
Cybersecurity and Information Security Newsletter

Issue 19 | June 14, 2022

Daniel Shin, a research scientist with the Commonwealth Cyber Initiative (CCI) Coastal Virginia region, wants to hear from you! Submit any cybersecurity and information security news items, or request related topics, via e-mail to dshin01@wm.edu.

This newsletter supports the mission of CCI. To learn more about CCI, including upcoming events, funded research, and news, please visit cyberinitiative.org.

New Jersey federal court dismisses lawsuit against TD Bank that alleged its failure to protect against online theft

On May 24, 2022, U.S. District Judge Karen M. Williams for the District of New Jersey dismissed all claims brought by Moore Capital Holdings LLC (Moore Capital) against TD Bank, NA (TD Bank). 1:21-cv-15029-KMW-AMD, Document 22, Moore Capital Holdings v. TD Bank, available here. The lawsuit alleged that Moore Capital suffered economic loss due to TD Bank’s failure to maintain proper cybersecurity. Judge Williams’ decision effectively ends Moore Capital’s attempts to pursue its case at the district court level.

In the previous year, Moore Capital filed a lawsuit against TD Bank for its “total and systemic failure to respond” against a cyber fraud scheme that led to a series of fraudulent wire transfers totaling nearly $300,000. Issue 10: CLCT Cybersecurity and Information Security Newsletter – TD Bank sued by a customer for failure to protect against online theft, available here. The cause of the incident was a business email compromise attack that induced a Moore Capital employee to share the company’s TD Bank account credentials with an unknown threat actor. As the result of the attack, multiple unauthorized wire transfers were initiated from Moore Capital’s account. The company alerted TD Bank to stop the unauthorized transfers, but TD Bank allegedly failed to implement proper procedures to stop or reverse the wire transfers.

In response, TD Bank asked the Court to dismiss Moore Capital’s lawsuit due to insufficient legal claims. Specifically, it accused Moore Capital of providing “irrelevant allegations and generalities in a circuitous attempt to . . . blame [TD Bank] for its employee’s act of providing third party hackers with . . . banking login credentials.” Agreeing with TD Bank, Judge Williams dismissed all of Moore Capital’s claims based on its failure to meet the required legal conditions to move forward.

Although a Moore Capital representative stated that the company is reviewing potential appeal options, the dismissal absolves TD Bank of liability stemming from the fraudulent wire transfer incident.

Analysis

This case illustrates the difficulty of assigning liability to third parties when the initial cause of a cyber attack was the victim itself. Based on Moore Capital’s provided timeline of events, TD Bank may have had several moments of opportunity to minimize the harm caused by the fraudulent wire transfers, even, perhaps, reversing some of the transactions. Nevertheless, TD Bank’s alleged inaction still does not rise to legal liability for Moore Capital’s claims.

This incident also highlights the risk of relying on third parties to limit the effects of a cyber attack. Unless there are explicit legal agreements that require the third party to intervene in response to a cyber attack, organizations should not rely on anyone to help them, even if they are customers of third-party businesses. Instead, they should focus on implementing a resilient cybersecurity strategy that incorporates a defense-in-depth approach to security, emphasizing cyber and information security training for all employees.

Former employee of a major NFT marketplace charged with wire fraud and insider trading

On June 1, 2022, the U.S. Department of Justice (DOJ) announced an unsealed indictment against Nathan Chastain, charging him with wire fraud and money laundering related to Non-Fungible Tokens (NFTs). The indictment stemmed from a grand jury in the Southern District of New York. Former Employee Of NFT Marketplace Charged In First Ever Digital Asset Insider Trading Scheme [DOJ], available here. Wire fraud is a federal crime that involves any scheme or deception to defraud others using electronic communication. 18 U.S. Code § 1343 - Fraud by wire, radio, or television, available here. Money laundering is a crime that involves any scheme to conceal the identity, source, and destination of money obtained by illegal means. Money Laundering, available here.

According to the indictment, Chastain was charged based on his alleged insider trading scheme involving NFTs on OpenSea, currently the world’s largest NFT marketplace. U.S. v. Chastain, Sealed Indictment, 22 Crim 305, available here. An arrest warrant for Chastain has been issued.

NFTs are a unique set of “tokens” on the blockchain that function to represent ownership of unique items. Non-fungible tokens (NFT), available here. Commonly, users trade NFTs in an online NFT marketplace to exchange, in return for digital currencies, “ownership” of digital assets often existing outside the blockchain, such as digital artwork or sports video footage. See, e.g., NBA Top Shot, available here. Although there are unresolved legal issues surrounding property rights afforded to NFT ownership, the number of NFT transactions within OpenSea has risen significantly since March 2021. The NFT Market Report [Chainalysis] at 4, available here.

Chastain was an employee of OpenSea, where he was responsible for selecting NFTs to be featured on the company’s webpage. Before featuring one, OpenSea did not disclose which NFTs were chosen to be showcased next. NFTs that OpenSea featured tended to gain substantial attention among NFT buyers, which temporarily increased the price of both featured NFTs and other NFTs from the same creator.

Chastain took advantage of OpenSea’s confidential business practice by secretly purchasing the next NFTs to be featured on OpenSea’s website. Shortly after those NFTs were showcased, Chastain sold them at a profit using anonymous digital wallets. His conduct was in breach of his confidentiality agreement with OpenSea, under which he was obligated to “maintain the confidentiality of confidential business information received in connection with [his] work for OpenSea,” and not to use such information except to perform his work for the company. U.S. v. Chastain, Sealed Indictment, 22 Crim 305, supra at 4.

Analysis

In its press release, the DOJ highlighted the indictment as the first-ever digital asset insider trading scheme. U.S. Attorney Damian Williams remarked that while “NFTs might be new . . . this type of criminal scheme is not.” Although NFTs are recent innovations within blockchain technology, current criminal laws are broad enough to hold individuals accountable even if the alleged criminal conduct is commenced via a novel virtual marketplace.

However, a grand jury indictment alone does not indicate guilt, and Chastain is presumed innocent until proven guilty beyond a reasonable doubt at a criminal trial. See Charging [DOJ], available here. Pending the outcome of Chastain’s upcoming criminal trial, the legal question of whether wire fraud and money laundering statutes apply within the NFT marketplace remains arguable. As of this newsletter’s publication, no date for Chastain’s criminal trial has been disclosed.

European Council and the European Parliament agree provisionally on an enhanced cybersecurity Directive

On May 13, 2022, the European Council and the European Parliament agreed provisionally on the Network and Information Security 2 (NIS2) Directive, which aims to provide baseline cybersecurity risk management measures and reporting requirements across all identified sectors in the European Union (EU). Strengthening EU-wide cybersecurity and resilience – provisional agreement by the Council and the European Parliament, available here. NIS2 is designed to replace the Network and Information Security (NIS) Directive, which was the first EU legislation on cybersecurity and sought to implement a high common level of cybersecurity across EU member states. The NIS2 Directive: A high common level of cybersecurity in the EU, available here. Although NIS raised the level of cybersecurity across the EU, fragmented implementation caused difficulties at the national level. Id. at 10. Such implementation problems are a byproduct of the rules being embodied in a Directive. Unlike Regulations, which are directly effective and enforceable across the EU, Directives bind EU member states to objectives that must be achieved by the end of the transition period but leave the states free to use any means they see fit for implementation. This can result in inconsistency in how a Directive is implemented.

The NIS2 proposal has three objectives. First, the proposal would mandate enhanced cybersecurity measures for all EU-based public and private entities that are identified as playing a critical function for the economy and society as a whole. Specifically, the NIS2 framework extends this requirement to new sectors, such as telecoms, social media platforms, and public administration.

Second, NIS2 would harmonize existing cybersecurity rules across the EU, including (1) security and incident reporting requirements and (2) the provisions governing national supervision and enforcement. The framework includes a two-stage mandatory cyber incident reporting rule: in the first stage, certain entities must submit their initial incident report within 24 hours of incident discovery; in the second stage, those entities must submit their final incident report no later than one month later.

Third, the NIS2 proposal aims to improve cooperation among different EU and national authorities in order to improve large-scale incident and crisis response. The framework would establish the EU-Cyber Crises Liaison Organisation Network (EU-CyCLONe), which would coordinate EU-wide cybersecurity incident response and facilitate information-sharing across the Union.

The European Council and the European Parliament are expected to review, and potentially approve, the NIS2 framework within the coming months.

Previous issues of this newsletter are available here.

Please feel free to submit cybersecurity and information security news items or request related topics to Daniel Shin (dshin01@wm.edu).
Copyright © 2022 CLCT

Center for Legal & Court Technology
William & Mary Law School
P.O. Box 8795, Williamsburg, VA 23187
