5.06.2017

High Emotion Words

This week #phishing was in the headlines again as we learned over one million Gmail users had received a fraudulent Google docs sharing request: https://threatpost.com/1-million-gmail-users-impacted-by-google-docs-phishing-attack/125436/ .

While #InfoSec professionals generally agree that employee training is one way to raise awareness of this type of attack, there is still a lot of room to learn with regard to phishing education best practices, with one EU-based study asserting: “There is a lack of empirical data on the consequences of using deception in organizational phishing studies.” (https://ethicalencountershci.files.wordpress.com/2016/03/chi2016_workshop_ethicalphishing_cameraready_final.pdf)

We know that email users are sometimes tempted by the lure of easy money, as in the now ubiquitous “I’m a prince & I won the lottery!” type scams. Others may have their cognitive judgment impaired by the use of emotionally loaded words. Here is a link to a list of words that are considered to be emotionally persuasive: http://www.thepersuasionrevolution.com/380-high-emotion-persuasive-words/

Some legal professionals focus on bringing or defending suits for pecuniary losses associated with, for example, identity theft that sometimes follows from a data breach, or on complying with data protection regulations generally. There is implicit in these types of legal actions some type of culpability on the part of the hacked entity (“failure to exercise reasonable care in protecting… information”).

However, phishers often use well-known brand names without authorization. The perpetrator of the latest headline-grabbing phishing attack is unlikely to have a licensing agreement with the brand they are purporting to be. Phishing attacks may thus also, at least tangentially, diminish the value of those brands, with no fault at all attributable to the damaged brand.

What do you think is the best method of redress for the copyright and trademark holders who are harmed when the value of a global brand is affected by a criminal phishing spree?

5.02.2017

Data in Baskets

In August of 2014, hackers, evidently specialists in cloud security, released to 4Chan candid photographs taken with iPhones (and other smartphones) by Hollywood celebrities, who apparently believed that the photos would not be automatically uploaded to Apple’s iCloud cloud storage service. Clearly, they were mistaken in that assumption; iPhones upload their photos to iCloud by default. As iOS devices become an increasingly popular item in the lawyer’s toolkit, this episode should have been especially instructive for practicing legal professionals.

Attorneys are, of course, generally obligated to keep information relating to their representation of clients confidential. New York’s Rules of Professional Conduct make clear that a lawyer shall exercise “reasonable care” in preventing the disclosure of confidential information.

Various state bar associations’ ethics committees have opined on the propriety of using cloud services. The New York State Bar Association’s Ethics Committee has stated that the “reasonable care” standard in maintaining confidentiality should include the lawyer’s ensuring that the cloud computing service has an enforceable security obligation, investigating what security is used, and how the cloud computing service deletes or manages data. The opinion distinguishes between the storage and the transmittal of data, while at the same time avoiding the use of the phrases “data in motion” and “data at rest.”

Cloud computing and storage have become very popular in recent years, with mega-cap tech companies providing such services for little to no cost. As reliance on cloud services has grown, so have the risks. Attorneys may want to consider mitigating these potential risks by diversifying; they may want to consider allocating their data assets among a variety of cloud services, rather than putting all of their easter eggs in one digital basket.

How has Apple’s security posture changed since 2014? How have data protection regulations evolved since 2014?

With thanks to Aaron Collins, Esq.

Artwork by Martha C. Chemas, Esq. using Google Autodraw