Daily Archives: June 9, 2016

US warns of hacking threat to interbank payment network

Posted on June 9, 2016 | Leave a comment

_89909468_thinkstockphotos-507473994

US regulators have warned banks about potential cyber attacks linked to the interbank messaging system.

The statement came two weeks after the Federal Bureau of Investigations sent a notice cautioning US banks after the hacking of Bangladesh’s central bank.

The FBI message warned of a “malicious cyber group” that had already targeted foreign banks.

In February, hackers stole $81m (£56m) from Bangladesh’s account with the Federal Reserve Bank of New York.

The hackers used the Bangladesh central bank’s Swift credentials to transfer money to accounts in the Philippines. Swift is the system banks use to exchange messages and transfer requests.

The hackers attempted to steal nearly $1bn, but several of their requests were rejected because of irregularities.

The Federal Financial Institutions Examination Council (FFIEC) – a group of US banking regulators- issued a statement encouraging banks to check the security of their links with interbank messaging and payment systems.

The council said that following recent attacks banks should “actively manage the risks associated with interbank messaging and wholesale payment networks”.

The FFIEC said the statement was intended to alert banks to specific security steps that could protect their messaging and payment networks from “unauthorized entry”.

It warned that unauthorised transactions may subject the originating bank to losses and compliance breaches.

The Bangladesh central bank and Swift have blamed each other for the security shortfalls that led to the February hacking.

The FBI sent its warning to US banks on 23 May, telling them to pay particular attention to potentially fraudulent international transfer requests.

“The actors have exploited vulnerabilities in the internal environments of the banks and initiated unauthorised monetary transfers over an international payment messaging system,” the alert said.

The Bureau said it would not comment on these alerts, but a spokesman added: “The FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals.”

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Attorney Confidentiality, Cybersecurity, and the Cloud

Posted on June 9, 2016 | Leave a comment

Legal

There is a significant degree of confusion and lack of awareness about attorney confidentiality and cybersecurity obligations.  This issue is especially acute when it comes to using the cloud to store privileged documents.  A common myth is that storing privileged documents in the cloud is a breach of attorney-client confidentiality.  In other instances, many attorneys and firms are not paying sufficient attention to their obligation to protect the confidentiality and security of the client data they maintain.

Attorney Ethical Rules in the Digital Age

The general rules of professional conduct are written broadly, without specifically addressing privacy and cybersecurity issues.  Under Rule 1.6 of the ABA Model Rules of Professional Conduct, “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” Lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

The application of this rule to digital technologies has been dealt with by resolutions and commentary.  Fairly recently, the ABA published Resolution 109, calling for firms to “develop, implement, and maintain an appropriate cybersecurity program.” And few years ago, the ABA amended Comment 8 to Model Rule 1.1 (requiring “competent representation to a client”) to state that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” (added language italicized).

Attorney-Client Privilege in the Cloud

Is it ethical for attorneys and law firms to store privileged documents in the cloud?  After all, they are storing such documents on a third party’s computer.

White_Cloud

This question has been a widespread concern, enough so that several state bar associations have issued guidance.  Their consistent conclusion is that it is ethical to store privileged documents in the cloud.  For example, according to the Pennsylvania Bar Association Formal Opinion 2011-200: “An attorney may ethically allow client confidential material to be stored in ‘the cloud’ provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.”

According to the Florida Bar Association Opinion 12-3, “Cloud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it.” The Massachusetts Bar Association Opinion 12-03 provides that lawyers “may store and synchronize electronic work files containing confidential client information across different platforms and devices using an Internet based storage solution” if they undertake “reasonable efforts to ensure that the provider’s terms of use and data privacy policies, practices and procedures are compatible with the lawyer’s professional obligations, including the obligation to protect confidential client information.”

The New York Bar Association Ethics Opinion 842 concludes that “a lawyer may use an online ‘cloud’ computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.”

Other state bars have reached similar conclusions.  The ABA maintains a page that tracks what state bars are holding on this issue.  The states in blue have all issued opinions on the use of the cloud, and all state essentially the same thing: Using the cloud is ethical as long as reasonable care is taken.

US_Map

In many situations, data stored in the Cloud might have stronger security protections than when stored on the attorney or firm’s own network.  This is because some of the best cloud service providers have more sophisticated security practices and more robust technical and other resources to protect the data than a law office or firm.  For example, the Panama Papers breach at Mossack Fonseca occurred on the firm’s network, which had numerous security vulnerabilities.

Attorneys don’t have a blank check to store anything with any third party.  There still are cybersecurity obligations.  According to widespread standards in other industries, there are certain essential practices when selecting and contracting with a cloud service provider.  The Pennsylvania Bar Association guidance notes that “reasonable safeguards” must be used “to ensure that the data is protected from breaches, data loss and other risks.”  What are such reasonable safeguards?  I will discuss that in the part below.

Confidentiality and Cybersecurity Responsibilities

Attorneys and law firms have significant confidentiality and cybersecurity responsibilities.   These typically involve using “reasonable care,” which is a standard grounded in common best practices and norms.  These standards are mentioned in various state bar opinions and guidance, as well as in data security regulation of other industries.

For example, the FTC cases on data security are useful to study to learn about common best practices across a wide array of industries.  The FTC typically enforces standards that are commonly accepted as the norm for reasonable security practices.  I have written about the FTC extensively in my article, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014) (with Woodrow Hartzog), and this piece includes a listing of the data security deficiencies that the FTC has identified as problematic.

I have written an earlier post about the cybersecurity risks that law firms face and about how a number of firms and attorneys need to step up their efforts to protect data.

State bars have also provided many useful examples.  Some of these include (1) eliminating metadata when documents are transmitted to adverse parties; (2) taking precautions when using public wireless connections to communicate with clients, such as using firewalls and encryption; (3) backing up data; (3) implementing audit logging to monitor who is accessing data; (4) having a data breach response plan; and (5) having a firewall on the firm or office network.

With regard to using cloud service providers, relevant responsibilities of attorneys include (1) performing due diligence in selecting a cloud service provider; (2) having an appropriate contract in place with the cloud service provider; (3) exercising good security practices on their own network and when accessing data stored in the cloud; and (4) engaging in continued monitoring of the cloud service provider to ensure that the provider is living up to its obligations.

Due Diligence When Selecting a Cloud Service Provider

Cloud_Mag

Due diligence should involve examining whether a cloud service provider has:

  • adequate safeguards in place to maintain accessibility of data in the event of disasters
  • sufficient stability and resources
  • appropriate procedures to comply with a litigation hold
  • appropriate written policies and procedures to protect confidentiality and security
  • appropriate back up
  • appropriate security protections, including employee training, penetration testing, etc.

Appropriate Provisions in Contracts with Cloud Service Providers

Contract

Contracts with cloud service providers should require, among other things:

  • Ownership of the data remains with the attorney or firm, not the cloud service provider.
  • Attorneys must have adequate access to the data.
  • Data should be routinely backed up.
  • There should be an enforcement provision if the provider fails to meet its obligations.
  • The cloud service provider should provide reasonable and appropriate security protections.
  • The data is hosted in countries with sufficient legal protections of privacy and security and adequate rules regulating government access.
  • The data is returned in the event of termination of the contract.

Good Data Security Practices

Additionally, attorneys and support personnel have obligations for their own behavior when using cloud service providers such as being trained about data security best practices, use of strong passwords, safe practices when using public Wi-Fi, avoiding falling for phishing scams, and so on.

Ongoing Vigilance of Cloud Service Providers

Finally, attorneys or firms must continue to monitor any cloud service provider they use to ensure that the provider is complying with the agreement and to ensure that the provider is keeping up with new technological developments and protecting against emerging security threats.

The above are not exclusive lists, but are examples of some of the kinds of things that are encompassed by the duty to exercise “reasonable care.”

Conclusion

It is clear that attorneys and firms can use cloud services consistent with their obligations to maintain the confidentiality of client information.  Reasonable care must be exercised in the process, and that involves due diligence when selecting a cloud service provider, having the appropriate contractual provisions in the agreement with the cloud service provider, and continuing to be vigilant about how well the provider is living up to its obligations.

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy awareness and security training company. He is the author of 10 books and more than 50 articles.  Thanks to Microsoft for its support of this piece.  All views in this piece are my own.

Leave a comment

Posted in Cyber Security, eDiscovery, Public Cloud, Security

Tagged , ,

NFL’s Twitter account is sacked by hackers

Posted on June 9, 2016 | Leave a comment

Looks like the NFL needs to change its Twitter password.

The league’s official Twitter account was hacked Tuesday with a fake tweet saying Commissioner Roger Goodell had died.

nfl-hacked-tweet.jpg

A screenshot of a fake tweet saying NFL Commissioner Roger Goodell died.

“We regret to inform our fans that our commissioner, Roger Goodell, has passed away. He was 57. #RIP.”

The NFL responded quicker than a strong side safety blitz, announcing the league’s Twitter account was hacked. NFL spokesman Brian McCarthy, who tweeted to confirm the hacking, added that Goodell “is alive and well.”

The hack is the latest involving big-name Twitter accounts, including pop stars Katy Perry, Drake and reality star Kylie Jenner. On Sunday, Ourmine, a hacker group with 41,000 followers on Twitter, claimed to have compromised Facebook CEO Mark Zuckerberg’s Twitter, Instagram and LinkedIn accounts. In a tweet, the group bragged about the alleged hacks and invited Zuckerberg to contact the group.

The hacks come after LinkedIn said last month more than 100 million members’ email and password combinations had been posted online. The data was taken during a 2012 data breach.

A separate set of 6.5 million encrypted passwords stolen during that attack had previously been posted.

Although the NFL deleted Tuesday’s bogus tweet, the hacker didn’t stop. In a second tweet, the hacker wrote, “Oi, I said Roger Goodell has died. Don’t delete that tweet.”

In a third tweet the hacker gave up, saying, “OK, OK, you amateur detectives win. Good job.”

The hacker’s tweets have been retweeted thousands of times.
No word if Goodell’s Deflategate nemesis, New England Patriots quarterback Tom Brady, has seen the bogus tweets.

Goodell, who has been commissioner since 2006, later joked about the matter on Twitter:

Leave a comment

Posted in Cyber Security, Data Breach, Hacking

Tagged ,