The Border Search Exception to the Warrant Requirement

You are sitting in O’Hare airport or in a Starbucks in Tucson, Arizona skyping with a friend when an ICE agent approaches you, asks you to produce evidence of your legal presence, and demands that you hand over your laptop and cell phone and give him the passcodes. You refuse. Can he detain you or confiscate your devices? Maybe.

The Supreme Court has long recognized that the “border search exception to the warrant requirement” allows the government to conduct searches and seizures in proximity to the international border without reasonable suspicion. United States v. Martinez-Fuerte, 428 U.S. 561-61 (1976). This allows the government to conduct warrantless searches of laptop computers and cell phones at the border without reasonable suspicion of illegal content. United States v. Arnold, 533 F.3d 1003 (9th Cir. 2008). An agent must, however, have “reasonable suspicion” (but still not a warrant supported by probable cause) to conduct an extensive forensic search of a laptop. United States v. Cotterman, 709 F.3d 952, 957 (9th Cir. 2013).

The border search exception applies well beyond geographic borders. It applies anywhere within a zone extending 100 miles from such borders and from all ports of entry. See 8 C.F.R. § 287.1(a). About two-thirds of the US population lives within this zone. Thus, without reasonable suspicion, ICE agents can stop you throughout much of the USA and inquire as to your immigration status. If they do, you would be subject to immediate deportation, without getting the opportunity to go before a judge, unless you can establish your legal presence in the country. See M. Shear & R. Nixon, “New Trump Deportation Rules Allow Far More Expulsions,” New York Times (Feb. 21, 2017) (available online at https://www.nytimes.com/2017/02/21/us/politics/dhs-immigration-trump.html).

Arguably, if you were overheard conversing in Spanish or a foreign language unintelligible to the agent (Arabic?) and aggressively objected to the agent’s demands, the agent could determine reasonable suspicion and, on that basis, could confiscate your devices and conduct an extensive forensic search. If you did not have identification establishing legal presence, the agent could detain you until you can provide such proof. Happy travels.

Blockchain Technology: Balancing Benefits & Evolving Risks

The “blockchain” has the potential to transform the way financial institutions process transactions and corporations conduct business. While first introduced as the technology underlying cryptocurrencies such as bitcoin, financial institutions have partnered to apply the blockchain to streamline cross-border payment settlement and interbank settlement solutions. Implementing blockchain technology in pursuit of these types of efficiencies may fundamentally change how financial institutions conduct business and alter the risks banks face.

Fundamentally, the blockchain stores data about individual financial transactions in a decentralized way that should, in theory, provide greater security and limit the risk of fraud. It relies on cutting-edge cryptography to secure the authentication process. Before recording a block of transactions, “miners” authenticate them by applying a mathematical formula that results in a seemingly random sequence of letters and numbers known as a hash. The hash of the preceding block is one of the inputs to the math problem that produces the new block’s hash, which is what links the blocks together. Although the math problem is difficult to solve, the solution is easy to verify.

The hash becomes the digital version of a wax seal. After using this process to authenticate a transaction, miners store the “block,” along with its hash, in a unique “chain.” If you change just one character in a block, its hash will change completely. The ramification for security is that if someone tampers with the block, the change becomes public.
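As an added illustration of the hash-chain mechanics described above (example code written for this note, not code from the original article or from any production blockchain), the following Python builds a tiny chain in which each block’s hash covers the previous block’s hash, shows that editing a single value breaks the “seal,” and shows that even re-mining the edited block leaves the next block’s link broken. The block layout, the leading-zeros proof-of-work rule, and the sample transactions are assumptions made for the example.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # the first block has no predecessor


def block_hash(index, prev_hash, transactions, nonce):
    """SHA-256 over the block's contents.

    The previous block's hash is part of the input: that is the "link" in
    the chain, so changing any earlier block changes this block's expected hash.
    """
    payload = json.dumps(
        {"index": index, "prev": prev_hash, "tx": transactions, "nonce": nonce},
        sort_keys=True,
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def mine_block(index, prev_hash, transactions, difficulty):
    """Proof of work: find a nonce whose hash starts with `difficulty` zero digits.

    Finding the nonce takes many attempts on average (the final nonce value is
    the number of failed tries); verifying it takes a single hash computation.
    """
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, transactions, nonce)
        if h.startswith("0" * difficulty):
            return {"index": index, "prev": prev_hash, "tx": transactions,
                    "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(batches, difficulty=3):
    """Mine one block per batch of transactions, each sealed over the last."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = mine_block(i, prev, txs, difficulty)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain, difficulty=3):
    """Recompute every hash and check every link.

    Returns (True, None) if the chain is intact, otherwise (False, index) where
    index is the first block whose seal or link does not hold.
    """
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        expected = block_hash(block["index"], block["prev"], block["tx"], block["nonce"])
        if (block["prev"] != prev
                or block["hash"] != expected
                or not expected.startswith("0" * difficulty)):
            return False, i
        prev = block["hash"]
    return True, None


def tamper_and_remine(chain, index, new_transactions, difficulty=3):
    """Rewrite one block's transactions and redo its proof of work.

    Returns a modified copy. The re-mined block is self-consistent, but the
    following block still records the old hash, so verification fails one
    block later: a forger would have to redo every subsequent block as well.
    """
    forged = copy.deepcopy(chain)
    forged[index] = mine_block(index, forged[index]["prev"], new_transactions, difficulty)
    return forged


if __name__ == "__main__":
    # Constructed sample transactions, not real ledger data.
    batches = [
        [{"from": "alice", "to": "bob", "amount": 5}],
        [{"from": "bob", "to": "carol", "amount": 2}],
        [{"from": "carol", "to": "dave", "amount": 1}],
    ]
    chain = build_chain(batches)
    print("intact:", verify_chain(chain))                    # (True, None)

    # Edit one value in block 1: its stored hash no longer matches its contents.
    chain[1]["tx"][0]["amount"] = 200
    print("after edit:", verify_chain(chain))                # (False, 1)

    # Re-mining block 1 fixes its own seal, but block 2 still points at the old hash.
    forged = tamper_and_remine(chain, 1, chain[1]["tx"])
    print("after re-mining block 1:", verify_chain(forged))  # (False, 2)
```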

A blockchain documents each transaction’s details, identifying the sender, recipient, input amount, and output amount. Only the parties to a transaction can unlock the contents of the block because only they hold the private key necessary to open the data. But since each entry bears a hash, anyone can verify the existence of a transaction within the block.

The application of blockchain technology could potentially increase the risk of fraud. That’s because a comprehensive review of fraud, alteration, and forgery may not occur in a blockchain transaction. The participating financial institutions may not receive the transaction’s original documents, on which the transaction is based, and thus may not have an opportunity to analyze those documents for fraud. Since parties using blockchain for transactions appear to be moving towards competing blockchain-based platforms, there is a potential for assets to be double-pledged or for conflicting financial transactions to be entered into on different platforms.

As financial institutions and their corporate clients move forward into the brave new world of blockchain technology, they must remain mindful of the fact that this is just another means of conducting business transactions, and the time honored principle of caveat emptor still applies. Parties entering into blockchain transactions should ensure that they are doing their due diligence on the representations underlying those transactions. This includes, when applicable, examining original documents on which transactions are based. Also, participants should be mindful that there may be multiple blockchain-based platforms on which business is conducted, meaning that the lack of a conflict on the platform in which the transaction is entered into does not mean that a competing or conflicting transaction will not be entered into on another platform.

Target Settlement a First Step for Companies Looking to Avoid Data Breach Litigation

Target ends its multi-state data breach litigation over its 2013 data breach with an $18.5 million settlement to 47 states. While the settlement outlines the type of security measures companies should employ in order not to be found negligent with customer data, it doesn’t go far enough to improve organizational security. The bulk of the settlement terms are still defensive in nature when it comes to data breaches. As such, companies looking to follow the terms of Target’s settlement should also be advised to adopt proactive, offensive tactics to prevent such attacks if they want to avoid litigation.

In 2013, Target’s security systems had detected the breach, but no one understood the significance of, or acted upon, the alerts, and the delay in response resulted in the massive data breach. Target has since toughened its security systems and made significant improvements. The terms of the settlement give Target 180 days to develop, implement, and maintain a comprehensive security program. However, this requirement refers to the changes the retailer has already implemented. While the settlement reiterates some of the basics, such as having a comprehensive security program, segmenting the network, and implementing stricter access control policies for sensitive networks and data, future data breach lawsuits may use the Target settlement to try to prove that an organization did not go far enough in protecting personal information and other sensitive data. As such, abiding by the terms of the Target settlement is a first step for companies looking to avoid data breach litigation, but further tactics will be required for companies to go on the offensive to prevent breaches, as the plaintiffs’ bar will try to use the Target settlement as a benchmark for negligence in pushing forward with future litigation.

Recent Massive Ransomware Attack Underscores Importance of Keeping Operating System Software Updated and Vigilance Against Suspicious Emails

On May 12, 2017, countless individuals and businesses worldwide were the targets of what experts deem the largest ransomware attack in history. In this attack, hackers sent emails containing encrypted .zip file attachments, which, when downloaded by the email recipient, infected the recipient’s computer with ransomware that commandeered and locked the computer’s files. The files were rendered inaccessible and released only upon payment of a bitcoin ransom to the hacker. According to reports, over 74 countries were hit by the attack, and hospitals and government agencies were among the victims. The damage, monetary or otherwise, resulting from the attack remains to be determined.

“WannaCry,” the name of the ransomware variant used in this attack, is reportedly derived from a stolen NSA hacking tool. The ransomware exploited Windows operating system vulnerabilities in computers that were not patched with the latest software update from Microsoft.

Although individuals and businesses in the United States remained largely unaffected, many experts say that this recent attack merely foreshadows future attacks of this scale that may potentially reach users stateside. As hackers become more sophisticated, attacks of this type may become the new normal. Given this new reality in the world of computing, it is increasingly important that computer users, particularly organizational users with databases and systems that house confidential and sensitive information, such as personally identifiable information (“PII”) or protected health information (“PHI”), ensure that computer systems are regularly updated with operating system software and security patches. Equally important is implementing organizational policies and procedures that require and encourage users to be vigilant against indiscriminate accessing and opening of suspicious emails with infected attachments and links.

Recent Study Reveals Interesting Trends in Cyber Attacks in First Quarter of 2017

A recent study issued by Navigant Global Technology Solutions has indicated that “2017 is poised to be a year of significant awareness and development in the area of cybersecurity regulation.” The study indicates that the ferocity of cybersecurity attacks has continued unabated since 2016 and that 2017 is shaping up to be another “watershed year” for cybersecurity threats and attacks.

Statistics (Q1 2017):

  • The overall average breach size decreased from 58,882 records in Q3 2016 to 49,877 in Q4 2016.
  • Healthcare accounted for the largest percentage of reported data breaches (42.77%).
  • Hacking incidents were the most common type of breach.
  • An average of more than 4,000 ransomware attacks occurred per day.
  • 73% of IT security professionals at critical infrastructure utilities say their organizations have suffered a breach.

Additionally, there has been a significant increase in the number of security incidents caused by remote desktop protocol (“RDP”) hacking in the first quarter of 2017. This is not surprising in light of the increasing “work-from-home” trend: RDP is technology that allows users and system administrators to remotely access computers they are not physically able to reach. The attackers gain access to the network through phishing emails or other social engineering techniques. The study also noted that TeamViewer, a major RDP provider, has seen a spike in the number of RDP security breaches. However, TeamViewer and Navigant both note that the exposure is not due to a “flaw” in the technology, but rather to poor password practices by users. Once again, the findings indicate that human error appears to be one of the most difficult problems to safeguard against.

The second quarter of 2017 is poised to be no exception to the spike in cybersecurity breaches. The 2016 tax year is coming to a close and a plethora of sensitive personal information is available to hackers across multiple platforms. Recognizing that a majority of cyber attacks are the result of weak or reused passwords, the use of “two-factor authentication” on all account logins continues to be a focus in designing effective cyber security programs.

Two-factor authentication (also referred to as “2FA”) is a process requiring two different authentication methods to prevent unauthorized access to private and sensitive information. The three main categories of authentication factors are: something you know (password, PIN, social security number); something you have (USB security token, bank card, key); and something you are (fingerprint, eye, voice, face). The two-factor authentication process requires two of these factors from different categories.

According to Symantec’s 2016 Internet Security Threat Report, 80% of breaches can be prevented by using multi-factor authentication. Thus, by using basic, two-factor authentication, an organization can immediately reduce its cybersecurity threat profile in a fast and meaningful way.

As we continue in 2017, these statistics and studies must inform the development of practical, effective means of combating countless threats to cyber security. Being attacked is only a question of when, not if. In cyber security, the best offense is a strong defense, including accommodations for the likelihood of human error.

Japan’s High Court Holds that Individual With Certain Criminal History Had No Right to Be Forgotten

In late January 2017, the Supreme Court of Japan held that a man who had been convicted of breaking child prostitution and pornography laws had no right to require Google to remove his name and address from Google search results. The decision reversed the Saitama District Court’s ruling of December 2015 that the man could require Google to delete news reports of his arrest and conviction three years earlier.

The district court had held that the man had a “right to be forgotten,” the first such ruling in Japan. Presiding Judge Hisaki Kobayashi reportedly stated that, depending on the nature of the crime, after a certain period of time has elapsed individuals should be able to undergo rehabilitation with a clean online slate.

The Japanese Supreme Court, however, disagreed. It held that the public’s right to know outweighed the man’s right to privacy given the serious nature of his crimes. According to the court’s website, the deletion of references in search engine results to such charges can be required only where the value of privacy protection clearly exceeds or outweighs that of information disclosure. According to the Kyodo news agency, at least one Justice, Kiyoko Okabe, found that the scales tipped more heavily toward disclosure because child prostitution is prohibited under the penal code and is subject to strong social condemnation.

The Supreme Court of Japan, according to its website report on the case, said that in determining whether search engine results should be deleted, relevant factors include the degree of damage the information may cause to the person’s privacy interests, how broadly specific searches can be carried out, and the social standing of the individual in question. Website operators would need to perform a case-by-case analysis but these factors alone would not seem to give them much guidance.

The Japanese high court did not mention a “right to be forgotten.” Such a principle has been publicized within the past few years in the European Union and some other jurisdictions. The term “right to be forgotten” became widely known following a May 2014 ruling by the European Court of Justice involving a Spanish man who demanded his past debt record be removed from the Internet.

More nuanced discussions of the doctrine sometimes distinguish between a “right” of an individual to stop the circulation of embarrassing personal facts, statements, or graphics that the person himself or herself originally published on the internet, versus the right to stop the circulation of information placed there by unrelated third parties, such as companies and government agencies, for a broader public purpose. In the first case, the person may have been under age or have acted precipitously, and could be considered the “owner” of the information. In the second case, those circumstances would seem to be missing.

Neither the U.S. nor Japanese constitutions contain an express right of privacy. For example, the Japanese 2003 Personal Information Protection Law states what businesses should do in handling personal information but does not specify an individual’s corresponding right to privacy. In contrast, the U.S. and Japan both expressly protect a right to freedom of speech. Article 21 of the Japanese Constitution expressly provides that the freedom of speech, press and all other forms of expression are guaranteed, and that no censorship shall be maintained.

The case in Japan may have been the first for that country’s high court on this issue, but there will likely be other cases, both there and elsewhere. In political systems, there is generally an inverse relationship between the widespread availability of information and the government’s ability to rule coercively. In other words, the more that information can be controlled and limited, the more coercive can be the government. North Korea is a prime example. The balance between a right to be forgotten and the right to free speech may develop differently in countries that are based on democratic principles than in other countries.

“From the Office to Cyberspace: Workplace Violence in the Twenty-First Century” Article Published by DRI

Gordon & Rees Partner Diane Krebs and Associate Jamie Haar authored an article, “From the Office to Cyberspace: Workplace Violence in the Twenty-First Century,” published in the January 2017 issue of DRI’s magazine, For The Defense.

In their article, Krebs and Haar, both members of Gordon & Rees’s Employment Practice Group, offer key legal considerations for employers on how to navigate workplace violence and bullying in today’s social media-heavy world.

The article discusses the many forms of workplace violence and bullying, with a particular focus on workplace cyberbullying, as well as identifies legal implications and an employer’s potential liability. Among other things, the article discusses the privacy concerns implicated by the Stored Communications Act to assist employers in crafting their investigatory procedures.


Five Steps to Lower the Risk of Trade Secret Theft from Business Partners

As stories of international and domestic hacking and espionage dominate the news cycle, it’s easy to forget that when it comes to trade secrets, employees and business partners—not hackers—pose the biggest threat. See David S. Almeling et al., A Statistical Analysis of Trade Secret Litigation in Federal Courts, 45 Gonz. L. Rev. 291 (2009/2010).

In a recent webinar, Gordon & Rees addressed protection of trade secrets and proprietary information from employee theft. Here, we address some steps to help prevent business partners from misusing your trade secrets.

  1. Identify your trade secrets and control access to them

Before any agreements are drafted or any information or documents are exchanged, be sure you have identified your trade secrets (see also the definition under the Uniform Trade Secrets Act). You can’t protect them unless you know what they are. This sounds like common sense, but surprisingly, in the hustle and bustle of everyday work, not all companies take the time to do this until they’ve realized their trade secrets have ended up in the wrong hands. (Unless it is appropriate for your industry, referring to everything as a “trade secret” is not helpful, either—for example, your business partners are less likely to take your actual trade secrets seriously if you claim that information you have made public is also a trade secret.)

A trade secret “registry” could be considered favorable evidence in court—as long as it is timely updated and actually distributed to employees. See Schalk v. State, 823 S.W.2d 633, 643 (Tex. Crim. App. 1991). This registry will also help your own employees with marking the proper designations when such information is exchanged with a business partner.

Securing your trade secrets in-house will not only help your case in court, it also helps when it comes to disclosure to third parties, particularly inadvertent disclosure. Chances are, not every employee will require access to every trade secret. Secure physical and electronic access to the appropriate trade secrets to the appropriate personnel.

What measures are appropriate will depend on the circumstances and will likely evolve with time and technology. A court found that information stored on secure servers protected by three layers of physical security, passwords, and 256-character PuTTY keys, portions of which were possessed by only a single person, was sufficient evidence for a jury to conclude that a trade secrets owner took appropriate measures to protect its trade secrets. Xtec, Inc. v. CardSmart Techs., Inc., No. 11-22866-CIV-ROSENBAUM, 2014 U.S. Dist. LEXIS 184604, at *26 (S.D. Fla. May 15, 2014).

On the other hand, where information was distributed to 600-700 people where at most only 190 people signed confidentiality agreements, and where that same information was not stamped as “confidential,” a court found that no reasonable jury could conclude that “reasonable efforts” were made. Tax Track Sys. Corp. v. New Inv’r World, Inc., 478 F.3d 783, 788 (7th Cir. 2007).

  2. Draft tailored non-disclosure agreements (“NDAs”)

Before any information is exchanged with a business partner, have your attorneys help you draft a non-disclosure/confidentiality agreement tailored to the arrangement. Not only will this agreement help you in case you need to litigate the matter, it will provide the protocols for your business partner to follow.

Some provisions you and your attorneys will want to consider are the return/destruction of trade secrets at certain stages (and certainly when the relationship is terminated), a perpetual non-disclosure and non-use clause when it comes to trade secrets (as opposed to an expiring one), how trade secrets will be identified/marked (and the ability to later identify/mark previously exchanged documents), and requirements for the business partner’s employees to sign individual NDAs and/or obtain training on how to handle trade secrets. This is not an exhaustive list—work with your attorney to flesh out the agreement.

Be wary of stock or template agreements; many of them may not contemplate the specific issues that may arise in your situation. Many “standard” agreements also contain language that relieves the business partner of its contractual obligations of non-disclosure and non-use as soon as the trade secrets are made public—without specifying that such public disclosure must have been authorized by the owner of the trade secret, and without giving the owner the chance to mitigate the effects and damage of the unauthorized disclosure.

But no matter how perfect the agreement, it won’t matter if it isn’t properly implemented.

  3. Train your own employees

Identify all the employees who will be corresponding with the business partner and make sure you train them. Let them know what information can be exchanged, what cannot, and which individuals from the business partner they can exchange information with. Provide them with a written checklist and designate a person most knowledgeable—or better yet, a specialized team—to direct their questions to. This team should also conduct some “spot checks” throughout the relationship to make sure protocols are being followed.

If the relationship with the business partner will span more than a couple months, also have a plan in place to retrain your employees in regular intervals.

  4. Train the business partner’s employees

Even if you require individuals from the business partner’s company to sign an NDA, that may not be enough. You may want to provide the partner’s employees with the necessary training, or at least provide the partner with the necessary materials to provide the training themselves (and require them to do so as part of the NDA). Regularly communicate with the partner to make sure they are protecting your trade secrets, and have your employees and your specialized team pay attention to how the business partner is using this information as well.

  5. Create a contingency/emergency plan

Did an employee send a trade secret to the business partner without marking it as such? Has the business partner communicated plans that may violate the NDA? Has the relationship with the business partner begun to go sour?

Your team should already have a contingency plan in place to deal with these—and other—situations, and protocols to continually improve security and access. Make sure you follow through on enforcing contractual provisions, and make sure you act swiftly.

In closing, remember that when dealing with trade secrets or handling other proprietary, confidential or otherwise private information, nothing beats being prepared.

The Joint Commission Issues Clarification on Texting of Patient Care Orders

“The use of secure text orders is not permitted at this time.”

In 2011, the technology to provide for the safety and security of text messaging was not available and, at that time, The Joint Commission (“TJC”) said it was not acceptable for practitioners to text orders for patient care and treatment. Then, in May 2016, TJC revised its position in recognition of technological advances and said physicians could text message when done in accordance with standards of practice, laws, regulations, policies and practices “as long as the system met specific requirements.”

Since then, however, TJC got together with the Centers for Medicare & Medicaid Services (CMS) and issued updated recommendations that include the following:

  • Providers should have policies prohibiting the use of unsecured text messaging of protected health information (PHI).
  • CPOE (computerized provider order entry) should be the preferred method for submitting orders, which are directly entered into the electronic health record.
  • The use of secure text orders is not permitted at this time.

This turnaround came after TJC and CMS discussed the issues with numerous stakeholders, including text messaging platform vendors and experts in electronic health records (EHRs). The concerns identified in support of maintaining the status quo were:

  • Increased burden on nurses to manually transcribe text orders into the EHR.
  • Verbal orders are preferred when CPOE is not used, because they allow for real-time clarification and confirmation of the order as it is given by the practitioner.
  • Text messaging could cause delay in treatment where a clinical decision support (“CDS”) recommendation or alert is triggered during data entry, requiring the nurse to contact the practitioner for additional information.


Recent Suit Highlights the Importance of Data Security for Law Firms

In what undoubtedly portends things to come, recently unsealed court files reveal that the first data security class action complaint against a domestic law firm was formally filed. Chicago-based Johnson & Bell, a firm of more than 100 attorneys that recently celebrated its 40th anniversary, was recently named in a lawsuit that alleged it failed to appropriately protect confidential client information. That lawsuit was filed by Johnson & Bell’s former clients, bitcoin-to-gold exchange Coinabul LLC, and its Chief Operating Officer, Jason Shore.

Coinabul and Mr. Shore set forth a four-count Complaint alleging breach of contract, negligence, unjust enrichment, and breach of fiduciary duty. Underpinning all of these claims were the following core allegations: the defendant law firm’s time-tracking system (“Webtime”) was built on a “JBoss Application Server” which was out-of-date and suffered from a critical vulnerability, leaving it susceptible to hacking; its virtual private network (“VPN”) supported insecure renegotiation, leaving it vulnerable to man-in-the-middle attacks; and, finally, the firm’s email system had broken security that left it susceptible to attack. In short, plaintiffs allege the firm failed to implement industry standard data security measures with respect to its Webtime, VPN, and email services, resulting in certain vulnerabilities that could expose confidential client information.

The hypothetical exposure of confidential client information makes this lawsuit all the more interesting: plaintiffs did not actually allege that Johnson & Bell’s Webtime, VPN, or email services were ever compromised, or that confidential information was ever leaked. These points were all raised in Johnson & Bell’s subsequently filed motion to dismiss. That motion was ultimately never ruled upon, as the parties are now engaged in a confidential arbitration.

While the outcome of this suit might never become public, the takeaway lesson is apparent: attorneys and law firms must remain diligent, and continue to take reasonable efforts to maintain client confidentiality and properly secure data.