Security

Why Do Hackers Hack? It’s About the Money, Apparently: Cybersecurity Trends

Big surprise there, right?  So says the 2019 Verizon Data Breach Investigations Report (DBIR), which analyzes the reported cybersecurity and data breach incidents for the year.  According to this year’s report, senior C-level executives are 12 times more likely to be the target of social engineering attacks, and 9 times more likely to be the target of social breaches than in previous years, with financial motivation the key driver in these attacks.

Many of the attacks on C-level executives are phishing attacks, often where the hackers pose as the CEO, eventually asking for a financial transfer to be conducted to a certain account (I wrote about an attempt I received earlier this year).  As I wrote in that article, marking emails coming from an external source with an “*** External Email ***” marker inserted into the received email has helped us at CloudNine identify those phishing instances.
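The external-mail marker described above, as an added example (not CloudNine's own mail-gateway code): a small Python filter that parses an inbound message, treats any From or Reply-To address outside the organisation's own domain as external, and prepends the marker to the Subject and to the top of the text body. The domain example.com and the two sample messages are constructed placeholders.

```python
"""Tag inbound mail from outside the organisation with an "*** External Email ***"
marker. Added illustration, not CloudNine's code; example.com stands in for the
real internal domain and both sample messages are constructed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumption: placeholder for the firm's domain
MARKER = "*** External Email ***"


def sender_domain(header_value) -> str:
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_external(msg: EmailMessage) -> bool:
    """External if From or Reply-To is outside INTERNAL_DOMAINS.
    Reply-To is checked too: a familiar display name on From combined with an
    outside Reply-To is a common shape for CEO-impersonation messages."""
    for hdr in ("From", "Reply-To"):
        dom = sender_domain(msg.get(hdr))
        if dom and dom not in INTERNAL_DOMAINS:
            return True
    # No usable From address at all: treat as external rather than trusting it.
    return not sender_domain(msg.get("From"))


def tag_external(raw: bytes) -> EmailMessage:
    """Parse a raw RFC 5322 message; if it is external, prepend the marker to
    the Subject and the text body. Internal mail is returned untouched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(MARKER):          # idempotent on re-delivery
        if "Subject" in msg:
            msg.replace_header("Subject", f"{MARKER} {subject}")
        else:
            msg["Subject"] = f"{MARKER} {subject}"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(f"{MARKER}\n\n{body.get_content()}")
    return msg


# Constructed sample: the display name mimics the CEO, but the address is outside the firm.
SPOOFED = b"""From: Brad Jenkins <brad.jenkins@outside-mailer.example>
To: staff@example.com
Subject: Quick favor
Content-Type: text/plain; charset="utf-8"

Are you at your desk? I need a wire sent today.
"""

# Constructed sample: genuine internal mail, which must pass through unchanged.
INTERNAL = b"""From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Noon works.
"""

if __name__ == "__main__":
    for raw in (SPOOFED, INTERNAL):
        tagged = tag_external(raw)
        print(repr(str(tagged["Subject"])))
```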

As always, this year’s report has some interesting findings.  Here are some of them from the 78-page PDF report:

  • They are reporting on over 41,686 incidents and 2,013 confirmed data breaches; both numbers were down this year from last year;
  • 69% of reported breaches were perpetrated by outsiders, 34% by internal actors (last year, the ratio was 73%-28%);
  • 39% of breaches were carried out by organized criminal groups, down 11% from last year;
  • 23% of breaches involved actors identified as nation-state or state-affiliated, up 11% from last year;
  • Who was affected? 16% were breaches of public sector entities, 15% of breaches affected healthcare organizations, 10% of breaches involved the financial industry and 43% of victims are categorized as small businesses.  While that is the highest category, it is 15% lower than last year.
  • How do they get you? 52% of breaches featured hacking, 33% were social attacks (nearly double last year’s 17%), 28% included malware, 21% of breaches had errors as causal events, 15% involved misuse by authorized users and 4% of breaches involved physical actions.
  • Also, 71% of breaches were financially motivated, 25% of breaches were motivated by the gain of strategic advantage (espionage), 32% of breaches involved phishing, 29% of breaches involved use of stolen credentials and 56% of breaches took months or longer to discover. While that number seems remarkable, it is 12% down from last year’s 68%.

As always, the report is chock full of graphics and statistics which makes it easier to read than the size of the report indicates and covers everything from social attacks to ransomware to denial of service to incident classification patterns and coverage of data breaches and other incidents in several industries.

You can download a copy of the report here.  Believe it or not, this is our fifth(!) year covering the report (previous reports covered here, here, here and here).  Enjoy!

Also, just a reminder that CloudNine will be the Scarlett sponsor of the Murder in the Manor charity fundraiser hosted by Oasis Discovery to be held May 16th at The Mansion on O Street in Washington DC (2020 O Street NW, Washington, DC 20036).  CloudNine will be running the Speakeasy, where drinks will be available and a lot of fun will be had.  And, all proceeds from the event will benefit the Capital Area Food Bank (CAFB), which is the largest public, non-profit hunger and nutrition education resource in the Washington Metropolitan Area.  Click here for more information and to purchase your tickets.  Remember, it’s for a great cause.

So, what do you think?  Have you ever experienced any data breaches, either personally or professionally?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Another Sedona Conference Commentary Published: eDiscovery Best Practices

Last week, I discussed two public comment publications from The Sedona Conference® (TSC) from last year that were published in final form over the past few weeks.  Now, TSC has announced a new publication from its Working Group 11 on Data Security and Privacy Liability (WG11) that evaluates the application of the attorney-client privilege and work-product protection doctrine to an organization’s cybersecurity information.

Last week, TSC and its WG11 group announced the public comment version of its Commentary on Application of Attorney-Client Privilege and Work-Product Protection to Documents and Communications Generated in the Cybersecurity Context (Commentary), which may be the longest title for a TSC publication ever.

The goal of the Commentary is to address the absence of “settled law” on this topic by assessing (1) how the courts have and can be expected to decide, and what organizational practices will be important to a court’s decision regarding, whether the attorney-client privilege or work-product protection apply to documents and communications generated in the cybersecurity context; and (2) how the development of the law in this area should be informed not just by established attorney-client privilege and work-product protection legal principles, but also by the policy rationales underlying the attorney-client privilege and work-product protection generally and those unique to the cybersecurity context.

There are essentially five parts in the 65-page (PDF) Commentary.  Part A elaborates on the Commentary’s purpose and sets forth its target audience. Part B sets forth the legal principles generally applicable to claims of attorney-client privilege and work-product protection. Part C uses the general principles set forth in Part B and other relevant legal sources to evaluate how the courts have and can be expected to decide, and what organizational practices will be important to a court’s decision regarding whether the attorney-client privilege or work-product protection applies to various types of documents and communications that an organization generates in the cybersecurity context. Part D examines whether and to what extent the results suggested in Part C are consistent with the policy rationales underlying the attorney-client privilege and work-product protection generally and those unique to the cybersecurity context. Section 2 of Part D considers various proposals for adapting existing attorney-client privilege and work-product protection law, or developing entirely new protections, in the Cybersecurity Information (CI) context, and the tradeoffs those proposals present.  Part E is a one-paragraph conclusion to the Commentary.  There are no Appendices.

You can download a copy of the Commentary here (login required, which is free).  The Commentary is open for public comment through June 25, 2019. Questions and comments on the Commentary are welcome through June 25, and may be sent to comments@sedonaconference.org.  The drafting team will carefully consider all comments received, and determine what edits are appropriate for the final version.  Also, a webinar on the Commentary will be scheduled in the coming weeks, and will be announced by email and on The Sedona Conference website to give you the opportunity to ask questions and gain additional insight on this important topic.

So, what do you think?  How does your organization address attorney-client privilege and work-product protection of its cybersecurity information?  As always, please share any comments you might have or if you’d like to know more about a particular topic.


Data Privacy Compliance Isn’t Just for Europe or California Anymore: Data Privacy Trends

We have covered Europe’s General Data Protection Regulation (GDPR) over several posts the past couple of years and even conducted a webcast on the topic last year.  And, we have covered the California Consumer Privacy Act (CCPA) several times as well, including as recently as last week.  But, what about the rest of the wide, wide world?  Do countries in other parts of the world have data privacy policies as well?  Yes.  Do they mimic GDPR policies?  Not necessarily.

As reported in Legaltech News (Data Protection Laws Take Center Stage For Global GC, written by Caroline Spiezio), lawyers are saying that ignoring data privacy changes outside of Europe, or assuming GDPR policies will comply anywhere, may lead to fines or diminished consumer trust in other regions.  For example, Camila Tobón, a Colorado-based data privacy lawyer at Shook, Hardy & Bacon, said many countries in Latin America follow a consent-based model, which doesn’t allow for the legitimate interest data collection case presented under GDPR. She said many Latin American countries with data privacy laws used Spain’s consent-based version of the 1995 Data Protection Directive (the predecessor to GDPR in Europe) to shape their regulations.

“When Spain incorporated the directive into their law, one noticeable change [from other EU countries] was the lack of legitimate interest for a basis for processing personal data,” Tobón said. “When most Latin American countries were starting to implement their laws in 1999, 2000, 2001, they used the Spanish law as a model, which didn’t include legitimate interest. So what you ended up seeing in Latin America was a consent-based model.”

However, Brazil’s General Data Protection Law, which passed in 2018, includes the case for legitimate interest collection, which closely aligns that country’s laws with Europe’s.  And, other countries in Latin America are working on changes as well.  Chile recently voted to create a national data protection authority. Panama’s National Assembly approved a national data protection regulation last year that currently awaits the president’s signature. An updated Argentine bill to bring the country’s data protection regulations closer to Europe’s with a legitimate interest model and data protection officer requirement is also in the works, with a draft standing in front of Congress.

Beyond Latin America, other countries are making (or considering making) changes as well.  The Corporate Counsel Association of South Africa’s chief executive officer Alison Lee said she expects to see the country implement the Protection of Personal Information Act this year.  Unlike GDPR, POPIA asserts companies also have “personal data” that requires protection. South Africa currently doesn’t require explicit consent to collect data or legitimate interest, but it does require some form of consent.  Nigeria could also see data protection changes, as it has long attempted to pass a specific data protection bill.

So, what about Asia Pacific (APAC)?  Scott Thiel, a Hong Kong-based DLA Piper partner, said, since GDPR’s implementation, he’s increasingly asked questions about data protection in Asia.

“Everyone is sort of finally taking a breath and going, ‘OK, we got through GDPR, we’re somewhere near compliance and that’s great. I assume that works everywhere, does it?’ And the short answer is no, it doesn’t,” Thiel said. “A lot of the approaches to data compliance that work in Europe don’t work in the Asian markets.”

He said many companies have tried applying their GDPR policies to China and other Asian countries and it “just doesn’t” work.  Like Latin America, much of East Asia relies on a consent-based model rather than legitimate interest, Thiel said.  Nonetheless, cybersecurity laws are changing in APAC, as well.  The article has several more details regarding data privacy changes in Latin America, Africa and APAC.  GDPR, with its heavy fines, has gotten a lot of the coverage regarding data privacy compliance, but you can’t ignore requirements in the rest of the world if you’re a multi-national company.  I’m sure Antarctica will come out with their data privacy laws any day now.  ;o)

So, what do you think?  Are you prepared for data privacy changes around the rest of the world?  Please share any comments you might have or if you’d like to know more about a particular topic.


What’s a Lawyer’s Duty When a Data Breach Occurs within the Law Firm: Cybersecurity Best Practices

When I spoke at the University of Florida E-Discovery Conference last month, there was a question from the live stream audience about a lawyer’s duty to disclose a data breach within his or her law firm.  I referenced the fact that all 50 states (plus DC, Guam, Puerto Rico and the Virgin Islands) have security breach notification laws, but I was not aware of any specific guidelines or opinions relating to a lawyer’s duty regarding data breach notification.  Thanks to an article I came across last week, I now know that there was a recent ABA opinion on the topic.

An article written by Anton Janik, Jr. of Williams Mitchell and originally published in the 2019 Winter edition of The Arkansas Lawyer and republished on JD Supra (The Lawyer’s Duty When Client Confidential Information is Hacked From the Law Firm, hat tip to Sharon Nelson’s terrific Ride the Lightning blog for the reference) takes a look at a lawyer’s duties following a data breach and discusses the requirements of ABA Formal Opinion 483, which was issued in October 2018.

Janik begins his article by referencing the DLA Piper NotPetya ransomware attack in 2017, as follows:

“Imagine it’s a usual Tuesday morning, and coffee in hand you stroll into your office. Right inside the door, you see a handwritten notice on a big whiteboard which says: All network services are down, DO NOT turn on your computers! Please remove all laptops from docking stations & keep turned off. *No exceptions*

Finding this odd, you turn to your firm receptionist who tells you that the firm was hit with a ransomware attack overnight, and that if you turn on your computer all of your files will be immediately encrypted, subject to a bitcoin ransom.”

That’s what happened to DLA Piper and the 4,400-attorney law firm was “reduced to conducting business by text message and cell phone” until the situation was resolved, requiring 15,000 hours of overtime IT assistance, though they sustained no reported loss of client confidential information.

Of course, as you probably know by reading this blog, the DLA Piper situation isn’t unique.  A recent American Bar Association report stated that 22% of law firms reported a cyberattack or data breach in 2017, up from 14% the year before.

The ABA Opinion discusses three duties under its Model Rules: the duty of competence, the duty of communication, and the duty of confidentiality. While the ABA Opinion focused narrowly upon the ethical duties it sees arising between an attorney and client, it is important that you understand “the types of data you work with, and keep yourself abreast of what laws, regulations and contractual provisions govern its loss” (I just pointed you to a resource for breach notification laws up above).

Janik’s article covers stopping the breach, restoring systems and determining what happened and its cause. Best practices (and often your cybersecurity insurance coverage) dictate that your law firm should draft, and regularly train on, a breach response plan which defines personnel roles and procedural steps to employ in assessing and addressing any given breach, including through the use of outside vendors whose use may be contractually prearranged.

When a breach is discovered, the ABA Opinion finds that the duty of competence under Model Rule 1.1 requires the attorney to act reasonably and promptly to stop the breach and mitigate the damage, using “all reasonable efforts” to restore computer operations to be able to continue client services.  And, Model Rule 1.4 requires that an attorney keep the client “reasonably informed about the status of the matter.”

So, now I know – which means you know too.  :o)

So, what do you think?  Were you familiar with ABA Formal Opinion 483?  Does your firm have a formalized breach response plan?  Please share any comments you might have or if you’d like to know more about a particular topic.


Answers to Your Frequently Asked CCPA Questions: Data Privacy Best Practices

As we discussed last year (here and here), the California Consumer Privacy Act (CCPA) is a comprehensive new consumer protection law set to take effect next January 1.  And, as we also reported recently, about half of surveyed companies haven’t even started preparing to be CCPA compliant.  Maybe that’s because they don’t know where to start to comply and don’t know whether the CCPA applies to their business, what rights will Californians have under CCPA and what impact CCPA will have on their privacy policy.  Here are answers to some of those questions.

In the Data Privacy Monitor site by Baker Hostetler (The California Consumer Privacy Act: Frequently Asked Questions, written by Alan L. Friel, Laura E. Jehl and Melinda L. McLellan), the authors address ten frequently asked questions that companies are asking about CCPA (if they’re not asking them, they should be).  Here are the questions they are addressing in this article:

  1. Does the CCPA apply to my business? What if we don’t have operations in California?
  2. Does the $25 million revenue threshold apply to California revenue specifically, or is it $25 million for the business as a whole?
  3. Will the CCPA be amended? What are the open issues?
  4. What new rights will the CCPA give to California residents?
  5. Will we need to amend our company’s online privacy policy?
  6. How do the “copycat” CCPA laws being proposed in other states compare with the CCPA?
  7. How does a business confirm that a person making an access or deletion request under the CCPA is a California resident, or who they claim to be?
  8. What should our company be focusing on right now, while we wait to see how these various state and federal law proposals shake out?
  9. What are the potential penalties for violations of the CCPA?
  10. Does my business qualify for one of the CCPA’s exceptions?

I won’t steal any thunder here – the authors give detailed and thoughtful answers to the questions that you will want to check out for yourself.

It’s interesting to note that there are at least 15 state data privacy laws that are working their way through the legislative process – some that are “virtually identical to the CCPA”, others that are similar, but with key differences.  As the authors note, the “prospect of having to comply with dozens of different state laws of this nature has fueled interest in a federal law to harmonize these proposals and provide businesses with clear compliance goals.”  That’s not surprising to me.

As the authors note in their conclusion: “A new era of consumer privacy rights has dawned in the U.S., and businesses will need to have a sound understanding of the personal information they collect, process, use and share to be able to comply with incoming rules and regulations.”  Given recent trends, it certainly appears that virtually every US business will be subject to new and developing data privacy laws sooner rather than later.

So, what do you think?  Is your company subject to CCPA?  If so, has it begun to address CCPA yet?  Please share any comments you might have or if you’d like to know more about a particular topic.


Fired IT Guy Deleted 23 of His Ex-Employer’s AWS Servers: Cybersecurity Trends

When it comes to data breaches and other cybersecurity threats, many people discuss the threats from outside hackers.  But, it’s the internal employees who can do as much, if not a lot more, damage to an organization’s IT infrastructure.  Especially if the internal employee has been canned and is bent on getting revenge.

An article in Naked Security (Sacked IT guy annihilates 23 of his ex-employer’s AWS servers, written by Lisa Vaas) reports that the UK’s Thames Valley Police announced on Monday that 36-year-old Steffan Needham, of Bury, Greater Manchester, was jailed for two years at Reading Crown Court following a nine-day trial.  Needham pleaded not guilty to two charges under the Computer Misuse Act – one count of unauthorized access to computer material and one count of unauthorized modification of computer material – but was convicted in January 2019.

As the Mirror reported during Needham’s January trial, the IT worker was sacked after a month of lousy performance working at a digital marketing and software company called Voova in 2016.

In the days after he got fired, Needham got busy: he used the stolen login credentials to get into the computer account of a former colleague – Andy “Speedy” Gonzalez – and then began fiddling with the account settings. Next, he began deleting Voova’s AWS servers – 23 servers of data in all, which related to clients of the company.

The company lost big contracts with transport companies as a result. Police say that the wreckage caused an estimated loss of £500,000 (about $700,000 at the time). The company reportedly was never able to claw back the deleted data.  And, it took months to track down the culprit. Needham was finally arrested in March 2017, when he was working for a devops company in Manchester.

Prosecutor Richard Moss noted during the trial that security experts agreed that Voova could have done a better job at security.  Most notable was their failure to implement two-factor authentication.

According to the 2017 Verizon Data Breach Investigations Report (DBIR) (covered by us here), 81 percent of hacking-related breaches used stolen passwords and/or weak passwords.  But, according to this infographic from Symantec, 80 percent of data breaches could have been eliminated with the use of two-factor authentication.  With two-factor authentication, a stolen password is useless if the thief doesn’t also have the device where the authorization code is being sent.  So, you should implement two-factor authentication wherever possible – Voova sure wishes they did.

So, what do you think?  Do you use two-factor authentication to secure your technology solutions?  As always, please share any comments you might have or if you’d like to know more about a particular topic.


Is Blockchain as Secure as People Think? Maybe Not: Cybersecurity Best Practices

As you may have seen yesterday, Tom O’Connor has written his latest terrific informational overview series for CloudNine about blockchain that we will be covering in a six-part series over the next couple of weeks.  Not to steal any thunder, but Tom’s article will cover things like the advantages of blockchain and its impact on legal technology and eDiscovery.  One advantage that a lot of people have claimed for blockchain is that it’s essentially “unhackable” from a cybersecurity standpoint.  That may not actually be true.

According to the MIT Technology Review (Once hailed as unhackable, blockchains are now getting hacked, written by Mike Orcutt – hat tip to Rob Robinson’s Complex Discovery blog for the link), hackers have stolen nearly $2 billion worth of cryptocurrency since the beginning of 2017, mostly from exchanges, and that’s just what has been revealed publicly.

Last month, the security team at Coinbase noticed something strange going on in Ethereum Classic, one of the cryptocurrencies people can buy and sell using Coinbase’s popular exchange platform.  An attacker had somehow gained control of more than half of the network’s computing power and was using it to rewrite the transaction history. That made it possible to spend the same cryptocurrency more than once—known as “double spends.” The attacker was spotted pulling this off to the tune of $1.1 million (though Coinbase claims that no currency was actually stolen from any of its accounts).  The so-called 51% attack against Ethereum Classic was just the latest in a series of recent attacks on blockchains that have heightened the stakes for the nascent industry as a second popular exchange, Gate.io, has admitted it wasn’t so lucky, losing around $200,000 to the attacker (who, strangely, returned half of it days later).

As the article notes, blockchains are particularly attractive to thieves because fraudulent transactions can’t be reversed as they often can be in the traditional financial system. Besides that, we’ve long known that just as blockchains have unique security features, they have unique vulnerabilities. Marketing slogans and headlines that called the technology “unhackable” were dead wrong.

The article concludes by noting that, while blockchain technology has been long touted for its security, under certain conditions it can be quite vulnerable. Sometimes shoddy execution can be blamed, or unintentional software bugs. Other times it’s more of a gray area—the complicated result of interactions between the code, the economics of the blockchain, and human greed. That’s been known in theory since the technology’s beginning. Now that so many blockchains are out in the world, we are learning what it actually means—often the hard way.

When this article came out last week, Tom and I discussed whether to reference it in his already completed paper – ultimately, we agreed to let me cover it here.  One thing that Tom’s article makes clear is that we’re still learning a lot about blockchain and its capabilities and this article certainly reinforces that notion.  Do your homework!

So, what do you think?  Are you surprised by this indication that blockchain may not be “unhackable” after all?  Please share any comments you might have or if you’d like to know more about a particular topic.


Here’s an Example of a Phishing Email I Received and What I Did About It: Cybersecurity Best Practices

When you get an email from your boss asking you to help him with something, your natural tendency is to take it seriously and drop what you’re doing so that you can help.  But, if you’re not careful, you could find out that you’re the victim of a phishing email.  I got an email just like that yesterday – here’s how I was able to quickly realize what it was and avoid making a big mistake.

In case you’re not clear what “phishing” is, here’s a definition (straight from Wikipedia):

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim.

You’ve probably seen plenty of emails that look like a legitimate entity (e.g., Apple, Amazon, various banks and financial institutions) where they tell you there’s a problem with your account and you’re directed to click on the link to provide your credentials again, or your account login or other account information.  You do, and they can take that info and wreak havoc from there.  That’s a phishing email and that’s pretty common.

Another type of phishing email is where it looks like it comes from someone you know (e.g., your boss or other colleague).  Again, they typically want you to click on a link – or – open an attachment that contains malware that can proceed to infect your system and, perhaps, your company’s network.  Sometimes, you may not even realize that malware has been “unleashed” until much later.  Or, they indicate that they need you to wire some money to pay a bill and give you the wire information.

So, yesterday, I got one of those types of phishing emails that looked like it came from my boss, Brad Jenkins, who is the CEO of CloudNine.  Here is what it said (bold italics used for emphasis, it was actually a plain text email):

Hello are you free at the moment?  i need you to get something done for me.

P.S. I am heading to a meeting right now and i won’t be able to receive call but i will be available by email.

Sent from my Samsung Galaxy smartphone.

Anybody who sends emails from their smartphones knows that we sometimes abbreviate, misspell, uncapitalize and so forth – phone email messages often have their own “email shorthand”, so the informality of this message seems consistent with that.  And, I could certainly see Brad sending me a quick message from his phone to ask for my help or a quick discussion – happens all the time.  But, then I see this at the top:

*** External Email ***

As I noted several months ago, at CloudNine we mark any email coming from an external source with an “*** External Email ***” marker inserted into the received email to help recipients identify those phishing instances.  Because of that, I knew that wasn’t an email from Brad via his CloudNine email address.  That told me it was very likely a phishing email; in fact, I didn’t even have to open the email to see that, since the marker appears at the top and is visible in the three-line preview that Outlook shows in the Inbox.  If your organization doesn’t already do that, it’s a great way to help determine the origin of messages that pretend to be from a co-worker.  In the meantime, confirm that any email that seems even slightly suspicious came from the purported sender by checking the email address or by asking your internal IT expert about it.  Better safe than sorry.

One other thing that I do if I’m unsure if the email came from the actual sender (if it’s purported to be from somebody outside my organization or I think it may be from a personal email address) is to contact them separately – not by replying to the email I received – but by either sending them a separate email to their known email address, or texting or calling them, and asking them if they sent the email.  Never reply to an email that looks suspicious.
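For the external-email marker and the sender check described above, here is an added Python example (my own, not code from the post or from CloudNine) that tags mail from outside a hypothetical organization and flags an executive's name appearing on an outside address; the domains, executive roster and messages are constructed placeholders.

```python
"""Added example: apply an '*** External Email ***' marker to inbound mail and
flag the CEO-fraud pattern of an insider's display name on an outside address.
Domains, names and messages are constructed ('.test' is a reserved TLD)."""
from email import message_from_string
from email.utils import parseaddr

EXTERNAL_MARKER = "*** External Email ***"
INTERNAL_DOMAINS = {"example-corp.test"}   # hypothetical organization domain
EXECUTIVES = {"brad jenkins"}              # hypothetical executive roster

def classify_sender(from_header):
    """Split a From: header into (display name, address, is_external)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Anything not from one of our own domains counts as external (no address too).
    return name.strip(), addr.lower(), domain not in INTERNAL_DOMAINS

def looks_like_exec_impersonation(name, is_external):
    """An executive's name on an external address is the pattern in the post."""
    return is_external and name.lower() in EXECUTIVES

def tag_inbound(raw):
    """Return (subject, body, suspicious).  External mail gets the marker on the
    subject and at the top of the body so it shows in the Inbox preview."""
    msg = message_from_string(raw)
    name, _addr, external = classify_sender(msg.get("From", ""))
    subject, body = msg.get("Subject", ""), msg.get_payload()
    if not external:
        return subject, body, False
    return (f"{EXTERNAL_MARKER} {subject}",
            f"{EXTERNAL_MARKER}\n\n{body}",
            looks_like_exec_impersonation(name, external))

# Constructed sample messages: the spoof pattern from the post and a genuine
# internal message from the same display name.
SPOOFED = """From: Brad Jenkins <brad.jenkins@freemail.test>
Subject: Quick favor

Hello are you free at the moment?  i need you to get something done for me.
"""
LEGIT = """From: Brad Jenkins <bjenkins@example-corp.test>
Subject: Quick favor

Are you free for a quick call?
"""
```

Note that an ordinary outside sender (a vendor, say) still receives the marker but is not flagged as impersonation; only the combination of an internal name and an external address raises the alarm.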

By the way, this message had no link or attachment.  So, what were they after?  My guess is that they wanted to see if I took the bait and the next message was going to ask for me to “review this file” or “take a look at this site (link)” or “send a wire transfer to this address”.

Speaking of wire transfers, never send a wire transfer just based on an email, always get verification (preferably verbal) to confirm the request actually came from your boss.  That seems like a “no brainer”, but I’ve heard many stories of companies where employees did just that – only to find out that it was a phishing scam and the company was out tens of thousands of dollars.  Ouch!

So, what do you think?  Have you ever been a victim of a phishing email?  Please share any comments you might have or if you’d like to know more about a particular topic.


How Many States Have Security Breach Notification Laws? You Might Be Surprised: Cybersecurity Trends

Usually, I end each blog post with “So, what do you think?”, but this time I’m starting with it.  How many states do you think have some sort of legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information (PII)?  Ten?  Twenty?  Thirty?  You might be surprised.

According to a post by the National Conference of State Legislatures (NCSL) (hat tip to Joe Hodnicki of Law Librarian Blog for the link), all 50 states, plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.

That’s certainly good to know!

Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).

The NCSL post linked to above provides links to each of the states’ and territories’ legislation – some have a single law, code or statute to address the requirements, while others have more than one.  It’s a great reference if you ever have to determine what the laws are in a particular state or territory in terms of compliance requirements – which are already growing because of the General Data Protection Regulation (GDPR) that went into effect last year and the California Consumer Privacy Act (CCPA) which is slated to go into effect next January.  More and more, compliance discovery is becoming a strong emphasis for organizations that need to manage their risk.  It’s good to know that all of the states and territories have security breach laws – the next question is how well are they enforced?

So, what do you think?  Were you surprised that every state and territory has security breach laws?  Please share any comments you might have or if you’d like to know more about a particular topic.


Germans Order Facebook To Change How it Collects User Data: Data Privacy Trends

Two days, two stories about Germans finding fault with companies’ handling of personal data.

According to Law360 (Facebook Ruling Gives Antitrust Weight To Data Privacy, written by Ben Kochman – subscription required), Germany’s Federal Cartel Office ordered Facebook last week to give users the right to opt in or out before the company merges data gleaned from users’ activity on other websites and apps to their Facebook accounts. Facebook uses this type of data, including from its own WhatsApp and Instagram as well as from third-party websites with its “like” or “share” buttons, to amass detailed profiles on consumers that fuel its lucrative targeted advertising operation.

Facebook users can reasonably expect that the social network is monitoring their activity on the platform for targeted advertising purposes, the German regulator said. But to extend that tracking to third-party sites — including those that have the company’s invisible Facebook Analytics software installed — without asking users first amounts to “exploitative abuse,” it said, in which the company is abusing its unique position as a social media giant for which users have no real replacement.

“In view of Facebook’s superior market power, an obligatory tick on the box to agree to the company’s terms of use is not an adequate basis for such intensive data processing,” FCO President Andreas Mundt said in a statement announcing the ruling.

The FCO explained its logic in a Q&A attached to the decision. Even though users do not suffer a financial loss from Facebook’s data collection, “the damage for the users lies in a loss of control,” the regulator said.

“They are no longer able to control how their personal data are used,” the authority wrote. “They cannot perceive which data from which sources are combined for which purposes with data from Facebook accounts and used e.g. for creating user profiles.”

“Due to the combining of the data, individual data gain a significance the user cannot foresee,” it added.

Facebook immediately pushed back, arguing in a blog post that the FCO “underestimates the fierce competition we face in Germany,” including from YouTube, Snapchat and Twitter.  The ruling “misapplies German competition law to set different rules that apply to only one company,” wrote the post by Yvonne Cunnane, head of data protection for Facebook Ireland, and company Associate General Counsel Nikhil Shanbhag. Facebook vowed to appeal the case and has a month to do so.

“There’s a sentiment issue here. People are developing feelings about Facebook, especially after what happened with Cambridge Analytica,” Pam Dixon, executive director of the World Privacy Forum (a consumer privacy nonprofit) said. “I wonder if Facebook is having a tin ear here to what its customer base really wants.”

So, what do you think?  Is this just the beginning of data privacy reform?  And, will “zee germans” have anything else to say about data privacy soon?  Please share any comments you might have or if you’d like to know more about a particular topic.
