MIRLN --- 23 April - 13 May 2017 (v20.07)

MIRLN --- 23 April - 13 May 2017 (v20.07) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



The emerging need for cybersecurity diligence in M&A (Skadden, 19 April 2017) - Cybercrime has emerged as one of the foremost threats a company faces. As a result of a few keystrokes, a company may find its customers’ data sold on the dark web, its intellectual property in the hands of a competitor or its operations paralyzed by ransomware. It should come as little surprise, then, that cybersecurity has become a key risk factor in mergers and acquisitions. A 2016 survey by West Monroe Partners and Mergermarket found that 77 percent of top-level corporate executives and private equity partners reported that the importance of cybersecurity at M&A targets had increased significantly in recent years. Given this trend, executives and directors contemplating acquisitions should consider the following cyber-related issues when conducting due diligence. * * * [Polley: The ABA’s Business Law Section is about to publish “A Guide to Cybersecurity Due Diligence in M&A Transactions” (240pp); Skadden’s Stuart Levi is one of the contributing authors.]

Torching the modern-day library of Alexandria; “Somewhere at Google there is a database containing 25 million books and nobody is allowed to read them.” (The Atlantic, 20 April 2017) - You were going to get one-click access to the full text of nearly every book that’s ever been published. Books still in print you’d have to pay for, but everything else (a collection slated to grow larger than the holdings at the Library of Congress, Harvard, the University of Michigan, or any of the great national libraries of Europe) would have been available for free at terminals that were going to be placed in every local library that wanted one. At the terminal you were going to be able to search tens of millions of books and read every page of any book you found. You’d be able to highlight passages and make annotations and share them; for the first time, you’d be able to pinpoint an idea somewhere inside the vastness of the printed record, and send somebody straight to it with a link. Books would become as instantly available, searchable, copy-pasteable, as alive in the digital world, as web pages. It was to be the realization of a long-held dream. “The universal library has been talked about for millennia,” Richard Ovenden, the head of Oxford’s Bodleian Libraries, has said. “It was possible to think in the Renaissance that you might be able to amass the whole of published knowledge in a single room or a single institution.” In the spring of 2011, it seemed we’d amassed it in a terminal small enough to fit on a desk. “This is a watershed event and can serve as a catalyst for the reinvention of education, research, and intellectual life,” one eager observer wrote at the time. On March 22 of that year, however, the legal agreement that would have unlocked a century’s worth of books and peppered the country with access terminals to a universal library was rejected under Rule 23(e)(2) of the Federal Rules of Civil Procedure by the U.S. District Court for the Southern District of New York. When the library at Alexandria burned it was said to be an “international catastrophe.” When the most significant humanities project of our time was dismantled in court, the scholars, archivists, and librarians who’d had a hand in its undoing breathed a sigh of relief, for they believed, at the time, that they had narrowly averted disaster. * * * [Polley: fairly long piece; interesting, fun to read, and well-written.]

FBI allays some critics with first use of new mass-hacking warrant (ArsTechnica, 24 April 2017) - Mass hacking seems to be all the rage currently. A vigilante hacker apparently slipped secure code into vulnerable cameras and other insecure networked objects in the “Internet of Things” so that bad guys can’t corral those devices into an army of zombie computers, like what happened with the record-breaking Mirai denial-of-service botnet. The Homeland Security Department issued alerts with instructions for fending off similar “Brickerbot malware,” so-named because it bricks IoT devices. And perhaps most unusual, the FBI recently obtained a single warrant in Alaska to hack the computers of thousands of victims in a bid to free them from the global botnet, Kelihos. On April 5, Deborah M. Smith, chief magistrate judge of the US District Court in Alaska, greenlighted this first use of a controversial court order. Critics have since likened it to a license for mass hacking. The FBI sought the 30-day warrant to liberate victims through a new procedural rule change that took effect in December amid worries among privacy advocates that the update would open a new door for government abuse. But the first use of the amendments to Rule 41 of the Federal Rules of Criminal Procedure has assuaged fears, at least for the moment, because the feds used their power to kill a botnet. The Electronic Frontier Foundation, for example, commended the feds for asking a judge to review exactly what data the FBI would and would not touch in victimized devices, which were located across the country. It was a “positive step” toward accountability and transparency in FBI computer break-ins, EFF staff attorney Andrew Crocker said. This wasn’t the first time the government has gained permission from a federal court to jump in and clean infected computers worldwide. To dismantle Gameover Zeus, once considered the most damaging botnet, the US obtained civil and criminal court orders in federal court in Pittsburgh “authorizing measures to redirect the automated requests by victim computers for additional instructions away from the criminal operators to substitute servers,” as well as “to collect dialing, routing, addressing and signaling ("DRAS") information from the infected computers,” Justice Department officials said at the time in 2014.

Analyzing cyber insurance policies (Bruce Schneier, 26 April 2017) - There’s a really interesting new paper [from the RAND Corporation] analyzing over 100 different cyber insurance policies. From the abstract: In this research paper, we seek to answer fundamental questions concerning the current state of the cyber insurance market. Specifically, by collecting over 100 full insurance policies, we examine the composition and variation across three primary components: the coverage and exclusions of first and third party losses, which define what is and is not covered; the security application questionnaires, which are used to help assess an applicant’s security posture; and the rate schedules, which define the algorithms used to compute premiums. Overall, our research shows a much greater consistency among loss coverage and exclusions of insurance policies than is often assumed. For example, after examining only 5 policies, all coverage topics were identified, while it took only 13 policies to capture all exclusion topics. However, while each policy may include commonly covered losses or exclusions, there was often additional language further describing exceptions, conditions, or limits to the coverage. The application questionnaires provide insights into the security technologies and management practices that are (and are not) examined by carriers. For example, our analysis identified four main topic areas: Organizational, Technical, Policies and Procedures, and Legal and Compliance. Despite these sometimes lengthy questionnaires, however, there still appeared to be relevant gaps. For instance, information about the security posture of third-party service and supply chain providers is notoriously difficult to assess properly (despite numerous breaches occurring from such compromise). In regard to the rate schedules, we found a surprising variation in the sophistication of the equations and metrics used to price premiums. Many policies examined used a very simple, flat rate pricing (based simply on expected loss), while others incorporated more parameters such as the firm’s asset value (or firm revenue), or standard insurance metrics (e.g. limits, retention, coinsurance), and industry type. More sophisticated policies also included information on specific information security controls and practices as collected from the security questionnaires. By examining these components of insurance contracts, we hope to provide the first-ever insights into how insurance carriers understand and price cyber risks.

- and -

Victimized by ransomware, law firm sues insurer for $700K in lost billings (ABA Journal, 2 May 2017) - A Rhode Island law firm has filed a lawsuit against its insurer over coverage for a ransomware attack that locked down the firm’s computer files for three months. Moses Afonso Ryan, a 10-lawyer law firm in Providence, says it paid $25,000 in ransom, but the amount is far less than its lost billings, the Providence Journal reports. A review of records for the same three months last year shows the firm had more than $700,000 in billings during the time period, according to the suit. The suit (PDF) was originally filed in state court and removed to federal court. It claims that Sentinel Insurance Co. is responsible for the loss under policy coverage for lost income. In its answer (PDF) to the complaint, Sentinel denies an unjustified refusal to provide coverage under the law firm’s business owner’s policy. The policy form “speaks for itself,” the answer says. Sentinel says it has paid the law firm the policy maximum of $20,000 for losses caused by computer viruses, which are covered under a computers and media endorsement. The insurer says it has no legal obligation to cover other ransomware losses. The policy coverage for lost business income applies only when there is physical loss or damage to property at the business premises, according to Sentinel.

‘Need to know’ security: New standard of care, new competitive advantage (InsideCounsel, 27 April 2017) - The Association of Corporate Counsel (ACC) recently released their “Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information,” which specify baseline security measures that legal departments may require of outside counsel and set expectations with respect to their data security practices. This comes just as the New York State Department of Financial Services (NYS DFS) cybersecurity requirements went into effect on March 1 this year. Law firms need to pay attention to both developments. The ACC guidelines will set client expectations of law firms, while the DFS regulations mandate requirements for financial institutions operating in New York which extend to their service providers, including law firms. Most of the world’s notable brands have a presence in New York, so it’s hard to imagine many firms not being subject to compliance. Together, the ACC recommendations and the NYS DFS regulations create an impactful story for the legal services industry: They establish an effective standard of care with regard to the handling of client data. When it comes to the protection of client data by law firms, we are already seeing the definitions of this standard being tested in the class action suit against Chicago law firm Johnson & Bell. Much of the information protection security controls proposed by the ACC and contained within the NYS DFS cybersecurity regulation already are considered best practices for both physical and electronic assets. Many already may be in place at most law firms. However, much remains to implement. Firms located in some regions have not traditionally been as concerned about physical access inside their offices; they will need to adjust, taking steps such as securing certain areas. Most firms provide remote desktop access, yet many still have not implemented two-factor authentication; they will need to do so. However, the most significant change, and one which will require most firms to take immediate action, impacts the standard of care for protecting non-public, electronic information. In short, the old standard of care that allowed firms to operate ‘optimistic’ or open environments inside their firewall is dead. The former standard, which consisted of locking down a firm’s perimeter via a firewall and allowing anyone inside the firewall (i.e. everyone working at the firm) full access to non-public client information, is no longer acceptable. The new standard, clearly established by both the ACC guidelines and the NYS DFS regulations, is ‘need-to-know’ access.

Data breach lawsuit survives motion to dismiss (Bracewell, 28 April 2017) - In an April 13, 2017 decision in Walters v. Kimpton Hotel, a California federal judge rejected the bid of hotel chain Kimpton Hotel and Restaurant Group, LLC to dismiss a proposed class action arising from a data breach last year. Judge Vince Chhabria found that the named plaintiff sufficiently alleged imminent harm to establish standing notwithstanding the absence of allegations that his personal information had been misused. * * * Judge Chhabria found that a plaintiff does not need to “actually suffer the misuse of his data or an unauthorized charge before he has an injury for standing purposes,” and that Walters’ allegations of imminent harm were sufficient to confer standing to survive Kimpton’s motion to dismiss. Judge Chhabria adopted the standing approach applied by the Sixth and Seventh Circuits in Galaria v. Nationwide Mut. Ins. Co. and Lewert v. P.F. Chang’s China Bistro. In Galaria, the Sixth Circuit held that allegations of a continuing, increased risk of fraud and identity theft were more than just speculative allegations of injury, emphasizing that there is “no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.” Similarly, in P.F. Chang’s, the Seventh Circuit explained that “it is plausible to infer a substantial risk of harm from the data breach, because a primary incentive for hackers is sooner or later to make fraudulent charges or assume those consumers’ identities.” Additionally, Walters’ allegations of purchasing credit-monitoring services and other out-of-pocket expenses were actual damages sufficient to allow claims of breach of implied contract, negligence, and a violation of California’s unfair competition law to survive. The breach of implied contract claim was based on allegations that Kimpton’s privacy policy, which states that the company is committed to protecting customer personal data, created an enforceable promise to customers in that it was a voluntary duty and constituted valid consideration.

New tools allow voice patterns to be cloned to produce realistic but fake sounds of anyone saying anything (TechDirt, 2 May 2017) - Fake images, often produced using sophisticated software like Photoshop or the GIMP, were around long before so-called “fake news” became an issue. They are part and parcel of the Internet’s fast-moving creative culture, and a trap for anyone that passes on striking images without checking their provenance or plausibility. Until now, this kind of artful manipulation has been limited to the visual sphere. But a new generation of tools will soon allow entire voice patterns to be cloned from relatively small samples with increasing fidelity, such that it can be hard to spot they are fake. For example, in November last year, the Verge wrote about Adobe’s Project VoCo: “When recording voiceovers, dialog, and narration, people would often like to change or insert a word or a few words due to either a mistake they made or simply because they would like to change part of the narrative,” reads an official Adobe statement. “We have developed a technology called Project VoCo in which you can simply type in the word or words that you would like to change or insert into the voiceover. The algorithm does the rest and makes it sound like the original speaker said those words.” Since then, things have moved on apace. Last week, the Economist wrote about the French company CandyVoice: Utter 160 or so French or English phrases into a phone app developed by CandyVoice, a new Parisian company, and the app’s software will reassemble tiny slices of those sounds to enunciate, in a plausible simulacrum of your own dulcet tones, whatever typed words it is subsequently fed. In effect, the app has cloned your voice. The Montreal company Lyrebird has a page full of fascinating demos of its own voice cloning technology, which requires even less in the way of samples. * * *

Court upholds enforceability of open source licenses (O’Melveny & Myers, 3 May 2017) - The District Court for the Northern District of California recently issued an opinion that is being hailed as a victory for open source software. In this case, the court denied a motion to dismiss a lawsuit alleging violation of an open source software license, paving the way for further action enforcing the conditions of the GNU General Public License ("GPL"). * * * Hancom moved to dismiss Artifex’s complaint on several grounds. The District Court denied Hancom’s motion to dismiss on each ground. A few aspects of the decision are of particular interest to the open source community. For example, Hancom argued that Artifex could not plead breach of contract for violation of GPL and could not request specific performance of the terms of GPL. Hancom also argued that copyright damages were not available because the GPL grants royalty-free rights. As part of its motion to dismiss, Hancom argued that using open source code offered under open source licensing terms does not form a contract. Whether open source licenses can be contracts in addition to conditional licenses has been an unsettled area of law. In the seminal case on enforcement of open source licenses in the United States, Jacobsen v. Katzer, the Federal Circuit Court of Appeals held that open source violations could be brought as copyright claims, but did not foreclose the possibility of bringing contract claims as well. In Artifex, the District Court ruled that Artifex’s breach of contract claim could proceed, finding that the GPL, by its express terms, requires that third parties agree to the GPL’s obligations if they distribute the open-source-licensed software. * * * Here, in denying a motion to dismiss, the District Court only holds that the claims may proceed on the theories enunciated by Artifex, not necessarily that they will ultimately succeed. Still, the case represents a significant step forward for open source plaintiffs. Many open source compliance claims have been brought as copyright infringement claims, and Jacobsen affirmed this approach. Generally, copyright claims may afford plaintiffs more damages and stronger remedies than contract claims. However, contract claims may help a plaintiff pursue a violator’s worldwide conduct in a way that jurisdictional limits on copyright claims might not allow. Breach of contract claims may also be able to address reputational harm and other indirect non-economic benefits that a plaintiff might derive from enforcing open source license conditions. A breach of contract claim might also, in certain instances, allow for specific performance of open source obligations.

Hundreds of privacy-invading apps are using ultrasonic sounds to track you (ZDnet, 3 May 2017) - A new privacy-busting technique that tracks consumers through the use of ultrasonic tones may have once sounded like the stuff of science fiction novels, but today it’s reality. These near-silent tones can’t be picked up by the human ear, but there are apps in your phone that are always listening for them. This technology is called ultrasonic cross-device tracking, and it works by emitting high-frequency tones in advertisements and billboards, web pages, and across brick-and-mortar retail outlets or sports stadiums. Apps with access to your phone’s microphone can pick up these tones and build up a profile about what you’ve seen, where, and in some cases even the websites you’ve visited. In the past year, researchers found 234 Android apps that include the ability to listen for ultrasonic tones “without the user’s knowledge,” one paper said. The researchers note that some apps use the beacons to display location-specific advertising content on users’ phones, like tickets and vouchers for festivals. Several stores in two unnamed European cities have already installed these ultrasonic beacons. Worst of all, the researchers say that this ultrasonic tracking technology can de-anonymize users of bitcoin, which is designed to be used without the need for a name. A similar technique can be used for those who are browsing the web using the Tor anonymity network, which prevents eavesdroppers from monitoring your web traffic and browsing history.

How hackers get past the defenses of large law firms (Ride The Lightning, 3 May 2017) - Law360 (sub. req.) published an article about how cybercriminals get past the defenses of large law firms. One point of reference was to the scheming of Oleras, a cybercriminal seeking help on the Dark Web to hack into some of the biggest American law firms, in return for major monies. His vision was a scheme to spear-phish high-powered lawyers. A group Oleras was working with suggested the bait would be a phishing e-mail with a purported award announcement from a well-known British publication called Business Worldwide, and it would say that the lawyer was being honored for deal-making achievements. High-powered lawyers are not known for modest egos, and that was their edge. To figure out whom to phish, they looked at the social media accounts and online profiles of lawyers at the targeted firms, searching for those who seemed to list every award and honor. We can’t know how the scheme fared, but Oleras pronounced himself happy with the results in online postings. The article talks about the Legal Services Information Sharing and Analysis Organization (LS-ISAO), which now has more than 100 law firm members, many of them large firms. It likens itself to a “Neighborhood Watch,” the motto being “If you see something, say something.” We’ve certainly heard that line before. This 16-page article, full of real-life stories and helpful tips, should be mandatory reading for lawyers. If you can’t think like the enemy, you can’t effectively fight the enemy.

- and -

Hackers face $8.9 million fine for law firm breaches (Dark Reading, 9 May 2017) - Three Chinese stock traders were ordered to pay $8.9 million in fines and penalties for hacking into two law firms and stealing information on upcoming mergers and acquisitions and then leveraging the information to trade stocks. A federal court in New York ordered Iat Hong, Bo Zheng, and Hung Chin to pay fines, as well as Hong’s mother Sou Cheng Lai, who held a bank account where the proceeds from the stock sales were kept, according to a copy of the judgment posted by SC Media. The three hackers installed malware on the law firms’ computer networks, enabling them to view emails on mergers and acquisitions in which the firms were involved. With the information, the attackers purchased stock in at least three public companies prior to their merger announcements, according to the Securities and Exchange Commission (SEC), which filed the lawsuit against the hackers. The hackers shelled out roughly $7.5 million within a month’s time to buy shares in Altera prior to its 2015 acquisition by Intel. The defendants also snapped up shares in Borderfree before its 2015 buyout by Pitney Bowes, and also acquired shares in InterMune before its 2014 merger deal with Roche, according to the SEC. With these transactions, the trio racked up nearly $3 million in illegal profits, the SEC stated.

ABA expresses concern about border searches of lawyer laptops and other electronic devices (ABA Journal, 5 May 2017) - ABA President Linda Klein is expressing serious concern about standards that permit searches of lawyer laptops and other electronic devices at the border in the absence of reasonable suspicion. In a May 5 letter (PDF) to the Department of Homeland Security, Klein seeks policies and procedures to ensure the confidentiality of privileged or confidential client material on the devices. A summary is here. The letter says the ABA supports the critical role played by customs and immigration officers in protecting national security. “But just as border security is fundamental to national security,” Klein writes, “so too is the principle of client confidentiality fundamental to the American legal system.” The letter urges DHS to clarify directives governing border searches of electronic devices by U.S. Customs and Border Protection and by Immigration and Customs Enforcement. Current policies do call for special handling of privileged and confidential legal materials in border searches, but the ABA is concerned that the provisions are not sufficiently clear or comprehensive, Klein writes. Klein says the directives should state that privileged or confidential client information on lawyers’ electronic devices should not be read, duplicated, seized or shared absent a subpoena based on reasonable suspicion or a warrant supported by probable cause. [See also ACLU says demanding US citizens unlock phones at the border is unconstitutional (The Verge, 4 May 2017).]

Taser/Axon separating defense lawyers from body camera footage with license agreements (TechDirt, 8 May 2017) - Taser Inc.’s quiet takeover of evidence generation and storage—through extensive body camera offerings—was put on public display when the company rebranded as Axon. The company was willing to give away cameras in exchange for something far more lucrative: software licensing and footage access fees in perpetuity. Axon even nailed down a choice URL: Evidence.com. This is the portal to law enforcement body camera footage stored in Axon’s cloud—the real moneymaker for Axon. The cameras are just the gateway drug. But much of what’s stored at Evidence.com could be considered public records. Much of what’s stored there could also be subject to discovery by defense attorneys during criminal proceedings. But no one asked defense attorneys if this arrangement worked for them. It was enough that it worked for cops. Defense attorney Rick Horowitz has a problem with contractual agreements he’s being asked to sign when attempting to gain access to records regarding his client. Instead of handing out files, prosecutors are handing out URLs. To obtain the records he needs, Horowitz is forced to use Axon’s portal… and sign agreements with Axon before he’s allowed to access anything: * * *

Vendors approve of NIST password draft (CSO Online, 9 May 2017) - A recently released draft of the National Institute of Standards and Technology’s (NIST’s) digital identity guidelines has met with approval from vendors. The draft guidelines revise password security recommendations and alter many of the standards and best practices security professionals use when forming policies for their companies. The new framework recommends, among other things, [removing] periodic password change requirements. There have been multiple studies showing that requiring frequent password changes is actually counterproductive to good password security, said Mike Wilson, founder of PasswordPing. NIST said this guideline was suggested because passwords should be changed when a user wants to change them or if there is an indication of breach. * * *

RESOURCES

“Securing Communication of Protected Client Information” (ABA Formal Opinion 477, 11 May 2017) - A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security. [Polley: Thorough and interesting (cites the ABA Cybersecurity Handbook; a second edition of the Handbook will be published this summer). However, this opinion falls into the trap of making assumptions/recommendations based on current technology, and thus risks obsolescence - e.g., it suggests changing passwords periodically, which has been called into question by experts - see the NIST story immediately above.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

German police barred from secretly searching computers over Internet (SiliconValley.com, 5 Feb 2007) - Police cannot secretly search suspects’ computer hard drives over the Internet, a German court ruled Monday. The decision of the Federal Court of Justice in Karlsruhe bars police from using software to search through remote hard drives unless parliament passes a law explicitly allowing the technique. Police, however, still will be allowed to seize evidence from PCs when conducting searches in person. Arguing that stealth searches were indispensable to investigating criminals and terrorists, Interior Minister Wolfgang Schaeuble, the country’s top security official responsible for police, called on the government to seek swift changes in the law. “It is indispensable for criminal investigators to be able to carry out online searches secretly and with a corresponding order from a judge,” he said in a statement. The decision came in response to a request by the Federal Prosecutor’s Office, which had sought to use Trojan horse programs to investigate a possible terrorist group. Prosecutors argued the legal reasoning used to allow telephone surveillance and other electronic eavesdropping techniques should be applicable to gathering evidence over the Internet.

SEC publishes rule requiring internet posting of proxy materials (Duane Morris client alert, 28 August 2007) - The SEC recently published final regulations on Shareholder Choice Regarding Proxy Materials. The amendments to the proxy rules under the Securities Exchange Act of 1934 ("Amendments") require issuers and other soliciting persons to post proxy materials on a publicly accessible Internet web site and to provide notice to shareholders of the availability of those materials. Issuers and other soliciting persons must follow a notice and access model, which allows two options to issuers to provide proxy materials to shareholders: (1) the “notice only” option and (2) the “full set delivery” paper option. If the issuer chooses to post its proxy materials on the Internet web site, under the “notice only” option, shareholders may elect to receive these proxy materials in paper copy format.