Wall St. and law firms plan cooperative body to bolster online security (NYT, 23 Feb 2015) – The threat of ever-larger online attacks is bringing together Wall Street banks and the big law firms that do work for them in an alliance that could result in some sharing of basic information about digital security issues. For nearly a year, banks and law firms have discussed setting up a legal group that would be affiliated with the banking industry’s main forum for sharing information about threats from hackers, online criminals and even nation states, the Financial Services Information Sharing and Analysis Center (FS-ISAC). Several people briefed on those discussions said the talks would most likely lead to the establishment of such a group by the end of the year, a recognition that hackers are increasingly focusing on big law firms to glean information about their corporate clients. Law enforcement agencies have long been concerned about the vulnerability of United States law firms to online attacks because hackers and nations bent on corporate espionage see them as a rich repository of company secrets, business strategies and intellectual property. But attacks on law firms often go unreported because the firms are private and not subject to the same kind of data-breach reporting requirements as public companies that handle sensitive consumer information. Over the last several months, Mandiant, the security firm that is a division of FireEye, has been advising a half-dozen law firms that were the subject of a breach, said a person briefed on the matter who spoke on the condition of anonymity. In a recent presentation at a legal conference, Mandiant said many of the bigger hackings of law firms had ties to the Chinese government, which was seeking information on patent applications, trade secrets, military weapons systems and contract negotiations.
The law firm group under consideration would be set up as an organization to share and analyze information and would permit firms to share information anonymously about hackings and threats on computer networks, in much the same way that banks and brokerage firms share similar information with the financial services group. And while the two groups would not necessarily share information with each other, the law firms would have access to some of the resources of the financial center, which has existed since 1999 and is one of the better-funded industry threat-sharing organizations. [Polley: I’m helping the ABA assess whether/how it might facilitate similar ISAC-like activities; we fear that most firms (other than the very largest) wouldn’t grok the value-proposition. Reactions?]


Provided by MIRLN


Online court proposed to resolve claims of up to £25,000 (The Guardian, 15 Feb 2015) – The UK justice system should receive a radical overhaul for the digital age with the creation of an online court to expand access to justice and resolve claims of up to £25,000, the official body that oversees civil courts has recommended. In a transformative proposal for largely lawyer-free, virtual courtrooms, the civil justice council is calling for an internet-based dispute resolution system to be available within two years. Backed by Lord Dyson, the master of the rolls, who is head of the civil judiciary in England and Wales, the report says existing services – such as eBay’s disagreement negotiation procedure and Cybersettle’s blind-bidding operations – provide prototypes worth studying. The online dispute resolution (ODR) model proposed in the report envisages a three-tier process: evaluation through interactive services and information, negotiation with online “facilitators” and finally, if agreement has not been reached, resolution by a trained judge relying on electronic submissions. Only the judge need be legally qualified. If necessary, telephone hearings could be built into the last stage. Rulings by the online judge would be as enforceable as any courtroom judgment. The report’s principal author, Prof Richard Susskind, who is president of the Society for Computers and Law, said the UK was falling behind other countries that have begun to incorporate online elements into their judicial systems. His recommendations include “automated negotiation” where differences may be resolved “without the intervention of human experts” by relying on blind bidding processes.


Senators question FBI’s legal reasoning behind cell-tower spoofing (Washington Post, 2 Jan 2015) – Two U.S. senators are questioning whether the FBI has granted itself too much leeway on when it can use decoy cellphone towers to scoop up data on the identities and locations of cellphone users. The lawmakers say the agency’s position is now that it doesn’t need a search warrant when gathering data about people milling around in public spaces. Sen. Patrick Leahy (D-Vt.) and Sen. Chuck Grassley (R-Iowa), the chairman and ranking member of the Senate Judiciary Committee respectively, have written a letter to Attorney General Eric Holder and Homeland Security Secretary Jeh Johnson about the use of the surveillance technology called an IMSI catcher, also referred to by the trade name “Stingray.”


Tech firms tussle with DOJ over the right to say ‘zero’ (WaPo, 16 Dec 2014) – A growing number of technology companies seeking to promote transparency have been testing the limits of new government guidelines on how they can disclose national security orders for their customers’ data. Over the past year or so, about a dozen online and communications firms have reported that they have never received such a request, effectively breaching the spirit if not the letter of government guidance issued in January intended to make it more difficult for would-be terrorists or spies to identify services that could be used to evade detection. Their decisions have frustrated U.S. officials, even as they privately acknowledge there is little they have been able to do about it. In October, Twitter sued the government, charging that its First Amendment rights were squelched when the Justice Department blocked it from publishing a transparency report that sought to disclose the specific number of orders it had received and the fact that the number was limited. The firm also alleged that preventing a company from reporting “zero” national security requests is an unconstitutional restraint on speech. The guidelines take the form of an agreement reached with five major tech companies that allows reporting of government national security requests in broad ranges, such as 0-999. There is no “zero” option. Some firms began issuing warrant canaries (standing statements that the company has received no secret orders, worded so that their removal, rather than any affirmative announcement, signals that one has arrived) shortly after the first disclosures by former intelligence contractor Edward Snowden, who revealed a National Security Agency program to gather data about millions of Americans’ phone calls (though not the content) from phone companies. Wickr, a San Francisco-based company that provides an encrypted text message service to more than 4 million users, planted a warrant canary in its transparency report in the summer of 2013, becoming the first company, it said, to do so. The report said, “If the canary flies the coop, the tone of this report will change as well because things will have shifted.”
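A canary is only useful if someone is watching for its absence, so the check has to be automated and has to alarm on silence, staleness and changed wording, not just on an explicit announcement. The following is an added example of such a monitor; it is not Wickr’s or any other company’s code, and the “Key: value” canary format, the field names and the three sample documents are constructed here for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Wording the publisher commits to repeating verbatim for as long as it is true.
# A gagged company cannot announce an order, but it can stop repeating this line.
CANARY_STATEMENT = "We have never received a national security request for user data."

# Constructed sample documents (hypothetical format: one "Key: value" per line).
SAMPLE_HEALTHY = """Canary
Date: 2015-01-10
Statement: We have never received a national security request for user data.
"""

SAMPLE_STALE = """Canary
Date: 2014-09-01
Statement: We have never received a national security request for user data.
"""

# Same date, but the wording has been quietly hedged: treat as the canary having flown.
SAMPLE_HEDGED = """Canary
Date: 2015-01-10
Statement: We have not received any national security request in the past quarter.
"""

AS_OF = date(2015, 1, 20)  # the day the monitor runs, fixed so the example is reproducible


@dataclass
class CanaryStatus:
    alive: bool
    reason: str


def parse_canary(text: str) -> dict:
    """Split a canary document into a {lowercased key: value} dict; lines without ':' are ignored."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields


def check_canary(text: str, today: date, max_age_days: int = 31) -> CanaryStatus:
    """Return alive=True only if the canary is present, recent, and word-for-word intact.

    Every other outcome (missing document, missing or unparseable date, future date,
    stale date, altered statement) is reported as the canary having flown, because
    the whole point of the mechanism is that absence is the signal.
    """
    fields = parse_canary(text)
    if "date" not in fields:
        return CanaryStatus(False, "no date")
    try:
        issued = date.fromisoformat(fields["date"])
    except ValueError:
        return CanaryStatus(False, "unparseable date")
    if issued > today:
        return CanaryStatus(False, "dated in the future")
    if today - issued > timedelta(days=max_age_days):
        return CanaryStatus(False, f"stale: last issued {issued.isoformat()}")
    if fields.get("statement") != CANARY_STATEMENT:
        return CanaryStatus(False, "statement missing or wording changed")
    return CanaryStatus(True, "ok")


if __name__ == "__main__":
    for name, doc in (("healthy", SAMPLE_HEALTHY), ("stale", SAMPLE_STALE), ("hedged", SAMPLE_HEDGED)):
        status = check_canary(doc, AS_OF)
        print(f"{name:8s} alive={status.alive} ({status.reason})")
```

The comparison is deliberately exact rather than fuzzy: a monitor that accepts “roughly similar” wording would let a compelled company satisfy a gag by softening the sentence, which is exactly the signal the canary exists to carry. In a real deployment the document would also be signed with a key published out of band, and the monitor would fetch it on a schedule and alert when a fetch fails.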


Can Sony get around the First Amendment to sue the media over the hack? (Eriq Gardner, 15 Dec 2014) – On Sunday night, famed attorney David Boies sent a threatening letter on behalf of Sony Pictures to The Hollywood Reporter, The New York Times and other news organizations demanding destruction of stolen information and warning of consequences for publishing the company’s secrets. If Sony does decide to go to court against the media over revelations that keep coming – Channing Tatum and Chris Pratt wish to reboot Ghostbusters, George Clooney lost faith in The Monuments Men, Sony executives weren’t thrilled by Leonardo DiCaprio dropping out of a Steve Jobs biopic – the First Amendment stands as a roadblock. But maybe not an impenetrable one. Many attorneys are now carefully reading every word of a 2001 Supreme Court decision, Bartnicki v. Vopper. The case concerned union officials whose intercepted cell phone conversations landed in the hands of a radio commentator who broadcast the contents. At the high court, the media defendants were given a pass from violating a federal wiretap law because they “played no part in the illegal interception,” “their access to the information on the tapes was obtained lawfully, even though the information itself was intercepted unlawfully by someone else” and, finally, “the subject matter of the conversation was a matter of public concern.” That decision offers tremendous hope for news organizations that Sony’s threats against the news media are empty. “Unless the media is involved in the hacks themselves, the Bartnicki case puts the law on the side of the media,” says Andy Sellars at Harvard University’s Berkman Center for Internet & Society. However, some caution might be in order for two reasons.


The FCC takes a seat at the cyber-regulation table (Cyber Risk Network, 8 Dec 2014) – The FCC recently slid up its chair to the fiscal feast that is cyber security and data breach regulation and took a hefty piece of the pie. In late October the FCC announced a record $10 million fine against two telecommunication companies after the telecoms reportedly posted the private information of nearly 300,000 people in a manner that left those people exposed to identity theft. Taking a cue from the Federal Trade Commission (“FTC”), the FCC action was not based on any new set of concrete regulations or laws establishing a minimum bar for data protection, but rather on existing FCC powers under the Communications Act of 1934. The action serves as a good warning not only to communications providers that the FCC will be examining data breaches and, more expressly, data storage issues, but also that in the absence of clear cybersecurity regulations, federal agencies will take an expansive view of their existing authority to address cybersecurity-related incidents involving companies subject to their jurisdiction. Like the FTC’s approach, the FCC’s first foray into data breach regulation was born from its interpretation of its existing authority under the Communications Act of 1934 (the “Act”). Under the Act, the FCC is responsible for regulating interstate and international communications by radio, television, wire, satellite, and cable throughout the United States and its territories.
Moreover, under Section 503(b)(1) of the Act, the FCC is authorized to impose a forfeiture penalty against “any person who willfully or repeatedly fails to comply with any provision of the Act.” As the FCC described in its Notice of Forfeiture, that is exactly what two companies, YourTel America and TerraCom Inc., did when they collected the data of up to 300,000 customers to determine eligibility for the FCC’s low-income discount phone program, “Lifeline.” In order to enroll, potential participants had to demonstrate eligibility by submitting personal information to the Companies, including the applicant’s name, address, date of birth, social security number, and driver’s license information. The FCC alleges that between September 2012 and April 2013 applicants’ information was stored on data servers that were publicly accessible via the Internet, a fact made known to the FCC after reporters from the Scripps Howard News Service advised the FCC that they had been able to access at least 128,066 confidential records using a simple Google search. Acting under the authority provided by the Communications Act, as amended by the Telecommunications Act of 1996, the FCC charged the Companies with violations of Sections 222(a) and 201(b). Under 222(a), a carrier has a duty “to protect the confidentiality of proprietary information of, and relating to . . . customers.” Similarly, 201(b) requires that a carrier’s “practices” be just and reasonable and declares any “unjust or unreasonable” practice unlawful; the FCC read that to cover data security practices such as, in this case, how the Companies stored customers’ “proprietary information.”
