According to a recent story in Bloomberg, some of America’s largest and best-known technology companies have responded to emergency legal requests that they believed came from law enforcement agencies but that were actually sent by cybercriminals. The information the tech giants provided was then used to “harass and even sexually exploit women and minors.”
Complying with emergency requests — which typically do not include a court order — is usually not legally required, but companies want to cooperate with and support law enforcement, and so they quite often comply. When criminals impersonate law enforcement officials and agencies, however, the question becomes whether a company has a process for verifying such requests and confirming their legitimacy, or whether responses are simply sent to whomever the request designates.
Compliance professionals, working with and on the advice of counsel, are well placed to help management ensure that a working process exists to verify that emergency legal requests are genuine.
This should not be the sole responsibility of corporations. After all, by impersonating law enforcement agents and agencies, those sending falsified requests are already violating criminal law. What is ultimately needed is an authentication system that can give a corporation assurance that a request is authorized. Until such a system exists, there are several steps a company can take to protect itself.
First, an authentication process is needed. Think of it as a “verify, then trust” arrangement. Every request names the requestor, and it will likely provide a way for the recipient to contact the individual who sent it. Our experience in online fraud strongly indicates that this contact information should not be trusted: in the case of a falsified request, following the contact instructions provided will put you in touch with the cybercriminal or their organization. Just as we advise consumers who receive a request for credit card information to call the telephone number on the back of their card rather than any number supplied in the request, corporate procedures should require validation through a source known to be real.
So, if a request appears to come from a particular FBI field office, there should be a designated contact at that office who can confirm the request was authorized. Until federal law enforcement agencies develop a uniform validation procedure, it may be necessary to work with your local FBI office, U.S. Attorney, Secret Service or other agencies to establish an interim point of contact for validating requests. Companies with a global footprint must also determine how to handle equivalent requests from foreign law enforcement organizations, and what their legal obligations are in responding to them.
A formal procedure that provides guidance to the organization on dealing with emergency requests is needed. As a start, consider the following guidance:
- Review the company’s position on emergency legal requests. The policy should state whether the company responds at all where it has no legal obligation to do so.
- Who handles the requests, and how are they contacted? Criminals will look for a “weak link” to pressure into responding to their falsified requests. For example, they may tell the target that if they do not comply immediately, or if they tell anyone else in the company about the request, they will be arrested and charged with “interfering in a federal investigation” or “interfering with a federal officer.” Companies should arm employees with a clear statement that no such request can prohibit them from notifying corporate counsel, and that there is a specific person who must be contacted. Preferably, that contact should be reachable 24 hours a day, seven days a week, to help counteract the pressure brought to bear on an employee.
- What are the verification procedures? Should every request be entered into a register? Does the company have established contacts at the agencies that send such requests? If not, policy should require that verification calls go only to publicly posted phone numbers. Are there circumstances in which verification could be short-circuited (such as a request characterized as “life or death,” which could itself be fake), and if so, what process applies?
- Who responds to the request? Is a validated request returned to the person who received it for response, or are all responses handled centrally? Decentralization opens the door to inconsistent responses and inconsistent handling of follow-up requests.
- The procedure should provide a defined role for the compliance function to regularly review the documentation and to provide reports to the General Counsel on any issues identified.
Corporations also need — perhaps through corporate counsel organizations — to recognize this issue and work with law enforcement to develop government-side procedures that enable and encourage request validation.
Given the liabilities associated with responding to falsified emergency legal requests, the one unacceptable option is ignoring the problem, and the compliance professional’s role should be seen as central and vital.
Alan Brill is Senior Managing Director, Kroll Cyber Risk Practice, and Kroll Institute Fellow.