On Wednesday, April 29, the US Department of Justice released guidance titled “Best Practices for Victim Response and Reporting of Cyber Incidents.” The guidance outlines steps companies should take before, during, and after an incident, and includes a summary checklist. The guidance also states the Justice Department’s positions on the legal permissibility of a number of monitoring techniques and the impermissibility of many forms of so-called “hacking back.”


[Guidelines are here.]

Source: Department of Justice issues best practices guidance on cyber incidents (WilmerHale, 1 May 2015) via MIRLN (miscellaneous IT related law news)

Photo: Washington DC – Federal Triangle: Robert F. Kennedy Department of Justice Building via Wally Gobetz [Creative Commons Attribution-NonCommercial-NoDerivs]

Facebook and Google privacy heads disagreed on Wednesday April 23, 2015, with White House claims that the government needs ways around encryption of consumer data. Cryptography experts claim that a system designed to allow the U.S. government to circumvent encryption could be exploited. Google’s chief privacy officer, Keith Enright, said the ability to access encrypted data could also decrease law enforcement’s accountability in data search and access.

Read full article via MIT Technology Review here.

“System Code” by Yuri Samoilov is licensed under CC BY 2.0


US District Judge Andrew P. Gordon shot down evidence collected by the FBI during a search early this year investigating an illegal online betting ring. Agents cut Internet access to $25,000-per-night villas at Caesar’s Palace Hotel and Casino and searched the premises, posing as service repair providers.

“Permitting the government to create the need for the occupant to invite a third party into his or her home would effectively allow the government to conduct warrantless searches of the vast majority of residents and hotel rooms in America,” Gordon wrote. “Authorities would need only to disrupt phone, Internet, cable, or other ‘non-essential’ service and then pose as technicians to gain warrantless entry to the vast majority of homes, hotel rooms, and similarly protected premises across America.”

Thomas Goldstein, one of the nation’s top Supreme Court litigators who runs the SCOTUSblog, labelled the ruling as “monumental” in protecting privacy in the digital age.

Read more via Ars Technica.

“Cables – The Missing Link” by JordanHill School D&T Dept is licensed under CC BY 2.0







Hackers often carry out massive cyberattacks to gain access to financial data through banks and retail companies, but this week’s cybercrime hit a seemingly new target: medical data, taken from the health insurance company Premera Blue Cross. The attack affected 11 million patients, making it the largest cyberattack involving medical information to date. The healthcare industry has been catching hackers’ attention lately. In February, the health insurance company Anthem reported a breach in which hackers accessed about 80 million records, and in 2014, the Tennessee-based hospital operator Community Health Systems saw 4.5 million records accessed, though both companies said no medical data was exposed. Even so, as Pat Calhoun, the senior vice president of network security at Intel Security, puts it, the healthcare industry is just beginning to find itself in cyber-criminals’ crosshairs, making it slow to shield people’s records. Calhoun points out that healthcare breaches aren’t unheard of: In fact, according to Intel Security and the Atlantic Council’s latest report on cyber risks, about 44 percent of all registered data breaches in 2013 targeted medical companies, with the number of breaches increasing 60 percent between 2013 and 2014. Medical data is also becoming a highly lucrative target. “Financial data has always been a priority, because it’s low-hanging fruit,” Calhoun says. “But over the past couple of years, we’ve identified that medical information has a higher value on the black market than credit card information.”

Medical data has become the next cybersecurity target (NextGov, 20 March 2015)

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/stockimages

Investigator admits guilt in hiring of a hacker (NYT, 6 March 2015) – A private investigator who has done work for small New York City law firms that specialize in personal injury and medical malpractice litigation pleaded guilty on Friday in federal court in Manhattan to one charge of conspiracy in hiring a hacker to help with his investigation. The guilty plea, by Eric Saldarriaga, an investigator from Queens, stems from an inquiry by federal prosecutors and the Federal Bureau of Investigation into the so-called hacker-for-hire business. Mr. Saldarriaga entered his plea before Judge Richard J. Sullivan of Federal District Court in Manhattan. In the court proceeding and a five-page “criminal information” charge, the clients of Mr. Saldarriaga were not identified. The charge said Mr. Saldarriaga, 41, operated under the alias “Emmanuela Gelpi” in seeking out the services of hackers to help him gain “unauthorized access” to at least 60 email accounts. The investigation of Mr. Saldarriaga and his company, Iona Research and Security Services, could now turn attention onto some of his clients, assuming they were aware he was hiring hackers to break into email accounts. In a posting on an older Yahoo message board used by private investigators, Mr. Saldarriaga said his company did work for about 20 law firms. Last month, federal prosecutors in San Francisco, in an unrelated case, announced the indictment of two private investigators and two computer hackers on charges that they had illegally entered email and Skype accounts to gather information for matters they were working on for clients. Some of the illegally gathered information was intended to support a lawsuit, authorities said. In that case, there has been no indication that the private investigators were working on behalf of a particular law firm.


Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/jesadaphorn

New study provides cybersecurity insights for corporate counsel (Hogan Lovells, 24 Feb 2015) – A recently released research study published by Indiana University’s Bloomington School of Law highlights the rising importance of cybersecurity law and provides current insights on the role lawyers are playing to help protect companies from cyber threats. The study, entitled “The Emergence of Cybersecurity Law,” is based on a survey of corporate law departments as well as interviews conducted with lawyers, consultants, and academic experts. The report finds that although companies increasingly recognize the importance of cybersecurity, few are fully prepared to face the challenge. Substantial numbers of corporate leaders lack confidence in their organizations’ level of preparedness, in part the result of a shortfall of cybersecurity literacy within organizations. While cybersecurity may once have been the domain of IT professionals, companies now recognize that having legal and other disciplines engaged is also necessary. The implication is that lawyers must master the patchwork of legal issues and regulations relevant to cybersecurity risk management, while developing sufficient technical vocabulary to ask the right questions of their IT counterparts. Despite the accelerating frequency of cybersecurity incidents, the report finds that companies still too often turn to lawyers only as a reactive measure rather than as part of a proactive process. To help companies protect their employees and customers from cyber threats, the report recommends that corporate counsel follow a 10-point cybersecurity agenda first proposed in 2012 by Hogan Lovells Partner Harriet Pearson: * * *


Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/StuartMiles