You are here


Police Partner with Law Firms in Asset Seizure Cases

The City of London Police are embarking on a "radical" pilot project in which the details of fraud suspects will be shared with law firms so they can try to use the civil courts to seize the suspects' assets, The Guardian's Vikram Dodd reports.

Questions are being raised on whether the profit motive for the law firms could damage the fairness of the process. Questions are also being raised on the wisdom of transferring punishment from the state system to private law firms and to civil courts.

British law enforcement is turning to the law firms and civil courts because of the high volume of cybercrime.

Online Reviews Protected Speech, Appellate Court Rules

Submitted by Amaris Elliott-Engel on Sun, 03/20/2016 - 14:09

The Oregon Supreme Court has ruled that a negative review of a wedding venue is protected by the First Amendment. In doing so, the court also set precedent for how to distinguish whether speech is protected opinion or a defamatory assertion of fact.

Justice Richard C. Baldwin, writing for the court, applied a Ninth Circuit test in Unelko Corp v. Rooney: "whether a reasonable factfinder could conclude that an allegedly defamatory statement touching on a matter of public concern implies an assertion of objective fact and is therefore not constitutionally protected." The Oregon Supreme Court set out a three-part test to answer that question: 1) whether the general tenor of the entire publication negates the impression that the defendant was asserting an objective fact; 2) whether the defendant used figurative or hyperbolic language that negates that impression; and 3) whether the statement in question is susceptible of being proved true or false.

The defendant was a wedding guest who made a negative review of the venue on Google Reviews, including complaining that the owners were rude, the owners made wedding guests leave 45 minutes early and that the bridal suite was "'a tool shed that was painted pretty.'"

The case is only the second time that the Oregon Supreme Court has applied the U.S. Supreme Court's ruling in Milkovich v. Lorain Journal Co., which held that, in determining whether a defamatory statement is constitutionally protected, it must be decided if a reasonable factfinder could conclude that the statement implies an assertion of objective fact about the plaintiff. The Oregon Supreme Court decided to follow the Ninth Circuit's test in Unelko and found that the review did not imply an assertion of objective fact and instead was an opinion on a matter of public concern. 

The trial court struck down the wedding venue's defamation lawsuit under Oregon's anti-SLAPP law, but the Oregon Court of Appeals reversed.

Bitcoin Determined to Be a Commodity By Regulator

The Commodity Futures Trading Commission has determined that virtual money is a commodity  that can be regulated, Bloomberg's Luke Kawa reports. That determination was made as part of the CFTC settling charges against a Bitcoin exchange for facilitating the trading of options contracts.

That means that a company that wants to operate a trading platform for Bitcoin derivatives or futures must register as a swap execution facility or designated contract market, Kawa reports.

Court Affirms FTC Authority to Regulate Cybersecurity Issues

The Federal Trade Commission has the authority to regulate lax cybersecurity as an unfair business practice, the U.S. Court of Appeals for the Third Circuit has ruled, Bank Info Security's Tracy Kitten reports. Hotel chain Wyndham Worldwide Corp. was sued by the FTC for allegedly having inadequate security measures to protect consumer data, which the agency said violated the FTC Act's unfair business practice provisions.

Cybersecurity attorney Chris Pierson said the case "'is a seminal case for the FTC for the proposition that the FTC has the power and ability to oversee cybersecurity breach issues as the nation's default regulator."'

First Amendment Doesn't Protect Cyberharassment, MA High Court Rules

The Massachusetts Supreme Judicial Court ruled that cyberharassment and lies posted online encouraging that bullying is not speech protected by the First Amendment, the Boston Herald reports. The court upheld the criminal harassment convictions of two real estate developers who arranged postings online to harass two business executives they were feuding with. The postings falsely claimed the couple had golf carts free for the taking and wanted to sell their "fictitious dead son’s Harley Davidson motorcycle for $300," the Herald further reports. The husband also was sent an email from a "make-believe former teenage male employee accusing him of sexual molestation."

The speech was unprotected, the court ruled, because their conduct was a "'hybrid of conduct and speech integral to the commission of a crime ... Their conduct served solely to harass the (victims) by luring numerous strangers and prompting incessant late-night telephone calls to their home by way of false representations, by overtly and aggressively threatening to misuse their personal identifying information, and by falsely accusing (the husband) of a serious crime.'"


What 'Mostly Clueless' Lawyers Can Learn from Jennifer Lawrence Hack

Jeff Bennion, writing in Above the Law, has a helpful post about the lessons lawyers can learn from the leaked nude photos of Jennifer Lawrence that were apparently hacked out of her iCloud account: "Celebrities with nude photos in their cloud accounts are targets for the same reason lawyers with confidential client files in cloud accounts are: they are easy targets with highly bribable files. Lawyers are mostly clueless when it comes to cybersecurity, yet they use it to store their most valuable information." Bennion suggests that lawyers encrypt their files kept on the cloud in zip files, empty the trash in their cloud storage and make file sharing links temporary. The risk of a data breach, he says, is losing current clients, future clietns and your reputation.

And here's an article I wrote a few months back about the risk hackers pose to law firm's data security:

Hacking of Health Records Only a Matter of Time

A series of data breaches have put higher pressure on Corporate America, including retailers like Target, to tighten its cybersecurity. But the health care sector is not engaged on the security of electronic health records and faces the risk of hackers exposing sensitive patient information, Politico reports: "As health data become increasingly digital and the use of electronic health records booms, thieves see patient records in a vulnerable health care system as attractive bait, according to experts interviewed by POLITICO. On the black market, a full identity profile contained in a single record can bring as much as $500."

Politico also points out that information in a patient's health record, including medical history and family contacts, can't be undone.

Microsoft Makes First Challenge to Warrant Seeking Email Stored Abroad

Microsoft is making the first-ever challenge to a domestic search warrant seeking a customer's email stored in an Irish data center, the New York Times' Steve Lohr reports. Microsoft argues that having to turn over the email “would violate international law and treaties, and reduce the privacy protection of everyone on the planet.” But U.S. Attorney Preet Bharara argues that Internet firms can't avoid search warrants “simply by storing the data abroad.”

Legislators Express Doubt About a First Sale Doctrine for Digital Goods

Gigaom's Jeff John Roberts reports on a Congressional hearing held last week on whether the first sale doctrine should apply to digital goods. Buyers of e-books or e-music can't resell those digital goods or leave them behind when they die because they are licensing the goods from companies like Amazon and Apple, Roberts writes. Congressional members were skeptical about creating a digital-based first sale doctrine, but expressed concern that licenses for digital goods were too lopsided against consumers. "The most popular solution to the problem of diminished property rights appears to be better licenses," Roberts concludes.

Risk of Hackers to Corporate America Extends to Law Firms

Submitted by Amaris Elliott-Engel on Thu, 05/29/2014 - 19:04

The Connecticut Law Tribune published my piece this week about the risk law firms, including small ones, face from data breaches:

In recent months, corporate America has been shaken by several headline-grabbing data breaches.

Retailer Target's first quarter profits were down 16 percent after credit card and personal information of millions of its customers was stolen. Daily-deal website LivingSocial was hacked with more than 50 million users impacted. Last week, hackers gained access to the personal data of 145 million of online eBay's customers.

Lawyers are among the specialists called in to help with these security crises. But data breach risk doesn't belong to clients alone. Law firms of all sizes risk having client data and other sensitive materials exposed, legal and technical experts say.

In Massachusetts, state officials felt so strongly about the threat to law firms that they've planned a seminar for May 29. In an email pitching the program to the state's lawyers says: "Hackers are now targeting small law firms because of the wealth of info in client files that can be used for identity theft – in family law, estate planning, real estate, elder law and other matters. And Mass. law requires you to notify clients of a data breach – do you really want to have to do that?"

Anthony Minchella says Connecticut lawyers shouldn't feel any more comfortable.

The owner of Minchella & Associates in Middlebury and the vice-chair of the Connecticut Bar Association's small firm practice management section, said in an email that "small firms or solos sometimes feel safe from cybersecurity threats, but that is completely false. No business is safe. Practices that obtain sensitive information, such as credit card numbers, often have the entire package of information a cyber-thief would need to steal an identity."

Monique Ferraro, a general practitioner in Waterbury who also runs a forensic technology business and lectures on IT security, said data breaches can be as simple as the loss of a lawyer's laptop or smartphone that isn't protected by a password. "I see a lot of lawyers who are not securing their data appropriately," Ferraro said.

Connecticut has put businesses of all types on notice that they have to take safeguards to prevent data breaches. Unfair trade practice charges can be brought against companies and organizations if they expose personal information like social security numbers, credit card numbers and driver's license numbers. And lawyers must provide notice to their clients and the Office of the Attorney General if they've suffered a data security breach.

There are at least three other ways that data breaches can occur, says Ellen Giblin, lead privacy and data security counsel with the Ashcroft Law Firm in Boston and manager of the data breach response teams for clients.

Hackers can keep pinging away at a law firm's information security apparatus until they break in. They can use an insider to provide them with sensitive information. Or they can "socially engineer" their way past IT security protocols by using phishing scams that entice lawyers to respond to fraudulent e-mails which, in turn, provide entree to their firms' electronic data.

Under the law, law firms are considered to be vendors, and vendors are required to have the appropriate "administrative, physical and technological safeguards in place" to ensure data security, Giblin said.

"It's important for law firms to always safeguard and keep confidential their client information, whether it's to protect attorney-client privilege" or to follow federal, state or other laws enacted to protect privacy and confidential information.

Not even the experts agree on how to best protect client data.

Lawyers Dan Siegel and Molly Gilligan, whose company, Integrated Technology Services, advises small and mid-sized law firms, said the best practice is to store client data with a cloud vendor on the web and on a hard drive in one's legal office.

It's the practice they use in their own businesses. Siegel, who is based in the Philadelphia suburbs, and Gilligan, a Quinnipiac University School of Law graduate now based in Maine, are using a remote case management system so they can work together in a law practice as well as in their technology business.

Cloud vendors can provide better security than a smaller law firm typically can come up with on its own, Siegel said.

But lawyers must do their due diligence and ensure that the vendor's terms of service acknowledges that the data belongs to the client, and not the vendor or the law firm, Siegel said. Lawyers should only use vendors that store the data in the U.S., he said.

The agreement with a cloud vendor also should cover what happens if the vendor goes out of business, Siegel said. If a vendor does go out of business, Siegel's firm has the encrypted data backed up on a hard drive, he said.

Connecticut bar officials have not issued an ethics opinion on whether its appropriate for lawyers to entrust client data to a cloud computing service where the data is accessed over the Internet via a web browser, according to a tally by the American Bar Association. New York and Massachusetts have released ethics opinions on the topic; both jurisdictions require that lawyers exercise reasonable care in putting client data on the cloud.

Ferraro, however, does not recommend using cloud vendors, saying that law firms should be leery about trusting an outside company with such sensitive client information. "If you have control of your data," she said, "you have control over your data."

If lawyers choose to go the cloud route, Ferraro says they should get client consent before storing their data remotely. She prefers that lawyers stores their own files, making sure they are encrypted. She recommends that attorneys install a self-encrypting hard-drive on their computers.

Heidi Alexander, a law practice advisor with the Massachusetts Law Office Management Assistance Program, said that Dropbox, one of the most popular cloud providers, may not be the safest and most secure vendor to use because it has experienced some data breaches of its own. She, too, said that encryption is the best way to protect documents. She added that attorneys should make sure that passwords are strong and unique.

Both Ferraro and Giblin recommend a number of other data security policies. They said law firms should have policies that forbid the use of computers for personal purpose. Along the same lines, Ferraro said lawyers should have separate business and personal smartphones. Those phones should be password-controlled and include features that allow their digital contents to be erased from a remote location in case they are lost or stolen.

A law firm is going to be experience a data breach and get into hot water, Ferraro and Giblin predicted.

Even though lawyers are supposed to notify their clients of data breaches under Connecticut law, "they don't do it and it's just a matter of time before this implodes upon itself," Ferraro said. There will be a class action lawsuits or criminal investigations, she said.

Giblin predicts federal action at some point against a law firm. The Federal Trade Commission has prosecuted data security breaches as an unfair trade practice, she said. "If they haven't gone after a law firm, they will," Giblin said.

Gilligan said that there is a balance to be struck between security and efficiency with technology. Lawyers need to take reasonable steps to use technology to protect their clients' data, Gilligan said, but technology also is about "making your office more efficient and better able to serve your clients. There is a trade-off."




Subscribe to RSS - cyberlaw