Spears Legal Technology


This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

Wireless Live CD Alternative: ZeusGard

Brian Krebs discusses ZeusGard, a small USB flash drive that boots the PC into its own operating system and a usable browser within about 30 seconds, bypassing whatever banking malware, such as Zeus or one of its variants, may be installed on the hard drive. It defends against malware on the machine's own disk, not against compromised firmware or interception on the network, so it complements rather than replaces the bank's authentication controls.

Zeusgard allows you to safely bank online from any machine — even from a system that is already riddled with malware. That’s because it lets you boot your existing PC into an entirely different operating system. Even better, it is capable of connecting to the wireless network.

Priced at $40 for both the flash drive and the wireless adapter, it may be a perfect tool for small to medium-sized businesses who conduct online banking.


2014: The Year Extortion Went Mainstream

Another must-read article from Brian Krebs. After discussing an ill-conceived and amateurish blackmail effort against restaurant owners, Krebs takes a closer look at why we are seeing an increase in reported extortion attempts:

Fueled largely by the relative anonymity of cryptocurrencies like Bitcoin, extortion attacks are increasingly being incorporated into all manner of cyberattacks today. Today’s thieves are no longer content merely to hijack your computer and bandwidth and steal all of your personal and financial data; increasingly, these crooks are likely to hold all of your important documents for ransom as well.

“In the early days, they’d steal your credit card data and then threaten to disclose it only after they’d already sold it on the underground,” said Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training firm. “But today, extortion is the fastest way for the bad guys to make money, because it’s the shortest path from cybercrime to cash. It’s really a great crime for the criminals.”



Ruling Raises Stakes for Cyberheist Victims

Small businesses take heed: Depending on the terms of your bank account you may be responsible for fraudulent ACH transfers. Background information is available here and here.

Regulatory agencies and courts need to start recognizing true two-factor authentication as more than mere guidance for high-risk transactions. Two passwords typed on the same infected PC are still a single factor: the malware that captures one credential captures the other just as easily. Holding the plaintiffs responsible for the banks’ legal fees on top of losing their funds will have a chilling effect on future lawsuits.

BancorpSouth’s most secure option for Internet-based authentication at the time was “dual control,” which required the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer chose not to use dual control — required one user ID and password to both approve and release a wire transfer.

Choice Escrow’s lawyers argued that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.

A trial court was unconvinced, and last week the 8th Circuit Court of Appeals found essentially the same thing, while leaning even more toward the defendants.



Cyber Insurance May Assist in Addressing Risk Posed by OpenSSL Vulnerabilities and Malware

The Department of Justice estimates that the GameOver Zeus malware has infected between 500,000 and 1,000,000 computers and so far caused “direct and indirect losses to consumers and businesses exceeding $100 million.” Antivirus software alone does not always prevent such infection; a leading antivirus developer recently stated that, as a result of advances in malicious code, antivirus software is now “dead.”

With technology capable of providing only partial security solutions, a proactive approach to address cyber risk should include evaluation of risk transfer mechanisms, such as insurance. In April 2014, members of Hunton & Williams LLP’s Insurance Counseling and Litigation and Global Privacy and Cybersecurity practices participated in a webinar regarding cyber insurance, discussing the nature of cyber risk and possible insurance solutions.

Listen to a recording of the seminar.


Breaches Take 7 Months to Detect; 67% of Companies Are Informed by a Third Party

Via CSO:

There is room for improvement – vast improvement – in the detection of breaches. A large majority of enterprises fail to detect breaches on their own – they find out about them from somebody else, as a couple of recent reports show.

The security firm Mandiant, now part of FireEye, reported recently that while the average time it took to detect breaches declined slightly from 2012 to 2013, from 243 to 229 days (more than seven months), the number of firms that detected their own breaches actually dropped, from 37% to 33%.

The results in a report from security firm Trustwave were more encouraging, at least for the time between intrusion and detection – it found the median was 87 days. But the ability of firms to detect malware in their systems on their own was only 29%, which Karl Sigler, Trustwave’s manager of threat intelligence, called “just a horrible statistic in general.”



eBay Demonstrates How Not to Respond to a Huge Data Breach

Companies need to have an incident response plan in place before the breach occurs. This kind of publicity only makes an already bad situation worse.

In the wake of eBay’s revelation earlier this week that it had lost as many as 145 million customers’ data, eBay users and security response professionals say they’ve been increasingly angered and amazed at the company’s ham-fisted public response to an incident that’s already sparked multiple government investigations. EBay’s mistakes include taking days to post a notice about the breach on eBay.com and confusing users as to whether their PayPal accounts had also been affected. As of Friday afternoon, many–if not the majority–of the site’s users still had received no email notification about the breach.

“It just seems like their response has been complete disarray and disorganization,” says Dave Kennedy, the CEO of security consultancy and breach response firm TrustedSec. “This is one of the worst responses I’ve seen in the past ten years from a company that’s experienced a breach.”



Network Engineer Sentenced to Four Years for Destroying Company Data

Having a written Employee Termination Checklist designed to flag the many operational issues involved in wrapping up an individual’s employment with the company is not only common sense, it’s an important part of a holistic data protection strategy.

Before his access to EnerVest was terminated, Mitchell went to the office after business hours, disconnected critical pieces of computer-network equipment and disabled the equipment's cooling system. EnerVest was unable to fully communicate or conduct business operations for nearly 30 days.

The company spent hundreds of thousands of dollars trying to recover historical data from its network servers. Some data was lost forever.



‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys

Oh my. The potential ramifications...

This vulnerability is unusual because the order of remediation matters. If a site's keys and certificates have to be replaced, users must wait to change their passwords until they have confirmed that the site has both patched OpenSSL and installed a new key and certificate. Otherwise the new password travels over a connection that can still be read, and is exposed just like the old one. Note that reissuing the certificate alone is not enough: a certificate reissued for the same private key leaves the leaked key in service.

Jaime Blasco, director of AlienVault Labs, said this bug has “epic repercussions” because not only does it expose passwords and cryptographic keys, but in order to ensure that attackers won’t be able to use any data that does get compromised by this flaw, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library.
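One way to check whether a provider actually re-keyed before you change your password is to compare the certificate the site served before the patch with the one it serves now. The Go program below is an added example, not code from Krebs's article or from any vendor it mentions. It hashes each certificate's SubjectPublicKeyInfo, so a certificate that was reissued but still wraps the old private key is flagged as not rotated. The certificates are self-signed test data generated in-process, the host name bank.example and the patch timestamp are hypothetical, and the NotBefore comparison assumes the issuance time roughly reflects when the new certificate was obtained.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// RotationStatus records what changed between the certificate a site served
// before it patched OpenSSL and the certificate it serves now.
type RotationStatus struct {
	CertReissued         bool // the certificate bytes differ
	KeyRotated           bool // the public key differs, so a new private key was generated
	IssuedAfterPatch     bool // the new certificate's NotBefore is later than the patch time
	SafeToChangePassword bool // KeyRotated && IssuedAfterPatch
}

// spkiFingerprint hashes the SubjectPublicKeyInfo. Two certificates with the
// same fingerprint wrap the same key pair, so a reissued certificate with a
// matching fingerprint still uses the private key Heartbleed may have leaked.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// CheckRotation compares the pre-patch certificate with the current one.
// patchedAt is when the operator says the vulnerable OpenSSL was replaced.
// CAs may backdate NotBefore slightly, so IssuedAfterPatch is only a sanity
// check; KeyRotated is the decisive signal.
func CheckRotation(before, after *x509.Certificate, patchedAt time.Time) RotationStatus {
	st := RotationStatus{
		CertReissued:     !bytes.Equal(before.Raw, after.Raw),
		KeyRotated:       spkiFingerprint(before) != spkiFingerprint(after),
		IssuedAfterPatch: after.NotBefore.After(patchedAt),
	}
	st.SafeToChangePassword = st.KeyRotated && st.IssuedAfterPatch
	return st
}

// issue builds a self-signed certificate for key. This is constructed test
// data standing in for certificates captured from a real server.
func issue(key *ecdsa.PrivateKey, serial int64, notBefore time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "bank.example"}, // hypothetical host name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo reproduces the two outcomes seen after Heartbleed: a certificate
// reissued for the old key, and one issued for a freshly generated key.
// The patch time is hypothetical.
func Demo() (keyReused, keyRotated RotationStatus, err error) {
	patchedAt := time.Date(2014, time.April, 8, 12, 0, 0, 0, time.UTC)
	oldKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	before, err := issue(oldKey, 1, patchedAt.AddDate(0, -3, 0)) // served before the patch
	if err != nil {
		return
	}
	sameKey, err := issue(oldKey, 2, patchedAt.Add(2*time.Hour)) // reissued, old key reused
	if err != nil {
		return
	}
	freshKey, err := issue(newKey, 3, patchedAt.Add(2*time.Hour)) // reissued with a new key
	if err != nil {
		return
	}
	return CheckRotation(before, sameKey, patchedAt), CheckRotation(before, freshKey, patchedAt), nil
}

func main() {
	reused, rotated, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("reissued with old key: %+v\n", reused)
	fmt.Printf("reissued with new key: %+v\n", rotated)
}
```

In practice the "before" certificate comes from a capture or a certificate-transparency log and the "after" certificate from a fresh connection; the fingerprint comparison is what catches the common mistake of renewing the certificate without generating a new key.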



HIPAA Omnibus Rule Released

It’s been a long wait, but the HIPAA Omnibus Rule has arrived, and it is big, weighing in at over 500 pages.

Mintz Levin has created a handy reference chart detailing the changes from the 2009 update, or you can download the entire rule here. Business Associates (and your subcontractors), take note.


Online Service Offers Bank Robbers for Hire

Via Brian Krebs:

The proprietors of this service say it will take 40-45 percent of the value of the theft, depending on the amount stolen. In a follow-up Q&A with potential buyers, the vendors behind this service say it regularly moves $30,000 – $100,000 per day for clients. Specifically, it specializes in cashing out high-dollar bank accounts belonging to hacked businesses, hence the mention high up in the ad of fraudulent wire transfers and automated clearinghouse or ACH payments (ACH is typically how companies execute direct deposit of payroll for their employees).



Expectation of Privacy Regarding Emails Among Business Co-Owners

Citing a test to measure an employee's expectation of privacy in email on an employer's server, a Minnesota court held that a co-owner of a limited liability company had a reasonable expectation of privacy for personal email on the company's server because he had divided his email account into personal and business files.

You can read more about the case


Borders' Customer Data Will Not Disappear With The Company


With all the attention on the closing of the almost 400 remaining Borders stores, the chain's IT jewel—purchase history and other CRM data on tens of millions of its customers—is still to be sold to the highest bidder. When that happens, any privacy promises Borders made to loyalty-program customers are out the window.



Does HIPAA Apply To ISPs That Transmit Health Information?

In 2009, the HITECH Act expanded HIPAA's reach to include "Business Associates" (BAs) of the health care provider. A BA is defined as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."

Under this analysis, are ISPs also governed by HIPAA regulations? It depends, according to Adam Greene and Michael Sloan of the law firm Davis Wright Tremaine. While the Department of Health and Human Services has stated the BA tag does not apply to entities serving as "conduits" by transmitting data from one location to another, Greene and Sloan suggest that ISPs that provide additional services may still reach BA status.

[T]o the extent a telecommunications carrier stores protected health information (PHI) by offering Internet access and related data services, it potentially faces obligations under HIPAA as a business associate. For example, an ISP may provide a limited number of e-mail accounts to all customers. If a small health care provider maintains unencrypted protected health information on an e-mail account where the emails are stored on an ISP’s servers, then this may take the ISP outside of the conduit exception and the ISP may become a business associate of the covered entity.

Greene and Sloan recommend that ISPs:

  • Evaluate whether they are maintaining health information;
  • Determine whether they are a business associate under HIPAA; and
  • Assess whether a HIPAA-specific compliance program is required to meet existing requirements.

Read the whole advisory here.

This reasoning also applies to companies that provide network hardware for health care providers. When connectivity issues occur, these vendors may receive patient data in the form of packet captures (tcpdump output) or other network monitoring data. According to HHS, if that data qualifies as identifiable PHI, then vendors should secure its transmission and storage.


PCI Mobile Payment Guidelines At Least 10 Months Away

First, a bit of background for those that might be new to PCI:

The PCI Security Standards Council (PCI SSC) was formed in 2006 by five global payment companies: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. These five companies agreed to adopt the PCI Data Security Standard (PCI DSS) to provide technical and operational requirements for protecting cardholder data. Generally these requirements are not laws, but are enforceable under private contract and stipulated by each card brand. A few states, however, including Minnesota, have written components of the PCI DSS into law.

But as technology evolves, so must the standards. One major development has been the emergence of mobile payment options. As retailers like Starbucks busily develop their own mobile payment applications, the PCI SSC must now formulate a strategy to deal with the changing environment. According to the website Storefront Backtalk, that evaluation may take a while:

Even if the 10 months estimate is correct—and it certainly sounds reasonable—that’s the earliest point for the guidelines to be released. It will still be many months after that before it would be the law of payment and potentially more months after that before compliant applications are available, not to mention compliance with carriers, handsets, chips, readers and all the other elements of the just-barely-already-defined mobile-payment infrastructure.

In the meantime, retailers are sure to continue developing their mobile payment systems in spite of this uncertainty. Evan Schuman from Storefront Backtalk provides an excellent analysis of the pros and cons related to moving forward without PCI standards in place. It's worth reading the entire article.

UPDATE (6/24): Schuman now reports that there may be an interim fix before the end of summer.

How the Stolen Card Market Works

Walt Conway at PCI DSS News and Information for Higher Education points out a couple of interesting reports on NPR last Friday. Each covers much of the same ground, but they provide some interesting background regarding the market for stolen credit cards. Here are the links:

How to Buy a Stolen Credit Card (NPR, 6/17/2011)

The FBI Agent who Broke the Black Market (NPR, 6/17/2011)

Conway also links to a PlanetMoney podcast on the dark market and how credit cards get stolen and fenced, summing up the issue in two sentences: "The bad guys are out there. They go for credit cards because (of course) that's where the money is."

Finally I recommend reading Kimberly Kiefer Peretti's 2008 law review article on the topic. Peretti is the former Senior Counsel with the United States Department of Justice's Computer Crime & Intellectual Property Section (CCIPS).


LulzSec for Hire?

From PC World:

Have you ever felt so angry at a company that you wished its website was hacked to shreds, but you didn't have the technical expertise required? Here comes LulzSec to the rescue. The marauding hackers, with their huge and growing list of conquests -- including PBS, the FBI and the U.S. Senate, pornography and gaming sites, and most of all, Sony -- opened a hack request line during their latest merry jaunt, Titanic Takeover Tuesday.


Question to Technology Attorney Benjamin Wright: Is It Time To Revisit UCC 4A?

I have previously discussed how viruses pose increased risks of electronic fund transfer (EFT) fraud for small businesses that conduct online banking. In those posts I noted that commercial transfers are generally governed by Uniform Commercial Code Article 4A, specifically UCC §§4A-201-204. §4A-202(b) says that all payment orders, authorized or not, will be allowed once a bank and its customer have agreed on a security procedure for their authenticity so long as: (1) the bank's security procedure is "commercially reasonable", and (2) the payment order was accepted by the bank in good faith and in compliance with their agreement with the customer.

This week a Maine District Court tackled the issue of whether a bank that lost customer funds had a "commercially reasonable" security procedure in place. Brian Krebs, who has been in front of this story from the beginning, summarizes the case and the bank's security measures at the heart of the dispute here.

In light of the Maine ruling, I sought the opinion of Benjamin Wright, a long-time technology attorney and author of several books on technology law. In 1993 Mr. Wright wrote an extensive article on the ways UCC 4A balances the interests and risks of the banks with the interests and risks of the business consumer. However, in January of 2010 he posted that he may need to update his views in light of risks related to EFT fraud.
So I asked Mr. Wright his opinion on the following: if the Maine ruling reflects the trend for the future, has UCC 4A's balance shifted too far against business customers?

Mr. Wright was gracious enough to respond with an update (including my actual question, which was much longer) at the bottom of his original post. In short he suggests that it may be time to revisit UCC 4A in order to align it more closely to the modern business banking environment. He also proposes that it may be better to split the loss between the parties according to the degree of negligence by each party.

That seems like a logical solution, though I suspect that determining the standards by which the degree of negligence is calculated will be a painful process indeed.

I strongly encourage you to read the entire article, and thanks to Mr. Wright for his time and thoughtful response.


Proposed HITECH Accounting of Disclosures Rule Generates Controversy

The HITECH Act, passed in 2009, made available incentive money through Medicare and Medicaid reimbursements for health care providers to adopt and meaningfully use certified electronic health record technology. To ensure patient privacy and protect the integrity of the electronic medical record, HITECH also strengthened existing HIPAA privacy and security regulations in a number of ways. One of these ways was to seek to hold health care providers accountable by providing patients the right to know how their health information has been used or disclosed.

On Tuesday the first rule toward reaching that goal was proposed by the Department of Health and Human Services, and it is generating some controversy. The proposal would grant the patient the right to request an access report, documenting the specific individuals who electronically accessed and viewed their protected health information (PHI). Physical access to PHI would not be covered. The proposed rule also includes a provision that the health care provider or business associate must detail the reason PHI was disclosed to a third party, such as law enforcement, judicial proceedings and public health.

Not everyone is pleased with the proposed rule's requirements. Some are suggesting that in order for many health care providers to comply, the rule effectively mandates implementing new technology and processes that were previously voluntary. Others suggest these steps should have been taken long ago under existing HIPAA rules.

My take: The proposed rule would be a big change for providers that have not taken the protection of patient data seriously. But the impact of the rule reaches far beyond the practices of health care providers, because the HITECH Act also extended HIPAA's scope to include business associates. That means insurance companies, vendors and other third party associates must also be able to account for how they disclose patient data. For organizations that were not governed by HIPAA until 2009, this may represent a significant change in business practice. The one caveat is that the patient rights only apply to PHI maintained in a designated record set as defined in 45 CFR §164.501. Business associates that possess patient data not part of a designated record set need not account for the disclosure.

It will be interesting to see how this plays out. Even if the rule isn't passed as written, health care providers need to take a hard look at the systems in place to protect patient data because this issue isn't going away.

Image credit: kilokilo at www.sxc.hu.

Jim Tressel Reminds Us About the Dangers of Email

Like so many other college football fans across the country, for the last several months I have been closely watching Ohio State's difficulties with the NCAA. Things came to a head on Monday as legendary-but-embattled head coach Jim Tressel's tenure at Ohio State officially came to an end.

For those who don't know the story, Tressel's unraveling began in April of 2010 when former Buckeye Christopher T. Cicero emailed the coach that players were selling memorabilia to Edward Rife, a local tattoo parlor owner who currently faces federal charges of drug trafficking and money laundering. Cicero, an attorney, eventually exchanged 12 emails with Tressel on the topic. If true, the players' behavior would be in violation of NCAA rules.

Then, in September of 2010 Tressel effectively lied to the NCAA by signing a compliance form stating that he knew of no NCAA infractions committed by the Buckeyes. No players were suspended for any part of the 2010 season, but in December of 2010 the U.S. Attorney's Office notified Ohio St. that player memorabilia was found during a raid of Rife's home. Five players were eventually suspended for five games of the 2011 season, but allowed to play in the Sugar Bowl. Before the bowl game Tressel lied again and said the notice from the U.S. Attorney's Office was the first time he had heard of players selling their memorabilia.

He would have gotten away with the lies too, if it weren't for those meddling emails. In January of 2011 the Ohio St. legal affairs department discovered Tressel's email exchanges with Cicero while seeking information in an effort to reduce the players' suspensions.

I am consistently amazed at how people treat their work email as if it were an unrecorded phone conversation. Even people who should know better have forgotten from time to time. So consider this another public reminder that employers and employees alike should understand that emails can be stored for a long time, whether or not they have been deleted from the computer of the sender.

Though social media, smartphones, instant messaging, peer-to-peer networks and other modern communication tools have recently garnered the attention of businesses and HR-types, a good email policy shouldn't be overlooked. Some things to include:

  • Employers' email, Internet and network resources are meant for legitimate business purposes only.
  • Email sent from business computers or while using business networks may not be private.
  • The employer may potentially access or disclose data found on company resources.

There's more of this type of common-sense language that can be included to meet any business environment. These concepts aren't new, and they aren't rocket science. But crises like Ohio State's current predicament can flare up when you least expect them due to long-forgotten emails, so understand your environment before you hit "send".


The Ins and Outs of Encryption

Yesterday I mentioned that encrypted data is often treated as a safe harbor: a breach that exposes only encrypted information does not trigger the notification requirements that the same data in the clear would. Today, we discuss encryption in a little more detail.

Data at Rest and Data in Motion

When considering encryption from a technical perspective, the first step is to determine where the data lives. Data stored on a device, whether an internal or external hard drive, a USB stick or a handheld, is Data at Rest. Securing it may mean encrypting the entire medium it resides on; this is whole-disk encryption, commonly used on laptops that leave the office, and it protects the data only while the machine is powered off or locked, since a running, unlocked system reads the disk in the clear. Alternatively, data at rest may be secured by encrypting a single folder or file, which keeps the data protected even when it is copied somewhere else. The appropriate solution varies with the environment, the amount of data to be secured and the type of storage device on which it is stored.
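To make the file-level option concrete, here is an added Go example (not code from this post or from any product it mentions) that seals a file's contents with AES-256-GCM, an authenticated mode (NIST SP 800-38D), and binds the file name to the ciphertext as additional authenticated data so a blob cannot be silently swapped between files or altered on disk. The key is generated at random here; in a real deployment it would be held in a key store separate from the encrypted data. The sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// NewKey returns a random 256-bit key. In a real deployment the key lives in
// a key store or HSM separate from the ciphertext; if the key is taken
// together with the data, the data is not meaningfully encrypted.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM wraps AES in GCM mode, which encrypts and authenticates in one pass.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and returns nonce || ciphertext || tag as one blob.
// label (for example the file name) is bound as additional authenticated
// data: it is not encrypted, but Open fails if it does not match.
func Seal(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per call. Never reuse a nonce under the
	// same key; with random nonces, rotate the key well before 2^32 messages.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or label
// makes the authentication check fail and no plaintext is returned.
func Open(key, blob []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(label))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	record := []byte("Jane Doe, SSN 123-45-6789") // constructed sample record
	blob, err := Seal(key, record, "clients.csv")
	if err != nil {
		panic(err)
	}
	blob[len(blob)-1] ^= 0x01 // simulate one flipped bit in the stored file
	_, err = Open(key, blob, "clients.csv")
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The authentication tag is what distinguishes this from older unauthenticated modes: a modified or truncated file is rejected outright rather than decrypted into garbage. The safe harbor discussed above only holds if the key is not lost together with the blob, so the key must be stored and backed up separately from the files it protects.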

If the data is being sent across a company network or the Internet, it is considered Data in Motion. Data in motion is most often secured with TLS (Transport Layer Security, the successor to SSL, Secure Sockets Layer), recognizable to the end user by the "https://" displayed in the web browser. The padlock covers only the connection: once the data arrives at the far end it is at rest again and needs its own protection.

NIST Standards

When considering the implementation of encryption from a legal perspective, your best bet is to start with the standards established by the National Institute of Standards and Technology (NIST):

Data at Rest: NIST SP 800-111 (Guide to Storage Encryption Technologies for End User Devices). This publication discusses full disk encryption, virtual disk and volume encryption, and file/folder encryption.

Data in Motion: NIST SP 800-52, which covers the selection and configuration of TLS implementations.

Check out NIST's site for additional publications, including their recent Cloud Computing Synopsis and Recommendations draft.


Minnesota's Data Breach Notification Law


Earlier this month, President Obama proposed a federal breach notification bill designed to inform those who may be at greater risk of fraud or identity theft due to the loss of personal information. But there is already a breach notification law on Minnesota's books that I suspect is frequently ignored: 325E.61.

The Minnesota law says in part that "any person or business that maintains [personal] data . . . shall notify the owner . . . of any [security] breach . . . immediately following discovery, if the personal information is reasonably believed to have been acquired by an unauthorized person."

So, what exactly is personal information? For the purposes of the statute it is an individual's first name or first initial and last name in combination with:

(1) a Social Security number;
(2) driver's license number or Minnesota identification card number; or
(3) account number or credit or debit card number, in combination with any security code such as a PIN.

There's more to the law, but that's the gist of it.

But 325E.61 does provide a safe harbor: encryption. If the data is encrypted, notification is not required. This has been a common thread among federal and state breach notification requirements, as well as the contractual obligations the card brands impose through the PCI DSS. The safe harbor assumes the key stays secret: encrypted data that is lost together with its key is not meaningfully protected, so keep keys separate from the data they protect.

So encrypt your data, folks. Tomorrow we will talk about what exactly "encryption" means.

Image credit: s-s at www.sxc.hu.


P.S., Where Does the Money Go?

A quick note to wrap up last week's posts discussing fraudulent electronic fund transfers . . .

I was talking with a friend who works in network security about the issue. He was outlining ways banking networks could be more secure when he went a little off-topic.

"I wonder what the thieves - especially abroad - are doing with the money," he mused. "Not enough people seem to ask that question. All I ever hear about are the costs involved for the company."

Later, I came across a couple of facts that provide one frightening possibility. Kimberly Kiefer Peretti, former Senior Counsel with the United States Department of Justice's Computer Crime & Intellectual Property Section (CCIPS), discussed the national security implications of credit card breaches in a 2008 law review article. Among her points:

  • In his 280-page autobiography, Imam Samudra, a convicted terrorist in Indonesia, specifically referred to credit card fraud as a means to fund terrorist activities.
  • The 2002 Bali nightclub bombing was funded partly through online credit card fraud.
  • In 2007, a “Terror Webmaster” in Britain used $3.5 million in fraudulent charges to aid jihadi groups in the field.

I'm not an alarmist by nature, but, just like credit card breaches, fraudulent EFTs would seem to have national security implications. And it turns out that I'm not alone in thinking so: in 2010 FBI special agents were embedded with police forces in Romania, Estonia, and the Netherlands to combat cybercrime.


Businesses, Viruses & Online Banking Pt. II

This is the second of a two part series discussing how small businesses need to be aware of the threats posed by fraudulent electronic fund transfers (EFTs), and why the banks may not lend a helping hand. To read Part I, click here.

How do cyberthieves get the authentication credentials again?

Victims of online EFT fraud have frequently had their credentials stolen through a virus - often a version of the Zeus trojan - that has infected the computer used to access the business’ online banking system. The infection usually occurs after employees click on a link to an infected website, or open an infected email attachment through a process known as “phishing.”

Once a victim’s computer is infected, Zeus records the keystrokes used when logging into specified online banking websites. After the user successfully logs in, Zeus may intercept and modify the details of the transaction, initiate a new transaction without the user’s knowledge, or use the network connection to transmit the recorded authentication credentials to the cyberthief.

Who do they target?
Small and medium sized . . .

Read More . . .

Businesses, Viruses & Online Banking Pt. I

This weekend Joseph Flanders at Solo in Minneapolis added to his “Starting a Law Firm” series by discussing how to choose a business bank account. His post brought to mind a major topic that I feel still isn’t getting enough attention among small business owners (or the attorneys that advise them): fraudulent electronic funds transfers that result from the theft of the business’ online authentication credentials due to a computer virus.

This is the first of a two part series discussing how small businesses need to be aware of the risks fraudulent electronic funds transfers pose, and why the banks may not lend a helping hand.

Image credit: frko at stock.xchng
The Scenario:

A medium-sized business discovers that over $800,000 in unauthorized wire transfers was removed from their business account without their knowledge. $600,000 is eventually recovered, but $200,000 remains outstanding. The business claims that evidence in the form of IP addresses logged by the bank show that the transfer requests were initiated from Europe and sent to accounts in eastern Europe and the former Soviet Union. This behavior was unprecedented and according to the business should have raised a red flag with the bank.

The bank, on the other hand, alleges that the business is responsible for the lost funds because the business computer used to initiate online transfers was found to have a virus. This particular virus (the Zeus trojan) intercepted the business’ authentication credentials (username/password), then transmitted that information to foreign cyber-criminals who initiated the fraudulent transfer. Because the computer systems of the business are beyond the bank’s control, the bank argues that the business is solely responsible for the loss.

Read More . . .

If we spoke a different language, we would perceive a somewhat different world.

Attorneys and technology specialists have more in common than you might think. Both groups spend a great deal of time troubleshooting an existing situation, or planning ways to prevent one from occurring. Both analyze the issue’s boundaries by referencing written standards and searching a vast history of prior cases to provide context. And both communicate in a specialized language filled with lingo that leaves everyone else scratching their head.

Unfortunately, they usually don’t speak the same specialized language.

Read More . . .