May 2018 Midwest Cyber Security Alliance Meeting, Thursday, May 17, 2018, 5:00 p.m. – 7:00 p.m. CT, MidwestCyber.org

May 2018 Midwest Cyber Security Alliance Meeting

Thursday, May 17, 2018

5:00 p.m. – 7:00 p.m. CT

MidwestCyber.org

Full chart available for download at: www.foley.com/state-data-breach-notification-laws

Presenters

Jennifer Rathburn, Partner, Foley & Lardner LLP

Michael Chmelar, Senior Litigation Counsel & Assistant U.S. Attorney, U.S. Attorney’s Office, Eastern District of Wisconsin

MODERATOR:

Byron Franz, Special Agent, Federal Bureau of Investigation

Brian Resler, Assistant Deputy Chief for Litigation, Computer Crime and Intellectual Property Section, Department of Justice

Meet the Feds

May, 2018

Midwest Cyber Security Alliance Meeting

Who Are We?

Michael Chmelar, Senior Litigation Counsel and Assistant U.S. Attorney, U.S. Attorney’s Office, Eastern District of Wisconsin

Brian Resler, Assistant Deputy Chief for Litigation, Computer Crime and Intellectual Property Section, Department of Justice

Byron Franz, Special Agent, Federal Bureau of Investigation

Some of the Questions and Concerns We Hope to Address Today

“Oh $#^%!! We’ve just had a …” “… cyber intrusion!!” “… theft of trade secrets!!”

“Things are bad enough. Do we really need to call ‘the Feds’?”

“Who ARE ‘the Feds’ anyway? Is it true that they are all genetic clones of an early proto-bureaucrat?”

“I worry that if the Feds are involved, it’ll just cost us a lot of time and money, expose our business to competitors and the world, and the persons responsible won’t even get apprehended/charged/serve prison time.”

The Department of Justice at a Glance

[Organization chart: Administration; Prosecutors HQ; Prosecutors USAO; Law Enforcement]

The Federal Bureau of Investigation – Milwaukee Field Office

• Usually obtains initial complainant information

• Can initiate either a Criminal or National Security Investigation

• Refers complainant information to U.S. Attorney’s office for evaluation

• Possesses dedicated investigative assets geared to the collection of evidence, such as Cyber and Counterintelligence Squads, Computer Analysis and Response Teams (“CART”) or the Evidence Recovery Team (“ERT”)

• Works with U.S. Attorneys to obtain records via criminal legal process (Grand Jury Subpoenas/2703(d) Orders, Warrants, or Title III) or through administrative NSLs/FISA.

The United States Attorney’s Office, Eastern District of Wisconsin

• Approximately 40 AUSAs

• Human trafficking, drug trafficking, firearm offenses, all variety of white collar crimes.

• Work with all federal law enforcement agencies

• FBI, IRS, USPIS, DEA, DHS

• Three AUSAs working on cyber related matters, including one CHIP (me)

• Meet routinely with FBI Cyber Crime Task Force

• Work with U.S. and foreign law enforcement

• Outreach with victims and other interested parties

• Training for AUSAs and law enforcement

The Computer Crime and Intellectual Property Section (“CCIPS”)

• Approximately 42 attorneys in one or more specialties: Computer Crime, Intellectual Property, and Litigation

• Engage in Prosecution, Legislation and Policy, International Enforcement, and Outreach and Training

• National CHIP Coordinator

• Public website: www.cybercrime.gov

CCIPS Cybercrime Laboratory

• Forensic Consultation and Field Support

• Forensic and Technical Training

• Research and Awareness Training regarding New Technologies, Software, and Equipment

The Computer Hacking and Intellectual Property (CHIP) Network

o At least one in each of the 93 USAOs

o 25 specialized CHIP Units

o Over 260 specially trained prosecutors handle cases, and conduct outreach and training in their districts.

o Specialized CHIP Units in:

• Alexandria, Virginia • Atlanta, Georgia • Boston, Massachusetts • Chicago, Illinois • Dallas, Texas • Kansas City, Missouri • Los Angeles, California • Miami, Florida • New York, New York • Brooklyn, New York • Sacramento, California • San Diego, California • San Jose, California

• Seattle, Washington • Nashville, Tennessee • Orlando, Florida • Pittsburgh, Pennsylvania • Washington, D.C. • Austin, Texas • Baltimore, Maryland • Denver, Colorado • Detroit, Michigan • Newark, New Jersey • New Haven, Connecticut • Philadelphia, Pennsylvania

National Intellectual Property Rights Coordination Center (IPR Center)

• Led by DHS/ICE

• 21 Investigative and Regulatory Partners (CCIPS is DOJ Liaison)

• Public website: www.ice.gov/iprcenter

• Investigation – Identifying, disrupting, prosecuting and dismantling criminal organizations involved in the manufacture and distribution of counterfeit products.

• Interdiction – Using focused targeting and inspections to keep counterfeit and pirated goods out of U.S. supply chains, markets and streets.

• Outreach and Training – Providing training for domestic and international law enforcement to build stronger enforcement capabilities worldwide.

Criminal Charges – Computer Hacking and Intellectual Property Offenses

Title 18, United States Code

• Identity Theft (1028, 1028A): Criminalizes conduct involving fraudulent identification documents or the unlawful use of identification information.

• Access Device Fraud (1029): Prohibits the production, use, possession, or trafficking of unauthorized or counterfeit access devices. Access devices related to network crimes might include passwords, electronic banking account numbers, and credit card numbers.

• Hacking (1030): Criminalizes various federal computer- and network-related criminal activities, including illegal access, damaging, trafficking in passwords, and trespassing in government computers.

• CAN-SPAM (1037): Prohibits sending email for primarily commercial advertisement purposes and deceiving intended recipients or Internet service providers as to the source or subject matter of their e-mail messages.

Criminal Charges – Computer Hacking and IP Offenses (con’t)

Title 18, United States Code

• Pretexting (1039): Prohibits misrepresenting identity to obtain the confidential and personal information belonging to others without authorization.

• EEA/Trade Secrets (1831, 1832): Criminalizes trafficking in proprietary information (including financial information, engineering notes, source code, or formula), both domestically and internationally.

• Cyberstalking (2261A): Prohibits using a computer to engage in a course of conduct that caused substantial emotional distress to a person or placed that person in reasonable fear of death or serious bodily injury.

• Copyright (2319): Protects the creative expression of an idea from copying and distributing without the owner’s permission.

• Trademark (2320): Protects the exclusive use of certain names, pictures, and slogans in connection with goods or services.

Criminal Charges – Computer Hacking and IP Offenses (con’t)

Title 18, United States Code

• Illegal Interception (2511): Prohibits any person from intentionally intercepting, or attempting to intercept, any “wire, oral, or electronic communication.”

• DMCA (17 U.S.C. 1201-02): Protects copyrighted works from piracy and promotes electronic commerce.

Also:

• False Registration of a Domain Name—3559(g): Prohibits falsely registering a domain name and knowingly using it in the course of an offense (enhancement to another felony offense).

• Forfeiting Domain Names & 981k Seizures: Can be effectively used in IP cases to generate significant public awareness and deterrence.

Quick Legislative Update

The CLOUD Act – March 23, 2018

§ 2713. Required preservation and disclosure of communications and records

A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.

The Act also establishes procedure for addressing compliance that would conflict with foreign privacy laws: An RCS/ECS can file a motion to quash if:

(1) Customer is not a U.S. person and resides outside U.S. and

(2) Disclosure would violate laws of “qualifying foreign government.”

Several other changes contingent on U.S. entering bilateral data access agreements with qualifying foreign governments

The Federal Criminal Process

What ideally has occurred beforehand:

Your business has incorporated “best practices.”

1. You’ve identified your “crown jewels.”

2. An “action plan” in case of a cyber or IP theft event.

3. Appropriate technology and services to support your response in place before an incident.

4. Authorization in place for consensual monitoring.

5. Make sure your legal counsel is familiar with the plan to speed response time.

6. Ensure your organization’s policies align with your plan.

7. Establish relationships with law enforcement and other reporting organizations before an incident.

The Federal Criminal Process

How do we determine whether federal criminal enforcement is appropriate?

Federal Priorities:

• Criminal acts that affect public health or safety, or access to or the reliability of critical infrastructure

• Level of commercial scale or damage

• Foreign/criminal involvement

The Federal Criminal Process

How do we determine whether federal criminal enforcement is appropriate? (con’t)

“Traditional” considerations:

• Nature and seriousness of the criminal offense

• Sufficient non-criminal alternatives

• Degree of culpability

• Cooperation of subject(s) / organization

• Subject to prosecution in another venue

• Resources

The Federal Criminal Process

Key Questions You Might Have at the Beginning

Will I or my organization have a chance to be notified about and speak with the agents or prosecutor about charging, bond, plea agreements, sentencing and restitution?

Short answer: Yes. If you are a victim, you have a statutory right to notification of certain case developments, and to consult with the prosecutor about your wishes at these stages.

If my organization cooperates with a federal prosecution of a computer-related or IP crime, does this mean our business practices, network and data operations, and trade secrets become public?

Short answer: Not necessarily. The prosecution can and should apply for a protective order where appropriate to limit the information that is revealed publicly, and control the dissemination of that information. Also, the indictment and public documents can be drafted with sensitivity towards that information.

The Federal Criminal Process

A federal investigation involving computer hacking or theft of intellectual property has begun. What should I expect next?

Upfront: Know that investigations and prosecutions can take a long time. Why?

• Need to obtain and execute legal process, receive and analyze results, and then follow-up with organization, witnesses, and more process – sometimes several times.

• Need to understand and process the organization’s business, networks, practices and trade secrets – often takes the organization time to put together, and several interviews from law enforcement.

• Need to determine proper charges, guideline calculations, prepare discovery, negotiations with defense counsel, and consider AUSA/LE workloads.

• Need for court process – complexity of case, motions and hearings, court calendar. Need to discuss/prepare for sentencing.

The Federal Criminal Process

The “prosecution team.”

Generally, this will be all agents from all agencies (federal, state and local) participating in the investigation and prosecution. Depending upon the case, may also need to identify other possible victims and witnesses (counterfeit, unknowing participants), experts, custodians of data (cell phone companies, ISPs, etc.).

Why is this important?

• Need to establish duties

• Who is covered by grand jury secrecy rules

• Has implications for discovery

The Federal Criminal Process

Preparation to be completed before issuing charges:

Generally, prior to charging, the government needs to have all of the evidence needed to prove the charges beyond a reasonable doubt and ready to introduce at trial. Why?

• Post-indictment, our use of grand jury subpoenas is limited

• Discovery (all of the evidence to be provided in the case) is generally due within 10 days of the initial appearance

• Speedy Trial Clock – 70 days

• Continuances are not always granted (and rarely granted at United States’ request)

The Federal Criminal Process

Preparation to be completed before issuing charges (con’t):

Examples of key information needed:

• Documents or digital evidence/reports: need to be in-hand, labeled, accompanied by records certification (if available); potential live witness identified.

• If experts involved: CVs and detailed report and reasons for conclusions.

• Transactions: audio/video footage or computer activity logs ready to go with witness(es) who can authenticate.

• Technical issues (interstate nature of a wiring, operation of a company’s network(s), where a debit card was issued, etc.): Who is the witness?

• For law enforcement: Giglio etc. for all key witnesses.

The Federal Criminal Process

What does an AUSA need to do before issuing charges?

• Submit a written prosecution memo and proposed indictment.

• Get answers to follow-up questions – this is where the legal case is fully analyzed and examined.

• Once AUSA has drafted memo, AUSA submits to Deputy Chief to Criminal Chief to U.S. Attorney (and sometimes, depending on the charges, to the appropriate Criminal Division attorneys and Section Chief, and even the Attorney General).

• Schedule and prepare for a grand jury.

The Federal Criminal Process

Pre-trial detention or release on bond

Bottom line: Expect that the defendant will not be detained. Exceptions:

• Significant history of violent crimes (convictions, not arrests).

• Immigration detainer or extradited defendant.

• Serious risk of danger to the community that cannot be addressed through means other than detention.

Accordingly, in many, many cases, the government will not be able to arrest the defendant or detain him or her.

The Federal Criminal Process

E-mail communications with the prosecution team

For purposes of discovery (i.e., turning over to defense counsel) e-mail is not off-limits. So, it is perfectly acceptable:

• To ask the agent/victim-witness coordinator/AUSA to call you

• To forward documents

• To forward internal or interview reports

• To discuss scheduling issues

Just keep the e-mails non-substantive, and avoid anything you would not want repeated in court.

The Federal Criminal Process

Sentencing and the Sentencing Guidelines

Accurately and reasonably determining the amount of damage or loss in a computer or IP-related crime is critical to the guideline range!

The Federal Criminal Process

Last thought:

The successful investigation and prosecution of computer and intellectual property crimes requires a team effort between the AUSAs, the agents, and the injured parties. Every case can and likely will present new concepts and challenges or further develop established ones. Communication is key – no one should be afraid to ask questions about any aspect of the case.

Questions?

ATTORNEY ADVERTISEMENT. The contents of this document, current at the date of publication, are for reference purposes only and do not constitute legal advice. Where previous cases are included, prior results do not guarantee a similar outcome. Images of people may not be Foley personnel.

© 2018 Foley & Lardner LLP

Thank You