Hartford Business Journal

April 15, 2019

Issue link: https://nebusinessmedia.uberflip.com/i/1103838


By Gregory Seay
gseay@hartfordbusiness.com

Operators of Connecticut's banks, credit unions and thrifts essentially wear two hats. As investors, they leverage collected deposits into loans. As financial fiduciaries, they, too, accept responsibility for protecting depositors' private information and shielding accounts from thieves and hackers.

It's with their fiduciary hats on that Connecticut's deposit-collecting institutions, with support from state bank regulators and law enforcement, are promoting legislation — Senate Bill 811 — that would substantially raise state penalties for those convicted of depositor scams.

It, too, is but the latest example of Connecticut's determination to crack down on cybercrime. Just over a year ago, State Police formed the state's first investigations unit devoted exclusively to cybercrimes. And Connecticut is one of a handful of states with a cybersecurity czar and statewide cyber-defense plan.

Still, Connecticut residents and businesses remain vulnerable to cyberattacks, officials say, with the pace of data breaches in the state increasing in recent years. It was just over a year ago, for example, that a weekend cyberattack infected 160 computers across 12 state agencies. In February, UConn Health disclosed that an unauthorized third party had accessed its employee email accounts, potentially breaching the privacy of 326,000 patients and others.

Protecting money managers

Currently, deposit scams against financial institutions in Connecticut are a Class D felony with a maximum penalty of five years in prison and a $5,000 fine — too lax, the state's bankers insist. That would jump under S.B. 811 to become a Class A felony, bearing a maximum 25 years behind bars and a $25,000 fine per violation.

Thomas Mongellow, executive vice president of the Connecticut Bankers Association, said increasing the state's bank-deposit fraud penalties could help act as a deterrent.

"No. 1, what we'd like to do is give a clear road map for prosecutors … and send a message out there," said Mongellow, who in June ascends as CEO of the state's leading banker lobby. "If you're destroying somebody's financial well-being, it should be a stiff penalty."

He also noted that S.B. 811's penalties would extend beyond cyberthieves to family members and other caregivers who exploit physically or mentally debilitated depositors for financial gain.

The bill has received unanimous approval in the Banking Committee and is now awaiting further action in the Senate.

According to an American Bankers Association survey, fraud against bank deposit accounts cost the banking industry and their customers $2.2 billion in 2016.

Under Connecticut law, companies operating in this state must report any data breaches or other illegal access to consumer information to the state attorney general's office, which handles civil prosecutions only.

There were 801 data breaches reported in Connecticut last year, up 3 percent from 2017, the AG's office said.

Meantime, there have been 27 charges under the state computer crimes statutes since fiscal 2014, but all cases have been dismissed, according to the Office of Fiscal Analysis. It's not clear why no cases have been fully prosecuted in the last five-plus years.

Policy, technology gaps

Connecticut's cybersecurity chief Arthur House says the state is ahead, not only of other states, but other countries, when it comes to plotting strategies for thwarting harmful incursions into the etherspace of agencies, businesses and residents.

For instance, House said that amid allegations that Russian operatives penetrated much of America's social-media and other online portals, to sway the 2016 election, an inspection of Connecticut's digital elections setup uncovered Russian fingerprints. But there were no signs the operatives penetrated this state's digital-elections firewall, he said.

Still, House said lingering policy and technology gaps and inconsistencies are the real threats to states' and the nation's ability to shield themselves against cyberattacks and must be dealt with.

House helped lead development of Connecticut's first-ever cybersecurity defense plan last May, which called for extensive security in state government agencies, municipalities, the General Assembly and judicial branch. It also called for engaging the business community to encourage risk assessment and security.

While S.B. 811 raises penalties for cybercriminals who target banks operating in Connecticut, what about those who victimize insurers or small businesses? House asked. He suggested the tougher penalties should be instituted more broadly.

"I applaud paying attention to cyberissues," he said. "But I'd feel better if we took a comprehensive look at it."

Mongellow acknowledged bankers share many of the same cybersecurity concerns with other industries. However, he said this bill is targeted specifically at deposit-taking institutions.

Matthew Smith, general counsel for the state Department of Banking, said his agency's limited enforcement powers do not extend to criminal matters, but it supports anything that helps the state's financial institutions avoid data breaches like ones that compromised personal credit and other information for millions at Equifax and others in recent years.

"The department wants to partner with institutions it regulates to ensure there's a robust cybersecurity program in place," Smith said.

State police boost cyber presence

Just over a year ago, the State Police formed its first investigations unit devoted exclusively to cybercrimes.

State Police Sgt. Bryan Ferrucci supervises three detectives in the unit he was assigned to create, after a decade investigating online child pornography cases.

Cybercrimes committed against Connecticut residents and businesses are growing, Ferrucci said.

"We're definitely on an upswing," the 19-year trooper said. "The need for us is increasing every day."

Ferrucci said that, for now, his office has adequate manpower and other resources to probe cyberfraud, often in conjunction with the FBI, Secret Service and other state and federal law enforcement agencies.

Once his unit is notified of a financial cybercrime, Ferrucci says his team's first priority is "to stop the bleeding" of a victim's bank account — cutting the cybercriminal's digital umbilical cord.

As for the potential impact of Connecticut raising penalties for cybercriminals, Ferrucci is optimistic about their potential for deterrence.

"I don't think you'll ever stop [cybercrimes]," he said. "It may help to deter some people."

Digital Firewall

CT's latest cyber-defense mechanism is stiffening penalties against financial scammers, hackers

CT data breaches

By law, companies in Connecticut that experience data breaches, which can run the gamut from a misdelivery of personal information to compromised email accounts up through major cyberattacks, are supposed to report them to the state attorney general's office. The number of reported breaches has been increasing in recent years.

                          2017    2018    2019*
Data breaches reported     778     801      68

*Through January and February.
Source: CT Attorney General's Office

Illustration: Aurielaki, Shutterstock.com

Arthur House, Chief Cyber Security Risk Officer, Connecticut
