DLA Piper Falls Victim to Latest Cyberattack

By on June 28, 2017

After last month’s WannaCry ransomware attack infected thousands of businesses and individuals across the globe, law firms were identified as likely targets of future, similar attacks. On Tuesday, multinational firm DLA Piper became the latest victim of a major cyber hack.

The Petrwrap/Petya attack, which was found to have originated in the firm’s office in Spain, caused DLA’s network and phone system to be shut down. Employees were instructed to turn off their computers and to unplug their laptops from the network as a precaution. During the shutdown, a DLA Piper spokesperson said in a statement: “The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible.” DLA worked with external forensic experts, including the FBI and UK National Crime Agency, to get its systems back online and recover from the attack. Nonetheless, the firm’s lawyers were without access to company phones and email due to the lockdown.

In addition to DLA Piper, other large companies were hit, including Russian oil producer Rosneft and Danish shipping company Maersk. Though first reported in the Ukraine, where the most severe damage has been sustained, the virus quickly spread to the United States and Europe. United States-based pharmaceutical company Merck was also infected. DLA Piper has experienced effects of the attack in its offices globally.

While DLA Piper is the only law firm that has been reportedly attacked by the Petrwrap/Petya ransomware thus far, experts have indicated that law firms, generally, are attractive targets for hackers, as they maintain an abundance of highly-sensitive client information on their systems. Many smaller firms are vulnerable and easily exploited because they do not have the infrastructure to protect themselves against cyber threats. Yet, as can be seen, these increasingly pervasive attacks can cripple even the most prepared companies. In fact, DLA Piper, a firm with a global cybersecurity team, published an article in the wake of the WannaCry, titled “9 Things You Should Know to Protect Your Company from the Next Attack.”

Details about the Petrwrap/Petya ransomware, including how it is spread, are still being investigated. Researchers have reported that it is both similar to and different from WannaCry in various ways. Needless to say, in the face of another widespread attack, it is more important than ever for law firms to be vigilant against cyber threats.

 

Filed under Cyberattacks, Cybercrime, Hacker, Ransomware

SCOTUS to Address Whether There is a Reasonable Expectation of Privacy in Mobile Phone Location Data

By on June 27, 2017

On June 5, 2017, the United States Supreme Court granted a petition for a writ of certiorari in Carpenter v. United States, from the Sixth Circuit Court of Appeals. The Supreme Court will have to address whether or not the Fourth Amendment protects government access to historical cellular phonesite records. In Carpenter, the government seized several months’ worth of cell phone location records from robbery suspects without obtaining a probable cause warrant. For one suspect, Timothy Carpenter, the records revealed 12,898 separate points of location data. For another suspect, Timothy Sanders, the records revealed 23,034 separate points of location data.

FBI agent Christopher Hess offered expert testimony explaining that the cell phone data acquired under the  Stored Communications Act (“SCA”)(18 U.S.C. Chapter 121 §§ 2701–2712) indicated that Carpenter and Sanders’ phones were within one-half mile to two miles of the location of each of the robberies around the time the event occurred. Carpenter and Sanders sought to suppress this evidence under the Fourth Amendment, but the district court denied their motion.

The SCA permits the government to obtain records where “specific and articulable facts show that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation”—a much lower bar than the probable cause needed to obtain a run-of-the-mill search warrant.

A divided panel of the Sixth Circuit stated that, “although the content of personal communications is private, the information necessary to get those communications from point A to point B is not.” For example, while individuals may enjoy a reasonable expectation of privacy regarding the content of their telephone calls, they do not have the same expectation for the numbers dialed. The court concluded that, “[t]oday, the same distinction applies to internet communications,” i.e., while the Fourth Amendment protects the contents of an email, it does not protect metadata. The Sixth Circuit joins the Fourth, Fifth, and Eleventh Circuits in holding that there is no reasonable expectation of privacy in historical cell site location information under the Fourth Amendment, and therefore no warrant is required.

Numerous lower court judges encountering the issue have followed the Supreme Court’s third-party-doctrine cases, which hold that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties. However, this line of thinking has been deemed antiquated by some in light of the vast amounts of data that are collected on a daily basis. Justice Sotomayor noted in United States v. Jones, that it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties and that this approach is ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. 132 S. Ct. 945, 957 (2012).

In recognition of this changing tide, and relevant to the issue presented in Carpenter, some courts have concluded that individuals have a reasonable expectation of privacy in their location. For example, in United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), aff’d on other grounds sub nom. Jones, 132 S. Ct. 945, the D.C. Circuit held that using a GPS device to surreptitiously track a car over the course of 28 days violated reasonable expectations of privacy and was therefore a Fourth Amendment search. Id. at 563. The court explained that “[p]rolonged surveillance reveals types of information not revealed by short-term surveillance, such as what a person does repeatedly, what he does not do, and what he does ensemble. These types of information can each reveal more about a person than any individual trip viewed in isolation.” Id. at 562. Therefore, people have a reasonable expectation of privacy in the intimate and private information.

Collecting and analyzing cell phone records can, and often does, reveal extraordinarily sensitive details about a person’s life. This case will have an enormous impact on the Fourth Amendment in connection with data collected and an individual’s expectation of privacy in the ever progressing digital age.

Filed under Stored Communications Act

The Border Search Exception to the Warrant Requirement

By on June 19, 2017

You are sitting in O’Hare airport or in a Starbucks in Tucson, Arizona skyping with a friend when an ICE agent approaches you, asks you to produce evidence of your legal presence, and demands that you hand over your laptop and cell phone and give him the passcodes. You refuse. Can he detain you or confiscate your devices? Maybe.

The Supreme Court has long recognized that the “border search exception to the warrant requirement” allows the government to conduct search and seizure in proximity to the international border without reasonable suspicion. United States v. Martinez-Fuerte, 428 U.S. 561-61 (1976). This allows the government to conduct warrantless searches of laptop computers and cell phones at the border without reasonable suspicion of illegal content. United States v. Arnold, 533 F.3d 1003 (9th Cir. 2008). Albeit, an agent must have “reasonable suspicion” (but still not a probable cause warrant) to conduct an extensive forensic search of a laptop. United States v. Cotterman, 709 F.3d 952, 957 (9th Cir. 2013).

The border search exception applies well beyond geographic borders. It applies anywhere within a zone extending 100 miles from such borders and from all ports of entry. See 8 CFR § 287.1 (a). About 2/3 of the US population lives within this zone. Thus, without reasonable suspicion, ICE agents can stop you throughout much of the USA and inquire as to your immigration status. If they do, you would be subject to immediate deportation, without getting the opportunity to go before a judge, unless you can establish your legal presence in the country. See M. Shear & R. Nixon, “New Trump deportation Rules Allow Far More Expulsions,” New York Times (Feb. 21, 2017) (available online at https://www.nytimes.com/2017/02/21/us/politics/dhs-immigration-trump.html).

Arguably, if you were overheard conversing in Spanish or a foreign language unintelligible to the agent (Arabic?) and aggressively objected to the agent’s demands, the agent could determine reasonable suspicion and, on that basis, could confiscate your devices and conduct an extensive forensic search. If you did not have identification establishing legal presence, the agent could detain you until you can provide such proof. Happy travels.

Filed under Border Search Exception

Blockchain Technology: Balancing Benefits & Evolving Risks

By on June 13, 2017

The “blockchain” has the potential to transform the way financial institutions process transactions and corporations conduct business. While first introduced as the technology underlying cryptocurrencies such as bitcoin, financial institutions have partnered to apply the blockchain to streamline cross-border payment settlement and interbank settlement solutions. Implementing blockchain technology in pursuit of these types of efficiencies may fundamentally change how financial institutions conduct business and alter the risks banks face.

Fundamentally, the blockchain stores data about individual financial transactions in a decentralized way that should, in theory, provide greater security and limit the risk of fraud. It relies on cutting-edge cryptography to secure the authentication process. Before recording a block of transactions, “miners” authenticate them by applying a mathematical formula that results in a seemingly random sequence of letters and numbers known as a hash. The hash is produced using the hash of the preceding block, in a math problem. Although the math is difficult to solve, the solution is easy to verify.

The hash becomes the digital version of a wax seal. After using this process to authenticate a transaction, miners store the “block,” along with its hash, in a unique “chain.” If you change just one character in a block, its hash will change completely. The ramification for security is that if someone tampers with the block, the change becomes public.

A blockchain documents each transaction’s details, identifying the sender, recipient, input amount, and output amount. Only the parties to a transaction can unlock the contents of the block because only they hold the private key necessary to open the data. But since each entry bears a hash, anyone can verify the existence of a transaction within the block.

The application of blockchain technology could potentially increase the risk of fraud. That’s because a comprehensive review of fraud, alteration, and forgery may not occur in a blockchain transaction. The participating financial institutions may not receive the transaction’s original documents, on which the transaction is based, and thus may not have an opportunity to analyze those documents for fraud. Since parties using blockchain for transactions appear to be moving towards competing blockchain-based platforms, there is a potential for assets to be double-pledged or for conflicting financial transactions to be entered into on different platforms.

As financial institutions and their corporate clients move forward into the brave new world of blockchain technology, they must remain mindful of the fact that this is just another means of conducting business transactions, and the time honored principle of caveat emptor still applies. Parties entering into blockchain transactions should ensure that they are doing their due diligence on the representations underlying those transactions. This includes, when applicable, examining original documents on which transactions are based. Also, participants should be mindful that there may be multiple blockchain-based platforms on which business is conducted, meaning that the lack of a conflict on the platform in which the transaction is entered into does not mean that a competing or conflicting transaction will not be entered into on another platform.

Filed under Blockchain

Target Settlement a First Step for Companies Looking to Avoid Data Breach Litigation

By on June 2, 2017

Target ends its multi-state data breach litigation over its 2013 data breach with an $18.5 million settlement to 47 states. While the settlement outlines the type of security measures companies should employ in order to not be found negligent with customer data, it doesn’t go far enough to improve organizational security. The bulk of the settlement terms are still defensive in nature when it comes to data breaches. As such, companies looking to follow the terms of Target’s settlement should be cautioned to use offensive tactics to prevent such attacks if they want to avoid litigation.

In 2013, while Target’s security systems had detected the breach, no one understood the significance of, or acted upon, the alerts, resulting in the massive data breach given the delay in response time. Target has since toughened its security systems and made significant improvements. The terms of the settlement give Target 180 days to develop, implement, and maintain a comprehensive security program. However, this requirement refers to the changes the retailer has already implemented. While the settlement reiterates some of the basics, such as having a comprehensive security program, segmenting the network, and implementing stricter access control policies to sensitive networks and data, future data breach lawsuits may use the Target settlement to try to prove an organization did not go far enough in protecting personal information and other sensitive data. As such, abiding by the terms of the Target settlement is a first step for companies looking to avoid data breach litigation, but further tactics will be required for companies to go on the offensive to prevent breaches as the plaintiffs’ bar will try to use the Target settlement as a varying degree of negligence in pushing forward with future litigation.

Filed under Data Breach