Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Get Ready for Artificial Intelligence (AI) in the middle of Blockchain!

Posted in eCommerce

Our eCommerceTimes column described how combining “AI with blockchain allows for the secure, transparent review of data that is changed or moved over time, giving both the buyer and seller confidence in the validity, title and transfer of that bridge in Brooklyn.”  The May 18, 2017 column, written by my Gardere colleagues Eric Levy and Eddie Block and me, is entitled “Intertwining Artificial Intelligence With Blockchain.” It describes Blockchain and includes a 1955 definition of AI from James McCarthy of Dartmouth College and a team of researchers as follows:

…the conjecture that every aspect of learning or any other feature of intelligence can in principle be so precisely described that a machine can be made to simulate it. An attempt will be made to find how to make machines use language, form abstractions and concepts, solve kinds of problems now reserved for humans, and improve themselves.

Let us know what you think about our column.

Googlification: Google has taken over US schools and as a result – the next generation!

Posted in eCommerce, Social Media

The New York Times reported that “more than half the nation’s primary- and secondary-school students — more than 30 million children — use Google education apps like Gmail and Docs.”  The May 13, 2017 report entitled “How Google Took Over the Classroom” included the observation that Google has replaced “Apple and Microsoft with a powerful combination of low-cost laptops, called Chromebooks, and free classroom apps.”  As a result:

In doing so, Google is helping to drive a philosophical change in public education — prioritizing training children in skills like teamwork and problem-solving while de-emphasizing the teaching of traditional academic knowledge, like math formulas. It puts Google, and the tech economy, at the center of one of the great debates that has raged in American education for more than a century: whether the purpose of public schools is to turn out knowledgeable citizens or skilled workers.

What do you think of Googlification?  No doubt Googlification is an interesting social change that neither Apple nor Microsoft managed to divert!

Private Blockchains may not be secure!

Posted in Cyber, eCommerce

Coindesk recently published a blog which “attacks the idea that true immutability can be achieved in blockchain systems, arguing a more relative definition of this feature better encapsulates what the technology can achieve.” The May 9, 2017 article entitled “The Blockchain Immutability Myth” was written by Dr. Gideon Greenspan, “the founder and CEO of Coin Sciences, the company behind the MultiChain platform for private blockchains.” Dr. Greenspan cited this example of how the immutability of a private blockchain is vulnerable if participants in the chain jointly undermine security:

Let’s imagine a private blockchain used by six hospitals to aggregate data on infections. A program in one hospital writes a large and erroneous data set to the chain, which is a source of inconvenience for the other participants. A few phone calls later, the IT departments of all the hospitals agree to ‘rewind’ their nodes back one hour, delete the problematic data, and then allow the chain to continue as if nothing happened.

Dr. Greenspan’s blog should help the dialogue about blockchain security!
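
The hospital scenario above, as an added example that is not from the Coindesk article or this blog: a minimal hash-linked ledger showing that an in-place edit by one node fails verification, while a rewind agreed by all six nodes still verifies internally. The function names and sample records are constructed, and the head hash recorded outside the group is an assumption of this sketch.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder parent for the first block

def block_hash(prev_hash, payload):
    body = json.dumps({"prev": prev_hash, "data": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "data": payload, "hash": block_hash(prev, payload)})

def verify(chain):
    """Internal check only: each block links to, and hashes over, its parent."""
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or b["hash"] != block_hash(prev, b["data"]):
            return False
        prev = b["hash"]
    return True

def matches_checkpoint(chain, height, expected_hash):
    """Compare the block at a recorded height with a hash kept outside the group."""
    return len(chain) > height and chain[height]["hash"] == expected_hash

def demo():
    # Constructed sample data: six hospital nodes hold identical copies.
    nodes = [[] for _ in range(6)]
    for n in nodes:
        append(n, "hospital-1: 3 infections")
        append(n, "hospital-2: erroneous bulk upload")
    checkpoint = (1, nodes[0][1]["hash"])  # (height, hash) noted by an outside party

    # One node edits an old record in place: its copy stops verifying.
    lone = [dict(b) for b in nodes[0]]
    lone[0]["data"] = "hospital-1: 0 infections"
    lone_ok = verify(lone)

    # All six rewind one block and carry on with new data.
    for n in nodes:
        n.pop()
        append(n, "hospital-3: 1 infection")
    rewound_ok = all(verify(n) for n in nodes)
    agree = len({n[-1]["hash"] for n in nodes}) == 1
    return lone_ok, rewound_ok, agree, matches_checkpoint(nodes[0], *checkpoint)

if __name__ == "__main__":
    print(demo())
```

The rewound chains pass `verify` and agree with one another; only the comparison against the externally held checkpoint shows that history changed.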

GUEST BLOG: Attorney Client Privilege Lost in the Cloud!

Posted in E-Discovery, eCommerce, Internet Access, Uncategorized

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

Eddie Block Dec 2 2016

Attorney Client Privilege in the cloud

Over the past few months I’ve been asked several times about the status of attorney-client privilege when attorneys use cloud technology.  It is an interesting question and there are a couple concepts that need to be explained about attorney client privilege.  So buckle up, this is a long one.

First (and very broadly speaking), attorney client privilege is lost when disclosed to a third party intentionally or inadvertently.  So an attorney and client discussing a case in a busy coffee shop could potentially lose attorney client privilege since a third party could overhear the communications.  I know the attorneys reading this post will likely come out of their chairs with exceptions, but I’m trying to paint a high level picture.

This loss of attorney client privilege does not mean that attorneys have to hide everything in locked safes buried in concrete.  The comments on the model rules of professional conduct state:

“…unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.” (emphasis added).

So, this brings us to Harleysville Insurance Company v. Holding Funeral Home, No. 1:15cv00057, memorandum op. (WD Va. Feb. 9, 2017).  In Harleysville, an investigator for the parent company of Harleysville uploaded surveillance video of the underlying event to a file sharing site.  He then emailed a link to the video to another party.  The same investigator later placed the case file in the share.

The share was not password protected or otherwise protected.  In fact anyone with the link or anyone who found the share could see the information.  Remember the language of the model rule above?  The Virginia court echoed this language in their opinion stating that inadvertent disclosure can be caused “by failing to implement sufficient precautions to maintain its confidentiality.” (emphasis added)  The court continued “With regard to the reasonableness of the precautions taken to prevent the disclosure, the court has no evidence before it that any precautions were taken to prevent this disclosure.” (emphasis added).

The court concluded that attorney client privilege had been waived by posting the information to a publicly available website.

As I’ve counseled clients in the past, whether attorney client privilege will survive in the world of cloud usage depends on the steps taken to prevent disclosure.  Encryption, access control, and logging are your friends.

Arizona passes a law recognizing that Blockchain is secure!

Posted in eCommerce, Internet Privacy

CIO from IDG reported on the first state to legalize Blockchain with this description: “A record or contract that is secured through blockchain technology is considered to be in an electronic form and to be an electronic record.” The May 4, 2017 article entitled “Is blockchain technology secure for your company’s transactions?” described countries that are embracing Blockchain, including “Egypt, India, Oman, Turkey and UAE,” and banks, including the Bank of England and the People’s Bank of China, to name a few. The article explained why Blockchain is secure:

Cryptography secures the records in a blockchain transaction, and each transaction is tied (in the chain) to previous transactions or records. In addition, the transaction records are distributed among and viewable by all participants of a blockchain distributed ledger. An attempt to tamper with the data would require that the hacker also change all the previous records in the blockchain.

CIO from IDG also presented this overview about expanding Blockchain beyond bitcoin:

Organizations worldwide are seeking to take advantage of the new opportunities and disruptive power of blockchain — organizations that understand the magnitude of potential security issues. It has been rigorously tested in pilots and at scale by many governments, institutions and companies that have found the technology is incredibly secure.

Blockchain is for real if you haven’t noticed!

WEBINAR VIDEO: Blockchain Legal Risks

Posted in eCommerce

Gardere’s recent webinar includes a discussion about the future legal issues of Blockchain. Of course I think Blockchain will change the world since bitcoin, which relies on Blockchain, and other Blockchain uses currently impact everyone on earth.  You are welcome to watch the April 26, 2017 “Blockchain Legal Risks” webinar prepared and presented by me and Gardere lawyers Eric Levy and Eddie Block.  Here’s a description of the webinar:

Many people are familiar with the online currency “bitcoin,” but many do not understand that blockchain is the technology that permits the internet to have its own monetary system. In January 2017, the Food and Drug Administration signed a contract with IBM to utilize Watson (its artificial intelligence technology) to better protect electronic medical records using blockchain technologies. Since data may be stored on the cloud anywhere around the world, it is essential to understand the laws that apply to your own use of blockchain. This webinar will educate you on blockchain and offer some insights into what the future may bring to currency, contracts and cross-border transactions.

Eric, Eddie, and I welcome any questions or comments.

4 ways to stop Spearphishing (aka Business Email Compromise “BEC”) which has cost $2.3+ billion!

Posted in Cyber, eCommerce

Proofpoint’s report states that spearphishing/BEC “have collectively scammed victims out of more than $2 billion globally” and that these “threats have hit more than 7,000 companies since the FBI’s Internet Crime Complaint Center (IC3) began tracking this type of scam in late 2013.” When I blogged about the FBI report “Watch out for BEC (Business eMail Compromise- aka Spearphishing) which has cost $2.3+ BILLION!” I had not seen Proofpoint’s report “Impostor Email Threats- 4 Business Email Compromise Techniques and How to Stop Them” with these four recommendations:

  1. Deploy an email gateway that supports advanced configuration options for flagging suspicious messages based on attributes (such as direction and Subject line) and email authentication techniques.
  2. Adopt advanced threat solutions to identify and block targeted attacks that travel over email, the No. 1 threat vector. These solutions must take into account the increasing sophistication of emerging threats and socially engineered attacks. Speak to your security vendor about system settings to identify and block impostor email threats.
  3. Put internal finance and purchasing controls in place to authenticate legitimate requests. These controls should include a secondary, out-of-band, in-person, or phone approval by another person in the organization.
  4. Make users aware of the latest social engineering and phishing schemes through regular training. Done right, “phishing” your own employees can also be a useful test of how effective your user-awareness efforts are. This approach also helps address the “human factor” of attacks.
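
Recommendation 1, flagging on direction, Subject line and email authentication results, sketched as an added example (not Proofpoint's or this blog's code). The organization domain, the subject watch list and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain
PAYMENT_TERMS = ("wire", "payment", "invoice", "urgent")  # assumed watch list

def addr_domain(header_value):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def flag_message(raw):
    """Return the reasons a gateway rule would flag this message, if any."""
    msg = message_from_string(raw)
    sender = addr_domain(msg["From"])
    reply_to = addr_domain(msg["Reply-To"])
    # Only trust an Authentication-Results header stamped by your own gateway.
    auth = (msg["Authentication-Results"] or "").lower()
    subject = (msg["Subject"] or "").lower()
    reasons = []
    if "dmarc=fail" in auth or "spf=fail" in auth:
        reasons.append("authentication failed")
    if reply_to and reply_to != sender:
        reasons.append("reply-to domain differs from sender")
    if sender != ORG_DOMAIN and any(t in subject for t in PAYMENT_TERMS):
        reasons.append("external sender with payment-related subject")
    return reasons

# Constructed sample messages (not real traffic).
SPOOFED = """\
From: "Pat CEO" <pat@example.net>
Reply-To: pat@mail.invalid
Subject: Urgent wire transfer today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net; dmarc=none

Please process this before noon.
"""

ROUTINE = """\
From: "Lee Staff" <lee@example.com>
Subject: Lunch menu
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

See attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("routine", ROUTINE)):
        print(name, flag_message(raw))
```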

Good advice to avoid spearphishing/BEC!

IoT Privacy Lawsuit- Bose sued for taking headphone data without consent!

Posted in eCommerce, Internet Privacy

A class action filed against Bose alleges that “Unbeknownst to its customers, however, Defendant designed Bose Connect to (i) collect and record the titles of the music and audio files its customers choose to play through their Bose wireless products and (ii) transmit such data along with other personal identifiers to third-parties—including a data miner—without its customers’ knowledge or consent.” Further, the plaintiff states that one’s personal audio selections “provide an incredible amount of insight into his or her personality, behavior, political views, and personal identity.”  The April 18, 2017 case Kyle Zak et al v. Bose Corp., filed in the Northern District of Illinois, includes claims that apply to Bose’s “QuietComfort 35, SoundSport Wireless, Sound Sport Pulse Wireless, QuietControl 30, SoundLink Around-Ear Wireless Headphones II, and SoundLink Color II (“Bose Wireless Products”)” in which Zak claims that:

None of Defendant’s customers could have ever anticipated that these types of music and audio selections would be recorded and sent to, of all people, a third party data miner for analysis.

Bose posted these comments in response to the lawsuit:

Nothing is more important to us than your trust. We work tirelessly to earn and keep it, and have for over 50 years. That’s never changed, and never will. In the Bose Connect App, we don’t wiretap your communications, we don’t sell your information, and we don’t use anything we collect to identify you – or anyone else – by name.

This will be an important privacy case to follow!

GUEST BLOG: Do you know which 2 states don’t have data breach notification laws?

Posted in Cyber, eCommerce

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

Eddie Block Dec 2 2016

Breach notification laws: Better privacy or the 10th circle?

Now only Alabama and South Dakota do not have a notification law on the books, since on April 19, 2017 New Mexico became the 48th state to enact a data breach notification law.

On the one hand this is good news for the privacy of New Mexicans.  They are now ensured they will have notice of a breach of their personally identifying information.  They will have the opportunity to mitigate the damage resulting from such a personal exposure.

For security and privacy folks, though, there is a different perspective.  We now have 48 distinct regulations to track.  If I have a client that does business across the country, I have to ensure I am able to help them comply with 48 different (and sometimes contradictory) regulations.  As an example, assume I have a client doing business in Texas, Oklahoma, and Colorado:

  • Texas and Oklahoma consider a driver’s license an element of personally identifying information; Colorado does not.
  • Colorado requires notification to the credit reporting agencies (CRA) if more than 1000 records are breached.  CRA reporting is required in Texas if more than 10,000 records are breached.  Oklahoma does not require CRA reporting at all.
  • Oklahoma allows for electronic communications if the cost of written communication exceeds $50,000; in Texas and Colorado it is only allowable if the costs exceed $250,000.

Add the other 45 states to the mix and the mapping becomes complex.  I won’t comment on whether there is a “better” rule, but the hodgepodge of requirements makes it more difficult for everyone.   This is the type of conflict that is ripe for a federal rule to unify requirements.  Unfortunately the attempts to do so over the past few years have failed to garner much attention.

BTW:  For the curious, there are at least 89 different countries with breach or privacy laws.  A breach at a multi-national corporation can be very complex.

Do you believe China’s new cyber laws are for real?

Posted in Cyber, eCommerce

Reuters reported that a new Chinese law “would require firms exporting data to undergo an annual security assessment law….[and] would ban the export of any economic, technological or scientific data whose transfer would pose a threat to security or public interests. It would also require firms to obtain the consent of users before transmitting data abroad.” The April 11, 2017 Reuters report entitled “China draft cyber law mandates security assessment for outbound data” included these comments about the new law, which is open for public comment until May 11:

Any business transferring data of over 1,000 gigabytes or affecting over 500,000 users will be assessed on its security measures and on the potential of the data to harm national interests, showed the draft from the Cyberspace Administration of China.

The law would ban the export of any economic, technological or scientific data whose transfer would pose a threat to security or public interests. It would also require firms to obtain the consent of users before transmitting data abroad.

The proposed law, which focuses on personal information security, comes just a day after state media reported government rewards of $1,500 to $73,000 for citizens who report suspected spies.

Skeptics have criticized the proposed cyber law, “calling rules ‘vague’ and claiming they unfairly target foreign companies with stringent requirements.”