Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Lawyers Looking for Witnesses & Evidence Need to Know About Internet Anonymity!

Posted in Cyber

Infoworld recently reported about how folks can become anonymous on the Internet which comes in the wake of the 37 million individuals who were exposed in the Ashley Madison hack. The August 25, 2015 report was entitled “9 steps to make you completely anonymous online” and included these 9 steps which all lawyers need to understand in order to find witnesses and ESI:

1. Find a safe country
2. Get an anonymizing operating system
3. Connect anonymously
4. Use Tor
5. Don’t use plug-ins
6. Stick with HTTP/S
7. Avoid the usual applications
8. Set up burner accounts
9. Never use credit cards

Any lawyer who doesn’t understand these 9 steps is way behind the curve in 2015!

Cybercriminals Know How to Access Law Firms

Posted in Cyber

Aderant recently published an article entitled “5 Deadly Sins Cyber Criminals Know About Law Firm Security,” written by Lewis Thomason CFO William Kunkel, attorney Joy Justin, and consultants from Sword & Shield. The first deadly sin is one everyone knows about:

1. The door is open.
Passwords are the one security routine we all know to be essential. But not all passwords are created equal, and inferior passwords often live too long. Hackers only need to successfully capture one user’s password to open the door and access your data. Some experts believe passwords have outlived their usefulness and stronger safeguards, such as dual-authentication tools, are now necessary.

At a minimum, firms need to ensure that the password door is closed to intruders. Implementing policies that reinforce strong passwords can go a long way in this effort. We suggest implementing the following criteria for more secure passwords:

§ Update passwords quarterly
§ Do not repeat passwords
§ Require passwords to be a minimum of 10 characters in length, using a combination of numbers, letters and special characters
§ Exclude use of names or so-called “dictionary words”
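The four criteria above can be enforced mechanically at the point where a user sets a new password. The following is an added example (not code from Aderant, Sword & Shield or this blog) of such a policy check in Python: minimum length, required character classes, a deny-list of names and dictionary words (with common digit-for-letter substitutions normalized so “P4ssw0rd” is still caught), a reuse check against the user’s retained password hashes, and a quarterly expiry test. The deny-list, the history depth, the PBKDF2 work factor and the per-user salt are constructed sample values, not settings from the article.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample deny-list of dictionary words and names; a real deployment
# would load a full word list plus the firm's own staff and client names (assumption).
DENY_WORDS = {"password", "welcome", "summer", "lawfirm", "justice", "smith", "william"}

MIN_LENGTH = 10          # minimum length from the article's criteria
MAX_AGE_DAYS = 90        # "update passwords quarterly"
HISTORY_DEPTH = 8        # prior hashes kept per user for the reuse check (assumed value)
PBKDF2_ROUNDS = 100_000  # work factor for stored hashes (assumed value)

# Common digit/symbol-for-letter substitutions, so "P4ssw0rd" is still caught
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "@": "a",
                       "$": "s", "5": "s", "7": "t"})


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256, hex encoded; only these hashes are ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def contains_deny_word(password: str, words=DENY_WORDS) -> bool:
    """True if a listed name or dictionary word appears inside the password,
    ignoring case and the substitutions in _LEET."""
    normalized = password.lower().translate(_LEET)
    return any(w in normalized for w in words)


def check_password(password: str, salt: bytes, previous_hashes: list) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no special characters")
    if contains_deny_word(password):
        problems.append("contains a name or dictionary word")
    candidate = hash_password(password, salt)
    # constant-time comparison against the retained history
    if any(hmac.compare_digest(candidate, old) for old in previous_hashes[-HISTORY_DEPTH:]):
        problems.append("reuses a previous password")
    return problems


def rotate_password(new_password: str, salt: bytes, history: list) -> list:
    """Apply the policy; on success record the new hash in the user's history."""
    problems = check_password(new_password, salt, history)
    if not problems:
        history.append(hash_password(new_password, salt))
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """Quarterly rotation: True once the password is MAX_AGE_DAYS old or older."""
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    user_salt = b"per-user-random-salt"  # constructed; use os.urandom(16) per user in practice
    history = []
    for candidate in ["Ab1!", "P4ssw0rd!!", "Tr0ub4dor&3", "Tr0ub4dor&3"]:
        print(candidate, "->", rotate_password(candidate, user_salt, history) or "accepted")
```

The reuse check compares only hashes, so the history never holds a cleartext password, and the deny-list check runs on a normalized copy so that substituting digits for letters does not bypass it.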

Here are all 5 of the deadly sins:

1. The door is open.
2. People are helpful.
3. Awareness is not translated into priority.
4. Monitoring and detection tools are not utilized.
5. Perception that security controls are cost prohibitive and hamper billable work.

Clearly all law firms need to protect themselves from these cybercriminals. It’s not a question of whether they will attack, it’s just when!

Surprise! Cyberintrusions are Directed at eDiscovery Evidence

Posted in Cyber, E-Discovery

eDiscovery is the monster that ate Cleveland as everyone knows, but storing the ESI (Electronically Stored Information) is at risk to cyberintrusions since the ESI includes “highly sensitive information,” as reported by my good friend Monica Bay in Legaltech News. Monica’s August 18, 2015 story, entitled “Cybersecurity Infiltrates E-Discovery Managed Services,” should be a wake-up call to all litigants, as she points out:

Over the last decade, e-discovery options for law firms have evolved dramatically. But whether a firm keeps it in-house, overseas or chooses some version of e-discovery managed services, vetting vendors has become even more difficult with the explosion of cybersecurity.

Law firms are especially vulnerable to breaches, because lawyers (especially those in litigation, property or mergers and acquisitions) process highly sensitive information—and law firms are notorious for weak security.

Clearly it is time for lawyers to realize how vulnerable they and their ESI are!

5 Things Every Lawyer Needs to Know about Cyberinsurance!

Posted in Cyber, eCommerce

Lawyers should take advantage of Computerworld’s recent update to IT professionals about cyberinsurance which included Gartner’s definition of cyberinsurance “as protection against losses stemming from data theft and data loss, or business interruptions caused by malware or a computer malfunction.”  The Computerworld report entitled “5 things you should know about cyber insurance” included these comments about the:

… staggering costs associated with data compromises are driving more companies to seriously consider cyber insurance, and plenty of insurers are stepping in to meet the demand.

#2 on the list, “Look beyond the quote sheets,” is very important, and Computerworld made these observations:

When purchasing insurance coverage for data breaches, pay attention to the fine print. Cyber insurance is an emerging field, and insurers don’t yet have a body of historical data to rely on when issuing policies, experts say. Policies that indemnify holders against losses due to cyberthreats are far less standardized than policies for other types of insurance. They often contain caveats and exceptions, making the coverage less comprehensive than it might appear on a quote sheet.

Here is Computerworld’s list of 5 things you need to know:

  1. Insurance isn’t a proxy for security
  2. Look beyond the quote sheets
  3. Know your exposure
  4. Understand what insurers want
  5. Know how to minimize deductibles

Since all clients and lawyers need cyber insurance this list should be important to you!

Alert to All Lawyers – Inevitable Data and IT Disasters May Destroy Client Files!

Posted in IT Industry

A recent report warned that lawyers have an “ethical and regulatory responsibility to protect your client’s confidential information, it is imperative that you have a plan in place to protect your data from loss, corruption or theft.”  Abacus Data Systems issued its report entitled “10 Critical Disaster Planning Essentials for Your Law Firm” which included these troubling statistics:

  • 96% of all business workstations aren’t being backed up
  • 30% of small businesses will experience a natural disaster
  • 60% of companies that lose their data will shut down within six months of the disaster

In particular you should consider these great ideas:

3. AUTOMATE YOUR BACKUPS – The #1 cause of data loss is human error! Do not rely on someone to set up your data backup – they could set it incorrectly, or not at all. Automating your backups so they run without any interaction, along with auto email notification to notify you or your team of any issues saves you sleepless nights. Establish program backup procedures and test them regularly – you do not want to discover during a disaster situation that your data backup system is faulty.

9. TEST YOUR SYSTEM – Only about 50% of companies test their disaster recovery plan once a year, and 14% never test it at all! Having a disaster plan in place isn’t enough – you need to know that it is reliable. Run a test once a month to ensure your backups are working and your system is secure.
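Essentials 3 and 9 together describe one automated loop: take the backup without human interaction, check it, restore it somewhere harmless and compare, and send a notification either way. The following is an added example in Python (not code from Abacus Data Systems or this blog) of that loop for a single matter folder: it writes a timestamped tar.gz with a SHA-256 sidecar, re-verifies the hash, performs a restore test into scratch space while refusing archive entries that would land outside it, and builds the status e-mail. The folder names, file contents and addresses are constructed; delivery through the firm’s SMTP relay is assumed and not shown.

```python
import hashlib
import hmac
import tarfile
import tempfile
from datetime import datetime, timezone
from email.message import EmailMessage
from pathlib import Path

def sha256_of_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def digest_file(archive: Path) -> Path:
    """Sidecar file holding the archive's recorded SHA-256."""
    return archive.with_name(archive.name + ".sha256")

def create_backup(source: Path, backup_dir: Path) -> Path:
    """Archive `source` into a timestamped .tar.gz and record its SHA-256 beside it."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    archive = backup_dir / f"{source.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    digest_file(archive).write_text(f"{sha256_of_file(archive)}  {archive.name}\n")
    return archive

def verify_archive(archive: Path) -> bool:
    """Recompute the hash and compare with the recorded one: catches silent corruption or tampering."""
    recorded = digest_file(archive).read_text().split()[0]
    return hmac.compare_digest(recorded, sha256_of_file(archive))

def _safe_members(tar: tarfile.TarFile, dest: Path):
    """Refuse entries that would extract outside `dest` (absolute names or '..' components)."""
    root = dest.resolve()
    for member in tar.getmembers():
        target = (root / member.name).resolve()
        if target != root and root not in target.parents:
            raise ValueError(f"unsafe path in archive: {member.name}")
        yield member

def restore_test(archive: Path, source: Path) -> list:
    """Extract into scratch space and compare every file with the live data.
    Returns discrepancies; an empty list means the backup restores correctly."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, members=_safe_members(tar, dest))
        restored = dest / source.name
        for live in source.rglob("*"):
            if not live.is_file():
                continue
            rel = live.relative_to(source)
            twin = restored / rel
            if not twin.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of_file(twin) != sha256_of_file(live):
                problems.append(f"content differs: {rel}")
    return problems

def status_message(archive: Path, verified: bool, problems: list, to_addr: str) -> EmailMessage:
    """The automatic notification the report calls for. Handing it to the firm's
    SMTP relay (smtplib) is assumed and not shown here."""
    ok = verified and not problems
    msg = EmailMessage()
    msg["Subject"] = f"[backup {'OK' if ok else 'FAILED'}] {archive.name}"
    msg["To"] = to_addr
    msg["From"] = "backup-robot@example.invalid"  # placeholder sender
    lines = [f"archive: {archive}", f"hash verified: {verified}"]
    lines += problems or ["restore test: no discrepancies"]
    msg.set_content("\n".join(lines))
    return msg

def run_demo() -> dict:
    """Constructed end-to-end run on a sample matter folder: back up, verify and
    restore-test, then simulate a file edited after the backup and a corrupted archive."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "matter-2015-0042"
        (source / "pleadings").mkdir(parents=True)
        (source / "pleadings" / "complaint.txt").write_text("constructed sample pleading\n")
        (source / "notes.txt").write_text("constructed attorney notes\n")
        archive = create_backup(source, Path(tmp) / "backups")
        result = {"verified": verify_archive(archive), "problems": restore_test(archive, source)}
        result["subject"] = status_message(archive, result["verified"], result["problems"],
                                           "it-alerts@example.invalid")["Subject"]
        # live data edited after the backup: the restore test must report the drift
        (source / "notes.txt").write_text("edited after backup\n")
        result["drift"] = restore_test(archive, source)
        # archive damaged on disk (last byte flipped): the hash check must now fail
        with archive.open("r+b") as f:
            f.seek(-1, 2)
            last = f.read(1)[0]
            f.seek(-1, 2)
            f.write(bytes([last ^ 0xFF]))
        result["corrupt_verified"] = verify_archive(archive)
    return result

if __name__ == "__main__":
    print(run_demo())
```

The restore test is the part most firms skip: a backup whose hash still matches can still be useless if the job silently excluded a directory, and only extracting and comparing proves the data comes back. Scheduling `run_demo`-style jobs from cron or Task Scheduler, with the real source and an off-site backup directory, is what “automate” means in practice.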

Here are all 10 Critical Disaster Planning Essentials:

  1. HAVE A WRITTEN PLAN
  2. SET UP A COMMUNICATIONS PLAN
  3. AUTOMATE YOUR BACKUPS
  4. HAVE AN OFF-SITE BACKUP FOR YOUR DATA
  5. HAVE REMOTE ACCESS AND MANAGEMENT OF YOUR NETWORK
  6. IMAGE YOUR SERVER
  7. NETWORK DOCUMENTATION
  8. MAINTAIN YOUR SYSTEM
  9. TEST YOUR SYSTEM
  10. HIRE A KNOWLEDGEABLE PRO TO HELP

No question that all lawyers need to know more about IT and data management to protect themselves and clients.

What a Great Idea – Keep a Cybersecurity Attorney on Retainer!

Posted in Cyber, eCommerce

Since “99% of incident response and forensics is run through IT not counsel” businesses should follow Computerworld’s advice about managing cyberintrusions since “time is not a friend in any breach situation, companies that have cyber security attorneys on retainer are better positioned to quickly and efficiently respond to incidents.”  My July 2015 eCommerce Times column entitled “DoJ: Firms Should Hire Cyber-Savvy Lawyers” is right on point as is the August 4, 2015 Computerworld story entitled “Do you need a cybersecurity attorney on retainer?” which included this comment:

Cybersecurity attorneys are also instrumental in working with the government for subpoenas so that organizations can maintain privilege and be in compliance with the law.

JJ Thompson (chief executive officer at Rook Security) also provided 4 areas of concern regarding having a cybersecurity attorney on retainer:

  • breach scenarios,
  • personnel policies,
  • cyber liability insurance, and
  • working with government

Since every business will have a cyberintrusion, it’s just a matter of when…so following Computerworld’s advice to have a cybersecurity attorney on retainer makes lots of sense.

Cyber & Legal Risks all over these 45 Security and Privacy Blind Spots!

Posted in Cyber, eCommerce


Everyone should be interested in a recent Blind Spot Report which was created because of the “demand for accountability in respect to privacy protection is growing, and security professionals are finding themselves in part responsible for this issue.”  The International Association of Privacy Professionals (IAPP) issued a report entitled “The Top 45 Security and Privacy” with an example of each blind spot. Here is a sampling of important Privacy Blind Spots:

  1. Enforce Strong Password Policies
  2. Logging IP Addresses May Violate Privacy Policies

In late 2007 Peter Scharr, Germany’s data protection commissioner, argued that Internet Protocol (IP) addresses should be considered personal information, but a court ruling in Washington state in 2009 decided it wasn’t. Which is it, then? As a general rule of thumb, if you can combine an IP address with other information to identify an individual, it should be considered personal information. In either case, only collect IP addresses when there is a specific purpose for that information.  Many organizations make public promises that they don’t capture any personally identifying information. Yet just about every website or web-based application keeps a log of visitors to their sites, most of which capture IP addresses.
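Because nearly every web server logs the client address by default, the practical fix for this blind spot is to decide what the address is for and rewrite the log accordingly before it is stored. The following is an added example in Python (not code from the IAPP report or this blog) that scrubs Apache-style access log lines in one of three modes: drop the address when there is no purpose for it, truncate it to a /24 (IPv4) or /48 (IPv6) prefix when only coarse statistics are needed, or replace it with a keyed HMAC token when abuse still has to be correlated across requests. The log lines, addresses and key are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import re
from typing import Optional

# Constructed sample access-log lines (Apache common log format; addresses come
# from the RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_LOG = """\
203.0.113.42 - - [18/Aug/2015:10:15:01 -0500] "GET /index.html HTTP/1.1" 200 5120
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [18/Aug/2015:10:15:07 -0500] "GET /contact HTTP/1.1" 200 2048
198.51.100.7 - - [18/Aug/2015:10:16:22 -0500] "POST /login HTTP/1.1" 302 0
"""

_LEADING_HOST = re.compile(r"^(\S+)(.*)$", re.DOTALL)


def truncate_ip(ip: str) -> str:
    """Zero the host bits: keep the /24 of an IPv4 address and the /48 of IPv6.
    Enough for geography and traffic statistics, not enough to single out a subscriber."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed token: the same client yields the same token while the key is in use
    (so abuse can still be correlated), but the address cannot be recovered without
    the key. Rotating the key (e.g. daily) limits long-term linkability."""
    addr = ipaddress.ip_address(ip)
    tag = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:16]
    return f"ip-{tag}"


def scrub_log_line(line: str, mode: str, key: Optional[bytes] = None) -> str:
    """Rewrite the client address at the start of one log line.
    mode: 'drop' (no purpose for the address, so do not keep it), 'truncate' or 'hmac'."""
    m = _LEADING_HOST.match(line)
    if not m:
        return line
    host, rest = m.group(1), m.group(2)
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return line  # not an IP address (hostname or malformed line): leave unchanged
    if mode == "drop":
        replacement = "-"
    elif mode == "truncate":
        replacement = truncate_ip(host)
    elif mode == "hmac":
        if key is None:
            raise ValueError("hmac mode needs a key")
        replacement = pseudonymize_ip(host, key)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return replacement + rest


def scrub_log(text: str, mode: str, key: Optional[bytes] = None) -> str:
    """Scrub a whole log file's worth of lines, preserving line endings."""
    return "".join(scrub_log_line(l, mode, key) for l in text.splitlines(keepends=True))


def raw_ips_remaining(original: str, scrubbed: str) -> list:
    """Audit helper: which original client addresses still appear verbatim in the output."""
    ips = [l.split(" ", 1)[0] for l in original.splitlines() if l.strip()]
    return [ip for ip in ips if ip in scrubbed]


if __name__ == "__main__":
    print(scrub_log(SAMPLE_LOG, "truncate"))
    print(scrub_log(SAMPLE_LOG, "hmac", key=b"constructed-daily-key"))
```

Truncation is irreversible and needs no secret, which is why it is the usual default for analytics; the HMAC mode keeps a privacy promise only as long as the key is protected and rotated, so treat the key like any other credential. Running `raw_ips_remaining` after the rewrite is a cheap regression check that the scrubbing actually covers every line.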

  3. Unauthorized Use of Information

In 2012, Spokeo paid the FTC $800,000 to settle charges that it violated federal law by compiling and selling personal information for use by potential employers. The complaint against Spokeo alleged that it violated the Fair Credit Reporting Act by marketing its consumer profiles without making sure they would be used for legal purposes. Many marketers and sales people scheme to aggregate as much information as possible about their targets in order to give their pitches the best chance of success. The interconnectedness of our modern culture makes this type of activity increasingly easy, but just because you can do something, doesn’t mean you should.

  4. Unintentionally Collecting Information from Children

In an effort to boost its audience, Yelp created a streamlined sign-up process for its mobile app. Unfortunately, Yelp neglected to include a check for the applicant’s date of birth. As a result, it accidentally collected personal information from minors and a $450,000 fine from the FTC for violating the Children’s Online Privacy Protection Act. Regulations aggressively protect minors. If you believe your application or service will be used by minors, make sure to include a date check to verify their eligibility to send you their personal information.
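The date check the report recommends is small, but the mistakes that matter are in the edges: a sign-up form that accepts a blank or unparseable date of birth has no check at all, and an age calculation that is off by one around the birthday or on 29 February admits people it should not. The following is an added example in Python (not code from the IAPP report, Yelp or this blog) of an age gate that rejects missing, malformed and future dates and computes completed years correctly; the 13-year threshold is COPPA’s parental-consent age and is left as a parameter since the applicable age varies by jurisdiction.

```python
from datetime import date

MIN_AGE_YEARS = 13  # COPPA threshold for parental consent; adjust per jurisdiction (assumption)


def age_on(dob: date, today: date) -> int:
    """Completed years between dob and today. A 29 February birthday is treated as
    1 March in non-leap years, so the person is never counted a year too young."""
    years = today.year - dob.year
    try:
        birthday_this_year = dob.replace(year=today.year)
    except ValueError:  # dob is 29 Feb and this year is not a leap year
        birthday_this_year = date(today.year, 3, 1)
    if today < birthday_this_year:
        years -= 1
    return years


def signup_allowed(dob_text: str, today: date, min_age: int = MIN_AGE_YEARS) -> tuple:
    """Gate a self-service sign-up on date of birth. Returns (allowed, reason).
    Missing, unparseable or future dates are rejected rather than silently ignored,
    which is the gap the Yelp case illustrates."""
    if not dob_text or not dob_text.strip():
        return False, "date of birth required"
    try:
        dob = date.fromisoformat(dob_text.strip())
    except ValueError:
        return False, "date of birth must be YYYY-MM-DD"
    if dob > today:
        return False, "date of birth is in the future"
    if age_on(dob, today) < min_age:
        return False, f"must be at least {min_age} to register"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample inputs against a fixed "today"
    for dob in ["2002-07-17", "2003-01-01", "", "07/17/2002", "2016-01-01"]:
        print(repr(dob), "->", signup_allowed(dob, date(2015, 7, 17)))
```

Passing `today` in explicitly rather than calling `date.today()` inside the function keeps the check testable and avoids time-zone surprises at midnight; the server should supply its own clock, never a value from the client.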

  5. Employees Peeking at Private Information
  6. Personal Defamatory Remarks on an Internal Social Network
  7. Unique Identifiers Put Anonymity at Risk
  8. Collecting Information for Marketing Purposes Without Permission
  9. Emailing Canadians Without Explicit Consent
  10. Regulators Are Increasingly Technically Adept
  11. Responsibility for Sensitive Data Sent to Authorized
  12. Don’t Collect Information that Reveals Habits of the Individual Without Consent
  13. Recording Location Information Puts Anonymity At Risk
  14. Collecting Sensitive Information Without Allowing the User To Opt Out
  15. De-identification of Data Is Difficult; Really Difficult
  16. Don’t Collect Data You Can’t Use

Obviously all businesses have many of these blind spots.

Legal Departments Cause Lots of Cyberintrusions by Opening Too Much Phish!

Posted in Cyber, eCommerce

Verizon’s 2015 Data Breach Investigations Report identified that the legal, communications, and customer service departments “were far more likely to actually open an e-mail than all other departments.” My blog entitled “Phishing and Malware Cyberattacks are Directed at Law Firms (and Clients) – So it’s Time to Train Employees” is right on point and was reinforced by Lance Spitzner (Training Director for the SANS Securing The Human program) who noted in the Verizon Report:

…one of the most effective ways you can minimize the phishing threat is through effective awareness and training. Not only can you reduce the number of people that fall victim to (potentially) less than 5%, you create a network of human sensors that are more effective at detecting phishing attacks than almost any technology.

What does this say about lawyers?  Are they too trusting or naïve, or just need more training?

EU Demands that Google’s ‘Right to Be Forgotten’ Apply to Worldwide Searches, Not Just in the EU

Posted in eCommerce, Internet Privacy


Google is fighting a June 2015 order from the French CNIL (Commission nationale de l’informatique et des libertés) that ordered Google to “delist links not just from all European versions of Search but also from all versions globally.”  Google’s Global Privacy Counsel Peter Fleischer blogged on July 30, 2015 about the background of the EU May 2014 ruling:

…the Court of Justice of the European Union (CJEU) established a “right to be forgotten”, or more accurately, a “right to delist”, allowing Europeans to ask search engines to delist certain links from results they show based on searches for that person’s name. We moved rapidly to comply with the ruling from the Court. Within weeks we made it possible for people to submit removal requests, and soon after that began delisting search results.

However, Mr. Fleischer’s blog about the June CNIL order called it a “troubling development that risks serious chilling effects on the web” and ultimately:

…the Internet would only be as free as the world’s least free place.

This CNIL order applies to other search engines too, but since Google accounts for 90% of search engine traffic in the EU, Google is the test case for broadening the ‘right to be forgotten.’

HIPAA Violation from Cyberattack that Exposes 4.5 Million Patients at UCLA Health?

Posted in Cyber, Internet Privacy

In July 2011 UCLA Health settled HIPAA violations, paid a fine of $865,000, and “committed to a corrective action plan aimed at remedying gaps in its compliance with the rules,” but they were not prepared for a 2014 cyberattack: on July 17, 2015 UCLA issued a press release in which it admitted a new HIPAA violation affecting up to 4.5 million patients “believed to be the work of criminal hackers”:

UCLA Health announced today it was a victim of a criminal cyberattack. While the attackers accessed parts of the computer network that contain personal and medical information, UCLA Health has no evidence at this time that the cyber attacker actually accessed or acquired any individual’s personal or medical information.

UCLA Health is working with investigators from the Federal Bureau of Investigation, and has hired private computer forensic experts to further secure information on network servers.

Apparently the cyberattack investigation began in 2014 and as part of the investigation:

…on May 5, 2015, UCLA Health determined that the attackers had accessed parts of the UCLA Health network that contain personal information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information.

Time will tell about how bad this cyberattack has been for UCLA and its patients.