Deepfakes aren’t fringe anymore. The costs associated with deepfake fraud are expected to grow from $12.3 billion in 2023 to $40 billion in 2027. Losses in individual cases can range from $243,000.00 to $35 million. According to some sources, as many as 92% of companies have suffered financial losses due to deepfake fraud. As a result, CIOs from companies that rely on digital content will need to deal with this issue.
Consider the following hypothetical.
For the past several years, you have been the CIO of Insightful Data LLC, a fictional purveyor of investment data for the financial community.
“Millions of our customer files were breached a few weeks ago. Their trading data was taken. We just discovered it.”
This is the message you will receive when you wake up tomorrow morning.
You know that the strategies are stored according to Social Security number. In your company’s warranties and representations, you state that “clients can rely on the data for their investment decisions” without “worrying about defects.”
Your team of scientists sifts through the data to “ensure accuracy with a .01% error rate.”
These trading strategies are trade secrets. Your clients are upset. You get several e-mails, ranging from “how could this happen” to “you will hear next from our lawyers.”
It turns out that a hacker used spoofed emails to get into your company system, impersonated a vendor, and installed malware.
“Spoofing” is a form of forgery where someone modifies an e-mail address to appear authentic. The address “cio@insightfuldata.com” would be changed to “cioo@insightfuldata.com.” This, then, enabled the culprit to get on Zoom calls using deep fakes of your clients.
Think this is fiction?
It has happened before to companies like U.K.-based engineering firm Arup. An employee of the company made a routine transfer of millions after a video call with senior management. The participants were deep fakes of the employee’s managers, not real management.
“Deep fakes”
“Deep fakes” are digital counterfeits. Stanford’s IT department explains that “deep fakes” are “fabricated hyper-realistic digital media, including video, image, and audio content.” Similarly, MIT Sloan defines deep fakes as a “specific kind of synthetic media where a person in an image or video is swapped with another person’s likeness.”
As seen in the example above, deep fakes have been used for nefarious purposes to defraud. But they are also used by some executives to create digital versions of themselves, known as “avatars”.
Legalities
CIO’s personal liability to the company:
CIOs are corporate officers. They have fiduciary duties to their companies. In this hypothetical case, your fiduciary duty would be to Insightful Data. Among other things, according to the Delaware Chancery Court, “an indispensable part of an officer’s job is to gather information and provide timely reports to the board about the officer’s area of responsibility.”
In conjunction, the officer’s duty includes identifying “red flags… and to address them” when they “fall within the officer’s responsibility.”
This duty likely includes keeping abreast of data privacy laws.
They have sprung up throughout the country. According to some sources, at least 20 states have enacted them.
The most well-known is California’s, known as the California Privacy Protection Act (CCPA). Under that statute, companies like Insightful Data that store personal information of California residents must enact “reasonable security procedures and practices” to protect the data. Even under tort law, these duties are known to derive from “best practices.” Personal information under the CCPA includes customer Social Security numbers.
Here, you were responsible for digital operations at the company, including cyber-related precautions.
You could be sued by the company for violating your fiduciary duties in the event that applicable practices were not complied with to protect the digital infrastructure.
Company’s liability to its customers:
Similarly, Insightful Data can be vicariously liable to customers of the company. Vicarious liability basically means that the company is liable for the acts of another.
To the extent that the CIO’s actions injured the customers whose data was breached, the company would likely be liable for the CIO’s conduct.
Third-party claims against the company:
Another potential source of liability here is consequential damage.
There may also be third parties that rely on the company’s data, through the company’s customers, to the third parties’ detriment. In the hypothetical above, this can arise when Insightful Data customers distribute the company’s data to third parties or permit them to trade on it.
These third parties, relying on the company data, can then sue.
This is similar to how a manufacturer can be liable for a product that is defective and distributed to an end user through a distributor supply chain.
The Wrap
Virtual technology is increasingly being used these days to communicate. In 2021, Zoom use increased by 326%. According to other estimates, 70% of the Fortune 100 currently use Zoom.
When using any such technology that can involve “deep fakes,” CIOs are best advised to consult with their CTO to better understand how the technologies interact. Then, doing a deep dive with tech legal counsel on the applicable best practices to secure the particular technology at hand is well advised.