Cities reluctant to reveal whether they’re using fake cell tower devices (ArsTechnica, 25 March 2014) – For some time now, the American Civil Liberties Union (ACLU) has been on a quest to better understand the use and legality of “stingrays.” These devices, which are also known as international mobile subscriber identity (IMSI) catchers, or fake cell towers, can be used to track phones or, in some cases, intercept calls and text messages. The “Stingray” itself is a trademarked product manufactured by a Florida-based company, the Harris Corporation. (It has since come to be used as a generic term, like Xerox or Kleenex.) Harris is notoriously secretive about its devices and generally won’t talk to the press about their capabilities or deployments. Earlier in March, the ACLU filed a public access request seeking documents and information related to stingray use by nearly 30 Florida police and sheriff’s departments. Among the responses published for the first time on Tuesday was the curious reply from the city of Sunrise, Florida, a town of about 88,000 people just northwest of Miami. Through its lawyers, Sunrise officially denied the request, stating that the city would neither confirm nor deny “whether any records responsive to the Request exist and, if any responsive records do exist, cannot and will not publicly disclose those records.” (In a footnote, the lawyers also cited this Ars story from September 2013 detailing stingrays and other related surveillance devices.) The ACLU published its response to the city’s denial on Tuesday. As the ACLU points out in a Tuesday blog post, the city of Sunrise has already published an invoice from Harris on its own website, dated March 13, 2013, showing that the city paid over $65,000 for a stingray. That document clearly states, in all-caps on each page, that “disclosure of this document and the information it contains are strictly prohibited by Federal Law.”

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/photoexplorer.

Law firms are pressed on security for data (NYT, 26 March 2014) – A growing number of big corporate clients are demanding that their law firms take more steps to guard against online intrusions that could compromise sensitive information as global concerns about hacker threats mount. Wall Street banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets either for their own use or sale to others, said people briefed on the matter who spoke on the condition of anonymity. Some financial institutions are asking law firms to fill out lengthy 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections. In some cases, banks and companies are threatening to withhold legal work from law firms that balk at the increased scrutiny or requesting that firms add insurance coverage for data breaches to their malpractice policies. The vulnerability of American law firms to online attacks is a particular concern to law enforcement agencies because the firms are a rich repository of corporate secrets, business strategies and intellectual property. One concern is the potential for hackers to access information about potential corporate deals before they get announced. Law enforcement has long worried that law firms are not doing enough to guard against intrusions by hackers. Despite the concern, it’s hard to gauge just how vulnerable law firms are to attacks from hackers. There are few rules requiring firms to make public any breaches, and because the firms have little direct interaction with consumers, there is no need for them to publicly report a hacking incident the way a bank or a retailer would. In 2012, Mandiant, a security consulting firm, put out a report estimating that 80 percent of the 100 largest American law firms had some malicious computer breach in 2011. 
Actual reports of confidential information hacked from a law firm computer system and later winding up on some overseas server are rare, however. Representatives for several large law firms, all of whom declined to discuss the topic publicly, said privately that the threat assessments from the F.B.I. and consulting firms were overstated. The law firm representatives said hacker attacks were usually email “phishing” schemes seeking to access personal information or account passwords, the kind of intrusions that have become commonplace and are easily contained. But Vincent I. Polley, a lawyer and co-author of a recent book for the American Bar Association on cybersecurity, said many law firms were not even aware they had been hacked. He said a lot of law firm managers were in denial about the potential threat. “A lot of firms have been hacked, and like most entities that are hacked, they don’t know that for some period of time,” said Mr. Polley. “Sometimes, it may not be discovered for a minute or months and even years.” [Polley: The referenced book is “The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals”, available here.]

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/watcharakun.

US notified 3,000 companies in 2013 about cyberattacks (Washington Post, 24 March 2013) – Federal agents notified more than 3,000 U.S. companies last year that their computer systems had been hacked, White House officials have told industry executives, marking the first time the government has revealed how often it tipped off the private sector to cyberintrusions. The alerts went to firms large and small, from local banks to major defense contractors to national retailers such as Target, which suffered a breach last fall that led to the theft of tens of millions of Americans’ credit card and personal data, according to government and industry officials. “Three thousand companies is astounding,” said James A. Lewis, a senior fellow and cyberpolicy expert at the Center for Strategic and International Studies. “The problem is as big or bigger than we thought.” The number reflects only a fraction of the true scale of cyberintrusions into the private sector by criminal groups and foreign governments and their proxies, particularly in China and Eastern Europe. The estimated cost to U.S. companies and consumers is up to $100 billion annually, analysts say. In most cases, the company had no idea it had been breached, officials say. According to Verizon, which compiles an annual data-breach survey, in seven out of 10 cases, companies learn from an external party – usually a government agency – that they’ve been victimized.

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/Stuart Miles.

New French law authorizes the CNIL to conduct online inspections (Hunton & Williams, 18 March 2014) – On March 18, 2014, a new French consumer law (Law No. 2014-344) was published in the Journal Officiel de la République Française. The new law strengthens the investigative powers of the French Data Protection Authority (the “CNIL”) by giving the CNIL the ability to conduct online inspections. Currently, the CNIL may conduct three types of investigations: (1) On-site inspections – the CNIL may visit a company’s facilities and access anything that stores personal data (e.g., servers, computers, applications). On-site inspections currently represent the vast majority of the inspections conducted by the CNIL; (2) Document reviews – these inspections allow the CNIL to require an entity to disclose documents or files (upon written request); and (3) Hearings – the CNIL may summon representatives of organizations to appear for questioning and to provide other necessary information. With its new online inspection authority, the CNIL now also may identify violations of the French Data Protection Act through remote investigations. For example, this new investigative power will enable the CNIL to check whether online privacy notices comply with French data protection law, and to verify whether entities obtain users’ prior consent before sending electronic marketing communications. The CNIL emphasized that the new online investigations will concern only publicly available data, and that the law does not give the CNIL the right to circumvent security measures to gain access to information systems.

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/Stuart Miles.

A new “target” on their backs: Target’s officers and directors face derivative action arising out of data breach (Global Regulatory Enforcement Law Blog, 30 Jan 2014) – In the wake of its massive data breach, Target now faces a shareholder derivative lawsuit, filed January 29, 2014. The suit alleges that Target’s board members and directors breached their fiduciary duties to the company by ignoring warning signs that such a breach could occur, and by misleading affected consumers about the scope of the breach after it occurred. Target already faces dozens of consumer class actions filed by those affected by the breach, putative class actions filed by banks, federal and state law enforcement investigations, and congressional inquiries. This derivative action alleges that Target’s board members and directors failed to comply with internal processes related to data security and “participated in the maintenance of inadequate cyber-security controls.” In addition, the suit alleges that Target was likely not in compliance with the Payment Card Industry’s (PCI) Data Security Standards for handling payment card information. The complaint goes on to allege that Target is damaged by having to expend significant resources to: investigate the breach, notify affected customers, provide credit monitoring to affected customers, cooperate with federal and state law enforcement agency investigations, and defend the multitude of class actions. The derivative action also alleges that Target has suffered significant reputational damage that has directly impacted the retailer’s revenue.

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/Grant Cochran.

Five things your IT department wants [the GC] to know about data security (Thomson Reuters, 30 Jan 2014) – The year 2013 was pretty terrifying when it comes to data security. Amid the fears created by the breaches at Adobe and Target, plus the knowledge that big brother really has been watching us through the NSA, every corporate counsel ought to be concerned about data security at their organization. However, as the senior manager of IT Operations for Serengeti, a SaaS (software as a service) e-billing and matter management company, Anne-Marie Scollay explains that there is no “silver bullet that provides an impervious layer of security around data.” Anne-Marie frequently collaborates with legal departments and their IT teams as they evaluate Serengeti’s cloud solution and shares insights regarding data security.

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/Stuart Miles.