The Rise of Disruptionware and High-Impact Ransomware Attacks

“Disruptionware is defined by the Institute for Critical Infrastructure Technology (ICIT) as a new and ‘emerging category of malware designed to suspend operations within a victim organization through the compromise of the availability, integrity and confidentiality of the systems, networks and data belonging to the target.’ New forms of disruptionware can be a more crippling form of cyber-attack than other more ‘garden-variety’ malware and ransomware attacks,” warns an article in JD Supra.

“Generalized forms of ransomware attacks – designed to block access to the victim’s computer systems until money is paid – are continuing to represent a more prevalent threat to government agencies, healthcare providers and educational institutions … another publication has noted the rise of ransomware attacks since the beginning of 2019 finding that there have been at least 621 reported successful ransomware attacks against U.S.-based corporations. Of these attacks, at least 491 were targeted against healthcare providers, while another 68 of the attacks were directed at county and municipal institutions, and 62 of the attacks were focused on school districts.”

“The FBI’s PSA [public service announcement] serves as a warning to businesses that they should have a plan in place to respond efficiently and appropriately in the event of high impact ransomware and disruptionware attacks.”

Read the article.

What If a Border Agent Seeks Your Smartphone That Includes Client Secrets?

JD Supra discusses what an attorney is “to do if a customs agent asks to peruse the attorney’s smart phone? Or if a customs agent asks the attorney to identify the clients that attorney is meeting or working on behalf of in the foreign country? Such questions can create a tension for attorneys between their duty to comply with international travel directives and their duty to preserve confidential or privileged client information in their possession.”

“Trips abroad are becoming more common across various practices.”

“Notably, attorneys are not required by the rules of professional conduct to comply with” ABA recommendations. “Whether attorneys adopt these recommendations in their own practices will depend on the type of information attorneys have in their possession, as well as the reasonableness of taking certain precautions.”

Read this article for some traveling tips.

Do Companies Need a Written Information Security Plan (WISP)?

“As of January 1, 2020, California became the first state to permit residents whose personal information is exposed in a data breach to seek statutory damages between $100-$750 per incident, even in the absence of any actual harm, with the passage of the California Consumer Privacy Act (“CCPA”). The class actions that follow are not likely to be limited to California residents, but will also include non-California residents pursuing claims under common law theories,” advises Jena M. Valdetero in Bryan Cave Leighton Paisner’s Insights.

“A successful defense will depend on the ability of the breached business to establish that it implemented and maintained reasonable security procedures and practices appropriate to the nature of the personal information held. The more prepared a business is to respond to a breach, the better prepared it will be to defend a breach lawsuit.”

She provides a list of what an organization’s written information security plan (WISP) should include at a minimum.

Read the article.

Hunton Andrews Kurth Partner Speaks on Key Global Data Protection Issues in China

Hunton Andrews Kurth LLP partner Lisa J. Sotto was the featured speaker at a recent AmCham China U.S.-China Energy Cooperation Program event, outlining key privacy and data security issues in the United States and European Union to representatives of more than 50 Chinese companies.

Sotto, head of Hunton Andrews Kurth’s global privacy and cybersecurity practice, also presented to several other groups in China earlier this month, including a group of more than 50 in-house counsel organized by Data Protection Officer, an organization of legal counsel from leading Chinese and global technology, media and telecommunications companies.

She also was invited to present to a group of legal counsel and cybersecurity scholars and researchers at the Law School of Beihang University. Sotto separately addressed a group of 100 employees (including legal counsel, engineers and business personnel) of 360 Corporation, China’s top provider of internet and mobile security products and services.

“Given the ubiquity of data, there is an urgent need for international alignment on guiding principles related to data privacy and cybersecurity standards,” Sotto said. “I am pleased to have had the opportunity to promote this awareness and to provide guidance and assistance toward that end.”

Earlier this year, Sotto was invited by U.S. government officials and the U.S. Chamber of Commerce to travel to Brazil as a member of a delegation that met with Brazilian government agencies and industry representatives in the process of developing the country’s cybersecurity strategy. Her visit followed the release of a report proposing a framework for effective data breach notification legislation across the globe.

Do We Have A Contract? What Delta’s Win Tells Us About Privacy Policies

A legal victory for Delta Air Lines this year is unique in that it is the first time a court has determined that a business owes no obligation of privacy to a customer because its privacy policy explicitly disclaims any contractual relationship between the business and its customers, writes Sunrita Sen in the Frost Brown Todd fbtTech Blog.

The case involved a breach of contract claim over the data breach suffered by the airline in 2017.

A U.S. district judge dismissed the claim, agreeing with Delta that the Airline Deregulation Act preempted the plaintiff’s breach of contract claims.

Read the article.

Preparing for the CCPA: Reviewing and Updating Privacy Policies and Agreements for Compliance

Duane Morris will present a complimentary webinar on the California Consumer Privacy Act (CCPA) on Thursday, June 20, 2019, at 9:30 a.m. Pacific time.

Led by an interdisciplinary team of Duane Morris attorneys, the California Consumer Privacy Act of 2018 Webinar Series offers an in-depth discussion and analysis of the CCPA, along with timely and practical strategies to prepare your business for compliance with this complex rule, the firm said in a release.

The CCPA of 2018 is the strictest privacy law in the United States and has national impact for anyone doing business in California. The new law takes effect Jan. 1, 2020, and gives consumers greater control over their personal information while establishing stringent rules and significant penalties for the companies that handle consumer information.

The second session topics include:

– Brief CCPA overview
– Examination of the CCPA requirements for privacy policies and third-party agreements
– Practical strategies for reviewing and updating your privacy policies and third-party agreements to comply with the CCPA

The first session of the series, Understanding the New California Consumer Privacy Act: Why The CCPA Applies to You and Practical Steps You Can Take Now to Comply, can be viewed on the firm’s website.

Register for the June 20 webinar.

Security Incident Mitigation Strategy: Effective Negotiation of Technology Contract Limitations of Liability

If technology vendors will have access to the personal information of their customers’ end users (whether those end users are employees or customers), the treatment of caps on liability takes on heightened importance, points out Janine Anthony Bowen in a post on BakerHostetler’s Data Privacy Monitor blog.

“Vendors have become increasingly reluctant to provide unlimited liability to protect customers against harms caused by security incidents, going to great lengths to narrowly tailor the situations under which the vendors will bear risk,” she writes.

She cites BakerHostetler’s 2019 Data Security Incident Report for guidance on deciding what level of financial risk allocation is acceptable.

Read the article.

How Small Law Firms Can Improve Cybersecurity to Prevent Data Disasters

By Josh Taylor, Smokeball

Insufficient data security practices can have devastating consequences for small law firms. A breach can inflict lasting damage to a firm’s reputation, finances and client relationships. So why aren’t more firms taking cybersecurity seriously?

A recent American Bar Association survey uncovered this lack of concern, finding that only 42% of firms took action to increase digital security measures last year. Of these, 27% did so to better protect client or contract data. While lawyers spend their time looking out for clients’ risks and liabilities, the data suggests this diligence doesn’t extend to internal matters.

Exactis’ 2018 data leak shows how small business security lapses balloon into a much larger crisis. This breach exposed the personal information of over 230 million people and 110 million businesses, demonstrating that even smaller-scale businesses store massive amounts of sensitive data and face a constant threat as their data pool grows.

While small law firms may not have a long roster of big-name clients, they store a significant amount of personal details and business information. Clients trust them to protect sensitive business information like proprietary data, financial details and confidential deals. Leaks and breaches have severe ramifications, causing clients to walk out, IT headaches, financial worries and regulatory violations.

An accident or technical error may have created the breach, but innocent causes don’t render firms immune from serious business consequences. Each law office is responsible for preventing and quickly responding to leaks or attacks. Technical aspects of cybersecurity may overwhelm some small firms, but improving data protection and online safety practices doesn’t have to be complicated. Law firms bolstering digital security can start by keeping in mind a few simple tips:

Make Security People Powered

Small law firms don’t often face the organized cyber threats that plague larger organizations. Their risks tend to lie within the firm itself, stemming from workers that lack the technological savvy to sidestep malicious schemes. Ransomware and phishing scams rely on human error, and untrained employees open the door for them to poach important private records.

Regular training for all employees helps organizations avoid personnel-caused breaches: staff stay current on how to protect themselves and the firm from malicious email schemes and the other tactics cybercriminals use to siphon off personal data. Law offices should also establish clear channels for reporting and distributing information quickly, so employees know whom to alert and what to do when a leak or attack is discovered. Training programs add cost and responsibility up front, but pay off later by warding off damaging security incidents.

Invest In Updated Tech

The phrase “small law office” doesn’t typically conjure up images of state-of-the-art technology. But beyond hurting a firm’s reputation, this digital sluggishness creates security risk. Offices running a mix of operating systems, outdated software and unsecured Wi-Fi networks are more exposed. Fortunately, these issues are easily fixed: schedule regular software updates (and retire hardware and operating systems that no longer receive security patches), protect the office Wi-Fi with WPA2 or WPA3 encryption and a strong passphrase, and change that passphrase periodically and whenever someone who knew it leaves the firm.

Though it may seem obvious, it’s worth noting the large role passwords play in a small firm’s security. One weak or reused password can open the floodgates to the entire database of client information. Keep login credentials for sensitive systems on a need-to-know basis, use a password manager for all employees so that every account gets a long, unique password, and turn on multi-factor authentication wherever it is offered. Change passwords promptly whenever a compromise is suspected; note, however, that current NIST guidance (SP 800-63B) discourages routine forced rotation, because it tends to produce weaker, predictable passwords.

Reduce In-Office Risks

Traditional, lock-and-key security is an easy concept to grasp, but digital security is a hazier concept. Fortunately for firms not familiar with technology-driven data protection, the two share some common ground.

Some believe that on-site servers make data safer, but this is a misconception. Seeing storage equipment physically in the office may be reassuring, but concentrating information there compounds the risk: burglars breaking into a small law firm can walk out with far more than office hardware. Backing up and housing data with a reputable cloud provider lowers this hazard by removing important data from the risks inherent in a physical space. The cloud shifts rather than eliminates risk, however: the provider account becomes the new single point of failure, so protect it with multi-factor authentication, and keep at least one backup copy that an attacker who compromises the office network or the account cannot simply delete or encrypt.

Another seemingly innocuous practice that poses security issues is carelessness with paper documents. More firms are adopting digital document software, but paper remains popular at many small firms. These documents also expose confidential information if left in plain view or accidentally included in social media photos. Just like with digital risks, reminding employees of security best practices helps suppress future issues.

Just like any business entrusted with sensitive data, law firms must commit to shielding themselves and clients from data breaches. Leaks at small offices quickly expand into a big problem. As data storage demands continue growing, firms can introduce simple technology and security improvements that protect client information and preserve their reputation.

2 U.S. Law Firms Lost Over $117K to International Cybercrime Network, Indictment Alleges

A law firm in Washington, D.C., and a law office in Wellesley, Massachusetts, are among the victims of malware attacks by an overseas cybercrime network, according to an ABA Journal report.

A Department of Justice press release announced the dismantling of the cybercrime network in an international law enforcement operation. The release did not identify the law firm or law office, other than to reveal their locations.

“The operation was highlighted by the unprecedented initiation of criminal prosecutions against members of the network in four different countries as a result of cooperation between the United States, Georgia, Ukraine, Moldova, Germany, Bulgaria, Europol and Eurojust,” the press release states.

Read the ABA Journal report.

Understanding the New California Consumer Privacy Act

Duane Morris will present a webinar titled “Understanding the New California Consumer Privacy Act: Why The CCPA Applies to You and Practical Steps You Can Take Now to Comply.”

The event will be Thursday, May 23, 2019, beginning at 1 p.m. Pacific time.

The firm said the California Consumer Privacy Act (CCPA) of 2018 is the strictest privacy law in the United States and has national impact for anyone doing business in California. The new law takes effect January 1, 2020, and gives consumers greater control over their personal information, including the right to:

•Be informed which categories of their data will be collected by a business before it is collected;
•Opt out of the sale of their personal information;
•Delete their data from a business’ database;
•Be informed of any changes to categories of their data a business collects;
•Know the categories of the third parties with whom their data is being shared;
•Know the categories of sources of information from whom their data is acquired;
•Know the business purpose for collecting their data;
•Be aware of all their data a business has collected (annually and free of charge at the consumer’s request).

Enforcement of the CCPA will be through consumer lawsuits for data breaches, along with enforcement action by the California attorney general, who can impose fines of up to $2,500 per violation or $7,500 per intentional violation of the CCPA.

Led by an interdisciplinary team of Duane Morris attorneys, the California Consumer Privacy Act of 2018 Webinar Series offers a discussion and analysis of the CCPA, along with strategies to prepare a business for compliance with this complex rule.

The first session will discuss:

•Understanding the CCPA
•How this law affects your business
•What steps can a business take to ensure compliance?

Register for the webinar.

Hackers Shut Down Boston Legal System for Weeks, Seeking Payment in Bitcoin

A cyberattack on the agency overseeing Boston public defenders has caused a weekslong slowdown, disabling e-mail systems, delaying some hearings, and hanging up payments for the private attorneys who represent clients, reports The Boston Globe.

“The Committee for Public Counsel Services has been cleaning up for two weeks after a ransomware attack locked up its servers, with the culprits demanding that a ransom be paid in bitcoin,” writes the Globe‘s Andy Rosen. “The agency refused to pay, because it has backup files it can use to restore the system.”

A similar attack recently hit the internal network of the Jackson County, Georgia, government, forcing most of its systems offline, according to ZDNet. In that case, the county paid $400,000 to cybercriminals to get rid of the ransomware infection and regain access to its IT systems.

Read the Globe article.

Facebook Fine Could Total Billions if FTC Talks Lead to a Deal

The New York Times is reporting that Facebook and the Federal Trade Commission are discussing a settlement over privacy violations that could amount to a record, multibillion-dollar fine, according to three people with knowledge of the talks.

Sources told the Times that the company and the FTC’s consumer protection and enforcement staff have been in negotiations over a financial penalty for claims that Facebook violated a 2011 privacy consent decree with the agency, according to reporter Cecilia Kang.

“The F.T.C. began its investigation into Facebook’s mishandling of data after The New York Times reported in March 2018 that the information of 87 million users had been harvested by a British political consulting firm, Cambridge Analytica, without their permission,” writes Kang.

Read the NY Times article.

Judge in Yahoo Data Breach Case Criticizes ‘Unreasonably High’ Attorney Fees

A federal judge in San Jose, California, refused to approve a class action settlement in litigation over a series of Yahoo data breaches, citing a lack of transparency and the possibility of “unreasonably high” attorney fees, according to the ABA Journal.

The plaintiffs had proposed a $50 million settlement fund, but the proposed notice to class members did not disclose the costs of credit monitoring services or the costs for class notice and settlement administration, U.S. District Judge Lucy Koh said.

She also found problems with the plaintiffs’ lawyers’ fees:

“Specifically, the court finds that class counsel prepared limited legal filings with numerous overlapping issues, and that class counsel completed limited discovery relative to the scope of the alleged claims. Moreover, class counsel fails to explain why it took 32 law firms to do the work in this case.”

Read the ABA Journal article.

Lawyer Sues Apple, Says FaceTime Bug Allowed Secret Recording of Deposition, Caused Emotional Trauma

Courthouse News Service reports that an attorney in Houston filed a lawsuit claiming he was conducting a deposition with a client when he encountered Apple’s latest bug, which allowed others to access his iPhone’s microphone without him answering a FaceTime call.

The New York Times explains how the bug worked:

“By adding a second person to a group FaceTime call, you can capture the audio and video of the first person called before that person answers the phone, or even if the person never answers.”

The Houston lawyer, Larry D. Williams II, seeks punitive damages against Apple and unknown parties for claims of product liability, negligence, warranty and fraudulent misrepresentation.

CNBC reports that Williams claimed the experience caused “sustained permanent and continuous injuries, pain and suffering and emotional trauma that will continue into the future” and that Williams “lost ability to earn a living and will continue to be so in the future.”

Read the Courthouse News Service article.

Dentons Associate Duped into Transferring $2.5 Million to Fraudster’s Account

An associate at Dentons Canada fell victim to a scammer who posed as a mortgage company representative and two bank officials to persuade him to transfer $2.5 million into the fraudster’s account.

A decision in a Toronto court revealed that the associate sent the money from a property sale to a Hong Kong bank account after he received emails requesting the transfer in a business deal, according to a report in the ABA Journal.

The Journal‘s Debra Cassens Weiss reports:

“The fraudster had sent emails to the associate in early January 2017 advising that money from the property sale should be wired to Hong Kong because of an audit of the mortgage company’s account. Dentons called the mortgage company, Timbercreek Mortgage Servicing, to confirm the Hong Kong account information but did not receive a call back, according to [the judge].”

The case came to light over litigation involving the firm’s insurance coverage.

Read the ABA Journal article.

‘The Dark Overlord’ Didn’t Hack Systems, Husch Blackwell Says

A hacker group calling itself “The Dark Overlord” threatened to release documents relating to insurance litigation over the Sept. 11 attacks on the World Trade Center, which it claims to have stolen from Husch Blackwell, but the firm now says its systems weren’t hacked.

The group says it has 18,000 documents that include emails and nondisclosure documents sent and received by two insurers and a Husch Blackwell predecessor firm, according to a report in the ABA Journal. The group is seeking a ransom paid in bitcoin.

In a statement, Husch Blackwell said: “After a thorough review, Husch Blackwell can confirm that no documents were obtained from Husch Blackwell, and that there was no unauthorized access to Husch Blackwell systems, client files, documents or data.”

Read the ABA Journal article.

Natalie Friend Wilson Promoted to Langley & Banack Shareholder

Natalie Friend Wilson has been promoted to shareholder at Langley & Banack, Inc. and will lead the firm’s cybersecurity practice, as well as continue to practice in bankruptcy and litigation.

The firm said Wilson represents debtors, creditors, and bankruptcy trustees in complex insolvency proceedings, including related litigation and appeals. She also counsels clients on privacy and data protection, data breach response, cybersecurity and general cyber-contracting matters, as head of the Firm’s Cybersecurity, Data Protection and Privacy Practice Group.

Langley & Banack’s Cybersecurity team assists clients with drafting and implementation of cyber-security and general incident response plans and structures, enhanced compliance, and governance policies and protocols, the firm said in a release. They also advise financial institutions and industry clients in the drafting and negotiation of their website development, website hosting, SaaS agreements and other internet and data-based service agreements. As such, the practice group assists organizations to manage rapidly evolving privacy threats and mitigate the potential loss and misuse of information assets.

Wilson is active in the Military Spouse JD Network, a bar association for lawyers married to members of the armed forces. She is active in the local Air Force community and is currently Key Spouse Mentor for the 836th Cyberspace Operations Squadron.

Wilson holds a B.A. from St. Mary’s College of Maryland, summa cum laude, and a J.D. from the University of Hawai’i, William S. Richardson School of Law, where she graduated cum laude.

She has been honored as a Professional “On the Rise” by Texas Lawyer Magazine (2018), San Antonio Business Journal’s 40 Under 40 (2016), and the Belva Lockwood Outstanding Young Lawyer by the Bexar County Women’s Bar Foundation (2014).

Access to Law Firm Data ‘Just Too Easy,’ Worrying Clients

A cybersecurity scare at Foley & Lardner has drawn new attention to a debate over data security at top law firms, and some clients and outside organizations are taking matters into their own hands, according to a Bloomberg Law report.

Bloomberg’s Sam Skolnik writes that general counsels’ offices have been expressing renewed concern about whether even the biggest law firms are adequately protecting highly sensitive data.

“Cyber incursions into law firms clearly appear to be on the rise. According to a December 2017 American Bar Association legal technology report, just over a third of law firms with between 10 and 49 attorneys reported experiencing some sort of data-related security breach in the previous 12 months,” according to Skolnik.

Read the Bloomberg Law article.

Chinese Company Charged With Stealing Trade Secrets From U.S. Computer Firm

NBC News reports that the Justice Department revealed Thursday that a federal grand jury has charged companies in China and Taiwan and three individual Taiwanese nationals with a scheme to steal trade secrets from Micron.

China is “shamelessly bent on stealing its way up the ladder of economic development and doing so at American expense,” said John Demers, assistant attorney general for national security.

NBC reporter Pete Williams writes: “Federal prosecutors said one of the defendants served as president of a company acquired by Micron five years ago. The charges said he went to work for the Taiwan company, United Microelectronics Corporation, and orchestrated the theft of trade secrets from Micron worth nearly $9 billion.”

Read the NBC News article.

Foley & Lardner Hit With Cybersecurity Incident

Bloomberg Law is reporting that Foley & Lardner LLP experienced a cybersecurity incident earlier this month, and said there was “no unauthorized access to client data.”

Jill Schachner Chanen, external communications manager at Foley & Lardner, told Bloomberg Law in an email that the incursion occurred earlier this month.

She said the firm has security safeguards in place designed to protect the IT system and data and that no client data was exposed to the cyber intruders.

Read the Bloomberg Law article.