Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Watch out for Cybersecurity Threats to IoT (Internet of Things) Medical Devices!

Posted in Cyber

The Food & Drug Administration (FDA) issued draft guidelines because IoT “medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation.”  On January 15, 2016 the FDA announced:

Cybersecurity threats to medical devices are a growing concern.

The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices.

While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle.

The FDA draft guidelines outlined “…important steps medical device manufacturers should take to continually address cybersecurity risks to keep patients safe and better protect the public health.”

Given the scope of IoT medical devices, it is imperative that cybersecurity protections be included in their design and well managed throughout their lifecycle.

Read your Cyberinsurance policies closely since they may not cover your losses!

Posted in Cyber, IT Industry

Everyone needs to review their cyberinsurance policies following the December 2015 “multi-billion dollar loss after hackers cut electric power to more than 80,000 Ukrainians last month.”  Reuters reported that many publicly-traded utility companies “have warned of their exposure to cyber risks in their most recent annual reports to securities regulators, and that their insurance coverage might not cover all expenses related to an attack.”  The January 28, 2016 report entitled “U.S. utilities worry about cyber cover after Ukraine grid attack” included these comments from “security experts, insurance brokers, insurers and attorneys representing utilities”:

…the Ukraine attack has exposed long-standing ambiguity over which costs would be covered by insurance in various cyber attack scenarios.

Reuters also included this warning:

Security experts have warned for several years that a cyber attack could cause power outages due to the growing reliance on computer technology in plants that is accessible from the Internet.

This report highlights the importance of getting the right experts to review your cyberinsurance policies.

eDiscovery Advice to IT – be on high alert to protect electronic evidence under “Legal Hold”!

Posted in E-Discovery, IT Industry

The concept of “Legal Hold” is not new in the least: long before anyone ever thought about electronic evidence (Electronically Stored Information, or ESI), once a party became aware of potential litigation it had a duty to protect all relevant evidence, such as paper documents.  So it comes as no surprise that a recent IT white paper reports that sanctions for destruction of ESI (i.e., spoliation) have increased by “271 percent since 2005!”  Networkworld covered Code42’s white paper “Protecting data in the age of employee churn,” which takes a broader scope for IT professionals because so many IT professionals leave their jobs at a relatively high rate.

Here are the points raised by Code42’s report about technology “that automates and tracks legal holds”:

  • Demonstrates the organization has an established process and enables identification, storage and maintenance of relevant data without increasing IT headcount.
  • Reduces risk and increases defensibility.
  • Guarantees that holds are issued in a timely fashion and contain all necessary information.
  • Enables data set selection.

Whether we like it or not, every lawsuit now involves ESI, and IT is responsible for helping protect that ESI.

7 cyber risks using WiFi including risks of using free hotspots!

Posted in Cyber, eCommerce, Internet Access, Internet Privacy

Everyone is dependent on WiFi; unfortunately most people think it is safe.  However, Networkworld identified 7 “ways you could be giving away your identity through a Wi-Fi connection and what to do instead.”  The November 13, 2015 report entitled “7 ways hackers can use Wi-Fi against you” included these points about “Using free hotspots”:

They seem to be everywhere, and their numbers are expected to quadruple over the next four years. But many of them are untrustworthy, created just so your login credentials, to email or even more sensitive accounts, can be picked up by hackers using “sniffers” — software that captures any information you submit over the connection. The best defense against sniffing hackers is to use a VPN (virtual private network). A VPN keeps your private data protected because it encrypts what you input.

All 7 of the WiFi Cyber Risks are:

  1. Using free hotspots
  2. Banking online
  3. Keeping Wi-Fi on all the time
  4. Not using a firewall
  5. Browsing unencrypted websites
  6. Not updating your security software
  7. Not securing your home Wi-Fi

Networkworld provided good advice given the ubiquitous nature of cell phones and tablets, which rely on WiFi.

Will antitrust laws limit the Frightful 5 who dominate digital life?

Posted in eCommerce, Social Media

The New York Times identified Amazon, Apple, Facebook, Google, and Microsoft as the “undisputed rulers of the consumer technology industry” in a January 20, 2016 article entitled “Tech’s ‘Frightful 5’ Will Dominate Digital Life for Foreseeable Future.”  Don’t forget that Microsoft lost its antitrust lawsuit in 2000, which is about 7,652 Internet years ago.  As recently as January 18, CNBC reported on the EU “Antitrust case against Google worth 6 billion euros”.

Nonetheless the New York Times made these observations about the Frightful 5:

This gets to the core of the Frightful Five’s indomitability. They have each built several enormous technologies that are central to just about everything we do with computers. In tech jargon, they own many of the world’s most valuable “platforms” — the basic building blocks on which every other business, even would-be competitors, depend.

These platforms are inescapable; you may opt out of one or two of them, but together, they form a gilded mesh blanketing the entire economy.

Given the history of IT and the Internet, the Frightful 5 may not even exist in 10 years; who knows?

Lawyers & Clients Need to Understand the Cyber Threats to the IoT (Internet of Things)!

Posted in Cyber, eCommerce

Wired’s report on 2016 cyber threats included the comment that “anyone who follows cybersecurity knows that techniques get bolder and more sophisticated each year. The last twelve months saw several new trends and next year no doubt will bring more.”  On January 1, 2016 Wired made its predictions of “The Biggest Security Threats We’ll Face in 2016,” which highlighted the “Rise of the IoT Zombie Botnet”:

There are many who say that 2015 was the year of the Internet of Things; but it was also the year the Internet of Things got hacked. Connected cars, medical devices, skateboards, and Barbie dolls, were just a few items shown to be vulnerable to hackers this year.

If 2015 was the year of proof-of-concept attacks against IoT devices, 2016 will be the year we see many of these concept attacks move to reality. One trend we’ve already spotted is the commandeering of IoT devices for botnets. Instead of hackers hijacking your laptop for their zombie army, they will commandeer large networks of IoT devices—like CCTV surveillance cameras, smart TVs, and home automation systems. We’ve already seen CCTV cameras turned into botnet armies to launch DDoS attacks against banks and other targets. Unlike a desktop computer or laptop, it can be harder to know when your connected toaster has been enlisted in a bot army.

Here’s Wired’s 2016 top 5 list:

  1. Extortion Hacks
  2. Attacks That Change or Manipulate Data
  3. Chip-and-PIN Innovations
  4. The Rise of the IoT Zombie Botnet
  5. More Backdoors

Anyone surprised by Wired’s report?

Is Google violating privacy laws in its use of K-12 student data?

Posted in Internet Privacy

A recent letter sent to Google from a US Senator expressed concern about the “extent to which Google may be collecting K-12 students’ personal data and using that information for non-educational purposes without parents’ knowledge or consent.”  On January 13, 2016 Senator Al Franken sent a letter to Sundar Pichai (Google CEO) about Google’s foray into education technology (EdTech) which included these statements:

Given the sensitive nature of student data, all parties involved, including the school administrators, teachers, parents, and the students, should have a clear understanding about what data are shared by schools with EdTech vendors, what data are collected by those vendors, how long the data are stored, and how they use the data.

Students and their families should be empowered to make informed decisions about whether and with whom they share such sensitive information, and they must be assured that when the information is retained it will receive the utmost protection.

He went on to ask that Google respond to these questions by February 12:

When a student is signed in to their GAFE account but is not using one of the GAFE services, what kind of data does Google collect on an individual student?

When a student is using a Chromebook but is not using one of the GAFE services, what kind of data does Google collect on an individual student?

If Google does collect any individualized data on a student, such as browsing information or viewing habits, when a student is using a Chromebook or is logged in to their GAFE account but is not using one of GAFE services, please address the following questions:

a. For what purposes does Google collect this information?

b. Is it necessary to collect all of this information for the provision of GAFE services or to deliver other valuable features that may be relevant for educational purposes?

c. Has Google ever used this kind of data to target ads to students in Google services, either in the GAFE services or other Google services, such as Google Search, Google News, Google Books, Google Maps, Blogger, or YouTube?

d. Has Google ever used this kind of data for its own business purposes, unrelated to the provision of Google’s educational offerings?

e. Is it possible to make this data collection opt-in?

f. Does Google share this information with additional parties?

Google has indicated that it compiles data aggregated from student users of Chrome Sync, anonymizes the data, and uses it to improve its services. Can you expand on how the aggregated information is treated? For example, does this include sharing the aggregated data with third parties for research purposes or otherwise?

Can you describe Google’s relationship with school districts and administrators that choose to use Google for Education products and services? Apart from publicly available privacy policies, does Google offer any explanation to parents, teachers, and education officials about how student information is collected and used? 

Can you describe all the contexts and ways in which both school administrators and parents of students using Google for Education products and services have control over what data is being collected and how the data are being used?

It will be interesting to see how Google responds.

Supreme Court thinks proportionality will help eDiscovery, but not everyone agrees

Posted in E-Discovery

In support of the 2015 Amendments to the Federal Rules of Civil Procedure, Chief Justice John Roberts said that “Rule 26(b)(1) crystalizes the concept of reasonable limits on discovery through increased reliance on the common-sense concept of proportionality.”  On December 31, 2015 the Supreme Court released the “2015 Year-End Report on the Federal Judiciary,” in which the Chief Justice made many comments about the 2015 Amendments, specifically regarding eDiscovery, and called for a “change in legal culture.”  He highlighted proportionality:

The amended rule states, as a fundamental principle, that lawyers must size and shape their discovery requests to the requisites of a case. Specifically, the pretrial process must provide parties with efficient access to what is needed to prove a claim or defense, but eliminate unnecessary or wasteful discovery. The key here is careful and realistic assessment of actual need. That assessment may, as a practical matter, require the active involvement of a neutral arbiter—the federal judge—to guide decisions respecting the scope of discovery.

The New York Times reported that not everyone agrees with the Chief Justice’s assessment:

Arthur R. Miller, a law professor at New York University, said “This provision will be used to restrict a citizen’s access to the information that often is critical to establishing a grievance, whether it be a civil rights claim or an economic or personal injury claim.”

Stephen B. Burbank, a law professor at the University of Pennsylvania, said the new rules were a poor fit for many lawsuits and will often prove counterproductive. “Continuing a trend that goes back decades, these amendments take a problem that arises chiefly in complex, high-stakes litigation between corporations, and devise solutions that necessarily apply to all federal litigation,” he said. “As a result, the layers of additional expense that active judicial management can impose make litigation costlier for litigants less able to afford it, including most importantly individuals.”

Time will tell how the 2015 changes to the Federal Rules will really work out.

Warning Issued about Legal Risks of Using Big Data

Posted in eCommerce, Internet Privacy

Most people do not appreciate what is meant by the term Big Data, so the Federal Trade Commission (FTC) issued a report which highlights that “potential benefits to consumers are significant, but businesses must ensure that their big data use does not lead to harmful exclusion or discrimination.”  On January 6, 2016 the FTC released its report entitled “Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues,” which included the following applicable laws that may be impacted by Big Data:

  1. The Fair Credit Reporting Act
  2. Equal Opportunity Laws
  3. The Federal Trade Commission Act

The Big Data report also included these Questions for Legal Compliance:

If you compile big data for others who will use it for eligibility decisions (such as credit, employment, insurance, housing, government benefits, and the like), are you complying with the accuracy and privacy provisions of the FCRA? FCRA requirements include requirements to (1) have reasonable procedures in place to ensure the maximum possible accuracy of the information you provide, (2) provide notices to users of your reports, (3) allow consumers to access information you have about them, and (4) allow consumers to correct inaccuracies.

If you receive big data products from another entity that you will use for eligibility decisions, are you complying with the provisions applicable to users of consumer reports? For example, the FCRA requires that entities that use this information for employment purposes certify that they have a “permissible purpose” to obtain it, certify that they will not use it in a way that violates equal opportunity laws, provide pre-adverse action notice to consumers, and thereafter provide adverse action notices to those same consumers.

If you are a creditor using big data analytics in a credit transaction, are you complying with the requirement to provide statements of specific reasons for adverse action under ECOA?

Are you complying with ECOA requirements related to requests for information and record retention?

If you use big data analytics in a way that might adversely affect people in their ability to obtain credit, housing, or employment:

  • Are you treating people differently based on a prohibited basis, such as race or national origin?
  • Do your policies, practices, or decisions have an adverse effect or impact on a member of a protected class, and if they do, are they justified by a legitimate business need that cannot reasonably be achieved by means that are less disparate in their impact?

Are you honoring promises you make to consumers and providing consumers material information about your data practices?

Are you maintaining reasonable security over consumer data?

Are you undertaking reasonable measures to know the purposes for which your customers are using your data?

  • If you know that your customer will use your big data products to commit fraud, do not sell your products to that customer. If you have reason to believe that your data will be used to commit fraud, ask more specific questions about how your data will be used.
  • If you know that your customer will use your big data products for discriminatory purposes, do not sell your products to that customer. If you have reason to believe that your data will be used for discriminatory purposes, ask more specific questions about how your data will be used.

Obviously Big Data is growing and apparently legal risks will grow as well.

Cyberattacks on the Increase in 2015 with 102+ Million People Exposed in 315 Data Breaches!

Posted in Cyber, eCommerce, Internet Privacy

The Identity Theft Resource Center (ITRC) “defines a data breach as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure.”  The ITRC’s December 31, 2015 Data Breach Reports were significantly higher than the 2014 Reports, which showed 81+ million people exposed.  Here are the categories of breaches and records for 2015:

  • Banking/Credit/Financial – 71 breaches of 5,063,044 records
  • Business – 312 breaches of 16,191,017 records
  • Educational – 58 breaches of 759,600 records
  • Government/Military – 63 breaches of 34,222,763 records
  • Medical/Healthcare – 277 breaches of 112,832,082 records

ITRC provides a great service in reporting this information in support of the ITRC’s Mission Statement:

  • Provide best-in-class victim assistance at no charge to consumers throughout the United States
  • Educate consumers, corporations, government agencies, and other organizations on best practices for fraud and identity theft detection, reduction and mitigation
  • Serve as a relevant national resource on consumer issues related to cybersecurity, data breaches, social media, fraud, scams and other issues.

Unfortunately the number of data breaches continues to grow, and it is unlikely this will ever change!