Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Email Privacy Act passes the House, but the proposed Act does not require notice of warrants

Posted in eCommerce, Internet Privacy

The Electronic Communications Privacy Act (ECPA) of 1986 was created to deal with telephone records, not email, so the newly proposed Email Privacy Act clarifies what email is, but it did not change the ECPA much, since it “does not require authorities to notify users that a warrant has been obtained to review their electronic communications.” The Email Privacy Act does, however, require search warrants to review electronic communications older than 180 days, which was not in the ECPA. As InformationWeek pointed out:

The Email Privacy Act also makes a distinction between commercial public content, such as advertisements, and content sent to an individual or select group, such as email.

In the meantime, to get a different perspective on the ECPA and the Email Privacy Act, you might want to check out my April 18, 2016 blog “Are US Privacy Laws Unconstitutional? We’ll find out in Microsoft’s new suit against the US Government!”

Even though the Email Privacy Act passed unanimously there is no exact predictability about what the Senate may do.

FBI says only 20% of private sector reports cyberintrusions!

Posted in Cyber, eCommerce

20+ years ago, before the Internet and Social Media, the conventional wisdom was that only 10% of businesses would report computer crimes. However, since cyberintrusions against Sony, Target, and other high visibility companies are daily headline news, one would think the increase was much more than only 20%. But FBI Director James Comey commented in a recent speech at the “Georgetown University International Conference on Cyber Engagement”:

According to a recent study, about 20 percent of those in the private sector in the United States who had suffered computer intrusions, actually turned to law enforcement. That means 80 percent of the victims in this country are not talking to us. We have to get to a place where it becomes routine for there to be an exchange—an appropriate, lawful exchange of information between those victims and government. First and foremost because we need that information to figure out who’s behind the attack.

He also pointed out that “the nation-states like China, Russia, Iran, and North Korea, and multi-national cyber syndicates—we’ve seen a significant increase in the size and sophistication of those who are looking to steal information simply to sell it to the highest bidder.” And of the multi-national cyber syndicates Director Comey pointed out:

Terrorists have become highly proficient at using the Internet to sell their message and to recruit and plan for attacks. They’re quite literally buzzing in the pockets of people to try and make them followers all around the world. There’s no doubt that terrorists aspire to use the Internet to engage in computer intrusions to get to our systems for all kinds of bad reasons, but we don’t see them there yet. Because the logic of terrorism and the Internet is what it is, that’s a threat we constantly worry about.

Clearly all businesses are at risk since everything is plugged into the Internet, so reporting cyberintrusions is essential so the cybercriminals can be found!

Apparently Yelp lost in its attempt to stop astroturfers!

Posted in eCommerce

In March 2015 I blogged about a Yelp lawsuit against alleged astroturfers, and in March 2016 the parties settled the case, but since the defendants continue to operate Revleap it would seem that Yelp lost its case. My blog “Do You Still Rely on Yelp Reviews After Hearing that Yelp Sues Astroturfers?” provides the details about the suit:

Yelp’s lawsuit alleges a breach of the ToS (Terms of Service) by the defendants who “try to game the system and undermine that trust, by building businesses based on fraudulent reviews…” in addition to the more obvious trademark violations. 

Since the lawsuit settled in November 2015, we don’t know the settlement terms, which are confidential. The Stipulation the parties filed on March 22, 2016 merely says:

The Parties to the above-captioned action HEREBY STIPULATE, by and through their counsel of record, that the action shall be, and is hereby, dismissed pursuant to Federal Rules of Civil Procedure Rule 41(a)(1), consistent with the Parties’ Settlement Agreement.

All in all, not much changed since the lawsuit was filed, as Yelp’s Terms of Service are still from November 27, 2012 (which is about 623 Internet years) and the defendants continue their Internet operations!

GUEST BLOG: Small Texas Law Firm Used in International Cyberattack

Posted in Cyber, eCommerce

My Guest Blogger John Ansbach is General Counsel of General Datatech, L.P. (“GDT”). John is a seasoned attorney with a broad range of experience developed over more than 18 years of practicing law, including as a corporate generalist; his background includes experience in contracts; cyberlaw; intellectual property; real estate; human resources; corporate governance; regulatory and compliance; and litigation. He has also developed experience as a legislative advocate and technologist, advocating for GDT and its industry partners in areas relating to cloud and cybersecurity, the Internet of Things (IoT), tax policy and patent reform.

SMALL TEXAS LAW FIRM USED IN INTERNATIONAL CYBERATTACK

April 22, 2016

It started a couple of days ago. The folks at the James Shelton law firm in Clarendon, Texas, about 60 miles east of Amarillo, began receiving calls. Thousands of calls from all over the place, including Canada and the U.K.

According to what’s known so far, cybercriminals apparently gained access to and used a law firm email account to email an unknown number of recipients with the subject “lawsuit subpoena.” The subject is company specific, and it asks if the “legal department” has received it yet. The email says the matter is, of course, “urgent,” and it includes a Word document attachment.

Actual email used in the cyberattack, intended to deceive recipients into clicking the attachment and downloading a malware infected payload.

In fact, the email (one was sent to our company here in Dallas) contains malware that is, according to sources, “a variant of Dridex… [It is a] virus [that] relies on macros in MS Office to propagate.”  “Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.” (emphasis added) (Source: Webopedia).
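A defender-side check for the kind of attachment described above, added here as an example and not part of the guest post: it inspects an e-mail attachment for an embedded VBA project (the `vbaProject.bin` part of an Office Open XML package), which is what macro-based malware such as Dridex depends on to run. The sample documents are constructed in memory, the function names are my own, and legacy binary `.doc`/`.xls` files are only flagged for review because this check does not parse the OLE2 format.

```python
"""Flag Office attachments that carry a VBA macro project.

Added example (not from the original post or the law firm): a mail-gateway
style triage for Word/Excel/PowerPoint attachments. Sample documents are
constructed in memory; no real malware or external file is involved.
"""
import io
import zipfile

# Package parts whose presence means the document embeds VBA macros.
MACRO_MARKERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Extensions this check cannot fully inspect (legacy OLE2) or that advertise macros.
REVIEW_EXTENSIONS = {"doc", "xls", "ppt", "docm", "xlsm", "pptm"}


def has_vba_project(data: bytes) -> bool:
    """True if `data` is an OOXML (zip) package containing a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            names = set(package.namelist())
    except zipfile.BadZipFile:
        # Not a zip container: either a legacy OLE2 document or not Office at all.
        return False
    return any(marker in names for marker in MACRO_MARKERS)


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'block', 'review' or 'allow'.

    Content is checked before the extension, so a macro-bearing file renamed
    to .docx is still blocked.
    """
    if has_vba_project(data):
        return "block"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in REVIEW_EXTENSIONS:
        return "review"
    return "allow"


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like package (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real VBA project stream (constructed).
            package.writestr("word/vbaProject.bin", b"placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("lawsuit_subpoena.docx", build_sample_doc(with_macro=True)),   # renamed macro doc
        ("lawsuit_subpoena.docm", build_sample_doc(with_macro=True)),
        ("minutes.docx", build_sample_doc(with_macro=False)),
        ("old_memo.doc", b"\xd0\xcf\x11\xe0 constructed OLE2 header"),  # legacy format
    ]
    for name, content in samples:
        print(f"{name}: {triage_attachment(name, content)}")
```

The check is deliberately narrow: it answers "does this Office package contain a VBA project?", which is the single property every macro-based dropper needs, rather than trying to recognise a particular malware family.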

The law firm’s website now displays a warning banner about the cyberattack.

I spoke with Jim Shelton in Clarendon late this afternoon, who confirmed the attack. Working with his provider, they have disabled the email account and placed a bright red warning banner on their website directing folks “not to click any links or download any attachments.” Jim told me he was also contacted by the State Bar of Texas, which had received calls about the email.

This attack is a serious one with the potential to cause significant damage and harm to folks who receive it and the companies they work for. If you or anyone you know receives an email like the one posted above, please do not open it and do not click on any attachments. Please do pass along word of this attack so that others might be made aware of and avoid it at all costs.

GUEST BLOG: Cybersecurity Compliance Just Got Tougher

Posted in Cyber

My Guest Blogger Nick Akerman learned about Cybercrime as a federal prosecutor where he prosecuted a wide array of white collar criminal matters, including bank frauds, bankruptcy frauds, stock frauds, complex financial frauds, environmental crimes and tax crimes. Nick was also an Assistant Special Watergate Prosecutor with the Watergate Special Prosecution Force under Archibald Cox and Leon Jaworski. Dan Goldberger is Nick’s partner at Dorsey.

Companies need specific, well-executed plans to meet growing demands of federal and state agencies.

By:  Nick Akerman and Dan Goldberger

While cybersecurity risks have increased, government regulation has traditionally lagged behind. Recently, some government entities have tried to catch up by mandating that companies take a proactive approach toward protecting personal and competitively sensitive data. The move is a departure from the traditional reactive response of simply notifying consumers after their personal data is breached.

With this shift in emphasis, companies are asking the obvious questions:  “What are we expected to do and what is a proactive cybersecurity compliance program?”

Both on the state level and through federal regulatory agencies, the government is beginning to dictate a comprehensive compliance approach to data protection. Late last year, the U.S. Securities and Exchange Commission’s Cybersecurity Examination Initiative directed broker-dealers to “further assess cybersecurity preparedness in the securities industry.” Thus, the SEC announced that it “will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.”

In January, the Financial Industry Regulatory Authority announced that in reviewing a securities firm’s approaches to cybersecurity risk management its examinations may include “governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training.”  On the state level, Massachusetts is the only state thus far to require all businesses that store personal data of its residents to secure that data through a compliance program modeled after the federal sentencing guidelines.

The framework under the federal sentencing guidelines is the gold standard for an effective compliance program. Having expanded well beyond its original goal of detecting and preventing criminal activities, it is fast becoming the corporate framework to protect data. These guidelines establish seven steps for companies to follow: first, promulgate standards and procedures; second, establish high-level corporate oversight, including the board of directors, that must provide adequate funding of the program in proportion to the size of the company and the risk; third, place responsibility with individuals who do not pose a risk for unethical behavior; fourth, communicate the program to the entire workforce; fifth, conduct periodic audits of the effectiveness of the program; sixth, consistently enforce the policies; seventh, establish mechanisms for reporting violations.

COLLABORATION IS CRITICAL

Because a compliance program must be tailored to an organization’s culture, it is critical to its success that all data-protection stakeholders collaborate in its creation and daily operation. This means that data compliance is not just an issue for information-technology security. Other stakeholders include human resources and legal, which are responsible for company rules, employee agreements and training, and may assist in responding to company data breaches; risk management, which may determine, along with legal, the adequacy of the company’s cyber insurance; and compliance, which is often the logical focus of the company’s data protection efforts.

Stakeholders in turn should focus on six areas of risk when developing a company-specific compliance program to minimize the risks posed by each area.

First, hiring is the time to explain to new employees the rules in place to protect the company’s data. Additionally, companies must approach hiring defensively, ensuring new employees do not bring into the workplace data that belongs to a competitor, which can result in civil or criminal liability.

Second, company rules and policies should spell out what employees can and cannot do with the company network and form the foundation of top-to-bottom workforce training. At least one court has recognized that such “explicit policies are nothing but security measures employers may implement to prevent individuals from doing things in an improper manner on the employer’s computer systems.” (American Furukawa v. Hossain).

Third, agreements with employees and other third parties are a key component of data protection. Employee agreements are an opportunity to reinforce the lack of an expectation of privacy in using company computers and define the scope of authorized access. When company data is outsourced to a cloud provider, agreements formalize the responsibilities of that third party to protect the company’s data.

Fourth, technology can be employed not only to secure data but to define who is authorized to access what portion of the network and to provide admissible evidence of a breach. Information-technology security, working with legal, can prepare mechanisms to capture audit trails in the network that can be used to identify the source and scope of a breach.

Fifth, effective termination procedures are critical. This is when insiders are most likely to steal company data to use at their next job. This is also the last opportunity to remind departing employees of their post-employment obligations to maintain the secrecy of company data and to return all company data, and for the company to inventory the data returned.

Finally, if a breach occurs, it is important to have protocols in place to quickly determine the scope of the breach and the appropriate response. Companies must therefore have in place an overarching plan to investigate suspected breaches and to mobilize internal and external resources.

For a data-compliance program to work consistently, it must be a collaborative effort among all stakeholders and comprehensively focus on mitigating the risks to the company’s data from multiple and unexpected sources.

No surprise that the FBI is warning law firms that they are cybertargets for insider trading

Posted in Cyber, eCommerce

An FBI Private Industry Notification identified in “a recent cyber criminal forum post an advertisement to hire a technically proficient hacker for the purposes of gaining sustained access to the networks of multiple international law firms.” Bloomberg BNA reported on the March 4, 2016 FBI Notification in an article entitled “FBI Alert Warns of Criminals Seeking Access to Law Firm Networks,” but the FBI did not share the name of the forum or when it was posted. BNA did, however, note that the ‘Panama Papers’ spill of insider secrets came from the “11.5 million records from the Panama-based law firm Mossack Fonseca.”

Data Breach Today reported that the 2.6-terabyte of “leaked data originated from Mossack Fonseca & Co., a Panama-based law firm that has more than 40 offices worldwide, including in the Bahamas, China, Columbia, Israel, the Netherlands, Singapore, Thailand and the United Kingdom” and revealed:

…how the shell companies have been used to launder extensive amounts of money, including $2 billion that’s been tied to banks and shadow companies linked to associates of Russian President Vladimir Putin,…

All law firms need to be vigilant, since they have always been targets because they hold client secrets, even though apparently not all law firms admit such intrusions.

Are US Privacy Laws Unconstitutional? We’ll find out in Microsoft’s new suit against the US Government!

Posted in eCommerce, Internet Privacy

According to Microsoft’s new suit, the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2705(b), violates the First and Fourth Amendments, since the Constitution should “afford people and businesses the right to know if the government searches or seizes their property.” The April 14, 2016 Complaint for Declaratory Judgment filed in Seattle federal court against the US Department of Justice and US Attorney General Loretta Lynch declares that:

People do not give up their rights when they move their private information from physical storage to the cloud. Microsoft therefore asks the Court to declare that Section 2705(b) is unconstitutional on its face.

The government, however, has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations. As individuals and business have moved their most sensitive information to the cloud, the government has increasingly adopted the tactic of obtaining the private digital documents of cloud customers not from the customers themselves, but through legal process directed at online cloud providers like Microsoft.

Over the past 18 months, federal courts have issued nearly 2,600 secrecy orders silencing Microsoft from speaking about warrants and other legal process seeking Microsoft customers’ data; of those, more than two-thirds contained no fixed end date.

This will be an important case to follow!

Cybersecurity Advice to CEOs and Boards “Take more responsibility”!

Posted in Cyber, eCommerce

The White House and its top security advisors are regularly advised about cyberintrusions, and as a result the “time has come for CEOs and Boards to take personal responsibility for improving their companies’ cyber security,” according to Former White House Senior Director for Cybersecurity Sameer Bhalotra. In the recent report from LogRhythm entitled “The Cyber Threat Risk – Oversight Guidance for CEOs and Boards,” Bhalotra went on to say:

Global payment systems, private customer data, critical control systems, and core intellectual property are all at risk today.

As cyber criminals step up their game, government regulators get more involved, litigators and courts wade in deeper, and the public learns more about cyber risks, corporate leaders will have to step up accordingly.

If your company does not have the CIO and CISO at the table with the CEO and Board to work on cybersecurity together, it’s time to start.

Watch out for BEC (Business eMail Compromise, aka Spearphishing), which has cost $2.3+ BILLION!

Posted in Cyber, eCommerce

Since October 2013 there have been more than 17,642 BEC victims, so the FBI recommended that businesses be “wary of e-mail-only wire transfer requests and requests involving urgency” and pick “up the phone and verify legitimate business partners.” The April 4, 2016 alert entitled “FBI Warns of Dramatic Increase in Business E-Mail Scams” included this explanation:

The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor.

They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.  

Victims range from large corporations to tech companies to small businesses to non-profit organizations.

Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments.

Here’s what the FBI recommends if a company has been “victimized by a BEC scam:”

Of course regular training for employees is critical and is a great deterrent to BEC scams.

Cybersecurity Alert: monetization of malware is one of the 7 biggest threats!

Posted in Cyber, eCommerce, IT Industry

There’s no substitute for training employees to avoid opening obviously suspect email and attachments, and HP Enterprise (HPE) issued a report which disclosed “a continued rise in attackers’ success at infiltrating enterprise networks” and as a result “defenders must accelerate their approach to detection, protection, response, and recovery.”  The HPE report entitled “Security Research Cyber Risk Report 2016” included comments about the pros and cons of market participation that has led to monetization of malware:

The fundamental elements of trade are buyers and sellers, along with the actual exchange of goods and services.

As in any market, if the number of buyers increases, the number of sellers tends to increase as well. In the case where there are incentives for criminal activities, a black or underground market often appears.  

As long as there is someone willing to pay, there will be someone willing to sell.

Security researchers and threat actors seek out vulnerabilities to improve their opportunity for financial gain through the monetization of bugs.

Note this comment in the Report’s introduction:

Security practitioners from enterprises of all sizes must embrace the rapid transformation of IT and ready themselves for both a new wave of regulations and an increased complexity in attacks.

Here are the Themes for the HPE report:

Theme #1: The year of collateral damage

Theme #2: Overreaching regulations push research underground

Theme #3: Moving from point fixes to broad impact solutions

Theme #4: Political pressures attempt to decouple privacy and security efforts

Theme #5: The industry didn’t learn anything about patching in 2015

Theme #6: Attackers have shifted their efforts to directly attack applications

Theme #7: The monetization of malware

No surprises in the Report, but important reminders about improving cybersecurity defenses.