ID Theft: Courts Cracking Down
Ex-Prosecutor Says Courts Are Sending Message to Hackers
The trial and conviction of Albert Gonzalez, the mastermind behind the cybertheft of millions of credit and debit card numbers from U.S. retailers, represented the largest hacking and identity theft case ever prosecuted by the Department of Justice. Since the Gonzalez case, the courts and regulatory bodies have been stiffening their penalties for those convicted of cyberbreaches that compromise U.S. cardholders' identities. The prevalence and growth of international crime rings, such as the Gonzalez ring, are getting more attention, and prosecutors and law enforcement are putting into practice the lessons learned from Gonzalez.
In this interview, Kimberly Peretti, the former lead prosecutor in the U.S. v. Gonzalez trial, who now serves as the director of PricewaterhouseCoopers' U.S. Forensic Technology Solutions Practice, discusses:
- The lessons law enforcement learned during the Gonzalez case about fighting and thwarting international cybercrime;
- Why judges are passing down stiffer sentences for those convicted of cybercrimes, more closely mirroring sentences historically only handed down for convictions of high-profile white-collar crimes;
- How financial-services providers should work to stay informed about emerging threats and approach security from a risk-based perspective.
Peretti helps clients respond to significant cyberattacks and breaches, and advises clients on how to reduce risks related to cybersecurity.
Before joining PwC, Peretti was a senior counselor with the Department of Justice's Criminal Division in the Computer Crime and Intellectual Property Section. She brings extensive experience in investigating, prosecuting, managing, coordinating, and advising organizations on issues related to multi-district, multi-agency computer crimes both domestically and internationally.
While with the DOJ, Peretti was lead prosecutor in U.S. v. Gonzalez, et al., the largest hacking and identity theft case ever prosecuted by the DOJ, in which more than 170 million credit and debit card numbers were stolen from more than 14 major U.S. retailers by an international hacking ring. Peretti successfully convicted the ringleader and several foreign defendants in four districts. Recognition for this case included Director's Award for Outstanding Assistance and Support from the United States Secret Service.
Prior to joining the DOJ, Peretti practiced law in Brobeck, Phleger & Harrison's Technology division. There she formed one of the first information security and privacy practice groups. She also was previously with Mayer, Brown & Platt's Financial Regulatory Practice Division, where she advised financial institutions about electronic commerce issues and migrating to the Internet.
Peretti holds a bachelor's degree from the University of Wisconsin-Madison and a Juris Doctorate from Georgetown University Law Center. She also holds a master's in law from the Ludwig Maximilians University in Munich and is a Certified Information Systems Security Practitioner.
TRACY KITTEN: Are sentences for those convicted of crimes related to identity theft, such as data breach hacks and card skimming, becoming more severe? Hi, I'm Tracy Kitten with Information Security Media Group. I'm here today with Kimberly Peretti, director of PricewaterhouseCoopers' U.S. Forensic Technology Solutions Practice. Peretti formerly served as the senior counsel with the Department of Justice's Criminal Division in the Computer Crime and Intellectual Property Section. She also was the lead prosecutor in the U.S. versus Gonzalez trial, the largest hacking and identity theft case ever prosecuted by the DOJ. Kim, during your time with the DOJ, as I just mentioned, you served as the lead prosecutor in the federal hacking and identity theft case against Albert Gonzalez, the mastermind behind the theft of millions of credit and debit card numbers from U.S. retailers. You now have moved into the private sector. Could you please tell us a little bit about your new role?
KIM PERETTI: Sure, as you mentioned, I'm a director in the Forensics Services Group at PricewaterhouseCoopers. Here, in this group, I focus on the prevention, response and remediation of all different types of data breaches, including those involving payment card information, PCI, personally identifiable information, PII, and personal health information, PHI. They also service a wide range of our clients in matters of cyberintrusions, cyberinvestigations, cybersecurity, financial crime, fraud and regulation, payment card systems, compromise and risk mitigation, as well as economic espionage and intellectual property theft.
KITTEN: OK, going back to the Gonzalez case, can you tell us, the prosecutions of identity-theft-related crimes, have they been impacted by that case, and what type of precedent did it set?
PERETTI: Sure. I sort of see three fundamental areas of its impact, and ultimately this was an enormous success for law enforcement, in particular, because of the element of international cooperation. It demonstrated the ability of law enforcement to investigate crimes where the bulk of the evidence, the witnesses, the individuals, the targets, are overseas; and the ability of law enforcement to catch those very sophisticated criminals wherever they are located. So, that is one area that had a particular impact -- the degree of international connection of this particular prosecution. The second area is the really significant impact in the sentencing of these computer criminals, in particular. I prosecuted these types of cases for eight years, and earlier on, when we would get to the sentencing stage for these particular cases of credit- and debit-card theft, we would see the judge have a particular sentencing range before him or her and emphasize special deterrence rather than general deterrence. In emphasizing special deterrence earlier on, the individuals were more likely to get very, very light sentences or probation. Whereas in this particular round of cases, each judge made it very clear, on the record, the importance of sending a message to the community that cybercrimes by their very nature allow offenders to commit offenses without leaving their homes, and with a veil of anonymity; and as a result, we need to impose the appropriate punishment for these particular cybercriminals, in order to supply prospective cybercriminals with the information they need to have a real deterrence. The third area was the sentences. When you have a 20-year sentence that was given to the ringleader for these particular cases, that's comparable to some of the most significant non-cyber white-collar criminal cases we've seen, and it really put cybercrimes on the same level as the other types of serious white-collar crimes.
KITTEN: From your perspective, looking at an identity-theft case versus a data-breach case, could one be deemed a less punishable offense than another? How do the courts differentiate those types of crimes?
PERETTI: Well, I sort of differentiate them between identity-theft cases that involve new account creations; so maybe an individual's information is stolen and used to open up new accounts and really has a significant financial impact on that individual, versus some of the data breach cases, where it's just an account takeover using someone's stolen credit-card information. As far as they are differentiated legally, often at the department, when I was prosecuting, we would use the same statutes to prosecute these types of crimes -- the wire fraud, identity theft, access device fraud, computer fraud, so the same statutory analysis would apply. The difference was really in the actual financial loss suffered by a particular individual. In the credit-card data case, the individuals are reimbursed, often by their issuing banks. In the other cases, the new-account-creation victims can suffer a much more significant financial loss. At the end of the day, in the sentencing analysis, as a default, if it's an access-device fraud case, a credit card case, you'll have a baseline of $500 per access device in a monetary value assigned. But the differentiator, when you get to the sentencing stage, is that it has a more significant impact on the court if you have individuals in the courtroom whose lives have been ruined, versus a case where it is credit card and the individuals haven't faced as much financial loss. In the latter case, it's more difficult to get, these recent cases aside, a more significant sentence. That said, we've seen, you know, recent statutes address the issue, acknowledging the fact that even if an individual doesn't suffer financial loss, there are other types of loss that are important to recognize, as you know, more of the indirect cost -- the cost you paid because you had to take off time working to solve the particular case against you, or to identify what had happened and restore yourself to a particular state.
So we had a recent statute pass that expands the definition of loss to account for some of those other intangible indirect costs with recovering from identity theft loss.
KITTEN: And that is a nice segue: Talking about the financial institutions, specifically, you've mentioned card issuers, and I'm wondering what trends you see in the financial space regarding some of these data breaches, when we look at legal liability and responsibility. Where does some of that fall, when we look at financial institutions and retailers?
PERETTI: Well, if you look at the legal liability analysis for the particular retail victims, I mean, for the most part, the plaintiff class action lawsuits against these corporate victims of data breaches have largely been unsuccessful, due, really, to the difficulty of proving injury or a proof of harm. In these cases, they are still requiring the damages. And this is in contrast to the recent lawsuits we've seen in the area of the corporate account takeover/online banking ACH fraud cases, where there is that actual financial loss, that injury, in fact, that is easily provable. So, in lawsuits, when it comes to the liability for merchants, the plaintiffs are either lacking standing, because there is no injury, or they are not able to state a claim of action. That said, you know, certainly, the area to watch out for that remains uncertain is the state statutes. Several years ago, Minnesota passed a statute that was one of the first states to statutorily impose liability on negligent merchants. And we've seen Washington in March of this year become the second state to enact a statute in this area. Of course, there have been other states, like California, whose attempts have failed; but the state statute area is an area to watch out for.
KITTEN: Now, moving into a little bit more about what you are doing in the private sector, can you help us understand how your experience with the DOJ is benefiting some of the clients that you are working with now at PricewaterhouseCoopers?
PERETTI: What I see is, security is ultimately a risk-based approach, and you need to understand, up front, the threats to your organization, the threats to your industry; and so what I believe I can bring to the private sector from my experience at DOJ is really insight into three different types of data leakage or information theft. One is the organized criminal groups that are stealing our financial data from our financial-services sector; the second is insiders stealing basically all different types of information, and understanding how to protect against an insider threat; and then third are the nation-states engaged in more of the economic espionage. For a company to implement a risk-based security approach, the first step is really to understand what those threats are. Then, secondly, the other thing is the perception of the importance of the collaborative approach to understanding the threat. One thing I worked on at DOJ was really bridging law enforcement and the private industry in information-sharing endeavors, and what I hope to bring to the private sector is to continue to engage in the established information-sharing vehicles we have, like the financial-services information sharing advisory center, FS-ISAC, as well as some of the law-enforcement-run information-sharing groups, the Secret Service Electronic Crimes Task Force and InfraGard by the FBI; and look for opportunities to continue to develop new ways that we can engage in this collaborative approach.
KITTEN: What are you learning from some of the new clients that you meet? What are they bringing to those discussions and what are you bringing from your experience?
PERETTI: I'm learning quite a bit about the difficulties, you know, clients and companies face in addressing the issue: where to put their resources, how to make the correct pitch upwards to management, and why it is important to have certain security practices in place. And what I try to bring is an understanding of the nature and the scope of the attack. You know, often, that is not reported -- how extensive a particular set of breaches is, or a particular set of attacks -- and understanding that message can make it easier for companies to pitch to management, to get the positive response back of, "Yes, we need to invest in our security practices. We need to be more aware of this. We need to really bring people together at a management level in our incident-response planning," for example.
KITTEN: And, finally, Kim, as we wrap up, I'd like to ask you, over the next 12 months, what are the primary privacy concerns institutions and the industry, generally, should be concerned about?
PERETTI: Well, two I will mention are not particularly new, but financial institutions should continue to be concerned with the ACH-wire fraud/corporate account takeovers. That seems to be affecting institutions -- small, mid-range and large; and as a financial-services sector, we need to be aware of those attacks and how they change over time. The second one is the continued exploitation of vulnerable point-of-sale systems, particularly at smaller restaurants, smaller retailers, hotel properties and other types of small- to mid-size establishments. And, finally, don't let your guard down. Always be aware of new types of attacks that are the latest and greatest. You know, the sooner you can see those types of attacks, the sooner you can mitigate them. I just read recently about a new threat where we have botnets being used in the check-counterfeiting area, where a botnet might be used to scrape check images from sites that are archiving processed checks in digital formats. So, always be aware of the new types of attacks. Don't hear about them 12 months later; try to hear about them right away so you can implement the mitigation techniques to help your company.