
Cyber Security and Data Privacy

Gibson Dunn & Crutcher LLP just published a very sobering article on this topic.  The article is entitled “Cyber-security and Data Privacy Outlook and Review: 2013,” and it is probably one of the most comprehensive reviews on the status of lawsuits, regulatory changes, and breaches I’ve read to date.  It’s guaranteed to make you wince.  The good news — maybe I should say the only good news — is that this arena has the potential to create lots of opportunities for lawyers.  Work abounds in class actions, defense, regulatory compliance, security audits and policies, trade secret protection, and white collar crime, to name but a few.

Just to give you an idea of how bad a year 2012 was in terms of security, here is a brief excerpt:

Data breaches continue to grow in both number and scale. This past year saw major hacks at Zappos (24M customer accounts), Stratfor (private U.S. intelligence firm; 5M e-mails), Global Payments (1.5M credit card numbers), LinkedIn (6.5M passwords), eHarmony (1.5M passwords), Yahoo (0.5M passwords), Nationwide Mutual (1.1M customer accounts), and Wyndham Worldwide (600K credit card numbers). According to industry reports, this past year saw a sharp increase in browser-related exploits, such as luring an individual to a trusted website that has been infected with malicious code. Using browser vulnerabilities, attackers can install malware on the target system. In addition, the rise of “bring your own device” policies in the corporate world has led to security challenges for organizations. For example, many large organizations reported that security breaches were caused by their own staff, most commonly through ignorance of security practices.

This past year saw a dramatic increase in the number of breaches from state and local governments. Leading the pack was the South Carolina Department of Revenue, where an employee fell for a phishing e-mail that allowed hackers to steal 75GB of data containing the social security numbers, credit cards, and bank account information for 3.8M residents. The data also contained information about 700,000 businesses. The governor faulted outdated IRS standards, which did not require social security numbers to be encrypted. Another major hack affected the New York State Electric & Gas Company, in which 1.8M customer files were stolen that included social security numbers and some financial information. Investigations of the hack faulted out-of-date data security standards. Other notable breaches occurred at the California Department of Social Services (700K employees’ payroll information), Utah Department of Health (780K citizens’ health information), and the California Department of Child Support Services (800K health and financial records). Many of these attacks could have been prevented by following up-to-date security standards.

No wonder President Obama signed an executive order on February 12, 2013, seeking to strengthen the cyber security of critical infrastructure, by directing the development of a public-private sector cyber security framework, and increasing information sharing between the public and private sector.  If you’ve been following my blog, you’ve read my previous posts “Another Cyberattack on a Major U.S. Bank;” “Cyberattacks on U.S. Banks — Are You Safe?;” “Beware Email Messages from Facebook Friends;” and “Trojan Infects 260,000 Android Devices” to name just a few.

It’s a very dangerous computing world.  That means you have to keep up to date on developments.  You need to keep your software updated to plug security holes as they’re discovered.  You need to actually use your shredder.  You need to avoid using public WiFi for accessing confidential information.  You have to train your employees not to click on links or email attachments which are unexpected, regardless of the source.  You should encrypt your laptop hard drive, and use a boot password too.  You should be sure you have enabled the ability to remotely wipe the data from your smartphone before you put anything on there.  This is just a start off the top of my head.  If you’re not already doing all these things, or if you don’t even know about some of these things, perhaps your starting point should be a simple security audit by a qualified vendor.

ABA TechShow – Ready and Waiting

The American Bar Association’s TechShow is THE place to be if you want to get up to speed on the latest gizmos,  trends and technologies deployed by law firms.  I look forward to it each year.

I arose early this morning after a scant 1.5 hours of sleep — trying to clean up client work before departure — to make my way to Philly airport to catch a flight to Chicago. My suitcase came in at 48.5 lbs out of an allowable 50 lbs before a hefty $$ penalty applies.  So much for my usual practice of grabbing all the vendor “swag” I can fit into my suitcase.

The windy city has not disappointed thus far.  Sunny, crisp breeze, moderate temperature, and a lovely room at the Hilton on Michigan Avenue.  En route from airport to hotel, I had a delightful cab ride with a Nigerian driver who spoke beautiful English.  The accent is surprisingly similar to Jamaican.  Turns out he has his Masters in Psychology from St. Joseph’s in my neck of the woods, but couldn’t get the job he wanted, and wasn’t earning a decent wage with what he could get.  So he decided to drive cabs instead, and relocated to where he could earn the best money doing it.  He is working hard to earn enough to bring over his wife and baby daughter.  He couldn’t wait to show me pictures.  Maybe it was a ploy to increase his tip, who knows, but it was a great chat nonetheless.

So I’m unpacked, and awaiting the start of my annual update on everything related to law firm technology.  I’m especially looking forward to sessions on mobile apps, courtroom technology, Windows 8, security,  and more.    Some people come to the show to get a break from the office.  They spend as much or more time with local entertainment as they do in class.  Not me.  I take my educational opportunities very seriously.  There won’t be a timeslot that doesn’t have me in a class.  Class-free  breaks will have me going from booth to booth in the extensive exhibit hall, to see first-hand what’s new, and familiarize myself with vendors new to the marketplace.

This year my stay is much more comfortable thanks to all my personal tech.  Let’s start with my high quality and very small pop-up portable stereo speaker, all the great tunes I put on my iPhone, and the multi-plug electrical cord I brought which makes it possible to plug everything in conveniently right on the night table.  No more taking turns in charging iPhone and iPad.  No more running across the room when the phone rings while being charged.  And I can leave my laptop in the room, and just carry my itty-bitty iPad around, using the convenient app to review handouts, make notes in sessions using the portable Bluetooth keyboard, keep track of which sessions I intend to attend, and even locate the next classroom on the map.

Stay tuned.  It’s going to be an exciting week.

BlackBerry Z10

In the past, I only used and recommended BlackBerry mobile phones for business use, because of the better security and business apps.  That was until I threw my 3rd BB out of the window of a moving car!  There have been just one too many frustrations with synchronizations gone awry and corrupting my dataset, an inability to respond to “dial by name” menu choices on telephone systems, and all too frequent inexplicable freeze-ups.  One day it froze up and frayed that final nerve.  I rolled down the window, and took great satisfaction in throwing it out.  My husband was astounded.  “You didn’t really do that, did you?”  By then my blood pressure was immeasurably lowered, my reptile brain gave way to rational thought, and I responded, “Yep, can you pull over?  I need to retrieve it and wipe the confidential data.”  After the data was wiped I put on glasses, took out my mallet, and gave it a sound and very satisfying whack.  It feels good just remembering it.

A lot of time has passed since then.  I became an iPhone user.  Now, let me assure you that I’m not one of those MAC-head fanatics.  In fact, I don’t even own an Apple computer.  But I DO have an iPad which I adore.  Here’s the thing about the iPhone.  It works.  Simply, intuitively (for the most part) it just works.  I’ve never had a synching issue.  I have had to reboot about 3 times in 5+ years, which has included 2 different models.

Using the touch screen for typing took some time to get used to.  Mostly that’s because of my beautiful long fingernails.  Great for hard keys, but impossible for soft keys which require heat from a fingertip.  It’s like trying to walk on stilts — my actual fingers are about 1/2″ away from the screen at all times.  I had to learn to use a stylus or the side of my fingers.  But aside from that, I have to say my experience has been great.  I even catch an occasional episode of my beloved HGTV on it when I am having lunch alone on the road.

The apps are all-inclusive in terms of what is available; virtually anything you can ask for.  Most are high quality, at least of the ones I have used.  So my long-term relationship with Apple has been very productive and pleasant thus far.  Yet . . .

There’s the new BlackBerry Z10.  Thus far it is disappointing analysts in numbers.  That’s because the market now has another major player in the form of Android, which makes a lot of other phones more desirable.  I predict that Android will eventually dominate the market in terms of operating system.  Windows has also started to take a bite out of the marketplace.  So the BlackBerry has lost a lot of momentum, and faces stiffer competition than before.  Yet . . .

BlackBerry Z10 is now marketing itself not as a business tool, which was always their niche.  They are marketing the BB-Z10 as “Fun re-invented.”  Huh?  BB was never known for being fun.  The Z10 features stuff like Time Shift for photograph improvement, and Video calls with Screen Share for on-the-fly face-to-face communications with sharing of documents and photos.  These are some seriously Apple-like innovations.  So UN-businesslike, and it looks easy.  (Look being the operative word!)  Who knows what the future holds?  It’s worth a look, and maybe more thought.  Wish I could take a test drive.

Technology Inches into the Sixth Circuit

The Sixth Circuit issued a new policy on the use of electronic devices by counsel during oral argument.  Prior to the policy, the Sixth Circuit generally prohibited the use of any electronic devices at oral argument.  A recent Squire Sanders blog post by Pierre Bergeron entitled “Sixth Circuit Issues Policy on the Use of Electronic Devices During Oral Argument” provides details and a link to the new policy.

I recall presenting “High Tech Courtroom Presentation Tools” for the first time at a Bench Bar Conference, about 10 years ago.  The entire front row of the audience was occupied by the judicial members of the county.  One of their hands went up in the first five minutes, with a comment “I would never allow any of this stuff you’re going to talk about to be used in my courtroom!”  I was a little shocked, but managed to ask that the opinion be restated at the conclusion of the presentation.  I guess I did a good job satisfying concerns regarding Rules of Evidence, because at the end, most of the judicial members said they would consider allowing use of electronic exhibits.

Lawyers have always been slow to embrace technology.  I never realized the courts were even further behind.

Computer Security Alert: Protect Your PC From a Data Dump

A data what?  Yep, you  heard it right.  There’s a new computer security threat afoot which can fill your hard drive in seconds.

This new threat was just reported in BBC News: Technology.  According to the report, the vulnerability has been created by a loophole in the programming of HTML5.  Most websites are currently built using version 4 of the Hypertext Markup Language (HTML), but that code is gradually being upgraded to the newer version 5.

One big change brought in with HTML5 lets websites store more data locally on visitors’ PCs.  Based on one’s browser, there is a limit of how much data can be placed on your PC.  However, the loophole is enabled by a software routine which endlessly creates new, linked websites, enabling each to dump huge amounts of data onto a target PC.  Oh, and did I mention that the actual creation of the linked websites, and data dumping takes place literally in seconds?

What data will it dump?  Well, it could be pictures of cartoon cats, as done in the demo created by developer Feross Aboukhadijeh, the discoverer of the loophole.  According to the news report, in one demo Mr Aboukhadijeh managed to dump one gigabyte of data every 16 seconds onto a vulnerable MacBook.

Most major browsers, including Chrome, Internet Explorer, Opera and Safari, were found to be vulnerable to the bug.  Only Mozilla’s Firefox capped storage at 5MB and was not vulnerable.
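The quota mismatch described above, as an added example that is not from the BBC report or from Aboukhadijeh’s demo: a small Node.js model of how a browser accounts for local storage, once keyed per origin (so every freshly created subdomain gets its own allowance) and once keyed per registrable domain, the kind of grouping that keeps one site’s total bounded no matter how many subdomains it spins up. The 5MB cap is the Firefox figure quoted above; the hostnames, the toy public-suffix list and the 1MB write size are constructed for the simulation, and nothing is written to any real browser.

```javascript
// Added example: a toy model of browser local-storage quota accounting.
// Per-origin accounting (the model the report describes) versus per-site
// accounting (all subdomains of one registrable domain share a bucket).
// Hostnames, suffix list and sizes below are constructed for the simulation.

const QUOTA_BYTES = 5 * 1024 * 1024;  // 5MB cap per bucket (the Firefox figure in the post)
const CHUNK_BYTES = 1024 * 1024;      // size of each simulated write
const PUBLIC_SUFFIX = new Set(['com', 'example', 'co.uk']); // toy stand-in for the Public Suffix List

// Registrable domain = public suffix plus one more label (s1.evil.example -> evil.example).
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIX.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return labels.join('.'); // no known suffix: treat the whole host as the site
}

// Quota manager: keyFn decides what counts as "the same bucket".
class StorageQuota {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.used = new Map(); // bucket key -> bytes stored
  }
  write(host, bytes) {
    const key = this.keyFn(host);
    const current = this.used.get(key) || 0;
    if (current + bytes > QUOTA_BYTES) return false; // the browser refuses the write
    this.used.set(key, current + bytes);
    return true;
  }
  totalBytes() {
    let total = 0;
    for (const v of this.used.values()) total += v;
    return total;
  }
}

// A page that keeps opening fresh subdomains of one site, each writing until refused.
function simulateDump(quota, site, subdomainCount) {
  for (let i = 0; i < subdomainCount; i++) {
    const host = `s${i}.${site}`;
    while (quota.write(host, CHUNK_BYTES)) { /* keep writing until the quota says no */ }
  }
  return quota.totalBytes();
}

// Run the same write pattern against both accounting models and report the totals.
function compareModels(subdomainCount, site = 'evil.example') {
  const perOriginBytes = simulateDump(new StorageQuota(h => h), site, subdomainCount);
  const perSiteBytes = simulateDump(new StorageQuota(registrableDomain), site, subdomainCount);
  return { perOriginBytes, perSiteBytes };
}

const result = compareModels(1000);
console.log(`per-origin accounting: ${result.perOriginBytes / (1024 * 1024)} MB stored`); // 5000
console.log(`per-site accounting:   ${result.perSiteBytes / (1024 * 1024)} MB stored`);   // 5
```

With a thousand subdomains the per-origin model lets the site park about 5GB on the visitor’s disk while honouring its 5MB rule for every single origin; the per-site model stops at 5MB total, which is the property a browser’s quota design needs to have for the cap to mean anything.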

What can / should you do?  Well, this has been reported, and is being worked on.  Your number one defense is to have a back-up emergency boot disk, so that if your hard drive is crammed with cr*p, you can still boot your computer.  You also need to have a good solid back-up, so that you can restore your software and documents after you reboot.

If you use one of the impacted browsers on either Mac or PC platform, you may want to make sure that your anti-virus software is set to scan sites for malicious code before you actually connect.  There is no mention in the report as to whether this is detectable, so I can’t say for sure it will protect you.  But it’s worth a try, and it’s always a good idea anyway, since malicious code can be placed on just about any web site.  Last, stay away from web sites which are known to harbor nasty stuff, like file and music sharing and game sites.  At least until you’ve heard this problem is resolved.

Beware: Office 2013 Has NON-Transferable License

Normally Microsoft Office software is transferable from one computer to another, as long as it is uninstalled on the old computer.  No more!  Is MS really this greedy, that they would make you buy new software every time you replace a computer?  Apparently, yes.

Thanks to Woody’s Office Watch — to which I have subscribed for years — I have been alerted that the Software License Agreement (SLA, the newer name for the EULA, or End User License Agreement) has changed substantially for Office 2013.  And according to Office Watch, the change is fairly well hidden.

Here is the relevant language Office Watch cited in the SLA:

How can I use the software?

We do not sell our software or your copy of it – we only license it. Under our license we grant you the right to install and run that one copy on one computer (the licensed computer) for use by one person at a time, but only if you comply with all the terms of this agreement. Our software license is permanently assigned to the licensed computer.

or

Can I transfer the software to another computer or user?

You may not transfer the software to another computer or user.

It’s the same wording for both Retail and OEM copies of Office 2013. OEM copies are sold, usually pre-installed, on new computers.

Not satisfied?

The retail boxes of Office 2013 that we’ve seen include only the phrase ‘1 PC’ which is strictly true but doesn’t tell the whole story. We wonder if any ‘Fair Trading’ or consumer protection agency is prepared to take on Microsoft about the lack of clear disclosure of the changed terms?

Amazon is more careful about disclosing the Office 2013 terms. One of the bullet point ‘Product Features’ is:

One time purchase for the life of your PC; non-transferrable

Before concluding this post, and to satisfy myself, I went to the Microsoft Office site.  I searched for the SLA but could not find it so I used their live Chat feature.  The assistant in their online store was kind enough to find me the link so I could download a copy of the SLA and read it myself.  The language is identical to what appears above.  So before you plunk down your hard-earned dollars, be sure you understand what you are paying for.  Because if you buy the software figuring you will just reinstall it on your new computer the next year, you may be in for a nasty surprise.


Review of Changes in Latest Apple iOS

One of my favorite blogs is iPhone J.D.  It’s the place to turn to for all things Apple, related to the use of the iPhone and iPad by lawyers.  Their recent blog post, “Apple Releases iOS 6.1” covers every change in the update, with clear screen shots and explanations.  It’s everything you want to know, and more, clearly written.

Another Cyberattack on a Major U.S. Bank

Citizens Bank of PA has been hit by cyberattacks, according to an article in Philadelphia Business Journal.  In keeping with my previous post on this topic, “Cyberattacks on U.S. Banks – Are You Safe?” these attacks are still being blamed on Iran, despite their continued denial of involvement.

Thus far the financial institutions have spent millions trying to shore up their security and ward off attacks.  At this point, they are requesting assistance of the U.S. government, according to an article in the Wall Street Journal.  This is significant, coming from an industry which flatly rejected the imposition of security measures previously.

Cyberattacks on U.S. Banks – Are You Safe?

McAfee warned of this months ago, and their predictions are coming true.  U.S. banks are under attack.  As are some cloud providers, for that matter.  The attacks are more massive and organized than ever before.  An article in CNet News on December 13, 2012 revealed that a report released by McAfee Labs predicted an impending attack on U.S. financial institutions — dubbed Project Blitzkrieg — was a “credible threat.”

Project Blitzkrieg is believed to be headed by an individual known as vorVzakone, according to McAfee. In September, vorVzakone announced a massive fraud campaign to be launched against 30 U.S. banks in spring 2013. VorVzakone also put out a call to arms for fellow hackers to join his cause. The attacks are said to be done with a highly developed Trojan that could infect victims’ computers, plant software, and allow cybercriminals to steal information and money.

Rather than being a sweeping attack, McAfee said the campaign will selectively target accounts at investment banks, consumer banks, and credit unions. Going after selected groups makes it easier for vorVzakone to stay under the radar and not be detected by network defenses, according to McAfee.

The attack was expected to hit hard in spring 2013.  But it looks like plans have moved up a bit.  And are not being executed as predicted.  A January 10, 2013 article in the Philadelphia Business Journal carried the title “PNC, Wells Fargo Cyberattacks Work of Iran, U.S. Believes.”  The real story is based on a January 8, 2013 article in the New York Times entitled “Bank Hacking Was the Work of Iranians, Officials Say”:

But there was something disturbingly different about the wave of online attacks on American banks in recent weeks. Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.

The skill required to carry out attacks on this scale has convinced United States government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States.

Since September, intruders have caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC.

A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed in online posts that it was responsible for the attacks. . . . But American intelligence officials say the group is actually a cover for Iran. They claim Iran is waging the attacks in retaliation for Western economic sanctions and for a series of cyberattacks on its own systems.

Iranian officials emphatically deny any connection with the attacks.  However, the attackers allegedly stated last week that they had no intention of halting their campaign. “Officials of American banks must expect our massive attacks,” they wrote. “From now on, none of the U.S. banks will be safe.”

I don’t know what I believe about who or what is behind these attacks.  I do believe that the threat, no matter the source, is very real.  Thus far there has been no theft; simply a consistent disabling of the banks’ ability to service online customers.  However, I have no doubt that this is camouflage designed to distract security professionals from the eventual real consequences of these attacks, which have the potential to create havoc with assets of individuals and businesses.

What do you need to do? 

  1. Be mindful of the insurance limits which apply to all of your combined accounts.  (Excluding IOLTA.  See “Unlimited FDIC Insurance on IOLTA Accounts Due to Expire” for further details about this issue.) 
  2. Make sure that you are not dependent on online banking for essential transactions.  Even if you do your deposits and bill paying remotely, have good old-fashioned deposit slips and checks handy. 
  3. Be sure you print out your monthly statements if you do electronic review.  You may need to access your information quickly at a time when your financial institution is trying to clean up a mess.  Those with an audit trail of their own will always fare better.
  4. Be careful about where you conduct your business.  Never log onto your secure encrypted accounts from a public computer, or over a public WiFi connection.
  5. If you don’t have a password on your smartphone, netbook and/or tablet, put one on immediately.  Yes, I know it’s a pain that after 3 – 10 minutes of idle time you have to put in a password to resume work.  On the other hand, no one can pick up your device when you’re not looking, and find your autologin information for your bank!
  6. Be especially wary of any so-called email communications from your banking institutions asking you to log on and reset your password, enter your SSN, or other sensitive information, and especially if they provide you with a link to do so.  Verify the legitimacy of the request by calling the institution on the phone before clicking on the link.  Nowadays sophisticated fraudsters create web sites that are so close to the real thing it can fool most people into entering sensitive information.
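Item 6 above, as an added example that is not part of the original post: a small Node.js check that looks at where a link in a message really points before anyone clicks it. It assumes a short allowlist of the domains the reader actually banks with; the bank and attacker hostnames and the sample links are constructed, and the registrable-domain shortcut (last two labels) stands in for a proper Public Suffix List lookup.

```javascript
// Added example: triage the links in a "reset your password" message before clicking.
// Allowlist, hostnames and sample links are constructed for illustration.

// Domains the recipient really banks with (assumption: maintained by the user or firm).
const TRUSTED_BANK_DOMAINS = ['examplebank.com'];

// Registrable-domain shortcut: last two labels. A real check would use the
// Public Suffix List so that hosts such as bank.co.uk are handled correctly.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Decide whether a link's real destination matches what the message implies.
function classifyLink(linkText, href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { verdict: 'malformed', reason: 'href is not a valid URL' };
  }
  const host = url.hostname.toLowerCase();

  // "https://examplebank.com@evil.test" puts the bank's name in the userinfo part,
  // but the browser connects to evil.test.
  if (url.username) {
    return { verdict: 'suspicious', reason: `credentials before the host; real host is ${host}` };
  }

  // If the visible text is itself a URL, it must point where the href points.
  let shownHost = null;
  try { shownHost = new URL(linkText).hostname.toLowerCase(); } catch (e) { /* plain text, not a URL */ }
  if (shownHost && shownHost !== host) {
    return { verdict: 'suspicious', reason: `text shows ${shownHost} but link goes to ${host}` };
  }

  if (url.protocol !== 'https:') {
    return { verdict: 'suspicious', reason: `not HTTPS (${url.protocol})` };
  }

  const site = siteOf(host);
  if (!TRUSTED_BANK_DOMAINS.includes(site)) {
    // "examplebank.com.account-verify.test" or "examplebank-secure.test" reuse the bank's name.
    const lookalike = TRUSTED_BANK_DOMAINS.some(d => host.includes(d.split('.')[0]));
    return { verdict: 'suspicious', reason: lookalike ? `lookalike host ${host}` : `unknown host ${host}` };
  }
  return { verdict: 'ok', reason: `host ${host} belongs to trusted site ${site}` };
}

// Constructed links of the kind that turn up in such messages.
const SAMPLE_LINKS = [
  { text: 'Log in to Example Bank', href: 'https://online.examplebank.com/login' },
  { text: 'https://online.examplebank.com/reset', href: 'http://examplebank.com.account-verify.test/reset' },
  { text: 'Verify your account', href: 'https://examplebank.com@evil.test/verify' },
  { text: 'Update SSN', href: 'https://examplebank-secure.test/ssn' },
];

// Classify every link and keep the original text/href beside the verdict.
function triage(links) {
  return links.map(l => ({ text: l.text, href: l.href, ...classifyLink(l.text, l.href) }));
}

for (const r of triage(SAMPLE_LINKS)) {
  console.log(`${r.verdict.padEnd(10)} ${r.href}  (${r.reason})`);
}
```

Only the first sample link survives; the other three are flagged for exactly the tricks the post warns about: a real-looking URL in the link text that goes somewhere else, the bank’s name smuggled in before an `@`, and a hostname that merely contains the bank’s name. A phone call to the institution remains the decisive check; this just tells you which links deserve that call.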

These are just a few quick thoughts to get this issue on your personal radar screen.  I encourage you to add your thoughts in terms of what we need to do to protect our firms, ourselves, and our clients.

VoIP — Call Quality is Key

Not all VoIP telephone systems deliver the same sound quality.  That’s OK if you’re using it to talk to family members and friends around the country or across the globe.  Choppy connections with dropped words, noise on the line, echoing, and outright disconnections can be common with a low-quality system.  But heck, when you’re paying a low monthly fee for all-you-can-eat calling, you simply endure, or hang up and redial.  No big deal. 

On the other hand, when you’re using your VoIP telephone system to connect with clients, prospects, peers and referral sources, poor quality is decidedly not fine!  Put another way, if a client asks if you’re calling from a submarine, that’s a clue that sound quality is an issue.

Back in August, I announced that I had won a new telephone system in a post uncreatively titled “We Won a New VoIP Telephone System!!!”  I promised to report regularly once cutover happened.  There were some delays before that actually happened.  The telephones which were to be deployed were a new model.  It took  much longer than anticipated for them to get shipped.  But the wait seemed worth it, based on some of the anticipated features available.  But when they finally arrived, the provider could not get them properly configured and working reliably, and refused to send them to me knowing they were imperfect. 

What a welcome change from the experience most consumers have today.  Admit it, you know you’ve been the beta site for more than one device or software package.  Sure, the vendor knows it won’t work right.  But that doesn’t stop them from delivering it to you, in exchange for your hard-earned dollars, and then trying to work through it on your dime.  Meanwhile, you endure the hiccups.  So while it was annoying to wait so long, I was actually relieved to hear that a different manufacturer and model was going to be deployed, because its track record was that it worked reliably.  And in fact it did.

The first thing which was clear upon installation — crystal clear, in fact — was the sound quality of each call.  The previous system suffered from choppy calls, dropped calls, and bathyspherish sound and echoing.  But those were “distinct” experiences, meaning not on every call.  I thought the calls which did not have any of these issues were decent.  I heard the person on the other end, and they heard me.  However, when I compare the sound quality of the former system with that of the current system, there is just no comparison at all.  It’s like comparing the sound from a Bose headset to a cheap <$20 headset from the local big box store.  They’re not in the same class. 

The clarity of sound on virtually every call is startling.  I never thought that there could be such a significant, noticeable difference.  I was wrong.

First, it’s a full-duplex conversation, meaning that sound can go in both directions simultaneously.  Most telephones operate in half-duplex mode.  That means that sound can only travel in one direction at a time.  If you’ve ever found yourself screaming into the phone because the other person keeps talking on and on and you’re trying to comment, but they can’t seem to hear you, you’ve experienced the joy of half-duplex.  And even if you have a full-duplex conversation through your handset, in all likelihood when you use the telephone’s speaker, you are in half-duplex mode.  (Most firms buy a Polycom or similar equipment for conference rooms in order to get a full-duplex conversation.)  Imagine having full-duplex all the time.

But the clarity isn’t just about full versus half duplex.  It’s about the elimination of noise on the line, echo-cancellation, and so forth.  This vendor is using a router which enables them to constantly monitor the quality of the connection, and make adjustments automatically.  I’m convinced that this higher quality router is a key to consistent quality.

I’m not sure that I mentioned yet who my new telephony provider is.  So let me introduce you to Alteva.  I’ll have a lot more to say in the coming weeks and months.
