20 September 2007

A Defensible Standard of Care: Six Million Reasons...

There are 6,000,000 reasons why Operational Risk at TD Ameritrade is in the Red Zone this week as a result of what seems to be a case of malicious code discovered last week, or over a year ago.

This author received a recent letter from TD Ameritrade regarding their so-called pseudo "breach". And we quote:

"While investigating client reports about the industry-wide issue of investment-related SPAM, we recently discovered and eliminated unauthorized code from our systems. This code allowed certain information stored in one of our databases, including email addresses, to be retrieved by an external source."

What is absolutely amazing is the request to visit www.amtd.com for more information, a list of Frequently Asked Questions (FAQs) and "an additional message from me" (the CEO, Joe Moglia). The link to this message requires you to run Windows Media Player for what must be a sincere apology. However, the PR department must not know how many malicious code exploits are associated with .wmv files, nor how many consumers still do not have broadband connections.

But that is not even the most fascinating aspect of this whole incident. The story gets even more disturbing if it is indeed true:

Scott Kamber of Kamber & Associates, a New York law firm that sued Sony BMG last year for its use of a rootkit, told InformationWeek on Monday that the lawsuit initially claimed that Ameritrade knew about the data breach last November. However, he says he now has information that the company knew about the ongoing breach a full year ago.

Kamber, who filed the suit this past May, had recently filed a preliminary injunction asking the court to compel Ameritrade to disclose the data breach and the compromised information to current and prospective customers. The company was given a two-week adjournment and made the public announcement during that recess.

"I am glad customers finally know of the compromise of their personal information," said Kamber. "I'm not pleased it took the company so long to do that."

Hillyer said she could not comment on ongoing litigation but said, "As soon as we discovered it, we stopped it. And as soon as we had gathered enough information, we notified our clients."

Ameritrade notified the FBI and the U.S. Securities and Exchange Commission last week, according to the spokeswoman.

It's apparent that the nexus of Information Security, Digital Forensics, eDiscovery, Legal Risk and Reputation Management has imploded in Bellevue, NE, yet this will not be the last place we hear about this kind of incident. If a rootkit is on a server there, you can be sure that there are others at another broker or investment management firm near you.

Being vigilant about protecting privacy and doing the right thing with customers in the event of a breach has significant legal ramifications, that is for certain. What is less known at this point are the processes and corporate behavior that could be an even greater source of liability for TD Ameritrade. Who, what, how and why are now under investigation and will play out in a courtroom again soon.

The degree to which any firm in the industry is "Litigation Ready", or has adequately prepared for this particular nexus between the elements of Information Security and the Law, will determine the amount of Operational Risk it is potentially exposed to in incidents like this one. How can any firm prepare for an event similar to this?

1. Conduct a Litigation Readiness Audit of the firm.

2. Develop a strategic plan for achieving a "Defensible Standard of Care."

3. Train the stakeholders on Crisis, Command and Control.

4. Implement an early warning data analytics system to preempt potential threats.

Number four on this list pertains to something that is also in the author's letter: "As part of our effort to protect privacy, we have hired ID Analytics, which specializes in identity risk, to investigate and monitor potential identity theft." Let's just hope these guys didn't load up a CD at their shop, handed over to them by TD Ameritrade, with 6,000,000 records of personally identifiable information on it.

14 September 2007

Privileged Information: The Decision to Cooperate...

True or false: A large private sector corporation hires outside counsel to investigate an employee suspected of fraud. The outside counsel hires a fraud examiner to look into the facts. The fraud examiner's report to the outside counsel will assist in determining whether a crime has been committed. The report and the communications with the outside counsel are protected, confidential work product and are privileged. If you don't know the answer, read on.

Organizations that realize internal investigations can pose a tremendous risk of litigation are ahead of the Operational Risk Management curve. Being proactive about a prudent strategy for addressing potential internal employee fraud is imperative, especially if you plan to pursue litigation to try to recover the stolen assets.

The two primary areas of emphasis here, for the purpose of determining what information is discoverable, are the attorney-client privilege and the work product doctrine. This Texas case from the Texas Bar Journal article by Derek Lisk illustrates the point:

In yet another case in which one party sought to protect documents from an investigation on privilege grounds, the U.S. District Court for the Eastern District of Texas took a more expansive view of the privilege. In-house counsel for Electronic Data Systems (EDS) hired outside attorneys, who in turn hired a consulting firm, to independently analyze and report on alleged misuse and misappropriation of assets by an EDS employee, Mr. Steingraber. In the ensuing litigation, EDS objected to producing documents from the investigation.

Steingraber, like Seibu Corp., argued that the documents were not privileged “because they were made to facilitate a business decision rather than the rendition of professional legal services.” This court, however, sided with the party seeking to protect the documents, finding Steingraber’s interpretation of the privilege “unduly narrow” and disagreeing with Seibu Corporation to the extent it held otherwise. Among other things, the court said, “The fact that the attorneys may have been hired to facilitate a business decision does not mean that such a decision was devoid of legal consequences.” Because EDS hired the outside lawyers to contribute legal expertise, including contract interpretation, risk evaluation, witness interviews, and evidence evaluation, the communications between them were “for the rendition of legal services.”

The status of H.R. 3013 in the US House of Representatives is unknown as it goes to be debated in committees:

7/12/2007--Introduced.
Attorney-Client Privilege Protection Act of 2007 - Amends the federal criminal code to prohibit any U.S. agent or attorney, in any federal investigation or criminal or civil enforcement matter, from demanding, requesting, or conditioning treatment on the disclosure by an organization (or affiliated person) of any communication protected by the attorney-client privilege or any attorney work product.
Prohibits a U.S. agent or attorney from conditioning a civil or criminal charging decision relating to an organization (or affiliated person) on one or more specified actions, or from using one or more such actions as a factor in determining whether an organization or affiliated person is cooperating with the government.

The question on the table here is how much, as a corporation, you want to cooperate to prosecute the employee. It may make sense as a corporation to waive some rights to help recover your losses. How you architect a process for engaging outside counsel, independent investigators and fraud examiners in order to mitigate Legal Risk is crucial. The information exchanged, obtained in the process and communicated between parties must be handled correctly, not only to protect the information under the new Federal Rules of Civil Procedure but to ensure the integrity and trustworthiness of the information itself.

A Board of Directors that oversees the governance of hundreds or thousands of employees is going to be continuously subjected to corporate malfeasance and white collar crime matters. The rule of law within the halls of the organization must be clear and precise. The mechanisms for the company to cooperate with investigators may make the difference when an employee creates irreversible economic damage to the enterprise or, even worse, to our national security.

07 September 2007

BMPE: Internal Audit Awareness...

Risk in the supply chain may not always come from the vendor who provides your power, water or telecommunications. The Black Market Peso Exchange (BMPE) is an Operational Risk that is starting to gain more awareness with Internal Auditors. It has been around since the 1980s, yet even today some of our most sophisticated financial services institutions are being subjected to this system of fraud. The BMPE has been another way for the laundering of illicit drug proceeds to impact our risk management controls:

American Express Bank International's anti-money laundering program was deficient in three of the four core elements. Namely, the Bank failed to implement adequate internal controls, failed to conduct adequate independent testing, and failed to designate compliance personnel to ensure compliance with the Bank Secrecy Act. American Express Bank International's high-risk customer base, product lines, and international jurisdiction of operations required elevated measures to manage the risk of money laundering and other financial crimes.

Nevertheless, the Bank conducted business without adequate systems and controls reasonably designed to manage the risk of money laundering, including the potential for Black Market Peso Exchange transactions that may be used by Colombian drug cartels to launder the proceeds of narcotics sales. American Express Bank International's failure to comply with the Bank Secrecy Act and the regulations issued pursuant to that Act were serious, repeated and systemic.

This method of money laundering is effective for the drug traffickers and requires more awareness on the part of fraud examiners and independent auditors. IRS Form 8300, which requires companies and financial entities to disclose receipts in excess of $10K in cash or equivalents, doesn't work very well here, as wire transfers are not considered cash or cash equivalents.

Javier Sarmiento with GlassRatner has a substantive article on the subject in the last issue of the ACFE Fraud Magazine.

A point is made that needs to be emphasized here: "Don't rely on banks and financial institutions to conduct anti-money laundering (BSA/AML) procedures on behalf of the company." Is it possible that your organization has purchased inventory with funds that have been utilized as part of a BMPE scheme? What about resellers and distributors that are part of your own revenue supply chain?

In terms of independent testing, make sure that your Internal Audit department is educated about and aware of this particular mechanism used by money launderers:

American Express Bank International's independent testing of its Bank Secrecy Act program was ineffective. Internal Audit Staff lacked sufficient training and knowledge to facilitate compliance with the Bank Secrecy Act. Audit scopes were not always tailored or designed to capture and test for compliance with certain requirements of the Bank Secrecy Act.

Internal Audit staff also failed to conduct sufficient customer transaction testing to adequately evaluate the overall sufficiency of the anti-money laundering program at the Bank. Furthermore, Internal Audit failed to assist management with tracking and following-up on previously identified regulatory examination deficiencies. In addition, Internal Audit failed to conduct adequate testing of the suspicious activity monitoring system or identify the numerous data integrity concerns associated with this system for an extended period of time. The ineffectiveness of the Internal Audit function at American Express Bank International contributed to the failure to identify significant deficiencies in this system before 2007.

03 September 2007

A-Space: Intel 2.0...

A week or so from now around 8:30AM on the East Coast of the United States there will be many people remembering where they were six years ago. On September 11, 2001 we will stop and observe a minute of silence and reflect on all that has changed and been accomplished and what has stayed the same. It may seem like a distant memory for some, yet a bad dream from last night for so many others.

Sharing intelligence, or the aspects of it that are relevant to you or your enterprise, requires the proper tools and mechanisms. This is a given. However, all the operational risk tools and systems will never be the entire answer to finding the "needle in the haystack" or "connecting the dots". The DNI has been implementing the right kinds of methods and applications to help solve the equation of preventing catastrophic incidents of the magnitude of 9/11:

It's hard to imagine spies logging on and exchanging "whuddups" with strangers, though. They are just not wired that way. If networking is lifeblood to the teenager, it is viewed with deep suspicion by the spy.

The intelligence agencies have something like networking in mind, though, as they scramble to adopt Web technologies that young people have mastered in the millions. The idea is to try to solve the information-sharing problems inherent in the spy world - and blamed, most spectacularly, for the failure to prevent the Sept. 11, 2001, attacks.

In December, officials say, the agencies will introduce A-Space, a top-secret variant of the social networking Web sites MySpace and Facebook. The "A" stands for "analyst," and where Facebook users swap snapshots, homework tips and gossip, intelligence analysts will be able to compare notes on satellite photos of North Korean nuclear sites, Iraqi insurgents and Chinese missiles.

Sharing information is not the hard part. Analyzing it with the "grey matter" necessary to put 2 + 2 together, beyond the capability of the software's algorithms, requires training and extreme context. Corporate enterprises have been utilizing similar systems and tools on their secure Intranets for years, and the agencies are now taking the lessons learned and applying them to the social networking community of their analysts. Smart strategy, as many of these "outsourced" entities are operating from a private sector NOC or SOC and had been delivering intelligence products long before they were hired to do so for the government.

Observing the lessons from the Financial Services Industry on what works and what is treading on thin ice can be a helpful example. Sharing intelligence across organizations, platforms and between competitors has been the norm at SWIFT:

SWIFT is the industry-owned co-operative supplying secure, standardised messaging services and interface software to over 8,100 financial institutions in 208 countries and territories. SWIFT members include banks, broker-dealers and investment managers. The broader SWIFT community also encompasses corporates as well as market infrastructures in payments, securities, treasury and trade. Over the past ten years, SWIFT message prices have been reduced over 80%, and system availability approaches 5x9 reliability — 99.999% of uptime.

Swift is considered the nerve center of the global banking industry, routing trillions of dollars each day between banks, brokerages and other financial institutions. The group's partnership with the U.S. government, first revealed in media reports in June 2006, gave officials at the CIA access to millions of records on international banking transactions in an effort to trace money that investigators believed might be linked to terrorist financing. Swift agreed to turn over large chunks of its database in response to a series of unusually broad subpoenas issued by the Treasury Department beginning months after the attacks of Sept. 11, 2001.

At 8:30AM on 9/11/2007, during our moment of silence, we can only pray that our intel sharing continues and doesn't get strangled by those who have forgotten this day of remembrance.