DLA Piper Falls Victim to Latest Cyberattack

After last month’s WannaCry ransomware attack infected thousands of businesses and individuals across the globe, law firms were identified as likely targets of future, similar attacks. On Tuesday, multinational firm DLA Piper became the latest victim of a major cyber hack.

The Petrwrap/Petya attack, which was found to have originated in the firm’s office in Spain, caused DLA’s network and phone system to be shut down. Employees were instructed to turn off their computers and to unplug their laptops from the network as a precaution. During the shutdown, a DLA Piper spokesperson said in a statement: “The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible.” DLA worked with external forensic experts, including the FBI and UK National Crime Agency, to get its systems back online and recover from the attack. Nonetheless, the firm’s lawyers were without access to company phones and email due to the lockdown.

In addition to DLA Piper, other large companies were hit, including Russian oil producer Rosneft and Danish shipping company Maersk. Though first reported in Ukraine, where the most severe damage has been sustained, the malware quickly spread to the United States and Europe. United States-based pharmaceutical company Merck was also infected. DLA Piper has experienced effects of the attack in its offices globally.

While DLA Piper is the only law firm reported to have been attacked by the Petrwrap/Petya ransomware thus far, experts have indicated that law firms generally are attractive targets for hackers, as they maintain an abundance of highly sensitive client information on their systems. Many smaller firms are vulnerable and easily exploited because they do not have the infrastructure to protect themselves against cyber threats. Yet, as can be seen, these increasingly pervasive attacks can cripple even the most prepared companies. In fact, DLA Piper, a firm with a global cybersecurity team, published an article in the wake of WannaCry titled “9 Things You Should Know to Protect Your Company from the Next Attack.”

Details about the Petrwrap/Petya ransomware, including how it is spread, are still being investigated. Researchers have reported that it is both similar to and different from WannaCry in various ways. Needless to say, in the face of another widespread attack, it is more important than ever for law firms to be vigilant against cyber threats.


SCOTUS to Address Whether There is a Reasonable Expectation of Privacy in Mobile Phone Location Data

On June 5, 2017, the United States Supreme Court granted a petition for a writ of certiorari in Carpenter v. United States, from the Sixth Circuit Court of Appeals. The Supreme Court will have to address whether or not the Fourth Amendment protects against government access to historical cell-site location records. In Carpenter, the government obtained several months’ worth of cell phone location records for robbery suspects without obtaining a probable cause warrant. For one suspect, Timothy Carpenter, the records revealed 12,898 separate points of location data. For another suspect, Timothy Sanders, the records revealed 23,034 separate points of location data.

FBI agent Christopher Hess offered expert testimony explaining that the cell phone data acquired under the Stored Communications Act (“SCA”) (18 U.S.C. Chapter 121, §§ 2701–2712) indicated that Carpenter’s and Sanders’ phones were within one-half mile to two miles of the location of each of the robberies around the time the event occurred. Carpenter and Sanders sought to suppress this evidence under the Fourth Amendment, but the district court denied their motion.

The SCA permits the government to obtain records where “specific and articulable facts show that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation”—a much lower bar than the probable cause needed to obtain a run-of-the-mill search warrant.

A divided panel of the Sixth Circuit stated that, “although the content of personal communications is private, the information necessary to get those communications from point A to point B is not.” For example, while individuals may enjoy a reasonable expectation of privacy regarding the content of their telephone calls, they do not have the same expectation for the numbers dialed. The court concluded that, “[t]oday, the same distinction applies to internet communications,” i.e., while the Fourth Amendment protects the contents of an email, it does not protect metadata. The Sixth Circuit joins the Fourth, Fifth, and Eleventh Circuits in holding that there is no reasonable expectation of privacy in historical cell site location information under the Fourth Amendment, and therefore no warrant is required.

Numerous lower court judges encountering the issue have followed the Supreme Court’s third-party-doctrine cases, which hold that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties. However, this line of thinking has been deemed antiquated by some in light of the vast amounts of data that are collected on a daily basis. Justice Sotomayor noted in United States v. Jones, that it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties and that this approach is ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. 132 S. Ct. 945, 957 (2012).

In recognition of this changing tide, and relevant to the issue presented in Carpenter, some courts have concluded that individuals have a reasonable expectation of privacy in their location. For example, in United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), aff’d on other grounds sub nom. Jones, 132 S. Ct. 945, the D.C. Circuit held that using a GPS device to surreptitiously track a car over the course of 28 days violated reasonable expectations of privacy and was therefore a Fourth Amendment search. Id. at 563. The court explained that “[p]rolonged surveillance reveals types of information not revealed by short-term surveillance, such as what a person does repeatedly, what he does not do, and what he does ensemble. These types of information can each reveal more about a person than any individual trip viewed in isolation.” Id. at 562. Therefore, people have a reasonable expectation of privacy in such intimate and private information.

Collecting and analyzing cell phone records can, and often does, reveal extraordinarily sensitive details about a person’s life. This case will have an enormous impact on the Fourth Amendment in connection with data collected and an individual’s expectation of privacy in the ever-progressing digital age.

The Border Search Exception to the Warrant Requirement

You are sitting in O’Hare airport or in a Starbucks in Tucson, Arizona skyping with a friend when an ICE agent approaches you, asks you to produce evidence of your legal presence, and demands that you hand over your laptop and cell phone and give him the passcodes. You refuse. Can he detain you or confiscate your devices? Maybe.

The Supreme Court has long recognized that the “border search exception to the warrant requirement” allows the government to conduct searches and seizures in proximity to the international border without reasonable suspicion. United States v. Martinez-Fuerte, 428 U.S. 561-61 (1976). This allows the government to conduct warrantless searches of laptop computers and cell phones at the border without reasonable suspicion of illegal content. United States v. Arnold, 533 F.3d 1003 (9th Cir. 2008). However, an agent must have “reasonable suspicion” (though still not a probable cause warrant) to conduct an extensive forensic search of a laptop. United States v. Cotterman, 709 F.3d 952, 957 (9th Cir. 2013).

The border search exception applies well beyond geographic borders. It applies anywhere within a zone extending 100 miles from such borders and from all ports of entry. See 8 C.F.R. § 287.1(a). About two-thirds of the US population lives within this zone. Thus, without reasonable suspicion, ICE agents can stop you throughout much of the USA and inquire as to your immigration status. If they do, you would be subject to immediate deportation, without getting the opportunity to go before a judge, unless you can establish your legal presence in the country. See M. Shear & R. Nixon, “New Trump Deportation Rules Allow Far More Expulsions,” New York Times (Feb. 21, 2017) (available online at https://www.nytimes.com/2017/02/21/us/politics/dhs-immigration-trump.html).

Arguably, if you were overheard conversing in Spanish or a foreign language unintelligible to the agent (Arabic?) and aggressively objected to the agent’s demands, the agent could determine reasonable suspicion and, on that basis, could confiscate your devices and conduct an extensive forensic search. If you did not have identification establishing legal presence, the agent could detain you until you can provide such proof. Happy travels.

Blockchain Technology: Balancing Benefits & Evolving Risks

The “blockchain” has the potential to transform the way financial institutions process transactions and corporations conduct business. While first introduced as the technology underlying cryptocurrencies such as bitcoin, financial institutions have partnered to apply the blockchain to streamline cross-border payment settlement and interbank settlement solutions. Implementing blockchain technology in pursuit of these types of efficiencies may fundamentally change how financial institutions conduct business and alter the risks banks face.

Fundamentally, the blockchain stores data about individual financial transactions in a decentralized way that should, in theory, provide greater security and limit the risk of fraud. It relies on cutting-edge cryptography to secure the authentication process. Before recording a block of transactions, “miners” run the block’s contents through a cryptographic hash function, which produces a seemingly random, fixed-length string of letters and numbers known as a hash. Because the block’s contents include the hash of the preceding block, each hash depends on the one before it, and finding a block whose hash satisfies the network’s target is a difficult math problem. Although the problem is difficult to solve, the solution is easy to verify.

The hash becomes the digital version of a wax seal. After using this process to authenticate a block of transactions, miners store the “block,” along with its hash, in a unique “chain.” If you change just one character in a block, its hash changes completely. The ramification for security is that if someone tampers with a block, the tampering is evident to anyone who recomputes the hash and compares it to the stored one.

A blockchain documents each transaction’s details, identifying the sender, recipient, input amount, and output amount. Only the parties to a transaction can unlock the contents of the block because only they hold the private key necessary to open the data. But since each entry bears a hash, anyone can verify the existence of a transaction within the block.
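A toy version of the mechanism described above, added here as an illustration rather than code from the original post or from any real blockchain: each block is hashed together with the hash of the preceding block, a small proof-of-work puzzle makes a block costly to mine but cheap to verify, and changing a single digit in an already-sealed block breaks the seal. The difficulty target and the sample transactions are constructed for the demo.

```python
import hashlib
import json
from dataclasses import dataclass

# Proof-of-work target: the block hash must start with this many hex zeros.
# Three is an assumption chosen so the demo mines in well under a second;
# real networks use targets that take enormous amounts of work to hit.
DIFFICULTY = 3
GENESIS_PREV = "0" * 64  # the first block has no predecessor

# Constructed sample transactions (sender, recipient, amount) for the demo.
TX_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}, {"from": "alice", "to": "dave", "amount": 1}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]


@dataclass
class Block:
    index: int
    prev_hash: str      # the seal of the preceding block, chained in
    transactions: list  # the details of each transaction in this block
    nonce: int = 0      # the value miners vary to solve the puzzle
    seal: str = ""      # the hash stored alongside the block once mined

    def digest(self) -> str:
        # Canonical serialisation so identical content always yields the same hash.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions, "nonce": self.nonce},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


def mine(block: Block) -> int:
    """Search for a nonce whose hash meets the target; returns the number of hashes tried."""
    target = "0" * DIFFICULTY
    attempts = 1
    while not block.digest().startswith(target):
        block.nonce += 1
        attempts += 1
    block.seal = block.digest()
    return attempts


def build_chain(tx_batches):
    """Mine one block per batch, each chained to the seal of the one before.
    Returns (chain, total hashes computed while mining)."""
    chain, prev_hash, work = [], GENESIS_PREV, 0
    for i, txs in enumerate(tx_batches):
        # copy the transactions so tampering with a block never alters the sample data
        block = Block(index=i, prev_hash=prev_hash, transactions=[dict(t) for t in txs])
        work += mine(block)
        chain.append(block)
        prev_hash = block.seal
    return chain, work


def verify_chain(chain):
    """Recompute each seal (one hash per block). Returns (ok, index of first bad block or None)."""
    target = "0" * DIFFICULTY
    prev_hash = GENESIS_PREV
    for block in chain:
        if (block.prev_hash != prev_hash                 # link to predecessor intact?
                or block.digest() != block.seal          # content still matches the stored seal?
                or not block.seal.startswith(target)):   # puzzle actually solved?
            return False, block.index
        prev_hash = block.seal
    return True, None


def differing_hex_chars(a: str, b: str) -> int:
    """How many of the 64 hex positions differ between two digests."""
    return sum(x != y for x, y in zip(a, b))


def tamper_demo():
    """Alter one value in an already-sealed block and report what verification finds."""
    chain, work = build_chain(TX_BATCHES)
    ok_before, _ = verify_chain(chain)
    original_seal = chain[1].seal
    chain[1].transactions[0]["amount"] = 3   # one digit changed in block 1 (2 -> 3)
    changed = differing_hex_chars(original_seal, chain[1].digest())
    ok_after, first_bad = verify_chain(chain)
    return {"ok_before": ok_before, "ok_after": ok_after, "first_bad": first_bad,
            "hex_chars_changed": changed, "hashes_to_mine": work,
            "hashes_to_verify": len(chain)}


if __name__ == "__main__":
    print(tamper_demo())
```

The result shows the chain verifying before the edit, failing at block 1 after it, most of the 64 hex characters of the seal changing, and mining costing thousands of hashes while verification costs one per block.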

The application of blockchain technology could potentially increase the risk of fraud. That’s because a comprehensive review of fraud, alteration, and forgery may not occur in a blockchain transaction. The participating financial institutions may not receive the transaction’s original documents, on which the transaction is based, and thus may not have an opportunity to analyze those documents for fraud. Since parties using blockchain for transactions appear to be moving towards competing blockchain-based platforms, there is a potential for assets to be double-pledged or for conflicting financial transactions to be entered into on different platforms.

As financial institutions and their corporate clients move forward into the brave new world of blockchain technology, they must remain mindful of the fact that this is just another means of conducting business transactions, and the time honored principle of caveat emptor still applies. Parties entering into blockchain transactions should ensure that they are doing their due diligence on the representations underlying those transactions. This includes, when applicable, examining original documents on which transactions are based. Also, participants should be mindful that there may be multiple blockchain-based platforms on which business is conducted, meaning that the lack of a conflict on the platform in which the transaction is entered into does not mean that a competing or conflicting transaction will not be entered into on another platform.

Target Settlement a First Step for Companies Looking to Avoid Data Breach Litigation

Target ends its multi-state data breach litigation over its 2013 data breach with an $18.5 million settlement to 47 states. While the settlement outlines the type of security measures companies should employ in order to not be found negligent with customer data, it doesn’t go far enough to improve organizational security. The bulk of the settlement terms are still defensive in nature when it comes to data breaches. As such, companies looking to follow the terms of Target’s settlement should be cautioned to use offensive tactics to prevent such attacks if they want to avoid litigation.

In 2013, Target’s security systems detected the breach, but no one understood the significance of, or acted upon, the alerts; the delay in response turned the intrusion into a massive data breach. Target has since toughened its security systems and made significant improvements. The terms of the settlement give Target 180 days to develop, implement, and maintain a comprehensive security program. However, this requirement refers to the changes the retailer has already implemented. The settlement reiterates some of the basics, such as having a comprehensive security program, segmenting the network, and implementing stricter access control policies for sensitive networks and data. Future data breach lawsuits may nonetheless use the Target settlement to try to prove that an organization did not go far enough in protecting personal information and other sensitive data. As such, abiding by the terms of the Target settlement is a first step for companies looking to avoid data breach litigation, but further tactics will be required for companies to go on the offensive to prevent breaches, because the plaintiffs’ bar will try to use the Target settlement as a benchmark of negligence in pushing forward with future litigation.

Recent Massive Ransomware Attack Underscores Importance of Keeping Operating System Software Updated and Vigilance Against Suspicious Emails

On May 12, 2017, countless individuals and businesses worldwide were the targets of what experts deem the largest ransomware attack in history. In this attack, hackers sent emails containing encrypted .zip file attachments, which, when downloaded by the email recipient, infected the recipient’s computer with ransomware that commandeered and locked the computer’s files. The files were rendered inaccessible and released only upon payment of a bitcoin ransom to the hacker. According to reports, over 74 countries were hit by the attack, and hospitals and government agencies were among the victims. The damage, monetary or otherwise, resulting from the attack remains to be determined.

“Wannacry,” the name of the ransomware variant used in this attack, is reportedly derived from a stolen NSA hacking tool. The ransomware exploited Windows-based operating system vulnerabilities in computers that were not patched with the latest software update from Microsoft.

Although individuals and businesses in the United States remained largely unaffected, many experts say that this recent attack merely foreshadows future attacks of this scale that may potentially reach users stateside. As hackers become more sophisticated, attacks of this type may become the new normal. Given this new reality in the world of computing, it is increasingly important that computer users, particularly organizational users with databases and systems that house confidential and sensitive information, such as personally identifiable information (“PII”) or protected health information (“PHI”), ensure that computer systems are regularly updated with operating system software and security patches. Equally important is implementing organizational policies and procedures that require and encourage users to be vigilant against indiscriminate accessing and opening of suspicious emails with infected attachments and links.

Recent Study Reveals Interesting Trends in Cyber Attacks in First Quarter of 2017

A recent study issued by Navigant Global Technology Solutions has indicated that “2017 is poised to be a year of significant awareness and development in the area of cybersecurity regulation.” The study indicates that the ferocity of cybersecurity attacks has continued unabated since 2016 and that 2017 is shaping up to be another “watershed year” for cybersecurity threats and attacks.

Statistics (Q1 2017):

  • The overall average breach size decreased from 58,882 records in Q3 2016 to 49,877 in Q4 2016.
  • Healthcare accounted for the largest percentage of reported data breaches (42.77%).
  • Hacking incidents were the most common type of breach.
  • An average of more than 4,000 ransomware attacks occurred per day.
  • 73% of IT security professionals at critical infrastructure utilities say their organizations have suffered a breach.

Additionally, there has been a significant increase in the number of security incidents caused by remote desktop protocol (“RDP”) hacking in the first quarter of 2017. This is not surprising in light of the increasing “work-from-home” trend: RDP is technology that allows users and system administrators to remotely access computers they cannot physically reach, and in these incidents the attackers gain access to the network through phishing emails or other social engineering techniques. The study also noted that TeamViewer, a major RDP provider, has seen a spike in the number of RDP security breaches. However, TeamViewer and Navigant both note that the exposure is not due to a “flaw” in the technology, but rather to poor password practices by users. Once again, the findings indicate that human error appears to be one of the most difficult problems to safeguard against.

The second quarter of 2017 is poised to be no exception to the spike in cybersecurity breaches. The 2016 tax year is coming to a close and a plethora of sensitive personal information is available to hackers across multiple platforms. Recognizing that a majority of cyber attacks result from users’ weak or reused passwords, the use of “two-factor authentication” on all account logins continues to be a focus in designing effective cyber security programs.

Two-factor authentication (also referred to as “2FA”) is a process requiring two different authentication methods to prevent unauthorized access to private and sensitive information. The three main categories of authentication factors are: something you know (password, PIN code, social security number); something you have (USB security token, bank card, key); and something you are (fingerprint, eye scan, voice, face). The two-factor authentication process requires two of these factors, drawn from different categories.

According to Symantec’s 2016 Internet Security Threat Report, 80% of breaches can be prevented by using multi-factor authentication. Thus, by using basic, two-factor authentication, an organization can immediately reduce its cybersecurity threat profile in a fast and meaningful way.

As we continue in 2017, these statistics and studies must inform the development of practical, effective means of combating countless threats to cyber security. Being attacked is only a question of when, not if. In cyber security, the best offense is a strong defense, including accommodations for the likelihood of human error.

Japan’s High Court Holds that Individual With Certain Criminal History Had No Right to Be Forgotten

In late January 2017, the Supreme Court of Japan held that a man who had been convicted of breaking child prostitution and pornography laws had no right to require Google to remove his name and address from Google search results. The decision reversed the Saitama District Court’s ruling of December 2015 that the man could require Google to delete news reports of his arrest and conviction three years earlier.

The district court had held that the man had a “right to be forgotten,” the first such ruling in Japan. Presiding Judge Hisaki Kobayashi reportedly stated that, depending on the nature of the crime, after a certain period of time has elapsed individuals should be able to undergo rehabilitation with a clean online slate.

The Japanese Supreme Court, however, disagreed. It held that the public’s right to know outweighed the man’s right to privacy given the serious nature of his crimes. According to the court’s website, the deletion of references in search engine results to such charges can be required only where the value of privacy protection clearly exceeds or outweighs that of information disclosure. According to the Kyodo news agency, at least one Justice, Kiyoko Okabe, found that the scales tipped more heavily toward disclosure because child prostitution is prohibited under the penal code and is subject to strong social condemnation.

The Supreme Court of Japan, according to its website report on the case, said that in determining whether search engine results should be deleted, relevant factors include the degree of damage the information may cause to the person’s privacy interests, how broadly specific searches can be carried out, and the social standing of the individual in question. Website operators would need to perform a case-by-case analysis but these factors alone would not seem to give them much guidance.

The Japanese high court did not mention a “right to be forgotten.” Such a principle has been publicized within the past few years in the European Union and some other jurisdictions. The term “right to be forgotten” became widely known following a May 2014 ruling by the European Court of Justice involving a Spanish man who demanded his past debt record be removed from the Internet.

More nuanced discussions of the doctrine sometimes distinguish between a “right” of an individual to stop the circulation of embarrassing personal facts, statements, or graphics that the person himself or herself originally published on the internet, versus the right to stop the circulation of information placed there by unrelated third parties, such as companies and government agencies, for a broader public purpose. In the first case, the person may have been under age or have acted precipitously, and could be considered the “owner” of the information. In the second case, those circumstances would seem to be missing.

Neither the U.S. nor the Japanese constitution contains an express right of privacy. For example, the Japanese 2003 Personal Information Protection Law states what businesses should do in handling personal information but does not specify an individual’s corresponding right to privacy. In contrast, the U.S. and Japan both expressly protect a right to freedom of speech. Article 21 of the Japanese Constitution expressly provides that the freedom of speech, press and all other forms of expression are guaranteed, and that no censorship shall be maintained.

The case in Japan may have been the first for that country’s high court on this issue, but there will likely be other cases, both there and elsewhere. In political systems, there is generally an inverse relationship between the widespread availability of information and the government’s ability to rule coercively. In other words, the more that information can be controlled and limited, the more coercive can be the government. North Korea is a prime example. The balance between a right to be forgotten and the right to free speech may develop differently in countries that are based on democratic principles than in other countries.

“From the Office to Cyberspace: Workplace Violence in the Twenty-First Century” Article Published by DRI

Gordon & Rees Partner Diane Krebs and Associate Jamie Haar authored an article, “From the Office to Cyberspace: Workplace Violence in the Twenty-First Century,” published in the January 2017 issue of DRI’s magazine, For The Defense.

In their article, Krebs and Haar, both members of Gordon & Rees’s Employment Practice Group, offer key legal considerations for employers on how to navigate workplace violence and bullying in today’s social media-heavy world.

The article discusses the many forms of workplace violence and bullying, with a particular focus on workplace cyberbullying, as well as identifies legal implications and an employer’s potential liability. Among other things, the article discusses the privacy concerns implicated by the Stored Communications Act to assist employers in crafting their investigatory procedures.


Five Steps to Lower the Risk of Trade Secret Theft from Business Partners

As stories of international and domestic hacking and espionage dominate the news cycle, it’s easy to forget that when it comes to trade secrets, employees and business partners—not hackers—pose the biggest threat. See David S. Almeling et al., A Statistical Analysis of Trade Secret Litigation in Federal Courts, 45 Gonz. L. Rev. 291 (2009/2010).

In a recent webinar, Gordon & Rees addressed protection of trade secrets and proprietary information from employee theft. Here, we address some steps to help prevent business partners from misusing your trade secrets.

  1. Identify your trade secrets and control access to them

Before any agreements are drafted or any information or documents are exchanged, be sure you have identified your trade secrets (see also the definition under the Uniform Trade Secrets Act). You can’t protect them unless you know what they are. This sounds like common sense, but surprisingly, in the hustle and bustle of everyday work, not all companies take the time to do this until they’ve realized their trade secrets have ended up in the wrong hands. (Unless it is appropriate for your industry, referring to everything as a “trade secret” is not helpful, either—for example, your business partners are less likely to take your actual trade secrets seriously if you claim that information you have made public is also a trade secret.)

A trade secret “registry” could be considered favorable evidence in court—as long as it is timely updated and actually distributed to employees. See Schalk v. State, 823 S.W.2d 633, 643 (Tex. Crim. App. 1991). This registry will also help your own employees apply the proper markings and designations when such information is exchanged with a business partner.

Securing your trade secrets in-house will not only help your case in court, it also helps when it comes to disclosure to third parties, particularly inadvertent disclosure. Chances are, not every employee will require access to every trade secret. Restrict physical and electronic access to each trade secret to the personnel who actually need it.

What measures are appropriate will depend on the circumstances and will likely evolve with time and technology. In one case, information was stored on secure servers protected by three layers of physical security, passwords, and 256-character PuTTY keys, with portions of the keys possessed by only a single person; a court found this sufficient evidence for a jury to conclude that the trade secrets owner took appropriate measures to protect its trade secrets. Xtec, Inc. v. CardSmart Techs., Inc., No. 11-22866-CIV-ROSENBAUM, 2014 U.S. Dist. LEXIS 184604, at *26 (S.D. Fla. May 15, 2014).

On the other hand, where information was distributed to 600-700 people where at most only 190 people signed confidentiality agreements, and where that same information was not stamped as “confidential,” a court found that no reasonable jury could conclude that “reasonable efforts” were made. Tax Track Sys. Corp. v. New Inv’r World, Inc., 478 F.3d 783, 788 (7th Cir. 2007).

  2. Draft tailored non-disclosure agreements (“NDAs”)

Before any information is exchanged with a business partner, have your attorneys help you draft a non-disclosure/confidentiality agreement tailored to the arrangement. Not only will this agreement help you in case you need to litigate the matter, it will provide the protocols for your business partner to follow.

Some provisions you and your attorneys will want to consider are the return/destruction of trade secrets at certain stages (and certainly when the relationship is terminated), a perpetual non-disclosure and non-use clause when it comes to trade secrets (as opposed to an expiring one), how trade secrets will be identified/marked (and the ability to later identify/mark previously exchanged documents), and requirements for the business partner’s employees to sign individual NDAs and/or obtain training on how to handle trade secrets. This is not an exhaustive list—work with your attorney to flesh out the agreement.

Be wary of stock or template agreements; many of them may not contemplate the specific issues that may arise in your situation. Many “standard” agreements also contain language that relieves the business partner of its contractual obligations of non-disclosure and non-use as soon as the trade secrets are made public—without specifying that such public disclosure must have been authorized by the owner of the trade secret, and without giving the owner the chance to mitigate the effects and damage of the unauthorized disclosure.

But no matter how perfect the agreement, it won’t matter if it isn’t properly implemented.

  3. Train your own employees

Identify all the employees who will be corresponding with the business partner and make sure you train them. Let them know what information can be exchanged, what cannot, and which individuals from the business partner they can exchange information with. Provide them with a written checklist and designate a person most knowledgeable—or better yet, a specialized team—to direct their questions to. This team should also conduct some “spot checks” throughout the relationship to make sure protocols are being followed.

If the relationship with the business partner will span more than a couple of months, also have a plan in place to retrain your employees at regular intervals.

  4. Train the business partner’s employees

Even if you require individuals from the business partner’s company to sign an NDA, that may not be enough. You may want to provide the partner’s employees with the necessary training, or at least provide the partner with the necessary materials to provide the training themselves (and require them to do so as part of the NDA). Regularly communicate with the partner to make sure they are protecting your trade secrets, and have your employees and your specialized team pay attention to how the business partner is using this information as well.

  5. Create a contingency/emergency plan

Did an employee send a trade secret to the business partner without marking it as such? Has the business partner communicated plans that may violate the NDA? Has the relationship with the business partner begun to go sour?

Your team should already have a contingency plan in place to deal with these—and other—situations, and protocols to continually improve security and access. Make sure you follow through on enforcing contractual provisions, and make sure you act swiftly.

In closing, remember that when dealing with trade secrets or handling other proprietary, confidential or otherwise private information, nothing beats being prepared.