How Ransomware Became a Billion-Dollar Nightmare for Businesses

In recent months, a proliferation of ransomware attacks has affected everyone from personal-computer and smart-phone owners to hospitals and police departments, reports The Atlantic. Reporter Adam Chandler explains the attack like this: “A virus arrives and encrypts a company’s data; then a message appears demanding a fee of hundreds or thousands of dollars. If the ransom is paid in time, the information is restored.” In this crime, it’s individuals and businesses, not retailers and banks, who are footing the bill for data breaches.

The FBI says ransomware attacks cost their victims a total of $209 million in the first three months of 2016, up from $24 million in all of 2015. And the real number could be much higher if unreported attacks are considered.

Datto, a Connecticut-based cybersecurity company, surveyed 1,100 IT professionals and found that nearly 92 percent had clients that suffered ransomware attacks in the last year, including 40 percent whose clients had sustained at least six attacks.
“Ransomware attacks originate largely in Russian or Eastern European outfits, but in recent years, they’ve come from all over the world,” Chandler writes.

Read the article.

 

 




For Businesses, Vendor Contracts Can Have Huge Cybersecurity Implications

With all the pressure on companies to build a robust cybersecurity defense within their own four walls, one area of risk might be getting overlooked, writes Shawn Shinneman of the Dallas Business Journal.

He talked to Sara Romine, an attorney at Carrington Coleman in Dallas, to find out how to deal with an attack that comes in through a third-party vendor.

Companies can be at risk and liable when dealing with vendors who have direct access to sort, store or transmit their data, she told the reporter.

“She’s found that companies tend to make some mistakes that grant leverage to the other side during negotiations either to strike a new agreement or renew an existing one. One big one is waiting until the last month or so to start the process,” the article reports.

Read the article.




Increasing Use of Cyber Insurance Requirements in Contracts

As the risk of cyber threats to all businesses grows, there is a corresponding interest in managing and shifting cyber risks by contract and through cyber insurance, write Branwen Buckley and Corby J. Baumann of Thompson Hine.

“Insurance requirements are common in commercial contracts, and many contracts now include a sub-clause regarding cyber insurance. Whether a company is asking for a contracting party to provide cyber insurance or is on the receiving end of such a request, there are some important background considerations to remember,” the authors explain in their article.

They list some issues to consider when evaluating contractual requirements for cyber coverage: cyber insurance can never be a substitute for proper preventive measures, keep cyber insurance provisions specific, consider asking to see the policy, and be realistic in your expectations.

Read the article.

 

 

 




Big Banks Form New Group to Combat Cyber Threats

The Wall Street Journal and Bloomberg Law are reporting that eight large U.S. banks are forming a new group to share information in the fight against cyber attacks.

The new cyber sharing group — which comes after thousands of banks formed a group earlier — will include Goldman Sachs, Morgan Stanley, Bank of America, J.P. Morgan Chase, State Street, Bank of New York Mellon, Wells Fargo and Citigroup.

“The financial-services industry ranked third in number of cyberattacks last year, after health care and manufacturing, according to a U.S. cybersecurity report released by IBM Corp. in May. Two years ago, J.P. Morgan, the largest U.S. bank by assets, was targeted by cybercriminals in a breach that exposed names, addresses and other information of 76 million customer households, although no money was taken,” The Journal reported.

Read the article.

 

 




Largest HIPAA Settlement Ever: What You Need to Know

The operator of 12 hospitals and more than 200 other treatment centers in Chicago and central Illinois has agreed to the largest settlement to date with the Office for Civil Rights for multiple potential violations of the Health Insurance Portability and Accountability Act, reports Kelly A. Leahy of Shumaker, Loop & Kendrick.

The agreement will cost Advocate Health Care Network $5.5 million and force Advocate to adopt a multi-year corrective action plan that stemmed from three incidents reported to OCR in 2013. The breaches involved Advocate’s medical group subsidiary, Advocate Medical Group, which employs more than 1,000 physicians. The incidents were data breaches involving unencrypted devices and unauthorized access to a network.

In the article, Leahy offers some suggestions for what covered entities and business associates can do to prevent costly fines and burdensome settlements.

Read the article.

 

 




Cybersecurity for Banks: The Legal and Regulatory Framework

Practical Law will present a complimentary webinar Tuesday, July 26, 1-2:30 p.m. EDT, on evolving cybersecurity issues for banks.

In a release, the company said cybersecurity poses important and time-sensitive challenges to banks and will continue to do so into the foreseeable future. In addition to regulatory and compliance risks, cybersecurity also poses litigation and reputational risks. Bank counsel need to be at the forefront of cybersecurity to ensure that their bank’s directors, management, and employees are aware of the challenges and the measures that need to be taken.

Speakers will be Heath Tarbert and William White of Allen & Overy and Jeremy Estabrooks of Practical Law.

Topics will include:

  • What cybersecurity entails and the types of cyber threats facing banks.
  • Federal laws and regulations addressing cybersecurity.
  • Federal regulatory guidance and resources.
  • State laws and regulations addressing cybersecurity.
  • What cybersecurity issues bank counsel should currently be thinking about.

A brief Q&A session will follow.

Register for the webinar.

 

 

 




Court Upholds Ex-Korn/Ferry Executive’s Conviction in Hacking Case

A federal appeals court on Tuesday gave the U.S. Department of Justice broad leeway to police password theft under a 1984 anti-hacking law, upholding the conviction of a former Korn/Ferry International executive for stealing confidential client data, reports Reuters.

“The 9th U.S. Circuit Court of Appeals in San Francisco said David Nosal violated the Computer Fraud and Abuse Act in 2005 when he and two friends, who had also left Korn/Ferry, used an employee’s password to access the recruiting firm’s computers and obtain information to help start a new firm,” reports Jonathan Stempel.

The court found that Nosal acted “without authorization” even though the employee, his former secretary, had voluntarily provided her password.

Read the article.

 

 




Computer Use Policies – Are Your Company’s Illegal According to the NLRB?

The National Labor Relations Board (NLRB) has continued its assault on businesses and their ability to legitimately protect their computer systems and information against unauthorized non-business use by employees, writes , in Cybersecurity Business Law.

Tuma is a cybersecurity and data protection partner at Scheef & Stone, LLP.

“On May 3, 2016, an NLRB Administrative Law Judge struck down as overbroad a Computer Use Policy in Caesars Entertainment Corporation d/b/a Rio All-Suites Hotel and Casino (NLRB Docket Sheet). The policy, titled Use of Company Systems, Equipment, and Resources, was part of the company handbook and stated that computer resources may not be used to do several things that were listed out and is standard in many similar policies,” he writes in his article.

Read the article.

 

 

 




Morgan Stanley Pays $1 mln SEC Fine Over Stolen Customer Data

Reuters is reporting that Morgan Stanley has agreed to pay a $1 million fine to settle U.S. Securities and Exchange Commission civil charges that security lapses at the Wall Street bank enabled a former financial adviser to tap into its computers and take client data home, the regulator said.

“The settlement resolves allegations related to Galen Marsh’s unauthorized transfers from 2011 to 2014 of data from about 730,000 accounts to his home computer in New Jersey, some of which was hacked by third parties and offered for sale online,” reports for Reuters.

“According to the SEC, Morgan Stanley violated a federal regulation known as the Safeguards Rule by failing to properly protect customer data, allowing Marsh to access names, addresses, phone numbers, and account holdings and balances,” the report says.

Read the article.

 

 

 




Managing HIPAA Data Breaches

Compliancy Group will present a complimentary webinar designed to give individuals and entities operating in the health care sector the skills they need to identify, respond to and manage data breaches in a timely, efficient and compliant manner.

The event will be Wednesday, June 15, beginning at 2 p.m.

“Data breaches are becoming more and more common among health care providers, payers and their vendors,” the company says on its website. “Some estimates indicate that one-third of all Americans had their health information breached in 2015 alone, and data breach costs are approaching $250 per affected individual – not including the million dollar penalties which government regulators have recently issued.”

This webinar will give listeners the tools they need to develop a data breach plan to protect their organization.

Register for the webinar.

 

 




The Dangerous Misperception of Ransomware

A new complimentary on-demand video presented by Harlan Carvey, Security Analysis Senior Consultant, SecureWorks Counter Threat Unit Research Team, and posted on BrightTALK discusses ransomware attacks and how to protect an organization using a holistic and unifying visibility into the network and endpoints.

“The proliferation of ransomware has ushered in a new wave of extortionware and a new generation of malware attacks,” BrightTALK says on its website. “While these types of attacks are not new, they have become more insidious and sophisticated, growing in popularity in concert with the expansion of electronic payment systems such as bitcoin. In April, the US and Canada both issued formal warnings and suggestions, but how much that is reported about this new malware is true? Are we being naïve in our efforts to block these Ransomware attacks?”

The video covers:

– What is ransomware?
– How does it proliferate?
– How do I detect and block it?
– How do I know what systems are compromised or how the attacker got in?
– Do I pay the ransom if I am attacked?
– How do I ensure that I don’t become a victim (again)?

Watch the on-demand video.

 

 




Kate Morris Earns Distinguished Certified Information Privacy Professional Certification

Strasburger & Price attorney Kathryne “Kate” M. Morris has earned the ANSI-accredited Certified Information Privacy Professional/United States (CIPP/US) credential through the International Association of Privacy Professionals (IAPP). Morris earned the credential based on successfully passing the IAPP comprehensive examination covering privacy and data protection laws and practices in the United States, including how to respond in the event of a data breach.

Privacy professionals play an increasingly important role in today’s data-driven global economy. In a release, the firm said Morris’ knowledge in this area will allow her to help Strasburger clients manage rapidly evolving privacy threats and mitigate the potential loss and misuse of information assets.

Morris is an associate in the firm’s Intellectual Property and Litigation practice groups. Her practice focuses on the areas of technology, e-commerce, privacy and data security. She regularly advises clients from a variety of commercial sectors, including retail and finance, in all aspects of technology transactions, the collection, use, disclosure, retention and destruction of data, and eDiscovery. Additionally, Morris’ practice includes disputes over copyrights and trademarks, software licensing, breach of contract and fraud, among other issues and claims.

The IAPP is the first organization to publicly establish standards in professional education and testing for privacy and data protection. IAPP privacy certification is internationally recognized as a reputable, independent program that professionals seek and employers demand. Although more than 8,000 professionals worldwide currently hold one or more IAPP certifications, very few attorneys hold this important credential.

Developed and launched by the IAPP with leading subject matter experts, the CIPP is the world’s first broad-based global privacy and data protection credentialing program. The CIPP/US demonstrates a strong foundation in U.S. private-sector privacy laws and regulations and understanding of the legal requirements for the responsible transfer of sensitive personal data to/from the U.S., the EU and other jurisdictions.

 




A Leak Wounded This Company. Fighting the Feds Finished It Off

Atlanta-based LabMD was a successful company that tested blood, urine, and tissue samples for urologists, and had about 30 employees and $4 million in annual sales. Then one day in 2008, the company’s general manager received a phone call from a man who claimed to be in possession of a file containing LabMD patient information, including more than 9,000 Social Security numbers, reports Bloomberg.

Then came the sales pitch: His company, Tiversa, offered an investigative service that could identify the source and severity of the breach that had exposed this data and stop any further spread of sensitive information — at a cost of about $38,000. After some back-and-forth, LabMD told Tiversa to direct all communication through its lawyers. Then the Federal Trade Commission came calling.

LabMD’s woes could end up finishing off the once-promising business.

Read the article.

 

 

 




What Can Be Learned From the Panama Papers About the Cloud?

According to Grant Gross from IDG News Service, the banking document leak now known as the Panama Papers included 11.5 million confidential documents dating from the 1970s through to late 2015 — 4.8 million emails, 3 million database format files, 2.2 million PDFs, 1.1 million images and 320,000 text documents. All of these documents were from Panama law firm Mossack Fonseca.

Allegedly these leaked documents reveal how dozens of high-profile professionals including public officials in countries including the U.K., France, and China have hidden their wealth abroad to avoid paying taxes, ContractRoom reports on its website.

What is clear is that if indeed these files were hacked from emails or off the server of Mossack Fonseca, this firm was not using a Cloud platform with proper security and encryption to store their documents. It appears they were using an on-site server.

Read the article.

 




Legal Group Poised to Quiz Clinton Aides About Email Server

The State Department has agreed to a conservative legal group’s request to question several current and former government officials about the creation of Hillary Clinton’s private email system, reports the Associated Press.

A judge granted the group, Judicial Watch, limited discovery to ask the officials why Clinton relied on an email server in her New York home during her tenure as secretary of state.

If the judge approves of the agreement, lawyers from Judicial Watch will be allowed to depose Clinton’s top aides, including former chief of staff Cheryl D. Mills, deputy chief of staff Huma Abedin and undersecretary Patrick F. Kennedy, the report says.

Read the report.

 

 




Microsoft Sues Feds, Challenging Gag Orders on Customer-Data Seizures

Microsoft sued the U.S. government Thursday, arguing that a law that can prohibit technology companies from telling customers when law enforcement comes looking for their data is unconstitutional, reports The Seattle Times.

This action is seen as the latest high-profile challenge to the reach of law enforcement into cyberspace, following Apple’s fight against an FBI order to disable an encryption measure on an iPhone connected to the San Bernardino mass shooting.

“When law-enforcement agencies get a warrant to grab email or other data stored online, they can request a court order to bar Internet service providers from informing the user their documents were seized,” the report says. “Microsoft said it has received about 5,600 federal demands for consumer data in the past 18 months, almost half accompanied by such gag orders.”

Read the article.

 

 




How Law Firms Should Strengthen Cybersecurity to Protect Themselves and Clients

By Amy Terry Sheehan and Jill Abitbol
The Cybersecurity Law Report

Law firms store a wealth of sensitive and confidential information electronically, making them prime targets for hackers. Not only does weak data security affect business development and client retention for firms, but it can result in legal and ethical violations as well. How can firms meet clients’ increasing data expectations? How can clients determine how robust their current and potential firms’ systems are? What mistakes are law firms making? John Simek, vice president and co-founder of cybersecurity and digital forensics firm Sensei Enterprises, Inc., answered these and other questions about law firm data security in a conversation with The Cybersecurity Law Report. See also “Sample Questions for Companies to Ask to Assess Their Law Firms’ Cybersecurity Environment” (Jun. 17, 2015).

CSLR:  What are the specific cybersecurity threats that law firms currently face?

Simek:  Probably the most prevalent threats that we’re seeing now, and not necessarily targeted ones, involve ransomware. At the end of last year, in the northern Virginia area alone, there were four law firms that got hit with ransomware attacks in just one month.

The key is for firms to make sure that their backups are engineered properly to recover from a ransomware infection. Then they are in a position to restore their data without having to pay the ransom. Of those four law firms that were hit with ransomware at the end of last year, two were engineered correctly and two were not.

[See “How to Prevent and Manage Ransomware Attacks” Part One (Jul. 15, 2015); Part Two (Jul. 29, 2015).]

CSLR:  What do you recommend to firms that have not yet proactively engineered proper backups?

Simek:  I tell solo practices and small firms, which tend to use external hard drives for backup, to disconnect that device after they’ve done their backup. That way, in the event their system gets infected, it won’t impact their backup. If their external drive is still connected to their computer, and their computer gets infected, their backup is going to get infected too. It’s a very simple thing. There’s no cost to doing that. It’s just a procedural piece.

I recommend hardware-based backup solutions for mid to larger firms. Hardware-based, also called agent-based, backup is not seen as a drive letter or a network share. The data is moved via software to the backup device.

CSLR:  Do you recommend that firms use cloud backups?

Simek:  Cloud backups are good as well. The key in cloud backups, and particularly for attorneys because of their ethical duties to protect the confidentiality of the data, is to select a cloud solution where the firm can control the encryption key. Not all backup solutions and cloud solutions will allow users to do that.

Carbonite, which is used by a lot of solo to mid-sized firms, allows users to define the encryption key themselves. Some cloud providers do not want users to do that because they fear that if the user forgets the encryption key, their backups will be useless. Although that is certainly a possibility, if a firm is planning to use a cloud-based backup, it will want a provider that allows it that control.

OneDrive, for example, does not allow users to define what that encryption key is. So that means that Microsoft can decode data stored in the cloud if it wanted. With Apple iCloud, Apple also can decode backup content. Apple actually can read iMessages and related content, even though it’s stored encrypted.

From an attorney’s perspective, the ability to define the encryption key is a crucial differentiator, and something they should look for in a cloud solution.

[See “Implementing an Effective Cloud Service Provider Compliance Program” (Nov. 25, 2015).]

CSLR:  In addition to the backups, what other steps should law firms currently be taking to address security threats?

Simek:  Training employees is crucial. Phishing attacks, such as emails where someone is trying to get an employee to wire money to a foreign bank, make up a large percentage of threats. The solution there – and firms tend not to want to do this – is to train employees. The people are the problem. An email message that has a malicious attachment or a malicious link in it won’t have any adverse effect unless someone clicks on it.

Firms have to educate their employees because all of the technology in the world is not going to prevent an attack. Threat actors may be smarter than the current security technology. They may be using malware that nobody has ever seen before, and your firm may be the first kid on the block to get it.

Threat actors can also get information from court filings, which are public record. Somebody can jump on Pacer and find out the name of the case and the attorney of record. They can then send an email message that purports to come from the attorney of record using a bogus email address or a fake domain and say “Here’s an updated complaint in such and such a case.” The receiving attorney will recognize the email and click on the attachment. Through training, firms can teach employees how to recognize and prevent these types of situations.

[See “Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part Two of Three)” (Mar. 2, 2016).]

CSLR:  What about firms that are reluctant to invest in training because it is non-billable?

Simek:  Well, it can cost them so much more to clean up and recover from an infection, even if it’s reputational damage, than it would to educate their employees.

We see the larger firms now starting to invest more money in preventing threats. They’re beginning to see the value of what that training can do.

Some firms have gone so far, and I think this is good, as to test their employees by sending intentional phishing messages to see how many people click on what. Employees are then scored and the firm uses those scores to evaluate whether certain employees need one-on-one education.

CSLR:  Are there any other important security measures that firms should be taking?

Simek:  Patching vulnerabilities and updating are two important measures. The number one reason that firms get compromised is they are not applying patches. When you don’t patch your operating systems or your software, you’re susceptible. It doesn’t cost much to do that.

The second reason is use of outdated software. Firms don’t want to spend money to update and this makes them vulnerable to attacks. They’re still running Windows XP, which is not supported. They’re still running Internet Explorer. Internet Explorer 10 and below are no longer supported. I don’t know if a lot of law firms know that yet. There was an article several years ago in The New York Law Journal that said that continued use of Windows XP is unethical. So, firms have to upgrade their software and they have to spend money to do that.

CSLR:  What should clients expect from a law firm and would you say that client expectations are a driver for change?

Simek:  Client expectations are definitely a driver. Law firms would be reluctant to spend money on security unless clients were expecting it. The firms that are more advanced with security and related certifications will even use that as a marketing plug.

We are starting to see clients hand prospective or current firms an IT security assessment, or some sort of questionnaire, and ask them to complete and submit it as a condition of their provision of legal services to the company. Depending on the client or the firm, the client may require an independent third-party audit.

So yes, definitely, it’s the clients that are driving change and enforcing it primarily through these audits.

[See “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties” Part One (Apr. 8, 2015); Part Two (Apr. 22, 2015).]

CSLR:  Are companies treating law firms like any other third-party vendor in terms of the security audit or vetting questionnaire?

Simek:  It depends, I think, on the industry and who the client is. The questionnaire or audit can be very targeted, and maybe even more stringent, for law firms because the data that companies are giving to the law firm may be extremely valuable. This is not payroll data. This is not somebody that’s just cranking out W2s for the company, for instance. This is patent information, merger and acquisition information and other confidential data. Depending on the value of the information, the client may be a lot harder on the law firm than they would on some other third-party provider.

CSLR:  How does the completed questionnaire or audit get used by the client and/or the law firm?

Simek:  The results of the audit might demonstrate to the law firm that it is deficient in certain areas of security and it might then communicate its plan to remedy those deficiencies to the client. Especially if it’s a larger client, firms want to do what they can to keep them.

CSLR:  What certifications should law firms have in place?

Simek:  I think it depends on the size. Big firms are obtaining ISO [International Standards Organization] 27001 certification, which costs a lot of money and takes a lot of time. The mid to smaller firms are not going to be able to afford to do that but there are other things that they can do, like self-certification. NIST [National Institute of Standards and Technology] has small business standards that firms can follow, which will at least help assess their infrastructure, and whether they have any weaknesses and whether the assistance of a third-party is needed.

CSLR:  Is data security handled differently depending on practice area?

Simek:  It can be. It depends on the value of the data. Whether it is a law firm or a corporation, a risk assessment needs to be conducted to determine the value of the data being held and the risk of losing it. That information will define how much the firm is going to spend or what efforts the firm is going to make to protect the information or mitigate risk.

CSLR:  When is it appropriate for lawyers to use encryption in their communications?

Simek:  We’re at the stage now where every lawyer should at least have encryption capability, which includes the ability to encrypt communications and the ability to encrypt data at rest (for instance, when putting data on a flash drive).

Encrypted communication is easier today than it used to be. There are now many services that actually manage the encryption communication mechanism. Voltage and Zix are two such services. It can be as simple as clicking on a button in Outlook that says “Encrypt and Send.”

To save money, we advise smaller firms that only need to communicate in encrypted form once in a while to put the confidential information into a Word document, and then password protect that Word document. The password protection encrypts it. This can also be done using Adobe Acrobat or a WinZip file. The confidential information can then be sent as an attachment, and a separate communication would be used to transmit the password.

Firms that receive medical information or PII that falls under HIPAA may use Zix, but they can have the filter set to recognize any medical information or PII content, and then the service will automatically encrypt that message to send it.

CSLR:  Are clients being more selective about the data that they’re giving to the law firms in the first place?

Simek:  Not really. They’re not withholding the data. They’re just asking and making sure that the law firm is prepared to receive it and to properly protect it. Absent that assurance, there’s the likelihood the client will find another law firm.

CSLR:  What types of remote access or mobile device policies should law firms have in place?

Simek:  For anything related to the data the firm holds or the firm’s infrastructure, employees should know what is expected of them, what they should do, what they are allowed to do, and within what boundaries. This would require policies on remote access, computer usage, social media, internet usage, email, bring your own device, bring your own network and bring your own cloud.

The necessary policies are unique for every firm depending on the type of practice and type of attorneys. There is no template. To be effective, the policies need to be customized for every firm.

[See “How to Reduce the Cybersecurity Risks of Bring Your Own Device Policies” Part One (Oct. 14, 2015); Part Two (Nov. 11, 2015).]

CSLR:  What is the biggest challenge you face when you are asked to respond to an incident?

Simek:  Capturing data. The number one thing that we run into when we respond to these things is that there is minimal logging, if any, going on. Nobody had the foresight to configure their devices or their systems to capture information on an ongoing basis. That’s a killer for the investigations.

CSLR:  Why are lawyers or firms not configuring their devices or systems to capture information?

Simek:  Because the default is not to. All these devices, systems and applications have the ability to capture information but it’s not turned on by default.

CSLR:  In the event of a security incident, when and how should a law firm contact its clients?

Simek:  You just hit on a real touchy nerve. If you ask a lawyer or a managing partner, they’ll say they never want to tell the clients. However, 47 states have data breach notification laws. The unfortunate part is that most lawyers don’t want to conform to them, even if they’re legally bound to. They’re also ethically bound to notify clients of a data breach.

But whenever a law firm gets breached, the argument I always get is “Well, but we don’t know with 100% certainty what data was accessed.” Yeah, that’s true. You don’t know with 100% certainty, but you’ve got a pretty good idea. And in some cases, when there is notification of clients, the clients aren’t anxious for the breach to be made public.

In some instances, the client will insist on contract terms that set forth the number of days or hours within which they should be notified of an incident.

[See “Synthesizing Breach Notification Laws in the U.S. and Across the Globe” (Mar. 2, 2016).]

CSLR:  Have clients and law firms been able to get to a place where both sides are comfortable on the data security issue?

Simek:  It has been a wake-up call for a lot of firms. We are seeing firms use client surveys and audits to detect and remedy security deficiencies. By doing that, they are maintaining client relationships.

© 2015 – 2016 The Cybersecurity Law Report. All rights reserved.




FTC Commissioner Julie Brill Joins Hogan Lovells

Hogan Lovells announced that Julie Brill, a Commissioner at the U.S. Federal Trade Commission (FTC), will join the firm’s Washington, D.C. office as a partner and co-director of the Privacy and Cybersecurity Practice on April 1. Her FTC service will conclude on March 31.

As co-director of the Privacy and Cybersecurity practice, Brill succeeds co-director and founding partner Christopher Wolf, who will transition to a senior status at the firm. She will be joined in leadership with Marcy Wilder, co-director of the Privacy and Cybersecurity practice; Harriet Pearson, leader of the firm’s Cybersecurity Solutions Group and Cyber Risk Services business unit; and Eduardo Ustaran, a partner in the firm’s London office, and leader of the firm’s European data protection practice.

“Julie’s keen intelligence and reservoir of knowledge about privacy and data security law, combined with her commitment to consumer privacy, make her a natural leader for our privacy practice,” the firm said in a release. “She is renowned as a global leader in privacy law and public policy, and is widely-recognized for her distinguished work at the FTC. We are confident she will build upon her years of experience to provide exemplary client service and practice leadership.”

Brill was appointed to the FTC by President Obama and unanimously confirmed as a commissioner in 2010.

Prior to serving on the Commission, she was an Assistant Attorney General in North Carolina and Vermont for more than 20 years. Before joining the Vermont Attorney General’s office, she was an associate at a New York law firm.

Brill earned her B.A. from Princeton University magna cum laude, and her J.D. from New York University School of Law, where she had a Root-Tilden Scholarship for her commitment to public service.




Hillary Clinton Says She Won’t Be Indicted Over Emails. Is That Right?

In last night’s Democratic debate, Hillary Clinton dismissed a question about whether she would resign if indicted for mishandling classified information, saying “Oh for goodness … that’s not going to happen. I’m not even answering that question.”

A report by Christian Science Monitor staff writer Peter Grier addresses the question: Is Clinton right to be so dismissive?

“On the one hand, the FBI investigation of the issue could be a shield for Clinton,” Grier writes. “If she isn’t indicted, she can use that fact as an all-purpose dismissal. Something along the lines of, ‘The feds found no problem here, so move along, move along.’ ”

But Republicans will keep the issue alive, he adds, pointing to two new lawsuits seeking access to Clinton’s State Department communications.

Read the article.

 




Apple’s Angry Response to the Department of Justice: A ‘Cheap Shot’ That’s ‘Intended to Smear the Other Side’

The U.S. Department of Justice filed a legal response on Thursday to Apple’s refusal to help the FBI unlock an iPhone used by one of the San Bernardino shooters, and Apple quickly responded, with general counsel Bruce Sewell delivering a tense and angry response in a conference call with reporters, reports Business Insider.

Sewell called the DOJ response a “cheap shot” and said that its tone “reads like an indictment.”

He was responding to the DOJ’s claim that “Apple’s rhetoric is not only false, but also corrosive of the very institutions that are best able to safeguard our liberty and our rights … .”

Read the article.