EPISODE 30
Company Sues Employee For Being Phished



About this episode

June 25, 2019

Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, about a company that sued its employee for being phished out of $260,000.


Episode Transcript

Speaker 1: Welcome to The Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, cybersecurity counsel at the law firm of Newman Du Wors. Visit them at cyberriskopportunities.com and Newmanlaw.com.

Kip Boyle: Hi everyone. Before we get started with this episode, we have a special announcement. As a regular listener, you know that the same technology that makes our jobs easier can also make things easier for cyber criminals. Given this, it's not surprising that enhancing cybersecurity is near the top of many organizations' to-do lists. What is surprising is how many businesses approach cyber risk management the wrong way. We want to help fix that at two lunch and learn webinars. So join us for the 10 biggest mistakes you are making with cyber risk and how to fix them. On the East Coast, we'll start on Wednesday June 26th at noon, and on the West Coast, we'll start on Thursday, June 27th at noon. Invite your team members to join you in the conference room for this lunch and learn webinar. Registration to this exclusive 45 minute webinar and the Q&A session is free, but space is limited. Visit cyberriskmistakes.com to reserve your spot today. Now on with the show.

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Hey, Jake, today, we're going to talk about how there's a company in Scotland, they're suing an ex-employee because she was tricked into wiring over, get this, $260,000 to online criminals.

Jake Bernstein: Well, that's interesting. So, what's the specific charge there?

Kip Boyle: Right. So, she's in court, or she's been in court, and they're actually hearing the case now. And so I read these BBC news articles, I don't actually have any access to the court documents, so I'm getting this from the media, but apparently there was this woman, her name is Patricia Riley, and the charge is that she acted negligently when she made unauthorized payments to these online criminals, while she was working as a credit controller at a company called Peebles Media, which is a magazine publisher based in Scotland. And the news article specifically said that the lawyers for Peebles, again, this is the employer, they claimed that Mrs. Riley's actions were, and here's the quote, "careless and in breach of the duties, including the duty to exercise reasonable care in the course of the performance of her duties as an employee, which she owed to her employer."

Jake Bernstein: Interesting, interesting. So what does the company allege were the facts? And the reason that I ask that right away is negligence as a legal doctrine is almost entirely based on facts. The simple version of negligence is what you just read, which is someone has a duty, they've breached it, they caused damage.

Kip Boyle: Yeah. Okay. So there were two BBC news articles that I read and they were just swimming in details. And so rather than read the articles to you, I just picked out the high points. So, here's the stuff that stuck out to me as a chief information security officer. I wonder if you had read the articles, if different things might have stuck out to you, but here's what I saw. So first of all, this all went down in October of 2015, which I thought was interesting. That's quite a delay, but this is Scotland, and I don't really understand the legal system, but in October of 2015, Mrs. Riley, she's the one being accused of negligence. She received a number of email messages, which appeared to come from her boss and her boss's name is Yvonne Bremner.

And Yvonne Bremner is the managing director of Peebles Media. So Riley's the employee, Bremner's the boss. And all these fake emails came in saying, hi, this is Yvonne, please transfer money. All right. So it's a classic business email compromise attack.

Jake Bernstein: Yep.

Kip Boyle: And as is often the case, these emails came in to Mrs. Riley when Ms. Bremner was on vacation in the Canary Islands. So it's like, obviously this company was being surveilled by the cyber criminals for them to attack while the managing director was physically thousands of miles away. And this works a lot, because we know from the FBI, the statistics are over $12 billion in worldwide losses since 2013 to this kind of attack. Now it's interesting that the articles didn't actually say business email compromise, didn't really focus on the actual style of the attack. Really didn't talk about the classic pattern of the attack, but that's absolutely what's going on here. So, that's the larger context. So Mrs. Bremner, the managing director said in court that Mrs. Riley was not authorized to make payments on behalf of the company. And the managing director said she never knew that Mrs. Riley was able to make payments. So, the boss is alleging, how could she possibly issue these payments when nobody ever granted her access to the banking account?

Jake Bernstein: Yeah. That doesn't make a great deal of sense.

Kip Boyle: No, it's really strange, but here's an interesting point, Mrs. Riley is also alleged, when she was doing the online banking transfers, that she checked a box during, in the web browser, as she was authenticating to the bank and preparing the transactions, that there was a box that said, essentially check here to acknowledge. We are warning you as your bank, that there are actively con artists attempting to fool employees into making false payments. And so, apparently they've got evidence that Mrs. Riley, or somebody using her credential checked that box. And so that's another piece of evidence that the company's bringing in here. And so the specific amount of the suit is $140,000, because apparently the bank reimbursed some of the losses, the article doesn't really say why, but then there's these comments from the managing director, Bremner, for example, she says, "I didn't particularly trust her. She was the office gossip. And that's why she was privy to nothing." This is starting to sound very personal.

Jake Bernstein: I was going to say, this is very interesting. And you said there were 12 billion in losses from the business email compromise and she's responsible for what? 250,000?

Kip Boyle: Uh-huh (affirmative).

Jake Bernstein: So, she at least has a lot of company in her misery. Okay.

Kip Boyle: Now, the facts are, I'm almost done. I just want to say two more things about what the company is saying in court about Mrs. Riley. Okay. So the other two things are, is that the managing director, Bremner, said that Mrs. Riley was an underperformer at her job, and allegedly did not bother chasing debtors who continually failed to pay Peebles Media. So, it's not just, hey, you screwed up and you sent money that you were never supposed to send, using credentials that you were never supposed to have, but you're also untrustworthy. You're an office gossip. You never did your job correctly. And ultimately Mrs. Riley was fired from all of this, fired from her company for all of this.

Jake Bernstein: Which I understand, but what does she say? What's her story?

Kip Boyle: Okay. So Mrs. Riley isn't saying nearly as much as the company, which I think is interesting, but what she is saying is, first she's saying that she never received any training from the company, Peebles Media, about how to spot an online fraud. And so she's like, well, if you'd wanted me to be aware of this risk, you should have told me, I should have received training. So I'm not negligent, because you never told me what to do. So that's one thing she's saying. The other thing her lawyers are saying is, I thought this was an interesting statement, "It is not known and not admitted that she was presented with that warning screen from the bank." So she's saying, I never saw it.

Jake Bernstein: Yeah. And that, to me, sounds like an almost ritualistic type of statement. We have that in American law, they have it a lot more over in Britain. So, that's almost certainly something that is said on a regular basis.

Kip Boyle: Ah, okay.

Jake Bernstein: And all it means is, no, that's [crosstalk].

Kip Boyle: That's playground talk.

Jake Bernstein: Yeah. That's how I read that.

Kip Boyle: Okay. And then the last thing that she says is that she was so freaked out by what had happened, this loss of money when it actually was disclosed that the money was gone. She testified, "I was driving to work the following morning, and I started to panic. I had to stop the car and I almost passed out. I had to go to the doctors and I was prescribed diazepam."

Jake Bernstein: Which, of course, is an interesting fact, but probably totally irrelevant to the lawsuit.

Kip Boyle: Well, I thought that, again, it's like I'm reading this article and it almost sounds like a soap opera.

Jake Bernstein: Oh yeah.

Kip Boyle: And I'm struggling to understand, what are the facts here? And what is essentially, to my way of thinking, sand thrown in people's eyes, to get them off the trail. But, so I was really, I'm really glad we're talking about this during this episode, because as a lawyer, I'm hoping that you're going to help me sift through all this and not only figure out, what's legit in this particular case? But there's a bigger question too, which is, is it a good idea for companies to sue their employees after a business email compromise? That's just one question I have, but take it away, Jake, what are you seeing here?

Jake Bernstein: So, one, with the caveat that we only have a handful of BBC articles and I found some additional reporting on it and we have a limited view of the facts. So, let's just, there's our disclaimer for this conversation.

Kip Boyle: Okay.

Jake Bernstein: But based on what is in these articles, and there's quite a bit, it seems to me that, I think you said it earlier, there's a little bit of its personal issues going on here. I don't think that generally speaking, it's a good idea for companies to sue their employees after a BEC. The fact is that business email compromise is a, or certainly can be a highly sophisticated attack that is very convincing. And you don't get to 12 billion in BEC damages by being obvious or easy to spot. So I think that there is very much, hindsight is 20/20. You can always Monday morning quarterback, pick whatever metaphor you [inaudible], but it is, once you learn that something is a scam, it's obviously very easy to go back and say, well, you should have known that was a scam.

Well, really, should they have? And who's responsible here? She could say, well, one of her defenses is you didn't train me, which I suppose is a reasonable defense. Another one is, you let me do this. Where were the systems and procedures in place to prevent money from being sent out in this type of instance? So, you just can't blame, a BEC is not one person's fault, really. After all, who are the bad guys targeting? They're targeting people, and they're going to try to find people who are most susceptible to this.

Kip Boyle: And they're going to use, and again, just to remind listeners, a business email compromise is not an attack against a technological defense. It's not about compromising a firewall, or any real technology. It's really about the oldest attack in the book, which is a con, this is just a flat out con conducted through electronic means. But the basic premise of this is, I'm going to emotionally manipulate somebody.

Jake Bernstein: Yeah. And they trick you. And let's be honest, even the smartest people can fall for scams. They're good at what they do.

Kip Boyle: Yeah. Well, I don't know if we've talked about it here on this podcast. I don't think so. But recently I saw an article that there was a fellow in Europe and he conned over a multi-year period something like a hundred million dollars of money from the likes of Google and Facebook. He scammed them by setting up a fake company and sent fake invoices for high end servers and other networking equipment and never delivered any of it. And all these bills were paid. If you can scam Google and Facebook, what is poor Mrs. Riley? How could she possibly defend herself?

Jake Bernstein: Well, that's the good point. And I think that there's a real issue, I think, with this negligence claim, because what it says is employee you have a duty to exercise "reasonable care under the circumstances to prevent scam artists from stealing money." And if you think about what that really is saying, it's putting the entirety of the defense against this form of cyber attack, the BEC, on one person, and collapsing it down to a simple negligence theory. And I think that's unreasonable, because I know that the level of sophistication of these types of attacks is high, that things that we say all the time, cybersecurity is a team sport [crosstalk].

Kip Boyle: Mm-hmm (affirmative).

Jake Bernstein: ... single person's duty. And really, this woman here was at least three layers down, just reading the facts and the articles,

Kip Boyle: In the management.

Jake Bernstein: In the management. And is this the person that you're going to put in charge of defending the entire company from cybersecurity scams? Because that's really what they're saying. You had a duty to not be tricked by any scam, this type of scam in particular, and you didn't exercise reasonable care. I just find that to be a very unrealistic and unreasonable standard to put on a possibly low level, I can't quite tell, I don't know how big this company is, low to mid-level person. Where was the CISO? Why isn't the CISO responsible for this, the BEC?

I think this is a really dangerous case, because if the employer wins, fortunately it's over in Scotland and the US courts don't have to pay even the slightest attention to it, but let's just say that if the defendant, or if the defendant loses, so if the employer wins, then you have at least one more international case precedent that says it is the employee's fault for not spotting a business email compromise. And to me, that is, one thing that we talk about in First Amendment law, which of course they don't have over in Britain, is the idea of chilling speech.

And one of the things that the First Amendment is meant to do is protect speech, almost always. Very, very strong level of protection because we're very scared of chilling speech, chilling discussion. Well, this is going to be chilling all business activity ever, because what employee is going to take the risk of paying a bill or responding to an email, if they think, oh, well, if I'm wrong, then I could get sued for whatever loss I cause. And you're setting up all the wrong things here.

Kip Boyle: Well, and that would effectively throw a lot of sand in the gears of commerce, because [crosstalk].

Jake Bernstein: Oh, it would.

Kip Boyle: ... people would be stepping back from taking on that responsibility. And so as companies are invoicing each other for legitimate stuff, because business email compromises is some percentage of a larger, legitimate commercial activity, but those bills aren't going to get paid very quickly and it's going to slow everything down.

Jake Bernstein: It will slow everything down. It puts the responsibility on the wrong party. You can't reasonably request every person in an organization to spot every scam, every attack. So here's a question. If I take this to the next step, then wouldn't it be the IT department's negligence if someone gets in and [inaudible] data? They have ability to stop that from happening and they breached it, and they caused me damage. So I'm going to hold those IT guys personally liable. And as a business, I'm going to sue my own employees. I think this is just a terrible idea. The more I talk about it, the more convinced I am that this is perhaps one of the worst ideas I have ever heard.

Kip Boyle: Well, it's interesting because we've had years and years and years of data breaches, credit card compromises. Think about Target, think about Home Depot. And nobody on any of those teams, to the best of my understanding, that there was any attempt to hold them legally accountable in a civil action, and certainly not a criminal action, to hold them accountable for what happened. And I think using this case, you could say, well, we could have tried to sue employees or entire teams of people who had been given hundreds of millions of dollars in budget to buy firewalls and all kinds of technological defenses to become PCI compliant. But none of that stuff actually prevented those credit card compromises. And so, there certainly has been plenty of opportunity for a suit like this to arise, but this is the first one I've heard of.

Jake Bernstein: Well. So in America, and I don't know what the law is over in Europe, or Britain, but one of the things that may, and I'm not an employment lawyer, keep that in mind. But one of the things that I do know is that, under agency theory, let's say if a UPS driver in his UPS truck is driving along and gets into a car accident, then the person who was hit can sue UPS, because the driver of the truck was acting on company orders.

Kip Boyle: Mm-hmm (affirmative). As an agent.

Jake Bernstein: As an agent. It was in the course of employment. So I think that one of the reasons you've never seen this before is that there's really no mechanism to hold an employee accountable like this when they're just doing their job. I also think that it would be, I think there's a lot of reasons it would be very hard to do under American law, but I'm not a hundred percent confident in that. So I just [crosstalk].

Kip Boyle: So, we could see a suit like this in the United States.

Jake Bernstein: You could, you could see a suit like this in the United States. I think it's a bad idea. I think that the risk of people becoming extremely paranoid and being unwilling to take any useful action would shut down commerce, or at the very least as you put it, throw quite a bit of sand into the [crosstalk].

Kip Boyle: Yeah. Okay. So, you think the chilling effect on the overall economy, and a reticence by individuals who put themselves in jeopardy, you think that would be consequences that are unacceptable as a result of holding a few individuals accountable, even if they were, even if they weren't negligent?

Jake Bernstein: Well, and I think at the bottom line is, is that, the way you'd have to state the duty to claim a breach is just not reasonable. You would, in order to make this case, you would have to say that every individual employee has an individual duty to spot and defend against cyber attacks.

Kip Boyle: Yeah.

Jake Bernstein: Right. And as security professionals that's, to us, that's just nuts.

Kip Boyle: Well, but I don't know. Let me challenge that for a second, because we have talked about cyber is a team sport. We do have a whole segment of the cybersecurity market space that is devoted to training individual people about how to spot and not fall for phishing attacks. There's a whole sub-industry around training people in this way. So, we do expect them. We do train them and we do expect them to not click on links. So I'm wondering, where's the line between, well, we're going to train you and we're going to expect this from you, but if you end up doing it anyway, well, we're not going to sue you. We could sanction you with some internal company disciplinary process.

Jake Bernstein: You could get fired, and that's fine. But I think the line between suing someone for the damages and discipline, or terminating their employment is a pretty thick one. And I'm not saying that we shouldn't train people. In fact, I would say that you must train your employees, but even if they're fully trained, nothing is foolproof. And how do you determine, I suppose if you really wanted to, if you could show a factual record full of training and that the person understood it and did it and took little tests. And then if you could show that the specific phishing attempt that led to the BEC was so obvious that no reasonable person would fall for it, maybe you could make a case. A different factual pattern, by the way, that I think might change my decision somewhat is let's say the company mandates training, but what if a person doesn't do it, or they were behind in their training and the system hadn't caught up to them yet.

There are factual patterns you can conceive of where this becomes more appropriate than it is right now. But overall, not to continue to beat this horse, is that businesses probably should not be suing their employees for business email compromises. Defending against that is, like everything it's defense in depth, need to have a multi-layered approach, putting the entire duty of care on every individual line employee, not only is it not realistic, but this particular BEC wasn't that much money. Maybe she has that much money that could be recovered. But what if it's a million dollar BEC?

Kip Boyle: Mm-hmm (affirmative). Or a hundred million dollars.

Jake Bernstein: Or a hundred million dollars [crosstalk]. How many line employees could afford to [crosstalk].

Kip Boyle: Well, nobody.

Jake Bernstein: Nobody.

Kip Boyle: Nobody really. And it's really not about getting the money back. I think in this case, it's really about, it's about sending a message, a deterrent, like you said, a chilling effect. But to send a deterrent message like, hey, all of you who didn't get sued, be careful, be on notice that you could. And Mrs. Riley, one of the things I didn't mention yet, but she was also quoted as saying that ever since she was fired from her job, she hasn't been able to become gainfully employed because she is responsibly disclosing that she is the subject of a lawsuit and nobody will take her on. And so, economically, her life is in a really bad situation. So, as an employee, if I was an employee, I would be looking at this and I would say, even if I'm vindicated in a court of law, I don't want to spend three to four years going to the food pantry because I can't get a job.

Jake Bernstein: Well, and let's face it. If you know your employer is potentially going to sue you for this, you're going to find a different job.

Kip Boyle: Well, I would think so. But it's rough, it's hard to wait this out. Okay. So the conclusion that you are at is, companies don't sue your employees. That's the message you're sending to our audience of senior decision makers, this is not a good idea. You're encouraging them not to do it. And my bottom line is, but that doesn't mean you shouldn't have expectations of them. You should, you should still train them. You should still, think of this cyber risk management as a team sport. But I think what we are saying is, is that the line that you should be drawing when you sanction somebody for not protecting the company against a business email compromise, is going to be some internal disciplinary manner up to, and including termination of employment. We just don't think that these people should be dragged into a court of law. Does that pretty much sum it up?

Jake Bernstein: That sums it up pretty well.

Kip Boyle: Okay. Well, that wraps up this episode of The Cyber Risk Management Podcast. Today, we talked about how a company in Scotland is suing an ex-employee because she was tricked into wiring over $260,000 to online criminals. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on The Cyber Risk Management Podcast. Remember that cyber risk management is a team sport and should incorporate management, your legal department, HR, and IT for full effectiveness. Management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk business strategy program. Find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.