Tech Tips and Tidbits: July/August 2021

This article was originally published in the July/Aug 2021 issue of San Diego Lawyer Magazine.

By Bill Kammer

Amazon Sidewalk

You might have missed the news of the launch of Amazon Sidewalk on June 8. On that day, Amazon embarked on an effort to establish neighborhood mesh networks that allow neighbors to use your Wi-Fi to access the internet. If you didn’t opt out by that day, Amazon immediately enrolled your Amazon devices such as Ring and Echo. Ordinarily, few people change their default settings, so most will probably be participants in the system. Sidewalk allows sharing a small, encrypted slice of your internet bandwidth with neighboring Sidewalk devices lacking connectivity, but you can still reverse that default by going into settings and turning off Amazon Sidewalk. That’s all you must do to bail out of this novel experience. In this cybersecurity age, prudence favors opting out, especially when you consider how much personal information Alexa knows and your Ring camera has observed.

Operating System and Software Updates

Every day brings more suggestions of required updates to operating systems, software, and applications. Many delay or ignore them because of the interruptions and time consumed by downloading and installing those updates, particularly if multiple devices require updates: computers, tablets, and phones. Given the many ransomware and malware attacks in the news, we ignore those prompts at our peril. Many update announcements suggest they are improving our experience, for instance, “[t]his version holds performance improvements and small bug fixes to enhance your experience.” Such wording often masks the reality that the update patches a recently discovered security vulnerability.

Email Discovery

Despite the proliferation of social media data and the growing day-to-day use and content of messaging apps, email remains the major component of ESI to preserve, harvest, review, and produce. Often, the attachments to the emails also constitute a significant portion of reviewable ESI. Because the pandemic has affected work locations, lawyers must be alert to the reality that custodian emails may be found at many locations and in multiple folders. Much of that data may be redundant or duplicative, but it still must be preserved and reviewed until those conclusions can be reached. This is a brief list of locations that must be searched: MS Exchange Server; M365/O365 via Exchange Web Service (EWS); Microsoft Graph API; PST email archives; Gmail and Google Suite; IMAP and POP3; and MSG or EML files. This list is not meant as a test but as a suggestion that forensically sound collections must include access to and collection of email residing in multiple forms at different locations, potentially requiring different tools.

Security Checklist for Vendor Contracts

The ABA recently published the second edition of its Cybersecurity Checklist. Small firms and solos often outsource certain tasks to vendors and provide them access to clients’ sensitive data or even the attorneys’ internal systems and confidential data. The checklist will aid attorneys lacking great experience with the nuances of privacy and data security to minimize the cybersecurity risks resulting from those vendor relationships. The list is $25, but free to members, and can be found at www.americanbar.org/products/ecd/ebk/411859099.

Malware and Ransomware

Colonial Pipeline; Scripps Health; Tulsa, Oklahoma; GEICO Insurance; New York City’s MTA; meat processors; the list goes on and on. The availability of do-it-yourself resources for hackers has elevated an occasional threat to a national crisis. The average ransomware payment in 2020 was about $310,000, up 177% from 2019. It is so potentially lucrative to criminals that urgent action is necessary. The Department of Justice (DOJ) sent guidance in June to all U.S. attorneys, elevating investigations of ransomware attacks. They are now to give ransomware investigations the same priority as terrorism. Additionally, the DOJ announced the formation of a task force to confront the growing challenges.

White House Guidance on Ransomware Defenses

In early June, the White House alerted American businesses to take urgent action to improve their defenses against ransomware. The memo contained basic steps, which are as appropriate for lawyers as they are for the companies addressed in the warnings. These include 2FA or multifactor authentication (MFA); regular backups; segregation of backups from principal systems so that both cannot be compromised; penetration testing; segmenting networks, separating administrative from operations; and planning for the inevitable breach including an incident response plan.

Random Notes About Ransomware

There is abundant information and reference material that lawyers might consider in minimizing their cybersecurity risks and dealing with ransomware. For instance, some advise that encrypting sensitive data in place may avoid the largest costs of a data breach because the loss of that data may not invoke data-breach notification laws. Others advise following the FBI’s advice to never pay ransom to get your data back. The FBI’s focus is probably to prevent criminals from profiting, but there are other reasons for not paying. A recent report found that only 8% of those who paid ransom got all their data back and 29% got back less than half. Some companies have found that the slow decryptors provided after paying ransom are next to worthless for the recovery of the data. Colonial Pipeline was a good example of that experience. They ended up restoring their systems from backups.

It’s not whether, but only when. Though one paragraph can never encapsulate the most appropriate advice, lawyers are not without assistance. The Cybersecurity and Infrastructure Security Agency (CISA), the government’s cybersecurity expert, has issued best practices for minimizing the risk of ransomware impacts upon operations at https://us-cert.cisa.gov/ncas/alerts/aa21-131a. CISA also maintains a resource website specifically for lawyers at www.cisa.gov/resources-lawyers. Finally, remember that the FBI is the lead agency for the investigation of cyber attacks. Prompt notice to the FBI can often result in substantial assistance. Its recovery of Colonial Pipeline’s ransom payment is a perfect example.

Bill Kammer (wkammer@swsslaw.com) is a partner with Solomon Ward Seidenwurm & Smith, LLP.