Security

In Today’s Privacy Environment, That’s the Way the (Website) Cookie Crumbles: Data Privacy Trends

It’s only been three weeks, but we’ve already talked plenty about the first big GDPR fine: €50 million (about $56.8 million) levied on Google for failing to comply with GDPR.  Sure, you’re thinking “that’s Google, I can see how they got fined, but nothing to worry about here”.  Right?  Well, you may want to think again.

As covered in Alston & Bird’s Privacy and Data Security Blog (Google-Style GDPR Fines for Everyone? Bavarian DPA Conducts Website Cookie Practices Sweep, Announces Fines under Consideration, written by Daniel Felz; hat tip to Rob Robinson’s Complex Discovery blog for the link), last week, the Data Protection Authority (DPA) of the German state of Bavaria announced it was considering fining a number of companies under the GDPR for their website cookie practices.  None of these companies appear to be in Google-style tech industries.  The Bavarian DPA’s action potentially signals that cookies, user tracking, and online advertising are not a ‘tech industry issue,’ but instead a priority issue for companies irrespective of their industry – and one that can carry GDPR fine risk.

In an online publication, the Bavarian DPA announced it had conducted a sweep of 40 large companies’ website cookie and user tracking practices.  While the identities of these companies have not been published (as is common in Continental European agency investigations), the Bavarian DPA identified the industries in which the companies were active – and no company was identified as a technology company.  Following its sweep, the Bavarian DPA announced that none of the 40 companies it had audited had built GDPR-compliant cookie/tracking practices into their websites.  As a result, the Bavarian DPA has announced it is considering GDPR fines.  The companies audited were from industries ranging from online retail to sports to banking & insurance to media, even automotive & electronics and home and residential.

The Bavarian DPA found the following violations:

  1. Websites lacked the transparency needed for “informed” cookie consent. 30 of the 40 audited websites did not provide sufficiently transparent disclosures to users regarding the website’s use of tracking technology;
  2. No “prior” consent was collected from users. The Bavarian DPA indicated that for most of the 40 websites, cookie data was “automatically” sent to third-party cookie providers as soon as the user visited the website;
  3. The consent obtained was not sufficiently “active”. The Bavarian DPA’s position is that cookies and “tracking scripts” should be blocked until “the user has actively consented.” The interesting thing here is that the Bavarian DPA noted that most of the 40 websites used cookie banners to inform users about their use of cookies, but that none of these banners resulted in effective consent being collected from the user.  As the article notes, it may be that none of the websites integrated a cookie-blocking function prior to ‘consent events’ being logged.

As the article notes, the larger point of the Bavarian DPA’s action is that cookie compliance appears to be becoming a front-burner issue for EU privacy regulators – and an issue that can generate fines.  Which means it should probably be a front-burner issue with companies out there as well.  Oh, and by the way, Alston & Bird’s blog also has a countdown to the effective date of the California Consumer Privacy Act (CCPA) — 328 days and counting by the time you read this, so get ready for more compliance challenges in the future.

So, what do you think?  Will this change how companies implement tracking cookies in their websites?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

We Finally Have Our First Big GDPR Fine: Data Privacy Trends

OK, we’ve been waiting for that first big fine for failing to comply with Europe’s General Data Protection Regulation and now we have one.  So, guess who it was?  OK, guess again.  You can probably guess within three guesses.

As covered in Fortune (France Fines Google $57 Million For GDPR Violations, written by Emily Price), France’s data protection regulator, the Commission nationale de l’informatique et des libertés (CNIL), has issued a €50 million fine (about $56.8 million) to Google for failing to comply with GDPR. The fine marks the first time a major tech company has been penalized under the new privacy law.

As part of the regulation, companies are required to get a user’s “genuine consent” before collecting information about them.  That consent needs to happen in the form of that user explicitly opting in to share their data. They also need to provide a way for users to delete that data.

Last week, Apple CEO Tim Cook penned an op-ed in Time where he suggested similar privacy laws be instated in the United States.

CNIL issued the fine because Google did not meet the country’s standards for providing information to consumers about how their data is being used, nor did it provide enough information about its data consent policies.

That fine of nearly $57 million is large, but not as large as it could be.  GDPR’s maximum penalty is €20 million or 4% of a company’s annual worldwide turnover (revenue), whichever is greater.  Note that the cap is measured against turnover, not market value: 4% of Google’s market capitalization of about $745 billion as of last night would be about $29.8 billion, but that is not the figure the regulation uses, and 4% of annual revenue is considerably smaller.  Even so, the statutory ceiling is many times the fine Google actually received.

Thanks to Sharon Nelson and John Simek for the heads up during our podcast interview yesterday (more on that soon!) and to my boss, Brad Jenkins for the link to the Fortune article.

To all of the people who had Facebook in their office pools as the first company to receive a hefty GDPR fine, it’s time to pay up… :o)

So, what do you think?  Is this just the beginning?  Please share any comments you might have or if you’d like to know more about a particular topic.

Judge Suggests That “Bone-Crushing” Discovery is Needed to Explore Extent of Facebook Breach: Cybersecurity Trends

Remember the latest Facebook breach – the one from September of last year that exposed 50 million accounts?  I say “latest” because you have to differentiate these days.  Well, naturally, that breach spawned several lawsuits.  And, the judge presiding over those suits indicated that he will allow Facebook users “bone-crushing” discovery in those lawsuits, saying he’s sympathetic to users’ concerns and that’s worth “real money” — not just “some cosmetic injunctive relief.”

According to LAW360 (Alsup Wants ‘Bone-Crushing’ Discovery Into Facebook Breach, by Dorothy Atkins, subscription required), U.S. District Judge William Alsup said Facebook users don’t know how badly they’ve been harmed yet and he sees the “real anxiety and harm” to individuals who are going to be worried for the rest of their lives that their personal information and pictures were stolen off of the social media platform.

“That is a real problem that is worth money, not just a security package from Equifax,” he said, adding that the amount at stake is a “serious proposition” for Facebook if found liable.

While Facebook’s attorney indicated that it appears that the hackers only took users’ names and email addresses, Judge Alsup appeared skeptical, saying repeatedly that he’s going to allow their attorneys to take “bone-crushing discovery” to find out if that is true.

“I’ve seen too many defendants that say that and … another good lawyer gets in there, with bone-crushing discovery, and we find out it’s not true,” he said.

Judge Alsup added that many Facebook users post highly personal information on the site, and it doesn’t make sense that hackers would only steal a user’s name and email address when they could also take photos and other more sensitive information.

Facebook announced last September that hackers accessed approximately 50 million accounts from July 2017 through September 2018 by exploiting a vulnerability in Facebook’s code through its “View As” feature, which enabled the hackers to steal access tokens — digital keys that allow users to stay logged into Facebook without having to repeatedly re-enter passwords — that the attackers could then use to take over accounts, according to the company.

Judge Alsup also expressed his own frustrations with serving as a federal judge in a digital age, noting that U.S. marshals are currently trying to figure out how to protect the home addresses of federal judges. He also said a hacker recently stole his identity and posed as him online, posting a blog about the now settled, high-profile Waymo v. Uber trade secrets dispute, which Judge Alsup presided over.

“I think most people realized it wasn’t really me,” the judge said.

Whether that’s true or not, it’s clear Judge Alsup is going to have high expectations regarding discovery related to the breach.

So, what do you think?  Will Facebook face “real money” payouts or “some cosmetic injunctive relief”?  And, what about European interests and GDPR possibly yet to come?  Please let me know your thoughts or if you have a topic that you’d like to suggest.

First Ever Multi-State Data Breach Lawsuit Targets Healthcare Provider: Cybersecurity Trends

Just as the number of data breaches continues to rise, the number of lawsuits over data breaches continues to rise as well.  Chances are that your data has been hacked at some point from at least one company with which you do business.  But this lawsuit is unique.

According to The Expert Institute (12 US States Join Forces to File First Ever Multi-State Data Breach Lawsuit, written by Victoria Negron), an Indiana court will serve as the venue for the first-ever multistate data breach lawsuit, as the attorneys general of twelve US states join forces against a healthcare provider and its subsidiary.

The lawsuit alleges that Fort Wayne-based Medical Informatics Engineering and its subsidiary NoMoreClipboard “failed to take adequate and reasonable measures to ensure their computer systems were protected,” resulting in a 2015 breach that gave hackers access to the personal healthcare information of 3.9 million US citizens. The stolen information included not only identifying details, such as names and Social Security numbers, but also healthcare information, including diagnoses and lab results.

Patients whose data was stolen in the hack had visited 11 different healthcare providers and 44 different radiology clinics, all of whom shared one common feature: they used the WebChart app offered by Medical Informatics Engineering and NoMoreClipboard. Most of the affected patients lived in Indiana, but several others were residents of different states.

In response to the hack, the attorneys general from Arizona, Arkansas, Florida, Iowa, Indiana, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin have jointly filed a cross-state lawsuit alleging multiple violations of the Health Insurance Portability and Accountability Act (HIPAA).  The lawsuit claims that the defendants failed to implement “basic industry-accepted data security measures,” leading to the breach.

According to the article, the use of “tester” accounts (with easily guessed default usernames and passwords) enabled hackers to launch a SQL injection attack, in which attacker-supplied input is interpreted and executed as SQL by the web application’s database server, giving them useful information that eventually led to access to the medical data.  Allegedly, Digital Defense, a company specializing in network security solutions, tested the software in 2014 and 2015 and reported “high risk” in the way the system was designed both times, yet the lawsuit alleges that the defendants did not make changes after Digital Defense’s warnings.
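The two weaknesses the complaint describes, default credentials and SQL injection, are easy to show side by side.  What follows is an added example written for this post, not code from the lawsuit, the article or the WebChart application (whose schema and queries are not described here); the in-memory SQLite database, the “tester” account and the “admin” row are constructed for illustration.  The vulnerable login builds its query by string concatenation, so a username of `admin'--` ends the string literal and comments out the password check; the parameterized version sends the same input as a bound value and finds no such user.  Note that the default account works against both versions, which is why parameterization alone would not have closed the door the complaint describes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed rows, including a default
    'tester' account of the kind the complaint describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("tester", "tester", "user"),            # guessable default account
         ("admin", "Lq7!v9rT#2pZ", "admin")],      # constructed strong password
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Login that concatenates user input into the SQL text.
    Anything the user types becomes part of the statement."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup with bound parameters: the driver passes the values to the
    database separately from the statement, so quotes and comment markers in
    the input are just characters, never SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    """Run the cases and return the row each login call produced."""
    conn = make_db()
    payload = "admin'--"   # closes the string literal, comments out the rest
    return {
        # Default credentials work against both versions: parameterization
        # does nothing about a guessable account.
        "default_creds_vulnerable": login_vulnerable(conn, "tester", "tester"),
        "default_creds_safe": login_safe(conn, "tester", "tester"),
        # Injection succeeds only against the concatenated query.
        "injected_vulnerable": login_vulnerable(conn, payload, "wrong"),
        "injected_safe": login_safe(conn, payload, "wrong"),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case:26s} -> {row}")
```

Run it and the concatenated query returns the admin row for the injected username while the parameterized query returns nothing; both return the tester row for the default credentials.  Removing or renaming default accounts and using bound parameters are the two separate fixes the example points at, and a vulnerability scan that reports “high risk” twice is exactly the kind of warning that should have triggered both.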

Amazingly, not all states allow patients whose personal health information (PHI) is breached to bring a private right of action regarding the breach (hopefully that changes someday), so pursuing litigation at the state level enables the attorneys general named in the complaint to more directly address HIPAA violations and the alleged misconduct that may have caused them.  Of course, chances are that any breach takes months to discover, so it’s not just about the breach, it’s also about discovering the breach too.

So, what do you think?  Will we see more groups of states go after companies who fail to protect sensitive consumer data?  Please let me know your thoughts or if you have a topic that you’d like to suggest.

In California, IoT Device Cybersecurity Foresight is Also 2020, Apparently: Cybersecurity Trends

As I noted a couple of months ago, 2018 is certainly on its way to becoming the year of data privacy rights for the individual and, back then, California passed a new data privacy law which will give consumers several rights regarding their personal data (though the California AG doesn’t seem thrilled about it).  Now, California is once again poised to take the lead on important new technology policy.

As reported by The Washington Post (The Cybersecurity 202: California’s Internet of Things cybersecurity bill could lay groundwork for federal action, written by Derek Hawkins), a bill to set cybersecurity standards for Web-connected devices — from thermostats to webcams to cars — is awaiting Governor Jerry Brown’s signature after cruising through the state legislature late last month. If Brown signs it, California would become the first state to pass legislation to govern security of Internet of Things (IoT) devices, which experts say is crucial as these products proliferate and malicious hackers find new ways to exploit them.  Like the data privacy law passed back in June, this one (if signed by Governor Brown) also takes effect on January 1, 2020.

However, many cybersecurity researchers argue the California bill (SB-327) fails to address the core issues that make connected devices vulnerable to hacks. Nonetheless, it could lay the groundwork for stronger IoT cybersecurity legislation at both the state and federal level. California’s bill, if signed by Brown, could rekindle the national discussion in a similar way to how the landmark privacy law the state recently approved helped spur high-level talks between the Commerce Department and tech giants about federal privacy regulations.

Policymakers grew more concerned about vulnerabilities in IoT devices after the massive Mirai botnet attack in 2016 highlighted just how poorly secured many such devices are. In that incident, hackers exploited weaknesses in webcams and other connected devices and used them to launch cyberattacks that took down Netflix, Spotify and other major websites for hours.

There’s legislation on the table in Congress that would go further. The Internet of Things Cybersecurity Improvement Act, introduced by Virginia Senator Mark R. Warner and Colorado Senator Cory Gardner, would use the federal government’s buying power to boost IoT security. Under the bill, any companies that do business with the federal government would have to ensure that their connected devices are patchable, come with passwords that can be changed, and are otherwise free of known security vulnerabilities. Another bill, the Securing IoT Act, would require the Federal Communications Commission to create cybersecurity standards for certifying wireless equipment.  However, those efforts and others have so far failed to gain traction, despite bipartisan agreement that some sort of federal standards may be necessary.

As for the California bill, some experts said its broad language was too vague to be effective, and offered it as an example of how not to approach IoT security. Well-intended as it might be, the bill “would do little [to] improve security, while doing a lot to impose costs and harm innovation,” according to security researcher Robert Graham.

I guess we’ll see what happens with that bill as well as other efforts to regulate the security of IoT devices.  As usual, it will probably take a few well publicized hacks before any serious progress is made.  We take for granted how many IoT devices we use these days – maybe I’ll have to conduct a survey soon to get a sense of how many IoT devices each of us uses and what types.  That would be interesting!

So, what do you think?  Will the California IoT bill make a difference?  Please let us know any comments you might have or if you’d like to know more about a particular topic.

New Phishing Scam Goes After Office 365 Users: Cybersecurity Trends

According to a recent blog post, there’s a new phishing campaign where the scammers are taking advantage of a small, but serious oversight in Microsoft’s Office 365 suite of online services to serve phishing emails that are visually indistinguishable from work-related emails and appear completely safe.  This new attack has impacted an estimated 10% of Office 365 users worldwide.

As reported in Bitdefender (The Underrated Importance of Training Your Staff to Spot Devious Phishing Attacks, written by Filip Truta, and covered by Sharon Nelson’s excellent Ride the Lightning blog), PhishPoint, as the campaign is dubbed, has a twist that most other phishing scams don’t: it goes beyond email and uses SharePoint itself to host the lure that harvests end-users’ credentials.

Here is how the PhishPoint scam works:

  • Victim receives email containing a link to a SharePoint document
  • Email body is identical to a standard SharePoint invitation to collaborate
  • Victim clicks the hyperlink in the email thinking it is a legitimate work document
  • Victim’s browser automatically opens a SharePoint file
  • SharePoint file impersonates a standard access request to a OneDrive file
  • Victim clicks on “Access Document” hyperlink that leads to a spoofed Office 365 login screen
  • Victim attempts to login, at which point their credentials are harvested by the PhishPoint authors

Exploited properly, the scam can easily lead to a catastrophic data breach. While Microsoft’s link-scanning security layer does sniff out malicious links in the body of an email, it does not scan the links inside a linked SharePoint document. Even if it did, it still couldn’t blacklist a malicious URL inside the document without blacklisting links to all SharePoint files. Researchers feel this is a dangerous oversight.

Stolen corporate domain usernames and credentials are in high demand on the dark web and underground specialized forums. As more and more organizations are moving to cloud-based solutions, phishers themselves are adjusting their techniques to steal credentials via existing attack tools, such as phishing kits.

These phishing kits are usually stored on legitimate-but-compromised websites and are linked to in generic communication. Fake invitations to files hosted on SharePoint Online, outstanding payments for Office 365 subscriptions, or notices of upcoming account termination are the most common lures used to persuade victims into giving away their credentials. And since the messages aren’t branded with visual identities of specific companies, these campaigns likely target a wide pool of organizations, not just a few select companies.  Some of the phishing kits even have their own defense mechanisms that enable them to fly under the radar and avoid blacklisting.

The post also provides several recommendations to avoid getting caught by phishing scammers, including hovering with your mouse cursor over the hyperlink to make sure the link is actually the site it claims to be, being wary of any unsolicited or uncharacteristic requests to input your credentials and using two-factor authentication on every site that offers it, among others.
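The first of those recommendations, hovering over a link to see where it really goes, can be automated.  The following is an added example written for this post, not code from the Bitdefender post or from Microsoft: a small Python filter that pulls every anchor out of an HTML message body, checks the target hostname against an allowlist, and flags anchors whose visible text shows one hostname while the href points at another.  The allowlist, the message body and the two attacker hostnames are constructed for illustration.  The same check run over the HTML of the linked SharePoint file is what covers the step the email scanner misses in the PhishPoint flow.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for this toy filter: hosts under these suffixes are the
# only ones a genuine Microsoft 365 sharing link is expected to use.
TRUSTED_SUFFIXES = ("sharepoint.com", "office.com", "microsoftonline.com")

# Constructed message body imitating a SharePoint invitation; the two
# attacker hostnames are made up for this example.
SAMPLE_EMAIL = """
<p>Alice Jones shared a file with you.</p>
<p><a href="https://contoso.sharepoint.com/:w:/s/finance/Q3.docx">Open Document</a></p>
<p><a href="https://login-microsoftonline.com.example-cdn.net/auth">https://login.microsoftonline.com</a></p>
<p><a href="https://contoso.sharepoint.com.evil.example/Access">Access Document</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    """Suffix match on the registrable domain: 'sharepoint.com.evil.example'
    is not under sharepoint.com, and 'login-microsoftonline.com.example-cdn.net'
    is not under microsoftonline.com."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def displayed_host(text: str) -> str:
    """Hostname the user *sees*, if the anchor text is itself a URL or bare
    host; '' for ordinary text such as 'Open Document'."""
    t = text.strip()
    if " " in t or "." not in t:
        return ""
    return host_of(t if "://" in t else "https://" + t)


def audit_links(html_body: str) -> list:
    """Return one finding per anchor whose target fails either check."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        if not is_trusted_host(target):
            reasons.append("target host is not on the allowlist")
        shown = displayed_host(text)
        if shown and shown != target:
            reasons.append("displayed host differs from target host")
        if reasons:
            findings.append({"href": href, "text": text, "host": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        print(f["host"], "->", "; ".join(f["reasons"]))
```

On the constructed message, the genuine sharing link passes, the lookalike that displays `login.microsoftonline.com` but points at another domain is flagged twice, and the `contoso.sharepoint.com.evil.example` link is flagged once.  One caveat the PhishPoint flow makes obvious: the SharePoint file itself is hosted on real SharePoint, so a hostname allowlist clears that first hop; the check earns its keep on the “Access Document” link inside the file, and on whatever page finally asks for a password.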

These phishing scammers can be very clever and can even mimic people from within your own organization to make you think you’re clicking on a link provided by a co-worker.  One thing we have done at CloudNine to help identify those is to mark any emails coming from an external source with an “*** External Email ***” marker inserted into the received email to help recipients identify those phishing instances.  The battle against malware scammers continues.

So, what do you think?  Do you have any mechanisms your organization uses to spot phishing attempts that you would like to share?  Please share any comments you might have or if you’d like to know more about a particular topic.

Fourth Circuit Rules that Warrantless Cell Phone Search is Warranted: Data Privacy Trends

Don’t let my cute title confuse you.  In this case, the Fourth Circuit issued an interesting decision regarding whether a warrant is required to search an individual’s cell phone.

According to Sharon Nelson’s terrific Ride the Lightning blog (4th Circuit Says Border Search of Phones Requires Individualized Suspicion (But Not a Warrant)), on May 9th, the Fourth Circuit Court of Appeals issued a decision in US v. Kolsuz, ruling that in light of the immense privacy concerns, forensic searches of electronic devices seized at the border must be justified by individualized suspicion, or some reason to believe that a particular traveler had committed a crime.  But not a warrant.

The appeals court said border patrol officers had reasonable suspicion to conduct a forensic search of Hamza Kolsuz’s cellphone, and they were entitled to rely on that standard based on case law that suggested it was, at most, all that was required. The officers had seized Kolsuz’s phone after they found firearms parts that required an export license in his checked luggage. It was the third time weapons parts were found in his luggage.  That certainly seems like reasonable suspicion to me.

The forensic search of Kolsuz’s phone produced information that included personal contact lists, e-mails, messenger conversations, photographs, videos, calendar, web browsing history, call logs and GPS tracking history. He was sentenced to 30 months in prison after a conviction for violating the Arms Export Control Act and conspiracy.

The federal government had contended that searches of electronic devices require no warrant or individualized suspicion under an exception that allows searches of suitcases at the border.  Tom O’Connor discussed the Border Entry exception as part of his Understanding eDiscovery in Criminal Cases on our blog here.

The decision is the first federal appellate ruling to require individualized suspicion in a border search of a cellphone since the U.S. Supreme Court ruled in Riley v. California in 2014 (which Tom O’Connor also discussed on our blog here) that police generally can’t search the contents of a cellphone seized during an arrest, unless they get a warrant, according to the Electronic Frontier Foundation (EFF).

Under Riley’s recognition of the extensive information stored on cellphones, the Fourth Circuit said, the forensic search of Kolsuz’s phone should be considered a nonroutine border search that requires some measure of individualized suspicion.

The EFF and the ACLU had filed amicus briefs urging the Fourth Circuit to go further and hold that probable cause is needed before a search of electronic devices, whether it’s a manual search or one using forensic software.

After arguments in the case, the Department of Homeland Security adopted a policy that treats forensic searches of digital devices as nonroutine border searches requiring reasonable suspicion of activity that violates the customs laws or in cases raising national security concerns, according to the opinion.

The ACLU and the EFF have filed a separate lawsuit that challenges warrantless searches of electronic devices at the border.  In her blog, Sharon notes that she “remain(s) on their side.”  We can agree to disagree on this one… :o)

So, what do you think?  Should cell phone and other electronic device searches at the border require a warrant?  Please share any comments you might have or if you’d like to know more about a particular topic.

Here’s One Way to Comply with GDPR – Block All EU Users: Data Privacy Trends

Believe it or not, Europe’s General Data Protection Regulation (GDPR) is set to go into effect in just one week(!), on May 25th.  Many organizations are scrambling to comply with the new regulation and a lot of them won’t have compliance sorted out in the next week.  As a result, some companies have decided it’s just too much of a hassle and are blocking all access by EU users.

According to Above the Law (Companies Respond To The GDPR By Blocking All EU Users, written by “Techdirt”), F-Secure’s Mikko Hypponen has tracked a bunch of examples of sites that give you some simple JavaScript to block EU visitors.  Hypponen highlighted one site (currently offline, but viewable at the Internet Archive) called GDPR Shield that does that, assuming the visitor has JavaScript turned on and their location is determined accurately, both of which may be big assumptions.  Note also that a client-side script only runs after the server has already received the request and served the page, so it does not by itself stop the site from processing that visitor’s data; it is a banner, not a control.  Hypponen also noted several other sites cutting off EU users, including: Ragnarok Online, Verve, Brent Ozar, Unroll.me, SMNC, Tunngle, Drawbridge and Steel Root.

Hypponen also noted the very different reactions to all of this from EU readers and US readers. EU folks seem to be generally supportive of the GDPR and think that companies shutting down service are either stupid & ignorant or evil and thus should shut down. On the US side, he noted people are smug about how this serves the EU right and will harm the EU.

I can understand the prospects of a penalty of €20 million or 4% of worldwide revenue (whichever is greater) can cause organizations to take drastic steps.  But, should those steps include blocking EU users altogether?  Seems like a great way to cut off a lot of potential revenue.  What’s better: to be penalized for not complying with GDPR or to give up potential business in a drastic attempt to avoid the penalty?

Back in February, Tom O’Connor and I discussed the aspects of GDPR and steps to comply in a webcast we conducted on the topic (and we didn’t advocate shutting out the EU users).  It’s not too late to check it out!  One week to go!

So, what do you think?  Are you ready for GDPR?  Please share any comments you might have or if you’d like to know more about a particular topic.


More Than Two Thirds of Data Breaches Take Months to Discover: Cybersecurity Trends

One of my favorite annual cybersecurity publications to read is the Verizon Data Breach Investigations Report (DBIR), which analyzes the reported cybersecurity and data breach incidents for the year.  As always, this year’s report has some interesting findings.

But first, this week’s eDiscovery Tech Tip of the Week is about Selecting Views.  Workflows associated with reviewing documents in discovery can be varied, depending on the task to be accomplished during review, the type of information needed to conduct the review effectively and the individual’s preferred style in conducting the review.  It’s important to find an eDiscovery review platform that gives you options for review that fit your workflows.

To see an example of how Selecting Views is conducted using our CloudNine platform, click here (requires BrightTalk account, which is free).

Anyway, every year, the Verizon DBIR report starts off with a notable quote.  This year, the report writers chose to get downright Shakespearean with the quote “I would give all my fame for a pot of ale, and safety” from Henry V.  Sounds like a pretty good trade to me!

Here are some interesting statistics from the 68 page PDF report:

  • They are reporting on over 53,000 incidents and 2,216 confirmed data breaches;
  • 73% of reported breaches were perpetrated by outsiders, 28% by internal actors;
  • 50% of breaches were carried out by organized criminal groups;
  • 12% of breaches involved actors identified as nation-state or state-affiliated;
  • Who was affected? 24% of breaches affected healthcare organizations, 15% of breaches involved accommodation and food services, 14% were breaches of public sector entities and a whopping 58% of victims are categorized as small businesses.  So, it’s not just the “big guys” who are the targets.
  • How do they get you? 48% of breaches featured hacking, 30% included malware, 17% of breaches had errors as causal events, 17% were social attacks, 12% involved privilege misuse and 11% of breaches involved physical actions.
  • Also, 49% of non-point of sale malware was installed via malicious email, 76% of breaches were financially motivated and, the most remarkable stat, 68% of breaches took months or longer to discover.

As always, the report is chock full of graphics and statistics, which makes it easier to read than its size suggests, and it covers everything from social attacks to ransomware to denial of service to incident classification patterns and coverage of data breaches and other incidents in several industries.

You can download a copy of the report here.  Once again, you can register and download the report or just choose to download the report.  This is our fourth year covering the report (previous reports covered here, here and here).  Enjoy!

So, what do you think?  Have you ever experienced any data breaches, either personally or professionally?  Please share any comments you might have or if you’d like to know more about a particular topic.


Law Enforcement Has Found a New Way to Put a Finger on iPhone Evidence: eDiscovery Trends

A dead finger, that is.  Believe it or not, cops are now opening iPhones with dead people’s fingerprints.

A couple of days ago, Sharon Nelson (on her excellent Ride the Lightning blog) covered a Forbes article that discussed a suspect who mowed down a group of people in his car, went on a stabbing spree with a butcher’s knife and was shot dead by a police officer on the grounds of Ohio State University.  To try to access the phone to learn more about the assailant’s motives, an FBI agent applied the bloodied body’s index finger to the iPhone found on the deceased suspect.

In that case, it didn’t work as the iPhone had gone to sleep and when reopened required a passcode.  But, this technique is working in many other cases.  Separate sources close to local and federal police investigations in New York and Ohio, who asked to remain anonymous as they weren’t authorized to speak on record, said it was now relatively common for fingerprints of the deceased to be depressed on the scanner of Apple iPhones, devices which have been wrapped up in increasingly powerful encryption over recent years. For instance, the technique has been used in overdose cases, said one source. In such instances, the victim’s phone could contain information leading directly to the dealer.

Not surprisingly, there are concerns about whether a warrant should be required. Greg Nojeim, senior counsel and director of the Freedom, Security and Technology Project at the Center for Democracy & Technology, said it’s possible in many cases there would be a valid concern about law enforcement using fingerprints on smartphones without any probable cause. “That’s why the idea of requiring a warrant isn’t out of bounds,” Nojeim added.

Think having an iPhone X that replaces the fingerprint security with facial recognition technology will keep law enforcement at bay?  Think again.  It could be an easier way into iPhones than Touch ID. Marc Rogers, researcher and head of information security at Cloudflare, told Forbes he’d been looking at Face ID in recent months and had discovered it didn’t appear to require the face of a living person to work – apparently the technology can be deceived simply using photos of open eyes or even only one open eye on the suspect.  “In that sense it’s easier to unlock than Touch ID – all you need to do is show your target his or her phone and the moment they glance it unlocks,” he stated.

Or open the eyes of the dead suspect.  Dead men tell no tales?  Maybe they do after all.

So, what do you think?  Should a warrant be required to access phones with fingerprint or facial recognition technology?  Please share any comments you might have or if you’d like to know more about a particular topic.
