Page 11 - Cybersecurity
P. 11

NYLJ.COM |
Cybersecurity | MONDAY, JUNE 5, 2017 | S11
claims of malpractice as well, as a recent dispute over law firm data security reminds us. The case, Shore et al. v. Johnson & Bell, Ltd., is the first of its kind: a cybersecurity malpractice suit stemming from a Chicago firm’s representation of a digital currency exchange website. The firm handled client trade secrets and confidential information, but its security measures were obsolete, according to the plaintiffs, such that the law firm “systematically exposed confidential client information”—though the plaintiffs did not allege that an actual data breach had occurred.
While that dispute was ordered into arbi- tration in February, the mere filing of the complaint serves as a foreboding reminder of the high stakes involved with law firm data security.
The most forward-thinking firms and orga- nizations are starting to recognize not only that e-discovery is risky, but that many of those risks can be mitigated. A secure, cloud- based platform that encrypts data in motion and at rest can provide important protections, housing and safeguarding documents as long as is necessary. Permission-based access can make sure documents are retrievable instant- ly, avoiding needless reproductions while also ensuring easy access—but only to those who should have it.
By hosting information in one centralized, protected hub, attorneys can entrust much of the security infrastructure to experts. The result is fewer opportunities for data to be put at risk, whether by hackers, sloppy security procedures, or archaic discovery practices.
The cloud isn’t the only solution, however. Attorneys can also safeguard their and their clients’ data by making sure that the data is encrypted in transit. That means ensuring that sensitive data is only exchanged via SSL connections. This security protocol estab- lishes an encrypted link between a server and client; it’s the sort of encryption used by banks and e-commerce websites that often handle sensitive data.
Lawyers should also make sure that data remains safe even when it’s in the other par- ty’s hands. That means insisting that opposing parties abide by the same strict standards attorneys would demand for themselves.
This can be accomplished by asking the court to impose a protective order governing the treatment of discovery materials or by objecting to the production of documents without the other party providing a suffi- cient data security protocol. Offering a pre- approved list of vendors or technologies can often make such demands more acceptable to the other side.
Whatever approach attorneys take, it is beyond debate at this point that e-discovery will be fertile hunting ground for hackers in the days and years to come. Failing to account for this and to keep abreast of other emerging technology issues relevant to legal practice could put lawyers’ licenses, reputations and clients at risk, especially given the recent crackdown by state bar associations on attorneys who fail to understand technology. Smart firms will start taking action now to make sure they don’t fall victim to the next damaging cyberattack.
Bharara
« Continued from page S6
punishing those who commit cybercrimes, and that criminal prosecution must remain an important part of our effort to protect the public from the cyber threat. For example, in the summer of 2014, it was widely reported that unknown hackers had infiltrated certain systems of J.P. Morgan Chase and compro- mised the personal information of 83 million individuals and small businesses. It was one of the largest scale cyber thefts of personal information in history and some reports spec- ulated that only a state actor or some similar large-scale enterprise could have pulled it off.
A little over one year later, however, Bhar- ara announced that the Southern District had indicted three men for this heist, and had determined that the theft was part of a broader criminal scheme that had affected multiple institutions. While charges against the three men remain pending, all three have been extradited to the United States from abroad, and it recently emerged that the alleged ringleader, Gery Shalon, is in talks about a possible guilty plea and has agreed to forfeit 81 bank accounts to U.S. authorities.
Bharara’s record in cyber prosecutions was certainly not limited to tracking down thefts of personal information. It also extended to the so-called “dark web.” For years, an unknown criminal using the moniker the “Dread Pirate Roberts” operated a site on the dark web known as the “Silk Road,” from which cus- tomers were able to anonymously order all manner of illegal goods and services, includ- ing dangerous illegal drugs. Due to the coor- dinated efforts of law enforcement, under the Southern District’s leadership, that site was shut down in October 2013, and the “Dread Pirate Roberts” was unmasked to be Ross Ulbricht, a 29-year-old college graduate who had been running the site, at least in part, from his laptop at a public library in San Fran- cisco. In February 2015, after a four-week trial in open court, Ulbricht was convicted by a Manhattan federal jury of computer hack- ing, drug trafficking, money laundering, and other crimes and was later sentenced to life imprisonment.
Cyber criminals like Ulbricht and the JP Morgan hackers often use digital currencies like Bitcoin in furtherance of their schemes. During Bharara’s tenure, the Southern District also prosecuted the operators of one of the largest and most notorious digital currency services in the world, Liberty Reserve. At its peak, Liberty Reserve was believed to have had more than one million users worldwide, including more than 200,000 in the United States. It was estimated to have laundered
more than $6 billion in suspected proceeds of crimes including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking. In May 2016, after a dogged Southern District investigation, Arthur Budovsky, the founder and lead operator of Liberty Reserve, was sentenced to 20 years in prison for money laundering and operating an unlicensed money transmitting business, after previously pleading guilty to those crimes.
During Bharara’s tenure, the Southern Dis- trict also prosecuted and secured lengthy prison sentences for the developers of the Blackshades malware, a software tool used to record a victim’s keystrokes and thereby steal passwords, hack social media accounts or other sensitive information; Alonzo Knowles, a hacker who infiltrated the email accounts of Hollywood celebrities as part of a plot to demand ransom payments in exchange for the return of pilfered items, such as unreleased television scripts and sexually explicit pho- tographs and videos; and Jeremy Hammond, a so-called political “hacktivist,” who pled guilty to participating in the Stratfor hack, among others.
Even in cases where arrests and prosecu- tions have not yet been possible, the South- ern District has demonstrated the value of criminal prosecution in this area by bringing indictments that “name and shame” the per- petrators of cyber attacks. In December 2016, Bharara announced an indictment charging three Chinese nationals with hacking into the systems of law firms advising on merg- ers and acquisitions and then trading on the information they stole. Whether or not those defendants will eventually face justice in an American courtroom, the indictment itself demonstrates that those who engage in cyber attacks will not remain anonymous, and also served to raise awareness about the threat hackers pose to law firms and other corporate advisers. Similarly, in March 2016, the South- ern District charged seven Iranian nationals associated with Iran’s Islamic Revolution- ary Guard with conducting a coordinated campaign of cyber attacks on U.S. targets, including the Bowman Dam located in Rye, New York.
The lesson of this remarkable string of prosecutions is clear. Cyber criminals can be identified, apprehended, and prosecuted. While the cyber threat undoubtedly requires responses grounded in national security, pri- vacy, and business continuity concerns, the role of criminal prosecutions can’t be over- looked. Though cyber investigations involve novel challenges, those challenges can be met and overcome. Cyber criminals are criminals, just like any other, and they deserve to be prosecuted.
Be sure to reserve your space in the upcoming
Litigation
Tabloid Pull-Out Sections please contact:
Mayra Sinchi Phone:212 457-9473
[email protected]


































































































   9   10   11   12   13