Hot Topics

Dec 8, 2017 | 0 comments

Article 1: “Atlanta Cybercrime Experts Investigating Equifax Hack”

According to the article, the U.S. Attorney’s office has confirmed that, along with the FBI, it is investigating the breach at Atlanta-based Equifax, which the company said lasted from mid-May to July and exposed the data of 145 million Americans.

Neither agency would discuss Equifax, but their cybercrime teams shared insights about the difficulties of cybercrime cases.

“They are challenging, and the success stories are rare,” said prosecutor Steven Grimberg, who leads the Atlanta U.S. attorney’s office cybercrime unit, created last year to fight the growing threat. For every conviction there may be 10 times as many that don’t end successfully, he said.

Atlanta has become a hub for cybercrime prosecution in large part because of a proactive and aggressive local FBI team, and because U.S. attorneys have committed the necessary resources in recent years, Grimberg said.

Who’s behind the keyboard?

Identifying who’s responsible is a key difficulty: Cybercriminals use aliases and operate on the dark web, in corners of the internet reached using special software, where access is invite-only.

Investigators have infiltrated some of these online forums and can sometimes engage cybercriminals there, said FBI Supervisory Special Agent Chad Hunt, who oversees one of FBI Atlanta’s cyber investigation squads. Once they obtain some information, they can use search warrants to get other data, such as business records or credit card transactions, to match the online alias to a real person.

Even extremely sophisticated cybercriminals sometimes slip up or collaborate with someone who’s less careful, Hunt said.

“If we’re looking at somebody for a while, eventually they’ll make a mistake,” he said. “So even if they are using high-quality encryption, eventually they’ll do something stupid.”

Uncooperative foreign governments

Even when a cybercriminal’s identity is pinpointed, arrests can take time. Many operate in countries that won’t extradite to the U.S. But the FBI continues monitoring these suspects and can catch them if they travel, said Assistant Special Agent in Charge Ricardo Grave de Peralta, who oversees the Atlanta office’s cyber investigation squads.

“A lot of these people are in places that aren’t so great and they like to go on vacation, and we’re happy to meet them in a third location and perhaps bring them to a second vacation here in the United States, all expenses paid,” he said with a smile.

Even with friendly foreign governments, extraditions can take time: Often, the merits of a case are essentially litigated in the process, so that authorities in the other country are satisfied the incriminating evidence is solid, Grimberg said.

Deals and cooperation

Once confronted with evidence against them, some cybercriminals decide to plead guilty and work with prosecutors instead of going to trial.

Their language skills, technical expertise and ability to communicate on online forums and sites open exclusively to cybercriminals make their cooperation invaluable, sometimes leading directly to new prosecutions, Grimberg said.

The government is committed to being as transparent as possible about that cooperation, especially when people get lighter sentences as a result, Grimberg said, but details are often sealed because cooperators fear repercussions.

Meaningful sentences

Prosecutors said the SpyEye malware caused close to $1 billion and Citadel more than $500 million in harm to individuals and financial institutions worldwide.

Because the scope of harm can be huge, federal sentencing guidelines often allow for a life-in-prison sentence.

Prosecutors ask for sentences tough enough to send a warning to others, and to discourage the person from returning to cybercrime when they get out. But because cybercriminals are frequently young, have no criminal history and the crimes aren’t violent, prosecutors rarely ask for life, Grimberg said.

One hacker involved in SpyEye’s development got nine-plus years in prison while another got 15 when sentenced last year, and a Citadel developer got five in July. They weren’t ordered to reimburse victims.

That highlights another challenge: Despite financial losses, prosecutors frequently ask judges to find that it is impractical or overly cumbersome to impose restitution. Tracing the affected IP addresses to identify possible victims would be difficult, Grimberg said, and U.S. authorities can’t force them to pay once they return to their home countries.

Working with the private sector

Investigators and prosecutors in Atlanta work to establish relationships with companies before anything bad happens, which can make them more comfortable if there is a problem. But companies may hesitate to contact law enforcement because they worry about reputational damage, actions from civil authorities, lawsuits, and the exposure of trade secrets or sensitive information.

The former head of Equifax told members of Congress last month that the company was cooperating with the FBI and state agencies, but Equifax has suffered at least some of these consequences after failing to repair a known security weakness for months this year. Digital burglars had access to the company’s computer systems for 11 weeks before Equifax discovered the hack July 29. The company then waited until Sept. 7 before issuing a public alert, saying they hadn’t understood until then just how much information had been stolen.

Discussion Questions

1. Define cybercrime.

A cybercrime is a criminal activity carried out by means of a computer and/or the internet.

2. As the article indicates, cybercrime cases “are challenging, and the success stories are rare.” Further, for every cybercrime conviction, there might be ten times as many cases that do not end successfully. Are you surprised that the success rate for cybercrime prosecutions is so low? Explain your response.

This is an opinion question, so student responses may vary. In your author’s opinion, given the surreptitious nature of the internet, it is not surprising that the “solve” rate for cybercrimes is extremely low.

3. As the article indicates, federal sentencing guidelines allow for as much as a life sentence for the commission of a cybercrime. Define “federal sentencing guidelines.” Are you surprised that the punishment for the commission of a cybercrime can be as severe as life imprisonment? Why or why not?

Federal sentencing guidelines dictate the maximum and minimum punishment for the commission of a particular crime. They are designed to lend stability, predictability, and fairness to the sentencing of criminal defendants. In your author’s opinion, it is not surprising that the punishment for the commission of a cybercrime can be as severe life imprisonment, given the potential harm that can result from the commission of such an offense.

Article 2: "Senate Passes Mandatory Sexual Harassment Training"

According to the article, just before the United States Senate adjourned for the Veterans Day holiday weekend, the upper chamber passed a resolution mandating that sexual harassment training will be mandatory for senators, staff, and interns of the U.S. Senate.

“Making harassment training mandatory in the Senate sends a clear message: Harassment of any kind is not and will not be tolerated in Congress. Period,” Sen. Amy Klobuchar, D-Minn., said in a press release.

Klobuchar and Sen. Chuck Grassley, R-Iowa Republican, who is chairman of the Senate Judiciary Committee, co-authored the legislation.

“No place of work is immune to the all-too-prevalent scourge of sexual harassment, but we in Congress have a particular duty to set high standards of conduct,” Grassley said in a statement.

“In the wake of so many scandals and reports of sexual harassment around the country, it’s critical that we continue do everything we can to prevent it,” he said.

The bipartisan resolution requires all Senate members, staff, and interns to complete the sexual harassment prevention training offered by the Office of Compliance or the Office of the Senate Chief Counsel for Employment.

The training must be completed within 60 days, and each office would be required to submit certification of completed training, which would be published on the public website of the Secretary of the Senate.

The resolution also calls for an anonymous survey to be administered by the Sergeant at Arms that will gather information about instances of sexual harassment or related behavior in the Senate.

Note: In addition to the article, please see the video included at the above-referenced internet address.

Discussion Questions

1. What is sexual harassment?

According to the Equal Employment Opportunity Commission (EEOC):

It is unlawful to harass a person (an applicant or employee) because of that person’s sex. Harassment can include “sexual harassment” or unwelcome sexual advances, requests for sexual favors, and other verbal or physical harassment of a sexual nature.

Harassment does not have to be of a sexual nature, however, and can include offensive remarks about a person’s sex. For example, it is illegal to harass a woman by making offensive comments about women in general.

Both victim and the harasser can be either a woman or a man, and the victim and harasser can be the same sex.

Although the law does not prohibit simple teasing, offhand comments, or isolated incidents that are not very serious, harassment is illegal when it is so frequent or severe that it creates a hostile or offensive work environment or when it results in an adverse employment decision (such as the victim being fired or demoted).

The harasser can be the victim’s supervisor, a supervisor in another area, a co-worker, or someone who is not an employee of the employer, such as a client or customer.

2. As the article indicates, the United States Senate has passed a resolution mandating that sexual harassment training will be mandatory for senators, staff, and interns of the U.S. Senate. Should not professionals already know that sexual harassment is inappropriate and illegal? Explain your response.

As stewards of the law, all senators, staff, and interns of the United States Senate should already know that sexual harassment is inappropriate and illegal. As an unfortunate reality, however, sexual harassment training should be mandatory for them, particularly in light of the spate of sexual harassment controversies currently plaguing the United States.

3. In your reasoned opinion, is the mandatory sexual harassment training referenced in the article substantive, or is it merely “political posturing” in light of the overwhelming number of sexual harassment scandals surfacing in the United States recently? Explain your response.

This is an opinion question, so student responses may vary.

Article 3: “Jury Awards $7.5M to Man for Walmart Injury”

According to the article, an Alabama jury has awarded $7.5 million to a man who says he broke his hip buying a watermelon at Walmart.

Henry Walker, 61, says his foot became trapped in a pallet beneath a box of watermelons as he reached for one in 2015. He fell and sustained the injury. His attorney argued the retail giant should have covered the pallet, making the display safer.

Walmart, however, maintains the display is not dangerous and the injury was the fault of the customer. The retailer added it was disappointed in the verdict, feels it was an excessive amount and plans to appeal. In court documents during the trial, it said the same displays are still being used in stores around the country.

“Walmart continues to display watermelons in the same manner as it did on June 25, 2015,” the company said in a recent court filing. “These displays come to the store from the producer already packaged and ready to be dropped and displayed.”

Note: In addition to the article, please see the video included at the above-referenced internet address.

Discussion Questions

1. Define negligence.

Negligence is the failure to do what a reasonable person would have done under the same or similar circumstances. In order to establish negligence, a plaintiff must prove four elements: a) the defendant owed a duty of care to the plaintiff; b) the defendant violated the duty of care; c) the defendant proximately caused the plaintiff’s harm; and d) the plaintiff experienced damages (physical and/or economic) as a result.

2. Describe the defenses to negligence liability, including contributory negligence, comparative negligence and assumption of the risk

Contributory negligence doctrine dictates that if the plaintiff’s negligence, however slight, contributed to her own injury, the plaintiff cannot recover anything from the defendant, even if the defendant’s negligence substantially contributed to the plaintiff’s injury. Currently, four (4) states recognize the contributory negligence defense to negligence liability, including Alabama, North Carolina, Maryland, and Virginia.

Comparative negligence doctrine states that if the plaintiff’s negligence contributed to his own injury, the plaintiff can nevertheless recover from the defendant; however, the plaintiff’s recovery is reduced by the percentage his negligence contributed to his own harm. The defendant is then held responsible for the percentage that her negligence contributed to the defendant’s injury. Currently, forty-six (46) states recognize some version of the comparative negligence doctrine.

Assumption of the risk is a situation where the plaintiff voluntarily and willingly proceeds in the face of danger, knowing that injury may result. This doctrine is recognized in all fifty (50) states. If a trial jury concludes, based on the evidence presented, that the plaintiff assumed the risk, the jury is duty-bound to return a verdict entirely in favor of the defendant.

3. Based on your review of the article and related video, was the jury verdict sound in terms of a) liability and b) verdict amount? Do you need more information in order to assess the propriety of the jury verdict? Explain your response.

These are opinion questions, so student responses may vary.