5.06.2017

High Emotion Words

This week #phishing was in the headlines again as we learned over one million Gmail users had received a fraudulent Google docs sharing request: https://threatpost.com/1-million-gmail-users-impacted-by-google-docs-phishing-attack/125436/ .

While #InfoSec professionals generally agree that employee training is one way to raise awareness of this type of attack, there is still a lot of room to learn with regard to phishing education best practices, with one EU based study asserting: “There is a lack of empirical data on the consequences of using deception in organizational phishing studies.”(https://ethicalencountershci.files.wordpress.com/2016/03/chi2016_workshop_ethicalphishing_cameraready_final.pdf )

We know that email users are sometimes tempted by the lure of easy money, as in the now ubiquitous “I’m a prince & I won the lottery!” type scams. Others may have their cognitive judgment impaired by the use of emotionally loaded words. Here is a link to a list of words that are considered to be emotionally persuasive: http://www.thepersuasionrevolution.com/380-high-emotion-persuasive-words/

Some legal professionals focus on bringing or defending suits for pecuniary losses associated with, for example, identity theft that sometimes follows from a data breach, or on complying with data protection regulations generally. There is implicit in these types of legal actions some type of culpability on the part of the hacked entity (“failure to exercise reasonable care in protecting… information”).

However, phishers often use well-known brand names without authorization. The perpetrator of the latest news grabbing phishing attack is unlikely to have a licensing agreement with the brand they are purporting to be. Phishing attacks, thus may also, at least tangentially, be diminishing the value of said brands with no fault at all attributable to the damaged brand.


What do you think is the best way to address a method of redress for the copyright and trademark holders who are harmed when the value of a global brand is affected by a criminal phishing spree?   

5.02.2017

Data in Baskets

            In August of 2014, hackers, evidently specialists in cloud security, released to 4Chan, candid iPhone (amongst other smartphones) photographs taken by Hollywood celebrities, who apparently believed that the photos would not be automatically uploaded to Apple’s iCloud cloud storage service. Clearly, they were mistaken in that assumption; iPhone users upload their photos to iCloud by default. As iOS devices become an increasingly popular item in the lawyer’s toolkit, this episode should have been especially instructive for practicing legal professionals.

     Attorneys are, of course, generally obligated to keep information relating to their representations of clients confidential. New York’s Rules of Professional Conduct make clear that a lawyer shall exercise “reasonable care” in preventing the disclosure of confidential information.

     Various state bar associations’ ethics committees have opined on the propriety of using cloud services. The New York State Bar Association’s Ethics Committee has stated that the “reasonable care” standard in maintaining confidentiality should include the lawyer’s ensuring that the cloud computing service has an enforceable security obligation, investigating what security is used, and how the cloud computing service deletes or manages data.  The opinion distinguishes between the storage and the transmittal of data, while at the same time avoiding the use of the phrases “data in motion” and “data at rest.”


     Cloud computing and storage have become very popular in recent years with mega cap tech companies providing such services for little to no cost. As reliance on cloud services has grown, so have the risks. Attorneys may want to consider mitigating these potential risks by diversifying; they may want to consider allocating their data assets with a variety of cloud services, rather than putting all of their easter eggs in one digital basket.

     How has Apple’s security posture changed since 2014? How have data protection regulations evolved since 2014?


With thanks to Aaron Collins, Esq.

Artwork by Martha C. Chemas, Esq. using Google Autodraw 

3.30.2017

#Throwback Thursday Privacy

Privacy has, again, been in the news a lot this week. Here is a link to a recording of a panel discussion from 2012 in New York City that addressed this issue: https://archive.org/details/IsPrivacyOverhyped-FourViewsOfTechnologySecurityAndDemocracyOnline.

And here is a link to some media coverage that the event received at the time: http://observer.com/2012/04/is-privacy-overhyped-a-panel-discusses/. 

The media doesn't mention it, but I was there also, standing behind Jacob Appelbaum and his attorney in the audience, and apprehensively and curiously observing the interplay between the stated positions of these various personalities.


Are we making progress or nah? J      

-Martha




1.08.2017

Delightful Vacation Technicality

Even though, technically J I am on vacay, I found myself reading and researching; perhaps the true markings of a workaholic, or perhaps just an indication that doing what I enjoy most, is its own vacation.

One of the big frustrations in life is writing and thinking that no one cares, or that no one listening. Another is feeling that people have missed your point.

When I composed the cyberlaw big bang (http://stanza28.blogspot.com/2011/05/big-bang.html), about seven years ago, I was toiling in obscurity. Since then I have had the wonderful honor of being given a central role in the development of cybersecurity jurisprudence via my role at the American Bar Association, as immediate past chair of the Information Security Committee. Along the way I got to meet with incredibly sharp people from the intelligence community, the Assistant Attorney General For National Security, some nice people at the UN, deputy governors, all manner of legislators and Supreme Court Justices; not a bad way to spend the last seven years. J

The big bang was composed in a stream of thought, dreamlike, incoherent-ish writing fashion to reflect the state of cybersecurity at that time.

Good things come to those who wait, or so they say, and today I turn your attention to this great piece, written in part, by the PEOTUS’s pick to Chair the SEC:


On the issue of cybersecurity, the world is in the early stages of the Socratic Process.

Cheers, Gentlemen.  -MCC

12.22.2016

Short Rebuttal to “Why Verizon Can’t Quit Yahoo”

Well, I don’t usually spend my free time writing point by point rebuttals of New York Times articles written by laypeople, but… I took a break from wrapping Christmas gifts, so here goes:

Please first read this:


Let me begin by saying I will not address at all any information that is not publically available, so please feel free to keep reading without any concerns about running afoul of the SEC or your employer, or whomever.

The article looks to suggest all of this speculation is taking place because: “All of these people are buying into the easy narrative that Yahoo is a loser in the tech industry, unable to keep up with the likes of relative newcomers like Snap.”

Well, I will make no comment on Snap. I will say that it is not an easy narrative.

The writer compares the scenario to the hacking of the DNC, by saying: “ At this point in history, there have been repeated digital thefts of information, including from the Democratic National Committee.”

However at least one of the hackings that has allegedly taken place with regard to Yahoo involves an issue with authentication; “counterfeit cookies” so to speak. Is this what happened with the DNC? Further, the DNC is a non-profit, and Yahoo is a for profit entity. Reread this last sentence because it is an extremely relevant distinction since we are in the M&A area. It would be more appropriate, if making comparisons for the purpose of making an argument to support the writer’s above contention, to only make comparisons to other for profit (and public) entities.

The writer then goes on to go over Yahoo’s numbers from the last quarter, but again, in the M&A space what is relevant is that there are “changed circumstances” at least in terms of disclosure and risk (ie compliance regarding notice and disclosure of these breaches).

The writer goes on: “Under the parties’ acquisition agreement, Verizon can terminate only if there is a so-called material adverse effect to Yahoo.” Please see above about counterfeit cookies, assuming this is, in fact, how one of the breaches took place, Yahoo’s source code has been profoundly compromised. Please feel free to ask any IP attorney you know how material this might be.

The analysis then continues by comparing Yahoo to Target. Wrong again. Yahoo is not a retail organization that experienced a POS intrusion due to a third party HVAC contractor (or who knows, maybe they also have problems with 3rd party contractors, but that is not what has been recently alleged).


The writer closes by noting: “In the meantime, we should change our passwords.” Well, that is certainly true, if you even still use that service J 

Happy Holidays All & Here's to a wonderful New Year. 


(Post publish edit/postscript: OMG apologies, had no idea the writer was not in fact a layperson but a professor of law. No disrespect intended, the rest stands. Cheers!)