Caveat 8.4.21
Ep 88 | 8.4.21

An important consumer protection law you may not know about.


David Derigiotis: Yeah. This law is probably one of the most important consumer protection laws in place. But unfortunately, most consumers do not know that it exists. And, really, it's looking like some financial institutions don't know that it exists either.

Dave Bittner: Hello, everyone. And welcome to "Caveat," the CyberWire's privacy, surveillance law and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben looks at an appeals court case on peer-to-peer file sharing and the Fourth Amendment. I'll be discussing the FBI's recent testimony before a Senate Judiciary Committee on whether or not to ban ransomware payments. And later in the show, my conversation with David Derigiotis of Burns & Wilcox. We're going to be discussing protections related to fraud that are provided by the Electronic Fund Transfer Act. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's just jump into our stories here this week. Why don't you start things off for us? 

Ben Yelin: So I found a story again from my favorite member of appeals court Twitter, which is a real thing... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Gabriel Malor, another person who we're going to have to send a gift basket on Christmas... 

Dave Bittner: (Laughter) OK. 

Ben Yelin: ...Because he keeps alerting me to interesting cases. 

Dave Bittner: All right. 

Ben Yelin: This comes from the 8th Circuit Court of Appeals, U.S. Court of Appeals. This is a federal case. The incident happened in the state of Minnesota. So a law enforcement officer downloaded part of a computer file containing child pornography. He downloaded that file on a peer-to-peer network from an IP address connected to an individual named Christopher Shipton. 

Dave Bittner: OK. 

Ben Yelin: Shipton - based on that suspicion, they raided his house, found more digital devices with child pornography. He was arrested and prosecuted. He is challenging his arrest and prosecution on Fourth Amendment grounds, saying he has a reasonable expectation of privacy in sharing data on a peer-to-peer network. So what happened here is this Minneapolis police officer had a suspicion about Mr. Shipton and other individuals - had a suspicion that they were sharing child pornography on peer-to-peer networks. So they used this program called RoundUp eMule, which neither of us have heard of. 

Dave Bittner: (Laughter) Although I will say I - certainly, in my younger days, I spent a good amount of time on peer-to-peer networks. 

Ben Yelin: Didn't we all? Yeah. 

Dave Bittner: (Laughter) Right, exactly. Before music subscription services were a thing, I may have, you know, downloaded a copy of one of my favorite albums or something like that. So, you know, most of us have done our time on peer-to-peer networks and are familiar with what they are. 

Ben Yelin: I will not confirm nor deny that I still have music in my library from LimeWire. 

Dave Bittner: (Laughter) Right, right. 

Ben Yelin: But we'll save that for another time. 

Dave Bittner: There you go. 

Ben Yelin: So what they do is the officer uses what's called the file's hash value, and using that hash value, they're able to obtain the complete file, match it against known files that contain child pornography and make the connection that this person is trafficking child pornography because it's all part of a child protection system database, which, as a lower court judge explained, compiles these hash values of previously identified child pornography files and documents. 

Dave Bittner: So without actually seeing the file, somehow they have a view into the peer-to-peer network, and they can sort of - I don't know - these files have a fingerprint based on their hashes, and that's how they go after them. 

Ben Yelin: Absolutely. And now they have several programs. One of them is this RoundUp eMule, but there are others - G2 Scanner, NordicMule - that are tools that law enforcement use to help identify and find these files. What Shipton, the defendant, is arguing is that the officer who used this program performed a search under the Fourth Amendment and should have required a warrant. 

Ben Yelin: What the court said and the conclusion they came to is that Mr. Shipton does not have a reasonable expectation of privacy in information that is shared over a peer-to-peer network. And this is based on long-standing precedent in the 8th Circuit and in other courts across the country that if you are engaging in file sharing, you are necessarily doing something that's public. You're not trying to conceal that file. It's not something that you're keeping in a private place. 

Dave Bittner: Right. 

Ben Yelin: It's something that you're sharing publicly. 

Dave Bittner: (Laugher) Right, right. 

Ben Yelin: And so it makes sense that you don't have a reasonable expectation of privacy in that information. 

Dave Bittner: Interesting. 

Ben Yelin: So what Shipton tried to argue in front of this court is that there are three recent Supreme Court cases that would justify a newfound legal doctrine saying that peer-to-peer file sharing merits Fourth Amendment protection. And the court rejected his argument, but I'll briefly bring up those three cases that he invoked. The first is Carpenter v. United States, which we've talked about a million times... 

Dave Bittner: Yup, yup. 

Ben Yelin: ...Where the court said that you need a warrant to obtain historical cell site location information. What the court said is, yes, that information is something that you've shared publicly and, you know, so maybe there's a parallel there, but that's very detailed personal information about your long-term historical movements. That's very different than what files you share on a peer-to-peer network. So that case does not provide a worthy precedent. 

Ben Yelin: They invoked Riley v. California, which is the government needing a warrant to search your cell phone. Again, that's completely different because of the quality and the nature of information that's contained on one's personal device and the fact that, as opposed to peer-to-peer networks, you're not necessarily sharing anything by having something stored on your cell phone. You really could be attempting to keep something private if it's stored on your own smartphone or device. Then they bring up United States v. Jones, which was about tracking somebody with a GPS tracker. I feel like that was a real long shot. That really has nothing to do with the facts of this case. 

Dave Bittner: (Laughter) OK. 

Ben Yelin: What the court said is basically none of those cases offer any insight on peer-to-peer file sharing and that the precedent still holds that what you share, you know, on a peer-to-peer network is public. You do not have a reasonable expectation of privacy in that information. The government does not need a warrant to search it, and you could be subject to arrest and prosecution. So I thought it was a really interesting case, a really interesting investigative tool that law enforcement is using here and reinforces the idea that, you know, what you do on these peer-to-peer networks almost by definition is public because you are sharing something and passing files around, and therefore you've forfeited your reasonable expectation of privacy. 

Dave Bittner: That is interesting. I mean, I wonder - I would assume that the folks who are out there trying to share, you know, this horrible stuff with each other are trying to lay low with it, right? Like, I would - I mean, it - wouldn't you imagine that it's some sort of, you know, insular group, that they would somehow try to establish their own bubble with each other? 

Ben Yelin: Yes. 

Dave Bittner: And is that possibly a defense, by saying, we weren't putting this out for everyone to see, we were making an effort to keep this to our own small group of horrible people, right (laughter)? 

Ben Yelin: Yeah, I don't think that would be a valid defense. I think what courts have said is you could be trying to, in a certain sense, conceal the information that you're sharing... 

Dave Bittner: Yeah. 

Ben Yelin: ...But you are still sharing it online. It is - you know, even if you're sharing it with a subset of people, it's still public. You're still using some sort of peer-to-peer network. 

Dave Bittner: Right, right. 

Ben Yelin: And so that doesn't provide you a defense that you actually had a reasonable expectation of privacy in that information. 

Dave Bittner: Interesting. 

Ben Yelin: I think it's the nature of sharing that file, passing it to somebody else, putting it in the ether... 

Dave Bittner: Right. 

Ben Yelin: ...That forfeits that reasonable expectation of privacy, as opposed to a file stored on your own device that you haven't shared on a peer-to-peer network, where the law is a little bit different or, you know, some of these other cases he talked about, where, yes, maybe something is being shared publicly, but the quality and quantity of that information is so private and personal and revealing that that merits Fourth Amendment protection. 

Dave Bittner: Interesting. 

Ben Yelin: What the court is saying here is when none of those circumstances are present, there is no Fourth Amendment protection. And that's the case with peer-to-peer file sharing networks. 

Dave Bittner: Yeah, interesting. All right. Well, we'll have a link to that in the show notes. My story this week comes from CNN. This is on their politics page. It's written by Brian Fung and Geneva Sands, and it's titled, "FBI tells Congress ransomware payments shouldn't be banned." This is pretty interesting to me. Recently, Bryan Vorndran, who is the assistant director of the FBI's cyber division, he spoke to Congress before a Senate Judiciary Committee hearing about ransomware. And he made the case that we should not, as a matter of policy, ban ransomware payments. Now, you know, as we know, the - we have the ability to prohibit selling things to different nations, you know, doing business with - like, you know, you're not allowed to do business with North Korea. 

Ben Yelin: Yup. 

Dave Bittner: Right? And what's also, I think, interesting sort of in the history of this is that the FBI was out early on taking the position that you should not pay the ransom as a best practice. 

Ben Yelin: Right. 

Dave Bittner: Right? Because paying the ransom does all sorts of bad things. It - well, you're giving money to bad guys. You're encouraging that ecosystem and so on and so forth. The case that Bryan Vorndran makes - made in his testimony was he said, if we ban ransom payments now, you're putting U.S. companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities. I find that interesting (laughter). 

Ben Yelin: I thought that was a really interesting argument as well. 

Dave Bittner: Yeah. What do you make of that? 

Ben Yelin: It's not something I, on first blush, necessarily agree with. So I think there's a distinction we need to make here. There's the best practice of - you know, the FBI and other law enforcement agencies have been telling us for a long time, don't pay the ransom. It will simply encourage the MFers. 

Dave Bittner: Right. 

Ben Yelin: And, you know, I think that message is consistent with what the FBI is saying now. The separate question that they're bringing up - that they brought up at this committee hearing - is the prospect of Congress passing a law banning companies from paying ransoms. You know, whether it's an explicit ban or fining a company with a civil or criminal fine, criminal penalty, for paying the ransom, that's a different question entirely. And it can create, according to Mr. Vorndran, a perverse incentive, which is that you would get blackmailed for paying the ransom and not sharing that with authorities. I think the rationale there is, all right. We've been a victim of a ransomware attack. Federal law prohibits us from paying a ransom. But we really want our data back. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: We want our data back very quickly. We need to run our business. So I'm going to pay you in cryptocurrency under the table, and we're going to never talk about this again. What Mr. Vorndran is saying is, now the cybercriminals lord a lot of power over you. Because not only have they extorted a ransom from you, but they've also - now know that you've broken federal law by paying that ransom. And that could lead them to try to induce you to pay additional payments. 

Dave Bittner: Right. 

Ben Yelin: It's a decent argument. It sort of rubs me the wrong way because - and I don't know exactly how to put this. It kind of is going too far into the incentive structures here. You know, I do think Congress could pass a general principle against, you know, or explicitly penalizing companies or organizations from paying a ransom, and, you know, that might have some downstream effects. But not passing such a law also has downstream effects. So I just feel like it's a bit of a stretch to make that argument. Maybe that's just my opinion. 

Dave Bittner: I mean, you know, I think about - for example, I know of a community that has a bunch of swimming pools, right? And at the end of the swimming season, you're not allowed to just empty your swimming pools out into the local stream. 

Ben Yelin: Right. 

Dave Bittner: You get you get fined for that. 

Ben Yelin: Right. 

Dave Bittner: It's a violation. Well, I know of a community that simply does it and chooses to pay the fine, right? 

Ben Yelin: Yeah. 

Dave Bittner: Because it's... 

Ben Yelin: It's cheaper to do that. 

Dave Bittner: It's cheaper to do that. It's easier. It is - and so they're willing to do that. So I guess what I'm thinking of is, in a case like this, if there were a fine for paying the ransom, some organizations would choose to pay the ransom and pay the fine... 

Ben Yelin: Right 

Dave Bittner: ...As a cost of getting their data back. Is that a middle ground? 

Ben Yelin: It could be. And that would also cut against the argument that was made at this hearing. Because at that point, then a company might not be ashamed or might not be able to be extorted into paying additional ransom with the threat that, oh, we're going to, you know, make it public that you paid the ransom, which is a violation of federal law. That company might just say, yeah, we paid the ransom. 

Dave Bittner: Yep. 

Ben Yelin: Yes, it's a violation of federal law or federal regulations. But we're willing to pay the fine because we were that desperate to get our data back. 

Dave Bittner: Right. Right. 

Ben Yelin: You know, that might happen with more frequency, in which case Congress might go a step further - either make the penalties prohibitively expensive, or start actually prosecuting people seriously - you know, putting CEOs behind bars, that sort of thing, which I just think is a step that Congress would not be willing to take in the near future. 

Dave Bittner: No. I can also imagine that you could end up with the haves and the have-nots, where an organization that has unlimited resources could - it wouldn't hurt them at all to pay the fine. And we see this all the time, where big companies get hit with fines that are, you know, big numbers, but relative to their revenue... 

Ben Yelin: Right. Exactly. 

Dave Bittner: ...Meaningless (laughter). 

Ben Yelin: Right. 

Dave Bittner: Right? So - whereas a small company, a mom and pop, something like that - it could discourage them from - it could be prohibitive for them to pay the ransom and the fine and put them out of business. 

Ben Yelin: Yeah. And they're the ones who would suffer most from ransomware attack in the first place. 

Dave Bittner: Yeah. 

Ben Yelin: And so they're the ones that hopefully the law would be designed to protect. You know, ultimately, the goal here is to discourage ransomware attacks. 

Dave Bittner: Yeah. 

Ben Yelin: So if we're being unduly punitive to organizations who have suffered, maybe through some fault of their own, but maybe - you know, maybe not, maybe they just didn't have the resources to protect - you know, to raise up proper cyberdefenses, you know, we don't want to be in a position where we're being overly punitive to those people. Because that kind of defeats the purpose... 

Dave Bittner: Right. 

Ben Yelin: ...Of passing a law in the first place, which is to protect these companies. You know, I think the middle ground is what the DOJ has recently suggested that mirrors federal legislation that's been proposed by a bipartisan cohort of United States senators, where there is a reporting requirement on federal agencies, contractors, critical infrastructure operators, where you at least have to tell the government that your data has been breached. I think that's a reasonable first step. It is silent on the issue of whether to pay the ransom. But I think starting with a reporting requirement, you know, giving the government details so that the government can start to track patterns, you know, to start to try and figure out who some of these bad cybercriminals are and, you know, the government can pool resources to try and rectify the problem. I think that could be the proper middle ground here without addressing this land mine of whether to punish organizations for paying the ransom. 

Dave Bittner: All right. Well, we will have a link to that article in the show notes as well. And of course, we would like to hear from you. If you have something you'd like us to discuss here on our show or you have a question for us, you can write us. It's Ben, I recently had the pleasure of speaking with David Derigiotis. He is from the firm Burns & Wilcox. And actually, David caught my attention over on Twitter, so I'm pulling a Ben Yelin here. 

Ben Yelin: Yeah. 

Dave Bittner: (Laughter). 

Ben Yelin: You're turning into me, getting all of your good sources from Twitter. 

Dave Bittner: There you go. 

Ben Yelin: Yeah. 

Dave Bittner: That's right. That's right. I don't know if that's something I should brag about it or not. 

Ben Yelin: No. 

Dave Bittner: But David caught my eye with some some information that he was sharing about some fraud protection that is provided by the Electronic Fund Transfer Act. And it was some stuff that I was unaware of. So I thought it was worth sharing with our audience here. We reached out. And he agreed to come on the show. So here's my conversation with David Derigiotis. 

David Derigiotis: We oversee placing complex risks for our clients all over North America. So it's assisting with areas of professional liability, maybe for a law firm or for an accounting firm. Or it could be medical malpractice coverage for a physician, a doctor. Or it could be securing coverage for a data breach, cyber and privacy liability. That's been one of the biggest areas of growth and one of the greatest areas of focus probably over the last 12 months or so just with everything going on. So it's all specialty insurance, advising on coverage, making sure that the right terms and conditions are in place and working with clients to make sure that their risk management needs are met. 

Dave Bittner: Well, what led to our conversation today is I actually saw a series of posts that you put out on Twitter where you were calling attention to an issue one of your clients was having with a credit union. Can you walk us through? What exactly was going on there? 

David Derigiotis: Yeah. This law is probably one of the most important consumer protection laws in place. But unfortunately, most consumers do not know that it exists. And really, it's looking like some financial institutions don't know that it exists either. You know, I was contacted by the local news to speak on protections around online transfers, mobile banking, what we can do to secure our accounts and protect our funds. Because what happened - a local resident in Detroit was scammed. She was taking advantage of. And she thought that somebody from the bank had reached out to her. But of course, it wasn't somebody from the bank. They told her that her funds were being frozen. Somebody was trying to access her account in Texas. And she was rightfully concerned. And when I spoke with her, she said that a level of trust was built because she saw on the caller ID that it was coming up as her credit union. You know, I explained to her that spoofing is a very easy thing to accomplish. And you can make it look like it's coming from anywhere that you want to call to appear to be coming from. So she doesn't recall giving any type of account access over the phone. But somehow the criminals were able to get into her account. And they were able to transfer $4,000 in four separate $1,000 transactions through the Zelle software that was tied into her banking, into her account. So she called the the credit union the next day. And they told her, we never called you. Don't ever give out any type of information. But they also told her, unfortunately, there was nothing that they could do. And that's just not the case. 

Dave Bittner: Well, OK. So explain to us because I think a lot of people at that point would sort of chalk this up to being out of luck, that, oh, you know, I got scammed. And I guess I've learned a hard lesson here. But what protections are in place? 

David Derigiotis: Yeah. There's something called the Electronic Fund Transfer Act. And this is a very key consumer protection piece of law that has to do with really operating and living in a digital world, operating and accessing your bank account online, through mobile apps, the use of an ATM. This law was passed and signed back in 1978, believe it or not, way before we've gotten to the digital, you know, adoption that we have today. And back then, it really had to do more with ATMs and the use of automated teller machines in general. But what this consumer protection law does is it will actually provide recourse for a consumer if somebody accesses their bank account, if they make some type of unauthorized transfer. And that's exactly what happened in this case. And it really appears that the credit union doesn't even know that this law exists because they don't appear to be working with her to resolve her issue and to put the funds back into her account. 

Dave Bittner: So help me understand here. I mean, because I think something that we - like, common advice that I've heard from folks is that if you're charging things online, you should use a credit card instead of a debit card because credit card has better protections than a debit card. But the flip side of that is I've always wondered, if I'm sitting here minding my business, you know, not doing anything, someone manages to break into my bank and - virtually, electronically - and steal some of my funds, isn't that on the bank for allowing that to happen the same way as if someone walked into the bank and, you know, emptied out the vault? 

David Derigiotis: Absolutely. It is on the bank 100%. And there are a variety of protections in place when consumers use credit cards. This law doesn't apply to the use of credit cards. It has specifically to do with ACHs. It has to do with the use of debit cards, even gift cards. They made some amendments to it. And it applies to the use of those. So if anybody were to conduct an unauthorized transaction, it doesn't matter if the consumer unknowingly gave up account access. If you gave your email address, your password, your phone number, anything that it takes to get into your account, the Consumer Financial Protection Bureau, which actually oversees this law and the rulemaking for it, they came out with a bunch of FAQs surrounding fraud and abuse, social engineering, which was very helpful. I think it provides a lot of great information. If a consumer unknowingly gives it away because they think they're corresponding with somebody from the bank, the Consumer Financial Protection Bureau states that it doesn't matter. It doesn't matter if the consumer gave them keys to the kingdom, access to the account. The financial institution is still going to be responsible for that unauthorized transaction. And they need to reimburse the consumer for those lost funds. So while there are a great deal of protections around using credit cards, there's also another set of protections that have to do specifically with debit cards, the use of a checking account and savings account for consumers. And that's where this one applies right in the bull's-eye. 

Dave Bittner: You also pointed out in this series of tweets that this person may be entitled to statutory damages in addition. 

David Derigiotis: That's the interesting part about this law, is that it is preemptive. And that's where we get into a lot of problems with passing a national privacy law. The states - some have more comprehensive laws and rules around consumer protections. And with putting a national privacy law in place, the fight is always, is this going to be preemptive? Is this going to override any of our state data breach notification laws or state consumer protections that are put in place? This law actually preempts any type of weaker state protections that are in place. And within that law, within the rules, there are up to $1,000 of statutory damages that can be awarded for the consumer, along with attorneys fees and, of course, any actual damages that they've sustained in the loss. 

Dave Bittner: So for someone who has sustained a loss in this way, there's been unauthorized transfer out of their bank account or something like that, what do you recommend in terms of pursuing this, if they're having trouble with the bank, of letting them know that this is out there? 

David Derigiotis: Yeah. First and foremost, you have to contact the bank because they do have guidelines around notice and letting the financial institution know that something has happened. So typically, the way the wording is laid out, you have two days after you become aware of the unauthorized transaction. So you can let the bank know, either by making a call, communicating it to them verbally or through some type of written communication - or up to 60 days after you receive some type of statement in the mail or online. So they give a bit of a window there. And if you can get a hold of the bank within that time frame, two days after you find out or within 60 days of viewing it on the statement, your liability is dramatically reduced, typically up to $50 you'll be responsible for - in some cases, $500. In this particular case for Constance, who was involved in it, you know, we're talking about $4,000. But again, if you're not getting any type of reaction out of the credit union, the financial institution that you've contacted, you do have recourse through the Consumer Financial Protection Bureau directly. And I advise filing a complaint with them. And they can look into the matter on your behalf to try to get that money back for you. 

Dave Bittner: I realize this is a little bit like asking a barber if I need a haircut - but perhaps reaching out to a lawyer who could take your case as well. 

David Derigiotis: Absolutely. There are a number of attorneys that specialize in consumer protection laws. And I know that there would be an attorney out there without question that would be willing to get their hands on this because, again, the law is in favor of the consumer. And the burden is on the financial institution to show that it was not, in fact, an unauthorized transaction. So whether you do it yourself, you have the resources working through the Consumer Financial Protection Bureau, pushing forward ahead with the credit union or institution or, in some cases, getting hold of a lawyer that can represent you. 

Dave Bittner: And there are rules in here that they could allow for the payment of the attorney fees, which would, you know, I guess, take away some of the fear that someone might have of engaging an attorney, that they'll end up with a lot of money out of pocket. 

David Derigiotis: That's exactly right. And that's why the law provides that type of recourse for consumers. Not only getting your money back, but because you had to go through the trouble, the time, the energy and the expense of hiring attorney, you will get that reimbursed and covered the way the law reads. And on top of that, through another $1,000 for statutory damages - is there protections that are needed for consumers? 

Dave Bittner: It's interesting to me that there isn't broader awareness that this exists, you know? As we sort of said at the outset, I was under the - this is news to me that, I guess, that this protection exists to the degree that which it does. 

David Derigiotis: Yeah. You know, it's very interesting because the Consumer Financial Protection Bureau just came out in June - I mean, we're talking just a few months ago, a couple of months ago. They came out with some clarifying statements and Q&A around this exact scenario that we're discussing. So I think there were some misinterpretations in the way that the law was drafted and the way that the wording applied. But they were very clear in how they addressed fraud, how they addressed social engineering. There are - there is recourse for a consumer. The burden is on the financial institution. And there's just so much confusion around it because looking back at this case in particular, Dave, there has been some fighting between the financial institution or - I don't want to say fighting. Maybe arguing or pointing fingers back and forth. 

Dave Bittner: Right. 

David Derigiotis: The financial institution was trying to recoup money from Zelle, and Zelle, was saying, no, this isn't our responsibility; this is your responsibility to reimburse your customer on this. So there does still seem to be a lot of confusion. In this case, clearly, the credit union isn't aware of the rules, the law, and what type of protections are in place, or they clearly would have reimbursed her by now. That's why it's so important - you have to be armed with this knowledge. You need it to have it in your back pocket if you find that the financial institution is not working on your behalf and working to restore your funds. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: First thing I'll say is, who knows? If you engage with us on Twitter, you could end up on our show. 

Dave Bittner: (Laughter). 

Ben Yelin: So always respond to our tweets when we're interested in what you have to say. 

Dave Bittner: We're looking at you, Orin Kerr (laughter). 

Ben Yelin: I've been trying. The invitation is open any time, any day. 

Dave Bittner: (Laughter) That's right. That's right - 24/7. 

Ben Yelin: I will interview you in the middle of the night if I have to. 

Dave Bittner: (Laughter) OK. 

Ben Yelin: It was really interesting - it was a really interesting story to me. I mean, it's kind of surprising that credit unions would not be fully versed in a law that requires them to protect the financial transactions of their own consumers. I understand it because credit unions don't have the same type of legal department resources that the big banks have. It was still sort of surprising to hear. And it seems like protection, according to this law that he was referencing, is pretty robust if, you know, somebody fraudulently convinces you to give them information that might give them access to your money, to your bank account. 

Dave Bittner: Right, right. 

Ben Yelin: So I was sort of surprised listening to it, particularly the aspect of the credit unions themselves not being aware of this law that they're obligated to follow. 

Dave Bittner: Yeah, it was - that fascinated me too as well, this idea that the protections are far more robust than I think I had assumed that they would be because I think a lot of times it's easy to be cynical and assume that things are sort of stacked up against the consumer. 

Ben Yelin: Which they are in many contexts, yeah. 

Dave Bittner: Right. Absolutely. So to hear that there is this robust protection for folks out there, I think it's a good thing, and I think it's something that we should help spread the word about. If you find yourself in a situation where you've been hit by something like this, you know, do a little bit of homework, reach out to someone with expertise, someone like David, who can help you navigate that sort of thing, and just make sure that you aren't leaving anything on the table. 

Ben Yelin: Yeah, and I think it was particularly poignant because the example that he brought was somebody who was clearly exploited. You know, it was someone who, you know, fell for a scam. You know, this person - in retrospect, you know, maybe one of us would have caught on when somebody was calling us asking for this information, but many of us would not have caught on. 

Dave Bittner: Right. 

Ben Yelin: So they are exploiting somebody, and the law is designed to protect people who have been exploited in that manner. And, you know, we should be taking advantage of those consumer protections. 

Dave Bittner: Yeah, yeah. All right, well, again, our thanks to David Derigiotis from Burns & Wilcox for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.