
Email Encryption – Just Do It!

By Ken Kajihiro

Email Encryption – Just do it!  Email encryption is quick and easy to install, easy to use, and provides enhanced client confidentiality.  In fact, the American Bar Association states “a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”[1]  Email encryption will help you ensure client confidentiality.

In 2017, the American Bar Association stated that email encryption may be warranted in some circumstances.[2]  However, since the onset of COVID-19, cyberattacks have greatly increased, “amplifying the threat to individuals and organizations.”[3]  Thus, email encryption is highly recommended.

Not all law firms and offices have an information technology support department to set up email encryption; however, all law firms and offices have a duty to protect confidential client information.[4]  Inadvertent or unauthorized disclosure could include an intercepted email by someone other than the intended recipient.  Imagine the damage caused if a client’s tax return, medical records, or even credit card payment information were intercepted by an unauthorized party.  Now, imagine the damage caused if a client’s confidential settlement agreement, merger and acquisition information, or intellectual property were intercepted by an unauthorized party.  The damage would be immense.  Email encryption will mitigate the risk of an inadvertent or unauthorized disclosure.

So, what are the options?  Let’s start with the free options.  If your law firm or office uses a Gmail-based email, you have got it easy!  Mailvelope, FlowCrypt, and LockMagic are only a few of the many free Chrome extensions for email encryption.[5]  If your law firm or office uses an Outlook-based email, you have got it almost as easy!  Secure/Multipurpose Internet Mail Extensions (S/MIME) or Azure Rights Management Services (RMS) are some of your choices.[6]  Although these email encryption options are free, they get the job done![7]  Whichever you choose, the message is only protected end to end if the recipient can decrypt it on their side, so confirm the recipient’s setup (a PGP key for the browser extensions, a certificate for S/MIME) before sending.

Next, the paid options.  Many of the paid options are paid because they combine email encryption with a private email server for maximum client confidentiality.[8]  Paying for a private email server removes the free-email-provider business incentive of making money with your data.[9]  ProtonMail, HushMail, and CounterMail are only a few of the many paid options.[10]  How much do these paid options cost?  Not much.  ProtonMail Professional is approximately $7.00 per month.[11]  HushMail for Law is approximately $10.00 per month.[12]  CounterMail Premium is approximately $5.00 per month.[13]

Overall, between the free options and paying approximately $5.00 to $10.00 per month, email encryption is well worth the time and money to ensure client confidentiality.  Again, email encryption is quick and easy to install, easy to use, and provides enhanced client confidentiality.  Email Encryption – Just do it!

[1] Model Rules of Pro. Conduct r. 1.6(c) (Am. Bar Ass’n 2020).

[2] ABA Comm. on Ethics & Pro. Resp., Formal Op. 17-477, at 5 (2017).

[3] COVID-19 Exploited by Malicious Cyber Actors, Cybersecurity and Infrastructure Security Agency (Apr. 8, 2020), https://us-cert.cisa.gov/ncas/alerts/aa20-099a.

[4] See Model Rules of Pro. Conduct r. 1.6(c) (Am. Bar Ass’n 2020).

[5] Stephanie Faris, Use These 4 Chrome Plugins to Encrypt Your Gmail Messages, Help Desk Geeks (Sept. 1, 2019), https://helpdeskgeek.com/free-tools-review/use-these-4-chrome-plugins-to-encrypt-your-gmail-messages.

[6] Bryan Peace, How to Encrypt Email in Microsoft Outlook, Virtru (Aug. 14, 2019), https://www.virtru.com/blog/encrypt-email-outlook.

[7] For instructions on how to install and use these email encryption methods, conduct a YouTube search for that specific email encryption method.

[8] See Alexander Fox, Are Private Email Services Worth the Money?, Make Tech Easier (June 13, 2019), https://www.maketecheasier.com/private-email-services-worth-the-money.

[9] Free email providers, such as Google, are free because they scan your email for targeted advertising purposes, which they use to show you personalized advertisements; although Google does not sell your information to third parties, these third parties pay Google to show advertisements to Google users who are most likely to purchase the advertiser’s product.  Privacy Policy: Why You’re Seeing an Ad, Google, https://support.google.com/ads/answer/1634057?p=privpol_whyad&hl=en&visit_id=637374566438757927-831058077&rd=1 (last visited Oct. 6, 2020).

[10] Fox, supra note 8.

[11] Select Your ProtonMail Account Type, ProtonMail, https://protonmail.com/signup?plan=business (last visited Oct. 6, 2020).

[12] Email and Encryption in One Solution, HushMail, https://www.hushmail.com/business/legal/features/?source=website&tag=page_business_legal,btn_features (last visited Oct. 6, 2020).

[13] Services, CounterMail, https://countermail.com/?p=services (last visited Oct. 6, 2020).

Image source: https://www.techadvisor.co.uk/how-to/internet/how-encrypt-email-3636950

Finding, Prosecuting, and Punishing Hackers: Comprehensive Changes Likely Necessary

By Melisa Azak

In the past decade, data breaches have become more common, with nearly 38 billion records breached in 2010.[1] To put that number in perspective, if all of those records belonged to American residents, each person would have nearly 116 accounts hacked.[2]

Some of the largest companies in the world have struggled with how to deal with hackers. Equifax suffered one of the largest breaches in American history, with 147 million Americans affected by its 2017 breach, which exposed highly sensitive information such as credit card numbers, Social Security numbers, and dates of birth.[3] The company later settled with consumers for $671 million to resolve a multi-district consumer class action litigation, which created a resolution fund to restore “actual out-of-pocket losses related to the breach” as well as “other consumer benefits such as identity restoration services.”[4]

The particular danger of data breaches is that culpable hackers rarely get caught and prosecuted, leaving businesses and governments continuously vulnerable to targeted attacks. The Third Way, a center-left think tank, estimates that only 0.3% of cybercrime complaints are prosecuted and enforced.[5] Further, only one in six victims of cybercrime actually report to law enforcement, making the effective enforcement rate about 0.05%.[6]

And even when hackers are found, diplomatic relations can draw out complex prosecutions. Yevgeniy Aleksandrovich Nikulin, for instance, was found guilty earlier this year of numerous charges, including computer intrusion and data theft, eight years after he hacked LinkedIn and Dropbox in 2012.[7] His defense team argued unsuccessfully that prosecutors relied improperly on misinformation from the Russian government and “asked the jury to consider the possibility that the U.S. government was prosecuting the wrong person.”[8] Nikulin’s case seems to demonstrate a broader tactic by the United States to send a firm message to foreign hackers that although they may rarely be found, they will be severely punished when caught.[9]

However, with breaches becoming more severe and ubiquitous, forceful prosecution may not be enough to stop hackers from obtaining sensitive information and hacking with near impunity. The Third Way recommends that the United States adopt ten key strategies in order to meet the growing cybersecurity threat.[10] One of the key goals of the country, the think tank suggests, should be to expand law enforcement’s role in combating hackers.[11] Currently, state and local law enforcement officers, prosecutors, and judges in digital/cybercrime investigations are grossly underfunded.[12] Further, less than a quarter of publicly funded crime labs offer “dedicated digital evidence support services.”[13] Effectively meeting the cybersecurity threat requires that the country allot more resources to already existing law enforcement organizations.

Other key recommendations include stepping up international efforts by seeking mutual legal assistance treaties and agreements, which are binding documents “typically bilaterally signed between the United States and other countries to formalize the parameters of their criminal justice cooperation.”[14] Given the global nature of successful hacks, these treaties can be “critical tools for sharing data and digital evidence in cyber investigations and prosecutions.”[15]

Another effective tactic may be to adopt the old adage “if you can’t beat them, join them.” A new start-up company called Synack provides ways for companies to discover their security flaws and then turns those flaws over to hackers “who use their powers for good” to see how they could be used to breach the client, better preparing the client for future attacks from hackers who want to use their powers for nefarious purposes.[16]

However, too offensive a cybersecurity approach may raise legal complications. Although Justice Department officials find that “the optics would be ‘awfully poor’ if the department prosecuted a company that had retaliated against foreign hackers,” the Computer Fraud and Abuse Act prohibits any form of hacking.[17] Many cybersecurity firms “hack back” by creating “honeypots,” or “caches of documents that fool hackers into thinking they are inside a target’s system,” so they can trace the identities of hackers from their digital trails.[18] Considering the growing cybersecurity threat and the need for new strategies to meet it, the Act may have to be modernized to allow companies to add “hacking back” to their arsenal of cybersecurity defense tools.[19]

The growing cybersecurity threat is not unlike 9/11. Before 9/11, the government struggled with “lack of prioritization of the [terrorist] threat, competing priorities and immense bureaucratic challenges.”[20] If the United States wants to avoid repeating history’s mistakes and avoid a “digital” 9/11 incident, it must take an unprecedented, comprehensive approach and meet elusive hackers head on.

[1] Megan Leonhardt, The 10 Biggest Data Hacks of the Decade, Make It, CNBC (Dec. 27, 2019 9:01 AM), https://www.cnbc.com/2019/12/23/the-10-biggest-data-hacks-of-the-decade.html.

[2] Id.

[3] Id.

[4] See Press Release, Equifax Announces Comprehensive Consumer Settlement Arising from 2017 Cybersecurity Incident (Jul. 22, 2019), https://investor.equifax.com/news-and-events/press-releases/2019/07-22-2019-125543228.

[5] Mieke Eoyang et al., To Catch a Hacker: Toward a Comprehensive Strategy to Identify, Pursue, and Punish Malicious Cyber Actors, Third Way 7 (Oct. 29, 2018), https://thirdway.imgix.net/pdfs/override/To_Catch_A_Hacker_Report.pdf.

[6] Id.

[7] Hannah Albarazi, Russian LinkedIn, Dropbox Hacker Gets 7-Year Sentence, Law360 (Sept. 29, 2020 11:26 PM), https://www.law360.com/articles/1315137.

[8] Hannah Albarazi, Russian Convicted in LinkedIn, Dropbox Cyberattacks, Law360 (Jul. 10, 2020 9:13 PM), https://www.law360.com/articles/1291090?scroll=1&related=1.

[9] See supra note 7 (“Assistant U.S. Attorney Michelle Kane sought out a tougher sentence; one that would send a message to other foreign hackers that they cannot act with impunity.”).

[10] See supra note 5, at 2.

[11] Id. at 13–15.

[12] Id. at 15.

[13] Id.

[14] Id. at 20.

[15] Id. at 20–21.

[16] See Kate Fazzini, Why Some of the World’s Top Cybersecurity Hackers Are Being Paid Millions to Use Their Powers for Good, Disrupter 50, CNBC (May 18, 2019 10:00 AM), https://www.cnbc.com/2019/05/17/cybersecurity-hackers-are-paid-millions-to-use-their-powers-for-good.html.

[17] See Nicholas Schmidle, The Digital Vigilantes Who Hack Back, New Yorker (Apr. 30, 2018), https://www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back.

[18] Id.

[19] Id.

[20] See supra note 5, at 26.

Image Source: https://newconomy.media/news/hacker-claims-to-steal-personal-data-of-840-million-users
