Introduction to Corruption, definition, types, impact and conclusion
Bank of Nations vs. Border Insurance
1.
2. How many of you have been the
victims of a data breach?
Most Americans have had their data compromised in one form or another
• FTC states 143 million American consumers’ personal information
was exposed in the recent Equifax Data Breach.
3. What This
Case Is About….
• Whether Border Insurance committed
a breach of contract by denying Bank
of Nation’s claims.
• Whether Border Insurance was liable
for negligence by not preventing the
data breach
5. Let’s Look at the Facts....
Border Insurance’s defense rests upon the following
contract language:
Our liability “does not cover malware
attacks if any evidence suggests that the
source of an IP could be related to a
company’s employee either by information
found in databases, or by other means.”
6. Continued....
● Bank of Nations claims for reimbursement were denied
○ Border Insurance claims malware originated from an IP address associated with Bank of
Nations - an IP address is NOT a reliable way of establishing identity
○ Border Insurance explicitly stated that “it was unknown if an employee created the virus”
- demonstrates their investigation findings were inconclusive
● No evidence that the IP address presented by the malware was not spoofed
○ IP Spoofing is a commonly used to obscure the true origin of a communication, especially to
hide criminal and malicious activity
No proof of origin established in the malware attack
7. Cybersecurity failures caused excessive
harm to numerous parties
● Border Insurance had an obligation to Bank of Nations to adequately protect the
bank’s IT infrastructure
○ Bank of Nations’ international operation meant a significant amount of sensitive information
relied upon this protection
● Border Insurance breached that obligation by failing to adhere to standards
○ Malware entered network undetected by Border’s security
○ Malware actively operated on network for 30+ days without Border Insurance recognizing infection
● Border Insurance's negligence has caused Bank of Nations and its customers
around the world to suffer economic losses
Continued....
8. What Does the
Law State?
• AF holdings v. Rogers
• “Due to the risk of ‘false positives,’” an IP
Address alone cannot be used as a method
of identification
• Manny Films, LLC v. John Doe
• “...An IP address is not a definitive way to
identify the individual who is using the IP
at the time.”
• Lone Star Bank v. Heartland Payment Systems
• “The issuing banks had a valid negligence
claim against Heartland for its
cybersecurity failures and that, if proven,
they could recover their consequential
damages from Heartland.”
9. What Does the
Law State?
•Requirements for Negligence:
Duty is owed to the plaintiff by
the defendant
Breach of the Duty
Injury: The plaintiff suffers harm
Causation: The defendant caused
the harm to occur
10. What does this mean?
● Border Insurance’s conclusion that the malware was of internal origin,
self-admittedly, cannot be validated
● IP addresses cannot be used as proof of identification
● Claims cannot be denied based upon unverifiable assumptions
● Therefore, not paying the claim would constitute a breach of
contract
11. What does this mean?
● Duty owed - Border Insurance was tasked with protecting Bank of Nations’ IT
infrastructure
● Breach of duty - Border Ins. failed to protect Bank of Nations by enabling malware to
enter into and reside on their network for greater than 30 days
● Injury - Bank of Nations has incurred significant financial losses internationally related
to the reimbursement of affected customers, as well as damage to their public image
● Causation - Systems implemented by Border Ins. were insufficient to prevent such an
attack
Therefore, Border Insurance was negligent in their practice
and should be held liable for damages incurred
12. AF Holdings v. Rogers. Case No. 12cv1519 BTM(BLM) (United States District Court, S.D. California. (January 23, 2013)
Federal Trade Commission. (2017, 11 26). The Equifax Data Breach. Retrieved from Federal Trade Commission: https://www.ftc.gov/equifax-data-breach
Identity Theft Resource Center. (2017, 11 22). Data Breaches. Retrieved from Identity Theft Resource Center: http://www.idtheftcenter.org/Data-Breaches/data-breaches
Lone Star National Bank, N.A.; Amalgamated Bank; First Bankers Trust Company, National Association; Pennsylvania State Employees Credit Union; Elevations Credit Union; O Bee
Credit Union;
Seaboard Federal Credit Union v. Heartland Payment Systems, Inc. Case No. 12-20648 (United States Court of Appeals, Fifth Circuit September 3, 2013)
Manny Film, LLC v. John Doe, subscriber assigned IP address 66.229.140.101 Case No. 0:15-cv-60446 (U.S. Civil Court Records for the Southern District of Florida March 5, 2015)
References