Category: Cybersecurity

Tags: Cybersecurity, Email, Hacking, Phishing

Yahoo! Latest Dangerous Place to Be


I read Oregon Attorney General Ellen Rosenblum's fraud alert on the Yahoo data breach. It makes me unhappy to read, because 500 million users includes lawyers and many friends and family members. Why anyone would use Yahoo for email if they are a lawyer is a question for another day. Or not. Please remember that the old adage, there's no such thing as a free lunch, carries an important lesson here. Encrypt, encrypt, encrypt. Or simply avoid using free email platforms for your business. Google offers business mail that is different from its free Gmail. Your business is your business. But so is your clients' business, so you have an ethical duty to protect your clients' business.

Ok, I am off my soapbox. Here below is AG Rosenblum’s post. Sign up for her alerts here. 

 


Was your information exposed in the Yahoo data breach?

Yahoo has confirmed data “associated with at least 500 million user accounts” has been stolen in what may be one of the largest cybersecurity breaches ever.

The stolen data may include names, email addresses, telephone numbers, dates of birth, passwords, as well as security questions and answers.

“This latest hacking ‘bombshell’ — and the huge number of people affected by it — is a real reminder of something we often don’t take the time to do: We must be vigilant about changing our email passwords regularly! If you use any Yahoo product, you should make sure you change your password immediately, and closely monitor any credit cards associated with your account,” Attorney General Rosenblum said.

If you use Yahoo services and have an account with Yahoo, you should do the following as soon as possible:

  • Change your Yahoo password, as well as your Yahoo secret questions and answers; and
  • If you reused any passwords, secret questions and answers from your Yahoo account to any other account (Gmail, Hotmail, etc.), change that information in those accounts as well.

In addition, Oregonians who have shopped and used a debit or credit card on a Yahoo account, or on a Yahoo web service, should:

  • Monitor your credit report. Visit www.annualcreditreport.com or call 1-877-322-8228 to order a free credit report and review it for errors.
  • Avoid clicking on links or downloading attachments from suspicious emails. Yahoo will be contacting affected users about this issue, but these emails will not ask you to click on any links or contain attachments and Yahoo will not ask for your personal information.
  • Beware of “phishing” (the activity of posing as a legitimate company to gain access to financial accounts) attempts and unsolicited calls or emails offering credit monitoring or identity theft services. These offers are attempts to steal your personal information.

If you find unexplained activity on your credit report or if you believe you are a victim of a “phishing” scam, there are important steps you can take to protect yourself. Contact the Attorney General’s consumer hotline at 1-877-877-9392, review the Attorney General’s website – www.oregonconsumer.gov – for information on identity theft, or view the Federal Trade Commission’s identity theft resource, available at www.consumer.gov/idtheft/.
Thank you, Attorney General Rosenblum!

copyright September 23, 2016 Sheila Blackford

Tags: Client relations, Cybersecurity, Ethics, Technology

Acting Competently: Complying with data security laws

by Sheila Blackford ©2016

Lawyers have a fiduciary duty to preserve client confidentiality that has long been codified in Oregon under ORPC 1.6 Confidentiality of Information. Over the past quarter of a century, paper-based client files have become electronic files. The need to protect electronic client records has only become more imperative as lawyers transmit and store their client files on the Internet.

ORPC 1.6 (7) (c):

A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

ABA Model Rule 1.6 Comments 18 and 19:

Acting Competently to Preserve Confidentiality

[18] Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules. For a lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm, see Rule 5.3, Comments [3]-[4].

[19] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule. Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.

DATA BREACH.

The words should fill you with dread. Then you will have the proper mindset to address the necessary protections so that you can prevent a data breach, or at least ensure that if data is breached it has been rendered unreadable because it is encrypted. Note the qualifier in the statutory definition below: encrypted data that is stolen together with its encryption key is still personal information, so the key must be kept separate from the data it protects and guarded at least as carefully.

Two phrases to pay attention to: breach of security and personal information. Both are defined terms in the Oregon Identity Theft Protection Act, ORS §§646A.600-646A.628.

What is a breach of security?

ORS §646A.602 (1)(a) “Breach of security” means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person.

What is encryption?

ORS §646A.602 (6) “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

What is personal information?

ORS §646A.602 (11) “Personal information”:

(a) Means a consumer’s first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired:

(A) Social Security number;

(B) Driver license number or state identification card number issued by the Department of Transportation;

(C) Passport number or other United States issued identification number; or

(D) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account.

(b) Means any of the data elements or any combination of the data elements described in paragraph (a) of this subsection when not combined with the consumer’s first name or first initial and last name and when the data elements are not rendered unusable through encryption, redaction or other methods, if the information obtained would be sufficient to permit a person to commit identity theft against the consumer whose information was compromised.

(c) Does not include information, other than a Social Security number, in a federal, state or local government record that is lawfully made available to the public.

How do we develop safeguards for this personal information?

Requirement to Develop Safeguards for Personal Information, ORS §646A.622

646A.622 Requirement to develop safeguards for personal information; conduct deemed to comply with requirement. (1) Any person that owns, maintains or otherwise possesses data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation or volunteer activities must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including disposal of the data.

(2) The following shall be deemed in compliance with subsection (1) of this section:

(a) A person that complies with a state or federal law providing greater protection to personal information than that provided by this section.

(b) A person that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on October 1, 2007.

(c) A person that is subject to and complies with regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) as that Act existed on October 1, 2007.

(d) A person that implements an information security program that includes the following:

(A) Administrative safeguards such as the following, in which the person:

(i) Designates one or more employees to coordinate the security program;

(ii) Identifies reasonably foreseeable internal and external risks;

(iii) Assesses the sufficiency of safeguards in place to control the identified risks;

(iv) Trains and manages employees in the security program practices and procedures;

(v) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and

(vi) Adjusts the security program in light of business changes or new circumstances;

(B) Technical safeguards such as the following, in which the person:

(i) Assesses risks in network and software design;

(ii) Assesses risks in information processing, transmission and storage;

(iii) Detects, prevents and responds to attacks or system failures; and

(iv) Regularly tests and monitors the effectiveness of key controls, systems and procedures; and

(C) Physical safeguards such as the following, in which the person:

(i) Assesses risks of information storage and disposal;

(ii) Detects, prevents and responds to intrusions;

(iii) Protects against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information; and

(iv) Disposes of personal information after it is no longer needed for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.

(3) A person complies with subsection (2)(d)(C)(iv) of this section if the person contracts with another person engaged in the business of record destruction to dispose of personal information in a manner consistent with subsection (2)(d)(C)(iv) of this section.

(4) Notwithstanding subsection (2) of this section, a person that is an owner of a small business as defined in ORS 285B.123 (2) complies with subsection (1) of this section if the person’s information security and disposal program contains administrative, technical and physical safeguards and disposal measures appropriate to the size and complexity of the small business, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers. [2007 c.759 §12]

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Patients have federal legal rights regarding their protected health information. We sign privacy forms every time we go to the doctor’s office, treatment clinic, or hospital. It is doubtful that the average lawyer, let alone the average person, has ever read the HIPAA rule, which runs to nearly 700 pages. Where this affects lawyers is when the lawyer acts as a business associate of a health care provider or other covered entity, that is, receives protected health information in order to provide services to it; the same is true of other professionals, such as CPAs, who do work for covered entities.

HIPAA in Oregon. Oregon recognizes a number of health care provider/patient privileges, including the right to prevent others from disclosing communications made to the health care provider for the purposes of diagnosis and treatment. See OR. REV. STAT. §§40.230, 430.235. Remember that federal privacy regulations under HIPAA preempt state law unless the pertinent state law is more stringent. See 65 Fed. Reg. 82,462, 82,464.

Lawyers need to be careful with individually identifiable health information. The best way to protect confidential client data: ENCRYPTION. Encrypting data which is then properly backed up and stored is the easiest way to begin fulfilling your obligations under HIPAA and under ORPC 1.6.

Gramm-Leach-Bliley Act 15 U.S.C. §§ 6801-6809 and §§ 6821-6827, as amended

Under the Gramm-Leach-Bliley Act, financial institutions must protect the privacy of consumers’ personal financial information. This is why your financial institution provides you with annual notice of its privacy policies, and why it must give notice and an opportunity to opt out before disclosing any of the consumer’s personal financial information to an unaffiliated third party.

For lawyers, consider that your client files contain personal financial information, such as credit card numbers and bank account numbers. There are any number of reasons you may hold copies of your clients’ financial account statements, loan applications, tax returns, and the financial documents used in bankruptcies and in dissolutions of marriages and business partnerships. How are you protecting the confidentiality of this information? Where are you storing it?

The best way to protect confidential client data: ENCRYPTION. Encrypting data which is then properly backed up and stored is the easiest way to begin fulfilling your obligations under the Gramm-Leach-Bliley Act and under ORPC 1.6.

Tags: Cybersecurity, Email, Law Practice Management, Technology

Watch and Authenticate Email Sender Before Opening an Attachment

by Sheila Blackford ©2016

Senders of malware are tricky, but lawyers and their staff are smart enough to thwart the sender’s efforts.

Recently a colleague here at the PLF was contacted by a concerned Oregon lawyer who had received an emailed eCourt notice that turned out to be fake and was trying to deliver an attachment carrying a virus. The facts are instructive.

Lawyer had an upcoming hearing in Lawyer’s local county court. Let’s say the date of the court appearance was May 18, 2016. The reminder purported to be from the local county court, providing a reminder of the upcoming hearing. The date was accurate. The attachment was labelled “Court Notice.” Lawyer’s virus scanner detected this email as a problem and flagged it as a virus. Although the email ‘said’ it was from the county court, the domain name was completely different. Lawyer did not open that “Court Notice,” which would have launched the virus. Lawyer called to share the lesson.

What is the lesson? You can never be too careful with email attachments and emailed hyperlinks. Spoofers pretend to be legitimate organizations. But if you look closely, you can catch the spoof, whether because the domain name doesn’t match or because the email message reads a bit off. It calls for paying closer attention. For example, Multnomah County Circuit Court (Oregon’s 4th Judicial District) has a very nice website: http://courts.oregon.gov/Multnomah/Pages/index.aspx. A specific judge at Multnomah County Circuit Court would have an email address that looks like this: FirstName.LastName@ojd.state.or.us. Don’t rely on the display name; look at the actual email address and confirm it comes from the expected domain, spelled exactly, not a look-alike that differs by a character or two.

My email may show up in your inbox as coming from ‘Sheila M. Blackford’, but if you click on the name you will see my actual email address, SheilaBatOSBdotPLFdotORG, and its domain. I really don’t like spam or malware in my inbox. That’s why my email address is spelled out with the punctuation written in words in the previous sentence. There are robots that harvest email addresses from the Internet, so I wanted to be careful here.

A lesson about attachments: be careful before opening any attachment. It could be malware, not what you are expecting. Hopefully your malware protection software will flag it. But it may not. Unless you are deliberately downloading a program from a verified, trusted site, you should never open a file that ends in .exe. CAVEAT: be certain that you are downloading a safe program from a legitimate website, such as downloading Windows 10 from Microsoft.com. Microsoft Word 2016 documents end in .docx; a .docm extension means the document can carry macros, which is exactly the vehicle the ransomware alert below warns about. Watch also for a double extension such as “Court Notice.pdf.exe”, which is an executable no matter what the first extension says. You may notice that your malware protection software provides an option to scan a document before opening it.
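The two checks the paragraphs above ask a reader to do by eye, look past the display name to the real address and its domain, and refuse an attachment with an executable extension, can be written down as a small filter. The block below is an added example, not code from the post or the PLF: the two messages it parses are constructed, and the table mapping a court’s display name to the domain its mail should come from is an assumption for illustration (the ojd.state.or.us domain is the one the post cites).

```python
# Added example (not code from the post): check an inbound message the way the
# post tells a reader to read it by eye.  The sample messages are constructed,
# and EXPECTED_DOMAINS is an assumption for illustration.
import email
from email import policy
from email.utils import parseaddr
import ntpath

# Assumption: which mail domain a given institution named in a display name
# should come from.  ojd.state.or.us is the domain the post cites for OJD judges.
EXPECTED_DOMAINS = {
    "multnomah county circuit court": "ojd.state.or.us",
    "oregon judicial department": "ojd.state.or.us",
}

# Extensions a court notice would never legitimately carry.  A double extension
# such as "Court Notice.pdf.exe" still ends in one of these.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".vbe", ".ps1", ".hta", ".jar"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}


def check_sender(msg):
    """Return a list of reasons the From: header looks spoofed (empty if none)."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ["From: header carries no usable address"]
    reasons = []
    for institution, expected in EXPECTED_DOMAINS.items():
        if institution in name.lower():
            # Accept the exact domain or a subdomain of it; anything else is a
            # display name borrowing a court's identity for a foreign domain.
            if domain != expected and not domain.endswith("." + expected):
                reasons.append(
                    f"display name claims {institution!r} but address is @{domain}")
    return reasons


def check_attachments(msg):
    """Return (filename, reason) for each attachment a reader should not open."""
    findings = []
    for part in msg.iter_attachments():
        # basename strips any path a mail client may have left in the name;
        # splitext looks only at the final extension, so "x.pdf.exe" is ".exe".
        filename = ntpath.basename(part.get_filename() or "")
        _, ext = ntpath.splitext(filename.lower())
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((filename, f"executable extension {ext}"))
        elif ext in MACRO_EXTENSIONS:
            findings.append((filename, "macro-enabled Office document"))
    return findings


def assess(raw_bytes):
    """Parse a raw RFC 5322 message and return both sets of findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return {"sender": check_sender(msg), "attachments": check_attachments(msg)}


# Constructed sample: a fake court reminder of the kind described in the post.
SPOOFED_NOTICE = b"""From: "Multnomah County Circuit Court" <notices@court-reminder.example.net>
To: lawyer@example.org
Subject: Hearing reminder - May 18, 2016
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your hearing is scheduled for May 18, 2016. Please see the attached Court Notice.
--b1
Content-Type: application/octet-stream; name="Court Notice.pdf.exe"
Content-Disposition: attachment; filename="Court Notice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed sample of what a genuine notice looks like under the post's
# description: expected domain, non-executable attachment.
GENUINE_NOTICE = b"""From: "Multnomah County Circuit Court" <first.last@ojd.state.or.us>
To: lawyer@example.org
Subject: Hearing reminder - May 18, 2016
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Your hearing is scheduled for May 18, 2016.
--b2
Content-Type: application/pdf; name="Court Notice.pdf"
Content-Disposition: attachment; filename="Court Notice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_NOTICE), ("genuine", GENUINE_NOTICE)):
        print(label, assess(raw))
```

This reads only what the sender wrote into the headers, so it catches the case in the post (a display name that does not match the address domain) but cannot prove a matching address is genuine; that takes the receiving mail server's own checks on the message, which the post does not cover. Treat it as a first filter, not as authentication.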

I will never forget my own malware experience while in law school at University of the Pacific, McGeorge School of Law. I was about 80% done with the law review article to be submitted for making law review. It was good. Past tense. When I booted up to finish the last 20%, a virus executed and wiped everything out. Everything. Ah! I tried to reconstruct that article, which took hours and hours. Sleepless in the Bay Area, my husband volunteered to drive me the 3 hours to get to law school in Sacramento on time to turn it in at the last minute. But it bore a poor resemblance to the article I had lost. I did not make the main law review journal. I did not make the second tier law review journal. I ended up as an editor on the California Initiative Review. Better than nothing, but a bummer. Sad story, huh? But malware could have even worse consequences for you lawyers. Seriously, think of what it would mean if your hard work was destroyed. AH! So be careful. You don’t need to learn lessons the hard way.

Be safe.


Tags: Cybersecurity, Fraud & Embezzlement, Law Practice Management, Technology

Ransomware Alert: 7 Prevention Considerations

by Sheila Blackford ©2016

It is time to be scared about ransomware, but not paralyzed by fear. The bad news is that there are more cases of ransomware, malware that seizes control of your data, encrypts it, and then demands a ransom for the key to decrypt it, though many victims are finding that paying the ransom is no guarantee of getting the data back. The good news is that there are things you can do proactively to protect your data, and that is empowering.

The FBI requested that the ABA share its Private Industry Notification cybersecurity alerts with the legal community. I want you to read this ransomware alert and then do at least one of its recommendations, but I honestly hope you will be scared enough to do them all. To sign up to receive future alerts, use this link to the ABA: https://shop.americanbar.org/eBus/MyABA/MyLists.aspx

“While the FBI normally recommends organizations invest in measures to prevent, detect, and remediate cyber exploitation, the key areas to focus on with ransomware are prevention, business continuity, and remediation.”

7 Prevention Considerations from the FBI:

1.  Focus on awareness and training. Since end users are targeted, employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.

2.  Patch the operating system, software, and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralized patch management system.

3.  Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.

4.  Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary; and they should operate with standard user accounts at all other times.

5.  Implement least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Configure access controls with least privilege in mind.

6.  Disable macro scripts from office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications.

7.  Implement software restriction policies (SRP) or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.
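Item 7 is the one most often got wrong in practice, because a path rule is only as good as the path comparison behind it. The block below is an added example, not code from the post or from the FBI notification: it models a software-restriction-style policy of the kind item 7 describes, denying execution from user-writable temp and AppData locations and allowing it from installation directories, and runs it over process-start paths that a naive string comparison would misjudge. The rule lists, the user environment and the sample events are all constructed for illustration.

```python
# Added example (not from the post or the FBI notification): evaluate process
# image paths against a software-restriction-style path policy.  Rule lists,
# USER_ENV and SAMPLE_EVENTS are constructed for illustration.
import ntpath
import re

# Deny rules are checked first, so a temp folder inside an otherwise allowed
# tree (C:\Windows\Temp) is still blocked.  %VAR% expands per user session.
DENY_LOCATIONS = [
    r"%LOCALAPPDATA%\Temp",        # %TEMP% for an interactive user
    r"%LOCALAPPDATA%",             # browser cache and download staging live here
    r"%APPDATA%",
    r"%USERPROFILE%\Downloads",
    r"C:\Windows\Temp",
]
# Allow rules for where installed software legitimately runs from.
ALLOW_LOCATIONS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]


def expand(template, env):
    """Replace %VAR% with env['VAR']; unknown variables are left as written."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), template)


def normalize(path):
    """Canonical form for comparison: '..' collapsed, '/' turned into '\\',
    lower-cased because NTFS path lookup is case-insensitive."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, root):
    """True if path is root itself or lies inside it (separator-aware, so
    'C:\\Program Files (x86)' is not mistaken for 'C:\\Program Files')."""
    p, r = normalize(path), normalize(root)
    return p == r or p.startswith(r.rstrip("\\") + "\\")


def decide(image_path, env):
    """Return ('deny', rule) or ('allow', rule).  The first matching deny rule
    wins, then the allow list; anything unmatched is denied (default-deny)."""
    for rule in DENY_LOCATIONS:
        if is_under(image_path, expand(rule, env)):
            return "deny", rule
    for rule in ALLOW_LOCATIONS:
        if is_under(image_path, rule):
            return "allow", rule
    return "deny", "default"


def audit(image_paths, env):
    """Run decide() over a batch of process-start image paths."""
    return [(p, *decide(p, env)) for p in image_paths]


# Constructed environment of one user session.
USER_ENV = {
    "USERPROFILE": r"C:\Users\lawyer",
    "APPDATA": r"C:\Users\lawyer\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\lawyer\AppData\Local",
}

# Constructed process-start events; the odd spellings are the evasions a naive
# string comparison would miss.
SAMPLE_EVENTS = [
    r"C:\Users\lawyer\AppData\Local\Temp\Court Notice.exe",
    r"C:/Users/lawyer/APPDATA/Roaming/svchost.exe",                 # slashes, case
    r"C:\Program Files\..\Users\lawyer\AppData\Local\Temp\a.exe",   # '..' escape
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"C:\Windows\Temp\update.exe",
    r"D:\tools\unknown.exe",
]

if __name__ == "__main__":
    for path, verdict, rule in audit(SAMPLE_EVENTS, USER_ENV):
        print(f"{verdict:5} {rule:24} {path}")
```

On a real host the operating system enforces SRP or AppLocker rules at image load; this model is useful for auditing process-creation logs against the same rule set, and for seeing why the rules must be compared on a normalized path rather than on the string the event happened to record.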