The United States Indicts Members of One of the Largest Cyber-Fraud Organizations

Thirty-six individuals from across the globe were indicted by a Las Vegas, Nevada grand jury this past Wednesday, February 7, 2018, for their alleged roles in a cyber-criminal enterprise known as the Infraud Organization (short for “In Fraud We Trust”), one of the longest-running “one-stop shops for cybercriminals worldwide.”

Infraud was an online community engaged in the large-scale acquisition, sale, and dissemination of stolen identities, debit and credit cards, personally identifiable information, financial and banking information, computer malware, and other contraband. The United States Justice Department alleges that Infraud caused more than $530 million in actual losses, and had intended to cause more than $2.2 billion in losses. Among the stolen items were HSBC bank logins, PayPal logins and credentials, and credit card numbers. Infraud also provided escrow services to facilitate its members’ illicit transactions and employed screening protocols to ensure that its vendors were of “high quality.”

As of March 2017, the organization’s forums hosted 10,901 member accounts. The website has since been taken down and replaced with a seizure notice.

Infraud founder Svyatoslav Bondarenko of Ukraine allegedly went missing in 2015, and has yet to be apprehended. Co-founder Sergey Medvedev, also of Ukraine, allegedly took over Bondarenko’s role as administrator in 2015 when Bondarenko went missing; Medvedev was apprehended earlier this month in Thailand while on holiday. Four other alleged higher-ranking members of the organization remain at large.

Overall, at least thirteen of the thirty-six defendants have been apprehended, including all five defendants from the United States: Frederick Thomas of Alabama; John Telusma of Brooklyn, New York; Jose Gamboa of Los Angeles, California; David Jonathan Vargas of San Diego, California; and Pius Sushil Wilson of Flushing, New York. Allegedly, Thomas, Telusma, Gamboa, and Vargas were vendors who sold illicit products and services to the organization’s members, while Wilson was allegedly a “VIP member” of the organization who purchased compromised credit cards and repeatedly solicited sales for more compromised credit cards. Others who were apprehended abroad are awaiting extradition.

While it may be unlikely that the shutdown of Infraud will significantly curb cyber-fraud crimes in the future, it has disrupted one of the largest cyber-fraud organizations, and may potentially lead to other “busts” should the multi-national law enforcement agencies involved here track other Infraud members as they flee to different communities.

Although this news may be encouraging to all potential victims of cyber-fraud, consumers and businesses should still remain vigilant about protecting themselves from cybercrime.

The U.S. Department of Justice news release is located here: https://www.justice.gov/opa/pr/thirty-six-defendants-indicted-alleged-roles-transnational-criminal-organization-responsible

Privacy Risks with Snail Mail

With all (or most) eyes on privacy issues in cyberspace, companies can lose sight of traditional methods of violating privacy rights.

A recent example is Aetna’s late July mailing of 12,000 letters where the large windowed envelopes easily revealed the recipients’ names, addresses, and HIV status and/or prevention information. While the number of affected individuals may seem comparatively low, this incident nevertheless garnered negative publicity and attention.

Since privacy violations can lead to lawsuits, heavy fines, or even criminal penalties, companies—especially those that handle protected information—should review their mailing policies. If third-party mailing companies are used, those companies’ policies should also be reviewed.

Some policies that may help reduce potential privacy breaches for snail mail include:

  • Using heavier-stock or security envelopes with no windows
  • NOT using envelopes with pre-printed sender information if the sender information would reveal private information (for example, if your organization name reveals the specific type of medical condition suffered by your patients)
  • Having someone spot check the final product
  • Making sure that addresses are up-to-date
  • Using a form letter that only provides generalized information and instead requiring the patient to contact your office for particularly sensitive information, such as test results
  • Eliminating unnecessary confidential information (such as Social Security Numbers)
  • Shredding and/or proper disposal of misprinted mail
  • Training employees or vendors regularly

If you need further or specific guidance, or guidance on other media, please do not hesitate to speak to an attorney.

Five Steps to Lower the Risk of Trade Secret Theft from Business Partners

As stories of international and domestic hacking and espionage dominate the news cycle, it’s easy to forget that when it comes to trade secrets, employees and business partners—not hackers—pose the biggest threat. See David S. Almeling et al., A Statistical Analysis of Trade Secret Litigation in Federal Courts, 45 Gonz. L. Rev. 291 (2009/2010).

In a recent webinar, Gordon & Rees addressed protection of trade secrets and proprietary information from employee theft. Here, we address some steps to help prevent business partners from misusing your trade secrets.

  1. Identify your trade secrets and control access to them

Before any agreements are drafted or any information or documents are exchanged, be sure you have identified your trade secrets (see also the definition under the Uniform Trade Secrets Act). You can’t protect them unless you know what they are. This sounds like common sense, but surprisingly, in the hustle and bustle of everyday work, not all companies take the time to do this until they’ve realized their trade secrets have ended up in the wrong hands. (Unless it is appropriate for your industry, referring to everything as a “trade secret” is not helpful, either—for example, your business partners are less likely to take your actual trade secrets seriously if you claim that information you have made public is also a trade secret.)

A trade secret “registry” could be considered favorable evidence in court—as long as it is timely updated and actually distributed to employees. See Schalk v. State, 823 S.W.2d 633, 643 (Tex. Crim. App. 1991). This registry will also help your own employees with marking the proper designations when such information is exchanged with a business partner.

Securing your trade secrets in-house will not only help your case in court, it also helps when it comes to disclosure to third parties, particularly inadvertent disclosure. Chances are, not every employee will require access to every trade secret. Limit physical and electronic access to the appropriate trade secrets to the appropriate personnel.

What measures are appropriate will depend on the circumstances and will likely evolve with time and technology. Information stored on secure servers that had three layers of physical security passwords, 256-character PuTTY keys, with portions possessed by only a single person, was found by a court to be sufficient evidence for a jury to conclude that a trade secrets owner took appropriate measures to protect its trade secrets. Xtec, Inc. v. CardSmart Techs., Inc., No. 11-22866-CIV-ROSENBAUM, 2014 U.S. Dist. LEXIS 184604, at *26 (S.D. Fla. May 15, 2014).

On the other hand, where information was distributed to 600-700 people, of whom at most only 190 signed confidentiality agreements, and where that same information was not stamped as “confidential,” a court found that no reasonable jury could conclude that “reasonable efforts” were made. Tax Track Sys. Corp. v. New Inv’r World, Inc., 478 F.3d 783, 788 (7th Cir. 2007).

  2. Draft tailored non-disclosure agreements (“NDAs”)

Before any information is exchanged with a business partner, have your attorneys help you draft a non-disclosure/confidentiality agreement tailored to the arrangement. Not only will this agreement help you in case you need to litigate the matter, it will provide the protocols for your business partner to follow.

Some provisions you and your attorneys will want to consider are the return/destruction of trade secrets at certain stages (and certainly when the relationship is terminated), a perpetual non-disclosure and non-use clause when it comes to trade secrets (as opposed to an expiring one), how trade secrets will be identified/marked (and the ability to later identify/mark previously exchanged documents), and requirements for the business partner’s employees to sign individual NDAs and/or obtain training on how to handle trade secrets. This is not an exhaustive list—work with your attorney to flesh out the agreement.

Be wary of stock or template agreements; many of them may not contemplate the specific issues that may arise in your situation. Many “standard” agreements also contain language that relieves the business partner of its contractual obligations of non-disclosure and non-use as soon as the trade secrets are made public—without specifying that such public disclosure must have been authorized by the owner of the trade secret, and without giving the owner the chance to mitigate the effects and damage of the unauthorized disclosure.

But no matter how perfect the agreement, it won’t matter if it isn’t properly implemented.

  3. Train your own employees

Identify all the employees who will be corresponding with the business partner and make sure you train them. Let them know what information can be exchanged, what cannot, and which individuals from the business partner they can exchange information with. Provide them with a written checklist and designate a person most knowledgeable—or better yet, a specialized team—to direct their questions to. This team should also conduct some “spot checks” throughout the relationship to make sure protocols are being followed.

If the relationship with the business partner will span more than a couple of months, also have a plan in place to retrain your employees at regular intervals.

  4. Train the business partner’s employees

Even if you require individuals from the business partner’s company to sign an NDA, that may not be enough. You may want to provide the partner’s employees with the necessary training, or at least provide the partner with the necessary materials to provide the training themselves (and require them to do so as part of the NDA). Regularly communicate with the partner to make sure they are protecting your trade secrets, and have your employees and your specialized team pay attention to how the business partner is using this information as well.

  5. Create a contingency/emergency plan

Did an employee send a trade secret to the business partner without marking it as such? Has the business partner communicated plans that may violate the NDA? Has the relationship with the business partner begun to go sour?

Your team should already have a contingency plan in place to deal with these—and other—situations, and protocols to continually improve security and access. Make sure you follow through on enforcing contractual provisions, and make sure you act swiftly.

In closing, remember that when dealing with trade secrets or handling other proprietary, confidential or otherwise private information, nothing beats being prepared.