keep safety standards in place when data is en route. Savvy businesses understand the importance of securing sensitive information when it's outside the office. In Accretive, for example, the FTC alleged that an employee left a laptop containing more than 600 files, with 20 million pieces of information related to 23,000 patients, in the locked passenger compartment of a car, which was then stolen. The CBR Systems case concerned alleged unencrypted backup tapes, a laptop, and an external hard drive – all of which contained sensitive information – that were lifted from an employee's car. In each case, the business could have reduced the risk to consumers' personal information by implementing reasonable security policies when data is en route. For example, when sending files, drives, disks, etc., use a mailing method that lets you track where the package is. Limit the instances when employees need to be out and about with sensitive data in their possession. But when there's a legitimate business need to travel with confidential information, employees should keep it out of sight and under lock and key whenever possible.

Dispose of sensitive data securely. Paperwork or equipment you no longer need may look like trash, but it's treasure to identity thieves if it includes personal information about consumers or employees. For example, according to the FTC complaints in Rite Aid and CVS Caremark, the companies tossed sensitive personal information – like prescriptions – in dumpsters. In Goal Financial, the FTC alleged that an employee sold surplus hard drives that contained the sensitive personal information of approximately 34,000 customers in clear text. The companies could have prevented the risk to consumers' personal information by shredding, burning, or pulverizing documents to make them unreadable and by using available technology to wipe devices that aren't in use.

Looking for more information? The FTC's Business Center (business.ftc.gov) has a Data Security section with an up-to-date listing of relevant cases and other free resources.

About the FTC

The FTC works for the consumer to prevent fraudulent, deceptive, and unfair practices in the marketplace. The Business Center gives you and your business tools to understand and comply with the law. Regardless of the size of your organization or the industry you're in, knowing – and fulfilling – your compliance responsibilities is smart, sound business. Visit the Business Center at business.ftc.gov.

Your Opportunity to Comment

The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency's responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to sba.gov/ombudsman.
