in the image library. alliance meeting...in the investigation and prosecution. depending upon the...
TRANSCRIPT
5/17/2018
1
TITLE SLIDE
The image in the frame can be customized for
an industry or topic. To customize:
In a web browser, go to http://imagelibrary
and do a keyword search for an image. Save
desired image to your computer. In
PowerPoint, delete the current image, then
click the icon to insert the image saved from
the library. The image should be cropped to
1.6”h x 1.65”w.
A PowerPoint Toolkit file has also been saved
in the Image Library.
It includes sample tables, charts and
iconography that follow the Foley brand.
Copy/paste from the Toolkit file to include
branded graphics in your presentation.
For Help with Foley PPT templates or
graphics, contact Marketing Central at
1.800.276.6604.
NOTE: Every presentation should
include the “Disclaimer – contact
info” slide layout as well.
May 2018 Midwest Cyber Security Alliance Meeting
Thursday, May 17, 2018
5:00 p.m. – 7:00 p.m. CT
BLANK SLIDE
MidwestCyber.org
5/17/2018
2
TITLE & CONTENT
Full chart available for download at: www.foley.com/state-data-breach-notification-laws
TITLE & CONTENT
5/17/2018
3
TITLE & CONTENT
TITLE & CONTENT
Presenters
Jennifer Rathburn
Partner Foley & Lardner LLP
Michael Chmelar
Senior Litigation Counsel & Assistant U.S. Attorney U.S. Attorney’s Office, Eastern District of Wisconsin
MODERATOR:
Byron Franz
Special Agent Federal Bureau of Investigation
Brian Resler
Assistant Deputy Chief for Litigation Computer Crime and Intellectual Property Section Department of Justice
5/17/2018
4
Meet the Feds
May, 2018
Midwest Cyber Security
Alliance Meeting
1
Michael Chmelar Senior Litigation Counsel and Assistant U.S. Attorney U.S. Attorney’s Office, Eastern District of Wisconsin
Brian Resler Assistant Deputy Chief for Litigation
Computer Crime and Intellectual Property Section Department of Justice
Byron Franz Special Agent
Federal Bureau of Investigation
Who Are We?
5/17/2018
5
2
“Things are bad enough. Do we really need to call ‘the Feds’?” “Who ARE ‘the Feds’ anyway? Is it true that they are all genetic clones of an early proto-bureaucrat?” “I worry that if the Feds are involved, it’ll just cost us a lot of time and money, expose our business to competitors and the world, and the persons responsible won’t even get apprehended/charged/serve prison time.”
Some of the Questions and Concerns
We Hope to Address Today
“Oh $#^%!! We’ve just had a …”
“… cyber intrusion!!” “… theft of trade secrets!!”
Administration
Prosecutors HQ
Prosecutors USAO
Law Enforcement
The Department of Justice at a Glance
3
5/17/2018
6
4
The Federal Bureau of Investigation –
Milwaukee Field Office
• Usually obtains initial complainant information
• Can initiate either a Criminal or National Security Investigation
• Refers complainant information to U.S. Attorney’s office for evaluation
• Possesses dedicated investigated assets geared to the collection of evidence, such as Cyber and Counterintelligence Squads, Computer Analysis and Response Teams (“CART”) or the Evidence Recovery Team (“ERT”)
• Works with U.S. Attorneys to obtain records via criminal legal process (Grand Jury Subpoenas/2703(d) Orders, Warrants, or Title III) or through administrative NSLs/FISA.
5
The United States Attorney’s Office,
Eastern District of Wisconsin
• Approximately 40 AUSAs • Human trafficking, drug trafficking, firearm offenses, all variety of
white collar crimes.
• Work with all federal law enforcement agencies • FBI, IRS, USPIS, DEA, DHS
• Three AUSAs working on cyber related matters, including one CHIP (me)
• Meet routinely with FBI Cyber Crime Task Force • Work with U.S. and foreign law enforcement • Outreach with victims other interested parties • Training for AUSAs and law enforcement
5/17/2018
7
6
The Computer Crime and
Intellectual Property Section
“CCIPS” • Approximately 42 attorneys in one or more specialties:
Computer Crime, Intellectual Property, and Litigation • Engage in Prosecution, Legislation and Policy, International
Enforcement, and Outreach and Training • National CHIP Coordinator • Public website: www.cybercrime.gov
CCIPS Cybercrime Laboratory • Forensic Consultation and Field Support • Forensic and Technical Training • Research and Awareness Training regarding
New Technologies, Software, and Equipment
7
The Computer Hacking and Intellectual
Property (CHIP) Network
o At least one in each 93 USAOs
o 25 specialized CHIP Units
o Over 260 specially trained prosecutors handle cases, and conduct outreach and training in their districts.
o Specialized CHIP Units in:
• Alexandria, Virginia • Atlanta, Georgia • Boston, Massachusetts • Chicago, Illinois • Dallas, Texas • Kansas City, Missouri • Los Angeles, California • Miami, Florida • New York, New York • Brooklyn, New York • Sacramento, California • San Diego, California • San Jose, California
• Seattle, Washington • Nashville, Tennessee • Orlando, Florida • Pittsburgh, Pennsylvania • Washington, D.C. • Austin, Texas • Baltimore, Maryland • Denver, Colorado • Detroit, Michigan • Newark, New Jersey • New Haven, Connecticut • Philadelphia, Pennsylvania
5/17/2018
8
8
National Intellectual Property Rights
Coordination Center (IPR Center)
• Led by DHS/ICE
• 21 Investigative and Regulatory Partners (CCIPS is DOJ Liaison)
• Public website: www.ice.gov/iprcenter
• Investigation – Identifying, disrupting, prosecuting and dismantling criminal organizations involved in the manufacture and distribution of counterfeit products.
• Interdiction – Using focused targeting and inspections to keep counterfeit and pirated goods out of U.S. supply chains, markets and streets.
• Outreach and Training – Providing training for domestic and international law enforcement to build stronger enforcement capabilities worldwide.
9
Criminal Charges – Computer Hacking
and Intellectual Property Offenses
Title 18, United States Code
• Identity Theft (1028, 1028A): Criminalizes conduct involving fraudulent identification documents or the unlawful use of identification information.
• Access Device Fraud (1029): Prohibits the production, use, possession, or trafficking of
unauthorized or counterfeit access devices. Access devices related to network crimes might include passwords, electronic banking account numbers, and credit card numbers.
• Hacking (1030): Criminalizes various federal computer- and network-related criminal activities,
including illegal access, damaging, trafficking in passwords, and trespassing in government computers.
• CAN-SPAM (1037): Prohibits sending email for primarily commercial advertisement purposes and
deceiving intended recipients or Internet service providers as to the source or subject matter of their e-mail messages.
5/17/2018
9
10
Criminal Charges – Computer Hacking
and IP Offenses (con’t)
• Pretexting (1039): Prohibits misrepresenting identity to obtain the confidential and personal information belonging to others without authorization.
• EEA/Trade Secrets (1831, 1832): Criminalizes trafficking in proprietary information (including financial
information, engineering notes, source code, or formula), both domestically and internationally. • Cyberstalking (2261A): Prohibits using a computer to engage in a course of conduct that caused
substantial emotional distress to a person or placed that person in reasonable fear of the death of, or serious bodily injury.
• Copyright (2319): Protects the creative expression of an idea from copying and distributing without the
owner’s permission. • Trademark (2320): Protects the exclusive use of certain names, pictures, and slogans in connection with
goods or services.
Title 18, United States Code
11
Criminal Charges – Computer Hacking
and IP Offenses (con’t)
Illegal Interception (2511): Prohibits any person from intentionally intercepting, or attempting to intercept, any “wire, oral, or electronic communication.” • DMCA (17 U.S.C. 1201-02): Protects copyrighted works from piracy and promotes electronic commerce.
• Also: False Registration of a Domain Name—3559(g): Prohibits falsely registering a domain name and knowingly using it in the course of an offense (enhancement to another felony offense). Forfeiting Domain Names & 981k Seizures: Can be effectively used in IP cases to generate significant public awareness and deterrence.
Title 18, United States Code
5/17/2018
10
§ 2713. Required preservation and disclosure of communications and records
A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.
Quick Legislative Update
The CLOUD Act – March 23, 2018
The Act also establishes procedure for addressing compliance that would conflict with foreign privacy laws: An RCS/ECS can file a motion to quash if:
(1) Customer is not a U.S. person and resides outside U.S. and (2) Disclosure would violate laws of “qualifying foreign government.”
Several other changes contingent on U.S. entering bilateral data access agreements with qualifying foreign governments
12
13
What ideally has occurred beforehand:
Your business has incorporated “best practices.”
1. You’ve identified your “crown jewels.”
2. An “action plan” in case of a cyber or IP theft event.
3. Appropriate technology and services to support your response in place before an incident.
4. Authorization in place for consensual monitoring.
5. Make sure your legal counsel is familiar with the plan to speed response time.
6. Ensure your organization’s policies align with your plan.
7. Establish relationships with law enforcement and other reporting organizations before an incident.
The Federal Criminal Process
5/17/2018
11
14
The Federal Criminal Process
How do we determine whether federal criminal enforcement is appropriate?
Federal Priorities: • Criminal acts that affect public health or safety,
or access to or the reliability of critical infrastructure
• Level of commercial scale or damage
• Foreign/criminal involvement
15
The Federal Criminal Process
How do we determine whether federal criminal enforcement is appropriate? (con’t)
“Traditional” considerations: • Nature and seriousness of the criminal offense
• Sufficient non-criminal alternatives
• Degree of culpability
• Cooperation of subject(s) / organization
• Subject to prosecution in another venue
• Resources
5/17/2018
12
16
Will I or my organization have a chance to be notified about and speak with the agents or prosecutor about charging, bond, plea agreements, sentencing and restitution?
Key Questions You Might Have at the Beginning
Short answer: Yes. If you are a victim, you have a statutory right to notification of certain case developments, and to consult with the prosecutor about your wishes at these stages.
If my organization cooperates with a federal prosecution of a computer-related or IP crime, does this mean our business practices, network and data operations, and trade secrets become public?
Short answer: Not necessarily. The prosecution can and should apply for a protective order where appropriate to limit the information that is revealed publicly, and control the dissemination of that information. Also, the indictment and public documents can be drafted with sensitivity towards that information.
The Federal Criminal Process
17
Upfront: Know that investigations and prosecutions can take a long time. Why?
• Need to obtain and execute legal process, receive and analyze results, and then follow-up with organization, witnesses, and more process – sometimes several times.
• Need to understand and process the organization’s business, networks, practices and trade secrets – often takes the organization time to put together, and several interviews from law enforcement.
• Need to determine proper charges, guideline calculations, prepare discovery, negotiations with defense counsel, and consider AUSA/LE workloads.
• Need for court process –complexity of case, motions and hearings, court calendar. Need to discuss/ prepare for sentencing.
The Federal Criminal Process
A federal investigation involving computer hacking or theft of intellectual property has begun. What should I expect next?
5/17/2018
13
18
The “prosecution team.”
Generally, this will be all agents from all agencies (federal, state and local) participating in the investigation and prosecution. Depending upon the case, may also need to identify other possible victims and witnesses (counterfeit, unknowing participants), experts, custodians of data (cell phone companies, ISPs, etc.) Why is this important?
• Need to establish duties
• Who is covered by grand jury secrecy rules
• Has implications for discovery
The Federal Criminal Process
19
Preparation to be completed before issuing charges:
Generally, prior to charging, the government needs to have all of the evidence needed to prove the charges beyond a reasonable doubt and ready to introduce at trial. Why? • Post-indictment, our use of grand jury subpoenas is limited
• Discovery (all of the evidence to be provided in the case) is generally due within 10 days of the initial appearance
• Speedy Trial Clock – 70 days
• Continuances are not always granted (and rarely granted at United States’ request)
The Federal Criminal Process
5/17/2018
14
20
Preparation to be completed before issuing charges (con’t):
Examples of key information needed: • Documents or digital evidence/reports: need to be in-hand, labeled, accompanied
by records certification (if available); potential live witness identified.
• If experts involved: CVs and detailed report and reasons for conclusions.
• Transactions: audio/video footage or computer activity logs ready to go with witness(es) who can authenticate.
• Technical issues (interstate nature of a wiring, operation of a companies network(s), where a debit card was issued, etc.): Who is the witness?
• For law enforcement: Giglio etc. for all key witnesses.
The Federal Criminal Process
21
What does an AUSA need to do before issuing charges?
• Submit a written prosecution memo and proposed indictment.
• Get answers to follow-up questions – this is where the legal case is fully analyzed and examined.
• Once AUSA has drafted memo, AUSA submits to Deputy Chief to Criminal Chief to U.S. Attorney (and sometimes, depending on the charges, to the appropriate Criminal Division attorneys and Section Chief, and even the Attorney General).
• Schedule and prepare for a grand jury.
The Federal Criminal Process
5/17/2018
15
22
Pre-trial detention or release on bond
Bottom line: Expect that the defendant will not be detained. Exceptions: • Significant history of violent crimes (convictions, not arrests).
• Immigration detainer or extradited defendant.
• Serious risk of danger to the community that cannot be addressed through means other than detention.
Accordingly, in many, many cases, the government will not be able to arrest the defendant or detain him or her.
The Federal Criminal Process
23
E-mail communications with the prosecution team
For purposes of discovery (i.e., turning over to defense counsel) e-mail is not off-limits. So, it is perfectly acceptable: • To ask the agent/victim-witness coordinator/AUSA to call you
• To forward documents
• To forward internal or interview reports
• To discuss scheduling issues
Just keep the e-mails non-substantive, and avoid anything you would not want repeated in court.
The Federal Criminal Process
5/17/2018
16
24
The Federal Criminal Process
Sentencing and the Sentencing Guidelines
Accurately and reasonably determining the amount of damage or loss in a computer or IP-related crime is critical to the guideline range!
25
Last thought:
The successful investigation and prosecution of computer and intellectual property crimes requires a team effort between the AUSAs, the agents, and the injured parties. Every case can and likely will present new concepts and challenges or further develop established ones. Communication is key – no one should be afraid to ask questions about any aspect of the case.
The Federal Criminal Process
5/17/2018
17
26
Questions?
ATTORNEY ADVERTISEMENT. The contents of this document, current at the date of
publication, are for reference purposes only and do not constitute legal advice. Where
previous cases are included, prior results do not guarantee a similar outcome. Images of
people may not be Foley personnel.
© 2018 Foley & Lardner LLP
DISCLAIMER
Note: This slide containing
copyright and disclaimer
MUST be included in all
external presentations.
Utilize this layout to
say “Thank you” and
provide your contact
information.
Thank You