Security

Two Out of Three Companies Haven’t Reviewed Their Breach Preparedness Plans: Cybersecurity Trends

The singer Meat Loaf (real name Marvin Lee Aday) had a song once called Two Out of Three Ain’t Bad. Well, in this case, it is.  According to a new study, many companies haven’t updated their data breach plans since developing them, report a lack of adequate employee training on data protection, and still haven’t figured out how to guard cloud services and mobile devices.

As reported by Legaltech® News (Two Out of Three Companies Haven’t Reviewed Their Breach Preparedness Plans, Study Says, written by Sue Reisinger), a study of global companies also found that just over half of professionals believed their C-suite executives knew the company’s plan to deal with a breach.  The “Seventh Annual Study: Is Your Company Ready for a Big Data Breach?” was sponsored by Experian Data Breach Resolution and conducted by Ponemon Institute.

“I was surprised that two out of three respondents said they haven’t reviewed or updated their data breach preparedness plans,” said Michael Bruemmer, vice president of data breach resolution and consumer protection at Experian. “Preparedness plans can’t be a binder on a shelf that are not active and fluid plans. They should be reviewed and updated at least on a yearly basis.”

Bruemmer said a main takeaway from the report for general counsel is that “their clients are not preparing enough by practicing [data breach drills] and updating their response plans. They should work with clients to ensure this piece is a well-oiled machine.”

The study showed that 55% of respondents believed their C-suite executives knew the company’s plan to deal with a breach, but Bruemmer said the number should be higher. He recommended that general counsel make sure the CEO and C-suite “are knowledgeable and prepared for a data breach response. We have witnessed many leaders ill-equipped to handle the consumer response after a data breach.”

Here are some other notable study findings:

  • About 36% of respondents reported their organization had a ransomware attack last year with only 20% feeling confident in their ability to deal with it. The average ransom was $6,128 and 68% of respondents say it was paid.
  • Spear phishing attacks are pervasive, with 69% of respondents reporting one or more attacks and 67% saying the negative consequences of these attacks were very significant. Bruemmer called these threats “rudimentary at this point, and … a strong employee training program against these attacks [is] a must.”
  • Some 68% of respondents said their company has put more resources toward security technologies to detect and respond quickly to a breach. Still, data breaches are increasing, with significantly more organizations reporting data breaches than ever before. “Consequently, confidence levels among executives to thwart spear phishing and other common attacks have declined,” according to the report.
  • More organizations at 54% report they have a high ability to comply with the European Union’s General Data Protection Regulation, compared with only 36% a year ago.

You can download a copy of the study from the Experian web site here.

So, what do you think?  Are you surprised by any of these findings?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Image Copyright © Page Six

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

FBI Says Half of $3.5 Billion Cyber Losses in 2019 Were Due to Business Email Scams: Cybersecurity Trends

The FBI’s Internet Crime Complaint Center (IC3) reported that it received over 460,000 internet and cyber-crime complaints in 2019, which the agency estimates caused losses of more than $3.5 billion, the bureau wrote in its yearly internet crime report released earlier this month.  And, about half of that is due to BEC (Business Email Compromise), aka EAC (Email Account Compromise) crimes, which are sophisticated scams targeting businesses and individuals performing wire transfer payments.

This was reported by ZDNet (FBI: BEC scams accounted for half of the cyber-crime losses in 2019, written by Catalin Cimpanu – hat tip to Sharon Nelson of the excellent Ride the Lightning blog).

“At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception,” the FBI said back in 2017, when it started receiving an increased number of BEC scams reports.

A typical BEC scam happens after hackers either compromise or spoof an email account for a legitimate person/company. They use this email account to send fake invoices or business contracts. These are sent to employees in the same company, or upstream/downstream business partners.

The idea is to trick counterparts into wiring money into the wrong bank accounts.

BEC scams are popular because they’re (1) dead simple to execute, and (2) don’t require advanced coding skills or complex malware.  And, they pay BIG.  There were only 23,775 BEC victims last year, but they accounted for over $1.77 billion in losses for victims, which is an average of $75,000 per complaint.  Wow.  Here’s a breakdown of the loss amounts and victim counts by crime type over last year – as you can see, BEC crimes are almost four times as large as any other by total loss amount, but only sixth in total number of victims:

I wrote (almost to the day, no less) about an email I received last year that I suspect was a BEC scam that appeared to be from CloudNine’s co-founder Brad Jenkins.  But I could tell that it wasn’t because it was identified as an external email.  At CloudNine, we mark any emails coming from an external source to identify them as an external email, which is inserted into the received email to help recipients differentiate between real and fake CloudNine emails.  It’s easy to set up and an effective way to flush out those BEC scam emails.
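The external-email marking described above can be done at the mail gateway in a few lines. The following is an added Python example (not CloudNine's configuration or code); the domains, the directory entry and the two messages are constructed placeholders. Besides tagging the subject, it flags the more specific BEC pattern of a display name that belongs to someone in the directory arriving from an outside address:

```python
# Added example of gateway-side external-sender tagging; the domains, directory
# entries and messages below are constructed placeholders, not CloudNine's.
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"cloudnine.example"}        # the organisation's own domains (placeholder)
INTERNAL_DIRECTORY = {                          # display name -> real internal address
    "jane exec": "jane.exec@cloudnine.example",
}
EXTERNAL_TAG = "[EXTERNAL]"

def classify(raw_message):
    """Return the sender verdict and the subject line as the recipient should see it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    external = domain not in INTERNAL_DOMAINS

    # A display name that matches someone in the directory, arriving from an
    # external address, is the pattern worth escalating rather than just tagging.
    expected = INTERNAL_DIRECTORY.get(display_name.strip().lower())
    lookalike = external and expected is not None and expected != addr

    subject = str(msg.get("Subject", ""))
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"
    return {"external": external, "lookalike": lookalike, "subject": subject}

# Constructed sample messages (not real mail).
SPOOFED = """\
From: Jane Exec <jane.exec@mail-example.net>
To: accounts@cloudnine.example
Subject: Urgent wire transfer
Date: Tue, 18 Feb 2020 09:00:00 -0600

Please pay the attached invoice today.
"""

GENUINE = """\
From: Jane Exec <jane.exec@cloudnine.example>
To: accounts@cloudnine.example
Subject: Board deck

Draft attached.
"""

if __name__ == "__main__":
    print(classify(SPOOFED))   # external and lookalike, subject tagged
    print(classify(GENUINE))   # internal, subject untouched
```

One caveat: the tag only helps against spoofed or outside senders. A genuinely compromised internal mailbox (the "compromise" half of BEC) carries no tag, so payment or bank-detail changes still need verification over a channel other than the email that requested them.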

BTW, the map at the top shows the number of complaints by state and, as you can see, California was the only state with over 30,000 complaints (while Florida, Texas and New York had between 20,000 and 30,000).  But the map is a bit deceiving in this respect – California had 50,132 complaints last year, nearly double that of the next highest states (Florida and Texas, which tied at 27,178 complaints).  Ouch.

So, what do you think?  Do you know someone who has been victimized by a BEC scam?  Please share any comments you might have or if you’d like to know more about a particular topic.

Images Courtesy of 2019 FBI Internet Crime Report


How Long Will it Take to Crack Your Password?: Cybersecurity Trends

Have I mentioned lately how much I love an infographic?  Well, I do. And this latest infographic that I have come across – from a Facebook friend who is also a colleague nonetheless – is a great one to note when considering your own passwords.

As you can see from the infographic above, the size and composition of your password could dramatically affect how long it takes to crack the password.  For example:

  • If your password is numbers only, even an eight-digit password (that’s nearly 100 million number combinations) can still be cracked instantly;
  • Even if that numbers-only password is 14 digits long (that’s nearly 100 trillion number combinations), it only takes four days to crack a password of that size;
  • Want to use all upper and lower case letters instead? That will help somewhat, but a five-letter password can still be cracked instantly;
  • And a nine-letter password will still only take 4 days to crack;
  • Want to mix numbers and upper and lower case letters? You’d better use more than seven characters or it will take no more than 3 hours to crack your password;
  • Even with eight characters, it could still take as few as ten days;
  • If you add in symbols, then a seven character password could still take less than a day;
  • But, if you add an eighth character, that pushes the time up to 57 days. Add a ninth character? That pushes the time up to 12 years;
  • But, notably, size does matter – when it comes to passwords and other things. ;o)  An 18 number password still takes 126 years to crack, an 18 letter password takes a trillion years, an 18 number and letter password takes 374 trillion years and an 18 number, letter and symbol password takes 1 quintillion years!

Ain’t nobody got time for that!
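To show the arithmetic behind those figures, here is an added Python example (it is not from the infographic or from this post) that computes the keyspace for each character class and the worst-case time to exhaust it. The character-set sizes and the guessing rate of one billion guesses per second are assumptions; the infographic does not state its rate, so the absolute times differ from it, but the relationship it illustrates holds at any rate: each extra character multiplies the work by the size of the character set, and length outweighs character-set size.

```python
# Added example: keyspace and worst-case brute-force time for password classes.
# The charset sizes and the guessing rate below are assumptions, not figures
# taken from the infographic.

CHARSETS = {
    "digits": 10,                   # 0-9
    "letters": 52,                  # a-z plus A-Z
    "letters+digits": 62,
    "letters+digits+symbols": 95,   # printable ASCII, an assumed symbol set
}

ASSUMED_GUESSES_PER_SECOND = 1e9    # assumed offline cracking rate

def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

def seconds_to_exhaust(charset_size, length, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate in the keyspace."""
    return keyspace(charset_size, length) / rate

def human_duration(seconds):
    """Render a duration the way the infographic does ('instant', days, years)."""
    if seconds < 1:
        return "instant"
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def crack_table(lengths=(5, 7, 8, 9, 12, 14, 18)):
    """Rows of (charset name, length, keyspace, human-readable time)."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, keyspace(size, n),
                         human_duration(seconds_to_exhaust(size, n))))
    return rows

if __name__ == "__main__":
    for name, n, space, t in crack_table():
        print(f"{name:24} {n:2} chars  {space:>28,}  {t}")
    # Length beats character set: 18 digits outnumber 8 characters of the full set.
    print(keyspace(10, 18) > keyspace(95, 8))
```

The table is the worst case for an attacker who must try every candidate; a dictionary or rule-based attack against a human-chosen password finishes far sooner, which is why the keyspace figure is an upper bound on strength, not a guarantee.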

Interesting!  Of course, that’s one school of thought – here’s another, straight from the man who originally wrote password advice for the National Institute of Standards and Technology (NIST) and ultimately decided that advice was wrong.  And, here’s a case from last year involving a criminal defendant who used a 64-character password to protect his device!

As I mentioned, I got this infographic from a Facebook friend – Michael Potters, who is also the CEO and Managing Partner of the Glenmont Group.  It may be available in other places (not sure where it started), but I got it from Michael, so hat tip to him for the info!

So, what do you think?  Does this change your thinking about password creation?  Please share any comments you might have or if you’d like to know more about a particular topic.


How Many States Have Outlawed Ransomware? You May Be Shocked: Cybersecurity Trends

Care to hazard a guess?  Ten?  Twenty?  More?  Try TWO.  Maryland is currently considering a bill to become only the third state after Michigan and Wyoming, to criminalize the possession and distribution of ransomware.

As noted by Bitdefender’s Hot for Security blog (with hat tip to Sharon Nelson’s Ride the Lightning blog), the bill understandably makes exceptions for penetration testing, security researchers, and other legitimate reasons to own ransomware.

One motivating factor was surely the RobbinHood ransomware attack that hit Baltimore, Maryland’s largest city, on May 7, 2019. All administrative transactions, payments and communications were frozen after city officials refused to pay the attackers. It took them more than eight weeks to restore all systems.  Following the attack, Baltimore City’s board allocated $10 million to an emergency ransomware response to prevent similar attacks. When the dust settled, the city estimated recovery costs at $18 million.

The current law in Maryland specifies that a cyberattack that incurs damages of less than $10,000 is a misdemeanor and carries a punishment of up to five years in prison and a fine up to $10,000. If the damages pass the $10,000 mark, it turns into a felony, and the punishment goes up to 10 years in prison.  The bill would dispense with the damage thresholds and raise the punishment to up to 10 years, even if the offense is a misdemeanor.

This while the Insurance Journal reported (via Reuters – hat tip again to Ride the Lightning) last week that U.S. insurers are ramping up cyber-insurance rates by as much as 25% and trying to curb exposure to vulnerable customers after a surge of costly claims.  While there were 6% fewer ransomware incidents in 2019 versus the prior year (according to Malwarebytes), the average ransom of $41,198 during the 2019 third quarter more than tripled from the first quarter, according to Coveware, which helps negotiate and facilitate the payments.

By the way, if you remember our post from a couple of weeks ago regarding Apple and Attorney General William Barr’s claim that they weren’t helping to crack into password-protected iPhones used by Pensacola Navy base shooter Mohammed Saeed Alshamrani (Apple, for their part, disputed Barr’s assessment that it failed to provide “substantive assistance”), Naked Security reported that Apple, under pressure from the FBI, backed off plans to let iPhones users have end-to-end encryption on their iCloud backups.  Where did I find that out?  You guessed it – Ride the Lightning (via Sharon’s post here).  It’s the RTL trifecta!  :o)

Just a reminder, CloudNine will be once again exhibiting next week at Legaltech, at booth 3000 in America’s Hall 2.  And, we’re once again excited to be co-sponsoring the annual #DrinkswithDougandMary cocktail reception with Mary Mack, Kaylee Walstad and the rest of the EDRM team!  This is our fourth year and we’re grateful to Marc Zamsky and Compliance Discovery for co-sponsoring as well.  It will once again be at Ruth’s Chris Steak house and will happen Wednesday, February 5 from 4-6pm.  You can register to attend here.  And, as I told you on Wednesday, we will be conducting another NineForum education series of TED-talk discussions from our booth, so please check that out as well!

So, what do you think?  Are you surprised that there are only TWO states that criminalize ransomware?  Seriously, TWO?!?  Please share any comments you might have or if you’d like to know more about a particular topic.

Ransom Image Copyright © Touchstone Pictures


Here’s Another Updated Commentary from The Sedona Conference: eDiscovery Best Practices

Last Friday, we covered one updated commentary from The Sedona Conference® (TSC) and promised to cover another one this week.  Consider our promise kept!  :o)

On January 10, TSC and its Working Group 11 on Data Security and Privacy Liability (WG11) announced the publication of the January 2020 final version of The Sedona Conference Incident Response Guide.

The mission of WG11 is to identify and comment on trends in data security and privacy law in an effort to help organizations prepare for and respond to data breaches, and to assist attorneys and judicial officers in resolving questions of legal liability and damages.  WG11 developed the Incident Response Guide to provide a comprehensive but practical guide to help practitioners and organizations deal with the multitude of legal, technical, and policy issues that arise whenever a data breach occurs.

The Incident Response Guide is intended to help organizations prepare and implement an incident response plan and, more generally, to understand the information that drives the development of such a plan. It has been created by thought leaders in the industry and reflects both the practical lessons learned and legal experience gained by the drafters from direct experience responding to incidents, from representation of affected clients, and from the promulgation of rules and guidelines on national and international levels, and is intended to provide general guidance on the topic.

A couple of interesting and curious things about this guide, compared to other TSC guides we’ve covered in the past:

  • The Public Comment version of the Guide was developed way back in March 2018, almost two years ago
  • The guide starts on page 124 and goes to page 262?!? At least in the version I just downloaded this weekend.  Hmmm…

Regardless, there are essentially seven parts in the 139-page(!) (PDF) Commentary (after the Introduction, Part I), plus six appendices.  The Guide covers various topics like pre-incident planning, the incident response plan and executing it, key collateral issues and basic notification requirements.  The appendices include a Model Incident Response Plan and Model Notification Letter and Model Attorney General Breach Notification examples.

You can download a copy of the Commentary here (login required, which is free).  BTW, do you know how many states have security breach notification laws?  You might be surprised!

So, what do you think?  Does your organization have an incident response plan for data security?  As always, please share any comments you might have or if you’d like to know more about a particular topic.


Friday the 13th is Unlucky for the City of New Orleans. Almost. Maybe.: Cybersecurity Trends

In Friday’s post about Norton Rose Fulbright’s 2019 Litigation Trends Annual Survey, one of the most notable trends was that 44 percent of corporate respondents identified Cybersecurity/data privacy as the most likely new source of dispute for their business on the horizon, which was more than four times the next likely sources.  Cybersecurity is also a big challenge for municipalities as we saw on Friday.

According to Forbes (New Orleans Declares State Of Emergency Following Cyber Attack, written by Davey Winder), the City of New Orleans suffered a cybersecurity attack last Friday serious enough for Mayor LaToya Cantrell to declare a state of emergency.

The attack started at 5 a.m. CST on Friday, according to the City of New Orleans’ emergency preparedness campaign, NOLA Ready, managed by the Office of Homeland Security and Emergency Preparedness. NOLA Ready tweeted that “suspicious activity was detected on the City’s network,” and as investigations progressed, “activity indicating a cybersecurity incident was detected around 11 a.m.” As a precautionary measure, the NOLA tweet confirmed, the city’s IT department gave the order for all employees to power down computers and disconnect from Wi-Fi. All city servers were also powered down, and employees told to unplug any of their devices.

During a press conference, Mayor Cantrell confirmed that this was a ransomware attack. A declaration of a state of emergency was filed with the Civil District Court in connection with the incident.

NOLA Ready said that emergency communications had not been affected. Although the “Real-Time Crime Center” had been powered down, public safety cameras were still recording, and incident footage would be available if needed. The police and fire departments continued to operate as usual, and the ability to respond to 911 calls was not impacted.

The ransomware attack that has hit New Orleans follows another that targeted the state of Louisiana in November. Louisiana school district computers were also taken offline, and a state of emergency declared, in response to a ransomware attack in July. It isn’t yet known if the two were connected. However, in August, 23 government agencies were taken offline by a cyber-attack on the State of Texas, which suggests that U.S. municipalities are firmly in the crosshairs of ransomware threat actors.

Gee, you think?  Apparently, any business is in the crosshairs these days, if they have enough money.  After all, why do hackers hack, if not for the money.

So, what do you think?  Does your organization have a plan if it’s hit by a ransomware attack?  Please share any comments you might have or if you’d like to know more about a particular topic.


Today’s Webcast Will Help You Learn about Important eDiscovery Developments for 2019: eDiscovery Webcasts

2019 was another busy year from an eDiscovery, cybersecurity and data privacy standpoint.  So busy, we couldn’t fit it all into a single webcast!  Nonetheless, what do you need to know about those important 2019 events?  Today’s webcast will discuss what you need to know about important 2019 events and how they impact your eDiscovery, data privacy and cybersecurity efforts.

Today at noon CST (1:00pm EST, 10:00am PST), CloudNine will conduct the webcast 2019 eDiscovery Year in Review.  In this one-hour webcast that’s CLE-approved in selected states, we will discuss key events and trends in 2019, what those events and trends mean to your discovery practices and provide our predictions for 2020. Key topics include:

  • How Much Data is Being Transmitted Every Minute on the Internet in 2019
  • What a Lawyer’s Notification Duty Is When a Data Breach Occurs
  • General Data Protection Regulation (GDPR) and Data Privacy Fines
  • Biometric Security and Data Privacy Litigation
  • Cell Phone Passwords and the Fifth Amendment
  • How Organizations Are Doing on Compliance with the California Consumer Privacy Act (CCPA)
  • Social Media and Judges Accepting “Friend” Requests from Litigants
  • How #metoo and Investigations are Impacting eDiscovery within Organizations
  • Whether Emojis Are the Next eDiscovery Challenge
  • The Challenge to Obtain Significant Spoliation Sanctions under the New Rule 37(e)
  • Whether Lawyers Are “Failing” at Cybersecurity
  • Outside Hackers vs. Internal Employees As Cybersecurity Threat
  • Sanctions Resulting from Inadvertent Disclosure of Privileged Information

As always, I’ll be presenting the webcast, along with Tom O’Connor.  To register for it, click here – it’s not too late! Even if you can’t make it, go ahead and register to get a link to the slides and to the recording of the webcast (if you want to check it out later).  If you want to learn how key events and trends in 2019 can affect your eDiscovery practice in 2020, this webcast is for you!

So, what do you think?  Do you have FOMO (fear of missing out) on important info for 2019?  Please share any comments you might have or if you’d like to know more about a particular topic.


The Password Reuse Problem Has Still Not Gone Away: Cybersecurity Trends

This isn’t a throwback post – that comes tomorrow.  But, it’s worth noting that we covered a story over two years ago where the guy who recommended we change our passwords periodically and require passwords that combine upper case letters, lower case letters, numbers and special characters admitted that was bad advice.  But, people – and systems – still seem to support the old ways.  That’s so 2003!

As discussed in Help Net Security (The password reuse problem is a ticking time bomb, written by Michael Greene), in the first six months of 2019, data breaches exposed 4.1 billion records and, according to the 2018 Verizon Data Breach Incident Report (which we covered here), compromised passwords are responsible for 81% of hacking-related breaches. The latest data from Akamai states that businesses are losing $4m on average each year due to credential stuffing attacks, which are executed by using leaked and exposed passwords and credentials.

The author recommends three key steps that organizations should take to strengthen their defenses:

  1. Prevent the use of weak, similar or old passwords: New passwords should be significantly different from the previous ones and old passwords shouldn’t be re-used. Also, fuzzy-matching is a crucial tool for detecting the use of “bad” password patterns, as it checks for multiple variants of the password (upper-lower-case variants, reversed passwords, etc.).
  2. End mandatory password resets, which don’t improve security: This policy has proven to be ineffective as it does nothing to ensure that the new password is strong and has not already been exposed. For example, changing your password from “Big5tud” to “Big5tud!” isn’t an incremental enough change to protect yourself.  ;o)  The author also notes that Microsoft and NIST guidelines (which we covered in the post two years ago) advise against this approach.
  3. Check credentials continuously: NIST advises companies to verify that passwords are not compromised before they are activated and check their status on an ongoing basis. As the number of compromised credentials expands continuously, checking passwords against a dynamic database rather than a static list is critical.
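The three steps above can be combined into a single password-acceptance check. The following is an added Python example, not code from the Help Net Security article or from any password product. The breached-hash set is constructed for the example, and the SHA-1 prefix lookup is an assumption about how a breach feed is queried (the client sends only the first five hex characters of the hash and compares the returned suffixes locally, so the candidate password itself never leaves the system):

```python
# Added example of the three checks: fuzzy similarity to old passwords, no forced
# rotation credit for trivial edits, and a breach-data lookup. The breached set is
# constructed; the prefix query mimics the range-query style of public breach
# services (an assumption about how such a feed is queried).
import hashlib
import string

BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Big5tud", "letmein")      # constructed sample feed
}
MIN_LENGTH = 12

def normalize(password):
    """Collapse case and strip trailing digits/symbols so 'Big5tud!' ~ 'Big5tud'."""
    return password.lower().rstrip(string.digits + string.punctuation)

def too_similar(new, old):
    """Fuzzy match: equal after normalisation, reversed, or one contains the other."""
    n, o = normalize(new), normalize(old)
    if n == o or n == o[::-1]:
        return True
    return min(len(n), len(o)) >= 5 and (n in o or o in n)

def suffixes_for_prefix(prefix):
    """Stand-in for a range query: every stored hash suffix under a 5-char prefix."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}

def is_breached(password):
    """Only the hash prefix would leave the client; the suffix comparison is local."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in suffixes_for_prefix(digest[:5])

def evaluate(new_password, previous_passwords):
    """Return the reasons a new password should be rejected (empty list = accept)."""
    problems = []
    if len(new_password) < MIN_LENGTH:
        problems.append("too short")
    if is_breached(new_password):
        problems.append("appears in breach data")
    if any(too_similar(new_password, old) for old in previous_passwords):
        problems.append("too similar to a previous password")
    return problems

if __name__ == "__main__":
    print(evaluate("Big5tud!", ["Big5tud"]))                    # rejected on two counts
    print(evaluate("correct horse battery staple", ["Big5tud"]))  # accepted
```

In a real deployment the previous passwords are not kept in the clear: the similarity check is run at change time, when the user has just proved knowledge of the old password, or by hashing the normalised variants of the new password and comparing them with stored hashes of the old ones. The breach check should also be repeated on a schedule (step 3), since a password that was clean at creation can appear in a dump later.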

The other key step (that the author didn’t mention) is to implement two-factor authentication wherever possible and expect it from your applications.  Two-factor authentication is where the application sends you a code (via text or email – the means for sending may vary depending on the platform) once you provide your password that you have to enter to then be able to access the application.  Unless a hacker can also access your email account or see your texts, that second layer of security helps protect against hacking of your account via just your password.  According to this infographic from Symantec, 80 percent of data breaches due to stolen credentials could have been eliminated with the use of two-factor authentication.
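What the application has to get right on its side of that exchange is easy to overlook: the code must expire, must work only once, must tolerate only a few wrong guesses, and must be compared in constant time. The following is an added Python example, not code from any of the products or articles mentioned; the six-digit format, the five-minute lifetime and the five-attempt limit are assumed values, and the clock is injectable so the expiry behaviour can be exercised without waiting:

```python
# Added example: issuing and verifying a delivered one-time second-factor code.
# The code length, lifetime and attempt limit are assumptions for illustration.
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300     # assumed lifetime of a delivered code
MAX_ATTEMPTS = 5           # assumed guess budget before the code is voided

class ManualClock:
    """Test clock so expiry can be exercised deterministically."""
    def __init__(self, start=1000.0):
        self.now = start
    def __call__(self):
        return self.now

class OneTimeCodeStore:
    """Issues and verifies short-lived, single-use second-factor codes."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}     # user -> [code, expires_at, attempts]

    def issue(self, user):
        # A fresh issue replaces any earlier pending code for the user.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [code, self._clock() + CODE_TTL_SECONDS, 0]
        return code            # delivered out of band (SMS/email); never log it

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]          # expired or exhausted: force re-issue
            return False
        entry[2] += 1
        # Constant-time comparison so a wrong digit cannot be detected by timing.
        if hmac.compare_digest(code, submitted):
            del self._pending[user]          # single use
            return True
        return False

def wrong_code_for(code):
    """Any six-digit string that differs from the issued code."""
    return "000000" if code != "000000" else "111111"

if __name__ == "__main__":
    clock = ManualClock()
    store = OneTimeCodeStore(clock=clock)
    code = store.issue("alice")
    print(store.verify("alice", wrong_code_for(code)))   # False
    print(store.verify("alice", code))                   # True
    print(store.verify("alice", code))                   # False: already used
    code = store.issue("alice")
    clock.now += CODE_TTL_SECONDS + 1
    print(store.verify("alice", code))                   # False: expired
```

The guess budget matters because a six-digit code has only a million possibilities; without a limit on attempts an attacker who has the password could simply try them all. Codes sent by text or email also remain exposed to SIM-swapping and mailbox compromise, which is why authenticator apps or hardware keys are preferred where the application offers them.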

We’ve known all of this information for at least a couple of years now, yet organizations continue to move slowly in making changes.  Maybe by 2031?

So, what do you think?  Does your organization require you to change passwords periodically?  Please share any comments you might have or if you’d like to know more about a particular topic.


According to the ABA, Lawyers are “Failing at Cybersecurity”: Cybersecurity Trends

In these days of increased data privacy emphasis with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), how are lawyers doing with regard to cybersecurity within their firms?  According to the American Bar Association Legal Technology Resource Center’s ABA TechReport 2019, they are “failing at cybersecurity”.

In the ABA Journal article (Lawyers are failing at cybersecurity, says ABA TechReport 2019, by Jason Tashea), the author reports this quote from an accompanying article on cybersecurity released last Wednesday: “In fact, the results are shocking and reflect little, if any, positive movement in the past year or even in the past few years. The lack of effort on security has become a major cause for concern in the profession.”

The annual report looks at how attorneys use all kinds of technology in their practices. Articles on cloud computing, cybersecurity, and websites and marketing were released free online. Six more articles will be released on Wednesdays through Dec. 18.

The survey found that the most popular security measure, used by 35% of respondents, was Secure Sockets Layer (SSL), which encrypts computer communications, including web traffic. Only 27% make local data backups. Since 2018, the share of respondents reading vendor privacy policies fell from 38% to 28%. A mere 23% investigated a vendor’s history, even though 94% said vendor reputation mattered when deciding whom to contract with.

Only 35% of attorneys use SSL?!?  I have a feeling that many more use it, but don’t realize it.

Meanwhile, slightly more than a quarter of respondents (26%) reported that their firm had had a security breach.  In addition, 19% of respondents said that they do not know whether their firm has ever experienced a security breach.  So, the percentage of firms that have experienced a security breach could be quite a bit higher.

Consequences of security incidents included consulting fees for repair (37%), downtime/loss of billable hours (35%), expense for replacing hardware or software (20%), destruction or loss of files (15%), notifying law enforcement of breach and notifying clients of the breach (9% each), unauthorized access to other (non-client) sensitive data (4%), and unauthorized access to sensitive client data (3%).

Only 9% of firms notifying clients of the breach?!?  Ruh-roh.

The ABA Legal Technology Resource Center Tech Survey 2019 is available here.  It’s in five volumes, each available for $350 (non-members) or $300 (members).

BTW, the Legal Technology Resource Center of the ABA used to have a publicly available page with Cloud Ethics Opinions Around the U.S., showing a map of states that had a cloud ethics opinion (we’ve covered it a handful of times, the last being about 2 1/2 years ago here, when there were 21 states that had one, including one that the ABA didn’t have on its site).  That page is now inactive and I can’t find it via a search on the website.  If anybody knows if it’s still available in some form on the ABA website, let me know.

So, what do you think?  Are you surprised by any of the ABA findings on cybersecurity?  Please share any comments you might have or if you’d like to know more about a particular topic.


Been Hacked? That May Be Because of an Unpatched Vulnerability in Your Software: Cybersecurity Trends

There are plenty of reasons that organizations experience a data breach, including weak or stolen passwords (despite the availability of two-factor authentication technology to thwart those efforts).  Here’s another common cause of data breaches: unpatched vulnerabilities in your software.

According to ZDNet (Cybersecurity: One in three breaches are caused by unpatched vulnerabilities, written by Steve Ranger – hat tip to Sharon Nelson’s excellent Ride the Lightning blog here), more than one in three IT professionals (34 percent) in Europe admitted that their organization had been breached as a result of an unpatched vulnerability according to a survey by security company Tripwire.  The overall average isn’t much better at 27 percent.

Why?  Software vendors are constantly publishing new patches to fix problems in software that they have sold. It’s then up to the users of the software to apply the patches – or else risk leaving themselves open to attack via the vulnerabilities that the vendors failed to spot when building the product in the first place.

But the sheer volume of patches, with many vendors publishing new fixes on a monthly basis, and the need to test those patches to ensure that they don’t cause other unexpected problems, means that there’s often a delay in getting systems secured. That leaves a gap that hackers can exploit.

Finding the stuff that needs patching can be a challenge: 59 percent of respondents said they can detect new hardware and software on their network within hours, but for many it’s a difficult manual effort, with 35 percent saying less than half of their assets are discovered automatically.  As a result, more than two in five respondents (42 percent) take more than a week to deploy security patches in their environment.

And, there are often several patches to implement per month – 42 percent of respondents indicated that they patch at least 10 vulnerabilities per month, 15 percent said at least 50 per month, and 6 percent said more than 100 per month.  Four out of five companies said they had stopped using a product because of a vulnerability disclosure.

The 2017 WannaCry ransomware attack was probably the clearest example of what can go wrong when patches aren’t applied: although a patch for the vulnerability exploited by the ransomware had existed for several months, many organizations, such as parts of the UK’s National Health Service, had failed to apply it.  Now, that really makes you wanna cry!

So, what do you think?  Are you aware of a data breach that occurred because of an unpatched vulnerability in the organization’s software?  As always, please share any comments you might have or if you’d like to know more about a particular topic.
