Have you ever been involved in a meet and confer regarding electronically stored information and felt your adversary was speaking a foreign language?  Is active machine learning an unfamiliar concept to you?  Is BYOD an acronym for who-knows-what?

If you answered yes to any of the above, or if you lack fluency in the language of e-discovery and digital information management, allow me to introduce you to The Sedona Conference (TSC).  TSC is a nonprofit 501(c)(3) research and educational institute dedicated to the advanced study of law and policy in certain areas, including complex litigation.  In 2002, TSC launched its Working Group Series, which was designed to address some of the most challenging issues faced by our legal system.  In this regard, TSC is an invaluable resource for litigators.  For all of the self-proclaimed Luddites who practice litigation, there are a number of Working Groups that inform the ESI and cyber landscape, and I encourage you to familiarize yourself with them, including, for example, Group 1 (Electronic Document Retention and Production), Group 6 (International Electronic Information Management, Discovery and Disclosure), and Group 11 (Data Security and Privacy Liability).  However, if you do nothing else after reading this blog, please download The Sedona Conference Glossary: eDiscovery & Digital Management, Fifth Edition, 21 SEDONA CONF. J. 263 (2020) (available at: https://thesedonaconference.org/publications).  This glossary, “published as a tool to assist in the understanding and discussion of electronic discovery and electronic information management issues,” is a comprehensive resource that empowers litigators to better understand current technologies and the language of e-discovery.

Have questions?  Please contact me at kcole@farrellfritz.com.

With ever-evolving cyber threats, it is important that we understand our social media accounts and the ways in which they make us vulnerable.

Social media (e.g., Facebook, Instagram, WhatsApp, Snapchat) is free to members because the companies make money by selling targeted advertisements to their users.  Ever wonder why, after “liking” a particular pair of shoes, advertisements for those very shoes (or that shoe brand) are littered throughout your account?  Users have been sharing their “likes” and “dislikes” for years, giving the various companies all the data they need to match an advertisement with individuals who may be interested in the particular content.  Our “likes” and “dislikes” are tracked, as are the posts we “share,” the groups we belong to, location information about the photos we post, and the events we attend.  With all this data readily available to social media companies, it is no surprise they track it for purposes of matching users with advertisers.  After all, internet advertising revenue in the United States totaled more than $107 billion in 2018, and last year’s projection is even greater.

But, while targeted advertisements may be appreciated, the risk of having all of this data collected cannot be ignored.  For example, collected data can easily be stolen, as past data breaches, including the one Facebook suffered in December 2019, have shown.  The other, less appreciated issue is that bad actors are using online advertisements to effectuate identity theft.  In fact, experts indicate that 10% (1 in every 10) of all online advertisements are actually “malvertisements” – advertisements that serve to scam the user and/or spread malware.  Many of these scams are disguised as surveys from reputable companies (https://sidechannel.tempestsi.com/digital-adverstising-tools-are-being-used-to-disseminate-phishing-campaigns-eed3da31ac25).

The reality is that people will continue to use social media notwithstanding these risks, but is there any way to use social media while protecting oneself?  The answer is yes.  Consider the following:

  • Opt out of online advertising by using resources from the Digital Advertising Alliance;
  • Routinely delete cookies from your browsers;
  • Delete social media accounts from your smartphone.  I know this may upset users, but the mobile apps collect even more data (and real-time data) than the web-based versions;
  • Disable ad tracking on your computer and devices;
  • Beware of advertisements from companies you do not know and do not take online quizzes; and
  • Be aware of your privacy settings on these various social media accounts.

Regarding privacy settings, consider Facebook.  If you go to your Settings and click “Privacy Shortcuts” you will be able to set your Account Security, Ad Preferences and Privacy settings among other settings.  I encourage anyone reading this blog to take a few minutes and consult their settings on their various accounts to enhance their privacy and the potential security of their respective accounts.

As we become increasingly reliant upon our phones, we make ourselves more vulnerable to cyberattacks.  Indeed, Experian’s 2020 edition of its annual Data Breach Industry Forecast details five predictions for data breach trends, including three that are likely to impact the smartphone user.*

One of Experian’s predictions is that cyber criminals will move to “smishing” attacks.  What the heck is a smishing attack?  Think “phishing” meets SMS.  That’s right, text-based phishing attacks.  This is similar to email spoofing. The text message may appear to come from a legitimate source, such as your bank or a friend. It may request that you call a certain phone number or click on a link within the message, with the goal of getting you to divulge personal information. So, be cautious when opening a text.  These scams are intended to obtain your personal information by pretending to be a legitimate business, or some other innocent party.   If you get an inquiry seeking personal information, don’t provide it. Hang up, note the number (perhaps block the number) or log off.  Consider looking up the phone number or customer service email address from the entity purportedly contacting you for your personal information and filing a report with the FCC’s Consumer Complaint Center.**

Another prediction is that cyber criminals will leverage mobile point of sale systems at event venues and e-skim credentials.  Mobile payment options are popping up everywhere – think concert venues, sporting events, craft fairs.  E-skimming involves the introduction of skimming code into a vulnerable credit card processing webpage.  The malicious code is embedded and then captures credit card data as the end user enters it, in real time.  The information, once captured, is sent to an internet-connected server where it is gathered and can later be used or sold.  In some ways, e-skimming is an easier attack because, unlike credit card skimming, no physical skimming device has to be installed.

Experian also anticipates an uptick in risk attendant to using (by phone or computer) public Wi-Fi networks.  Experts are predicting that identity thieves will use any number of spoofing devices, like the Pineapple (which is a small hand-held device that identifies unsecured Wi-Fi networks) attached to drones to steal personal information from unsuspecting people using unsecured public Wi-Fi networks.

With these predictions ahead, it is critically important that everyone remain vigilant and implement best practices for data security.  (See “The Department of Homeland Security Reminds Us of the Importance of Cybersecurity,” “Some Cyber-Musts For Maximizing Security,” and “What is New York’s Data Breach Notification Statute? And Does it Impact Me?”).  If nothing else, consider three small steps: (1) make sure to use passwords – good, long, strong, different passwords.  And, change them often; (2) set up dual factor authentication on all of your accounts – credit card, banking, email, etc.; and (3) treat yourself to identity theft protection.  For the minimal annual expense associated with identity monitoring services, the protection will bring great peace of mind.

* See Experian’s “2020 Data Breach Industry Forecast.”

**The report also warns that cyber criminals will continue to target children for identity theft.  So, be careful when oversharing about your offspring on social media platforms.  You don’t want to unwittingly expose your children.  And, have the conversation with your children who are users of email or smartphones to empower them to avoid becoming a victim.

Cybersecurity remains a real concern for businesses and individuals alike.  We are reminded of this by a recent Department of Homeland Security (“DHS”) warning wherein the DHS indicates there will likely be an increase in cyber threats due to heightened tensions with Iran.  In addition to advising that we should be prepared for increased phishing attacks, the DHS also recommended implementing cybersecurity best practices.  Previous blogs, “Some Cyber-Musts For Maximizing Security” and “What is New York’s Data Breach Notification Statute? And Does it Impact Me?”, remind you of what these best practices are.  As always, do not hesitate to contact me with questions.

Yikes!  No practitioner wants to be on the receiving end of a decision that starts with the title of this post.  And yet, that’s precisely how Magistrate Judge Bloom started her decision in Abbott Laboratories v. Adelphia Supply USA (15 cv 5826 [CBA] [LB]), ECF No. 1545.  Abbott serves as an important reminder to practitioners that we need to be competent in matters of electronic discovery, or partner with someone steeped in the area of ESI.

Factual Background

In October 2015, Plaintiffs filed an action against hundreds of defendants alleging trademark diversion predicated upon improper sales in the United States of Abbott’s international diabetes test strips (“Abbott I”).  At a discovery conference the Magistrate Judge ordered all defendants to “review all formal and informal communications regarding defendants’ purchases and sales of [the international test strips] in 2014, including emails, text messages, purchase orders…” (ECF No. 925).

Soon thereafter, counsel for defendant H&H claimed that the production of documents beyond one year would be unduly burdensome in light of the fact that the 2014 responsive documents alone totaled 6,000.  And so, the Court directed H&H to produce only the 2014 documents, due to the high volume of responsive documents they identified (ECF No. 963).  H&H produced 314 emails and a separate collection of invoices.  Plaintiffs objected to this production because H&H had responded by printing the documents “in hard copy, scanning them all together, and producing them as a single, 1941-page PDF file.” (ECF No. 1075).  The Court then ordered H&H to produce “an electronic copy of the 2014 emails (1941 pages), including metadata” (ECF No. 1080).  In response, H&H produced 4,074 pages of responsive documents.  Note that the page count of what H&H initially produced (and was ordered to produce electronically) did not match the re-production.

In May 2017, plaintiffs commenced a counterfeiting action against the H&H defendants, alleging they were selling the international test strips repackaged into counterfeit U.S. packages (Abbott Laboratories v H&H Wholesale Services, Inc., No. 17-cv-3095) (“Abbott II”).   In Abbott II, the Court entered a seizure order authorizing Abbott to seize, among other things, a copy of H&H’s email server.  Armed with the server, plaintiff raised again concerns that defendants failed to comply with the Court’s discovery orders in Abbott I.  And so, the Court directed the H&H defendants in Abbott I to re-run the document searches outlined in the Court’s various discovery orders, produce the resulting documents, and provide the affidavit of someone with knowledge to detail the technical errors that purportedly affected the prior productions (ECF No. 1156).   In response, H&H re-ran the searches and this time produced 3,569 responsive documents.

Sanction Motion

Plaintiffs moved, pursuant to FRCP Rule 37, requesting the Court strike the H&H defendants’ pleading, enter a default judgment against them, and for an order directing defendants to pay plaintiffs’ attorney’s fees for investigating and litigating the discovery fraud defendants perpetrated against the Court.

In reaching her decision, Magistrate Judge Bloom noted that “[w]hile sanctions under Rule 37 would be proper [to the extent defendants failed to comply with two discovery orders], defendants’ misconduct herein is more egregious and goes well beyond defendants’ failure to comply with the Court’s January 2017 discovery orders.”  The Court then detailed that a fraud upon the Court occurs when it has been established by clear and convincing evidence that “a party has set in motion some unconscionable scheme calculated to interfere with the judicial system’s ability impartially to adjudicate a matter” and occurs “when a party lies to the court and his adversary intentionally, repeatedly, and about issues that are central to the truth-finding process.”

Here, in reaching its ultimate conclusion, the Court observed the following:

  • The H&H defendants initially represented to the Court that for the year 2014 there were 6,000 responsive documents.
  • The H&H defendants then clarified that it was 6,000 pages, not documents.
  • Given the large volume, the Court modified its order to only documents from 2014.
  • H&H then produced 314 documents, totaling 2,034 pages.
  • After the seizure of H&H’s server, and the re-run of search terms by H&H’s vendor Transperfect, the H&H defendants produced 3,569 documents.
  • The outside vendor included a declaration stating that H&H used an email archive system that had two different accounts – Administrator and Auditor – and the original search was run using only the Auditor account.
      • When Transperfect replicated the search using the Administrator account, it returned 1,737 emails; and
      • When Transperfect replicated the search using the Auditor account, it returned 1,540 emails.
      • And so, 197 emails were not “viewable” when the original search was performed.

However, as the Court noted, even when you include the 197 emails, defendants’ math did not add up.  And the H&H defendants’ explanation that the differentials were the result of de-duplicating and threading did not hold water.  Rather, the Court noted that the H&H defendants “proffered serial representations to the Court, many of which have been proven false.”  The Court also noted that the defendants materially misrepresented the number of responsive documents/pages to the Court, which facilitated their objective – the Court’s modification and limitation of the search for responsive materials.  The Court further observed that defendants cannot escape blame by pointing fingers at prior counsel.*

This was just the tip of the iceberg regarding defendant H&H’s discovery misconduct.  As the investigation continued, it became apparent that H&H withheld every responsive email that referenced Howard Goldman, the owner and president of H&H, and all documents that concerned or referenced his wife, Lori Goldman.  Although Mr. and Mrs. Goldman claimed in declarations that Mrs. Goldman had no involvement in, and did not direct or control, any business activities of H&H, but was instead a housewife who dropped in and out of the office, the re-run searches demonstrated otherwise.  Indeed, 16 documents showed Mrs. Goldman interfacing with suppliers and forwarding to her husband offers from suppliers about the test strips.  The Court found there was no credible explanation for why these documents were not produced except that they were willfully withheld.**

Based on the full record of the case, the Court found there was clear and convincing evidence that the H&H defendants perpetrated a fraud upon the Court, with the harshest sanction being warranted.  And so, the Court granted plaintiffs’ motion for sanctions and entered a default judgment against the H&H defendants.

Conclusion

While this case is an egregious example of discovery misconduct that goes beyond ESI incompetence, it serves as an important reminder that electronic discovery is a reality of today’s litigations.  And that we, as counsel, must be competent and conversant in the intricacies of searching for, and producing, responsive ESI.

* The Opinion also discusses the search terms the H&H defendants used, which were inadequate and “designed to fail.”  For example, they used only “International FreeStyle” rather than “FSL,” the abbreviation the company used to refer to the FreeStyle strips.  Nor can it be overlooked that the H&H defendants employed more than three different, successive law firms throughout the lawsuit.

** The court observed, “Defendants’ explanations that there were no documents withheld, then that any documents that weren’t produced were due to technical glitches, then that the documents didn’t appear in [the] original search, then that if documents were intentionally removed, they were removed per [prior counsel’s] instruction cannot all be true.  The H&H defendants have always had one or more excuses up their sleeve in this ‘series of episodes of nonfeasance,’” which amounts to “deliberate tactical intransigence.”

Data destruction is the process of removing information in a way that renders it unreadable (paper) or irretrievable (digital data).  And, while it is critically important for companies to manage data in a way that is effective, defensible, and efficient, people and companies are often hesitant to dispose of data.  The causes of the hesitance are varied: why get rid of our beloved data when storage space is inexpensive and retention is easy; how do I determine which data no longer has business value; how do I analyze which data is subject to regulatory obligations or litigation holds in place; who has the time/money to assess these questions.  And yet, with data breaches on the rise (See “Some Cyber-Musts For Maximizing Security”), the SHIELD Act soon to be in effect (See “What is New York’s Data Breach Notification Statute? And Does it Impact Me?”), and the cost of e-discovery in litigation substantial, it is important (and seemingly required by SHIELD) for companies to implement a data disposal policy and practice.

The benefits of having a consistent data destruction policy cannot be overstated. A proper destruction policy will minimize the chances of having to preserve, collect and review inordinately large volumes of data.*  In turn, less data to preserve, collect, and review means less expense.  Additionally, many of the new data privacy laws require destruction.  For example, the SHIELD Act requires the implementation of reasonable safeguards to protect the private information of New York residents.  Among the safeguards defined in the Act is a procedure to dispose of private information within a “reasonable amount of time” after it is no longer needed for business purposes.  And so it appears that a data destruction policy for companies obligated to comply with SHIELD may be required.  And having less data retained means less data is potentially compromised in the event of a breach.

Although every company should consider implementing a destruction policy, whether your company is obligated to take certain steps in destroying that data depends on the regulations that apply to your company. For example, depending on the industry in which you operate, you may have to look to HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, the Fair and Accurate Credit Transactions Act, or the Department of Financial Services for guidance.**

* Often the volume of data subject to a litigation hold (and thus potentially collected, reviewed and produced) is substantial.  Many companies have the proverbial packrat – the employee who has not deleted an email since s/he first started working at the company.  In today’s e-centric world, it is not uncommon for tens of thousands of emails to be involved in a small litigation even where the entity has a documented destruction policy; imagine the volume when individuals or companies do not have, or do not follow, a data destruction policy.

** These laws, among other things, dictate the period of time for which you need to retain data.

In my search for ESI-centric information that would pique my readers’ interest, I came across an interesting article/blog about digital privacy written by Thorin Klosowski, in which he details seven (i.e., one per day) simple ways to secure your digital life.*  Because I found the plan easy to implement and steeped in wisdom, I decided to share Klosowski’s recommendations.  While today’s blog summarizes those ideas, I have provided below a link to Klosowski’s article because, when you sign up to read the full article, you will receive a daily email (one per day for seven days) with easy-to-follow instructions on how to implement each of the below seven suggestions.  There is no time like the present to implement these steps and secure your digital life.

  1. Install a Password Manager.  A password manager is software that generates and then securely stores strong passwords for the websites you use.  So, for example, the manager will allow you to create and store Gx4$!kcF but not icecream!  Additionally, when you use a password manager, you will be notified to change a password if a website you access is compromised.  There are plenty of managers to choose from – some are free, others charge a fee – but it is important to find one that works on smartphones and in all major browsers.  If you opt not to do anything else, Klosowski recommends you install a password manager.  It is a simple way to have a significant impact on your e-security.
  2. Check Your Phone’s Privacy Settings. Smartphone applications often run in the background of your phone.  In doing so, they gather private data about you.  For example, they collect your location, your contact lists, your browsing history.  You can easily audit these permissions so that certain applications do not gain access to data that you prefer they not have access to (e.g., why does OpenTable or Words with Friends need access to your location?).
  3. Protect Your Browsing.  Companies can track everything we do on the internet.  Seriously.  They can (and do) track the advertisements we see, our physical location, our browsing habits, the buttons we click, etc.  All of this data gets collected for the purpose of targeted advertisement campaigns.  Ever wonder why, after perusing the internet for a certain pair of sneakers, advertisements for that very sneaker appear in your Instagram and Facebook accounts?  The good news is there are various steps we can take to minimize companies’ ability to track us, without compromising our ability to use the internet.  And all that is required is downloading browser extensions to your computer or phone.
  4. Protect Your Laptop.  You’ve lost your laptop!  Panic may set in because of the voluminous personal information on the laptop that will be available to whoever finds it.  Now what?  In an effort to prevent such a nightmare, Klosowski recommends we all encrypt our hard drives.  It is incredibly simple and can save you hours of worry and headache.  Encryption ensures that no one can access the laptop without a password.  And, at the same time, nothing about the daily use of your laptop will change.  Windows laptops and MacBooks can both be encrypted relatively easily.  Critically important, however, is to keep the encryption password somewhere safe.  Because while encrypting a laptop keeps a bad actor out, you can also lock yourself out.
  5. Anti-Virus Software is Key.  Antivirus software, while sometimes criticized as clunky and disruptive, is highly advisable.  For example, if you share your computer with others, download software, or visit websites that may not be secure, the recommendation is to install and maintain antivirus software on your computer.  And, if you are super-conscientious, consider additional protection (the recommendation is Malwarebytes), which performs real-time scans of downloads and works in the background for additional protection.
  6. Stay Current.  Enabling automatic updates on a computer, smartphone and any other “smart” device ensures the device is current with security updates.  While some people ignore updates because the update can cause temporary issues (e.g., my internet got slower) the security improvements are really important.
  7. Double Down.  Set up dual-factor authentication for any accounts that are important.  What dual-factor authentication means is that any account requires two separate data entries: a password and a special one-time code that is typically sent by text messages to your phone.  Once set up, it becomes significantly more difficult for anyone to access your account because even if they learn/hack/guess your password, they cannot receive the special one-time numerical code unless they also have physical access to your phone.  There are many dual-authentication apps available to choose from.  And, despite claims that dual-authentication delays access to important accounts, it is really a seamless and secure process that should be implemented.

* Secure Your Digital Life in 7 (Easy) Days

As mentioned in my last blog post, there are data breach notification laws on the books in 48 states, including New York.  On July 25, Governor Cuomo signed into law Senate Bill 5575, the “Stop Hacks and Improve Electronic Data Security Act” (the SHIELD Act), which had passed the Legislature on June 17, 2019.

The SHIELD Act amends New York’s data breach notification statute, General Business Law §899-aa, to update its definitions.*  The Act also creates a new §899-bb, requiring substantive data security controls by any person or business that owns or licenses computerized data, including the defined “private information” of a New York resident.** In doing this, New York has brought itself into line with a number of states concerning how they define a data breach, and, where applicable, what substantive security controls they require. The SHIELD Act’s jurisdictional reach is expansive – if you own or license computerized private information concerning New York residents, you fall within the statute’s requirements.

When is a Company/Individual Compliant with SHIELD?

The SHIELD Act requires employers in possession of New York residents’ private information to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”  “Private information” is robustly defined to include, among other things, a driver’s license number, credit or debit card number, financial account number, biometric information, and username or e-mail address with a password that permits access to an online account.  Because “private information” includes an individual’s name and their social security number, every employer with employees in New York must comply with the SHIELD Act.

While the SHIELD Act does not mandate specific safeguards, it does provide that a business will “be deemed to be in compliance with” the SHIELD Act if it implements a “data security program” that includes certain administrative and technical safeguards enumerated in the SHIELD Act.  Those elements include, for example:

  • Designating an employee or employees to coordinate a data security program.
  • Training all employees of the business in the data security program’s practices and procedures.
  • Assessing internal and external risks and implementing procedures to reduce those risks.
  • Vetting vendors and service providers to ensure they, too, safeguard private information.
  • Properly and securely disposing of private information after it is no longer needed for business purposes.

A person or business can also demonstrate compliance with SHIELD by being a “compliant regulated entity” (i.e., it is in compliance with other regulatory schemes requiring information security, such as the Health Insurance Portability and Accountability Act Security Rule, or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies).

When Does a Company/Individual Have to Provide a Breach Notification to a New York Resident?

In addition to requiring reasonable safeguards to protect the private information of New York residents, the SHIELD Act also amends New York’s existing security breach notification law to broaden notification obligations.  As mentioned above, “private information” is robustly defined in the SHIELD Act. And, if private information is compromised, it could trigger notification obligations.   For example, the inclusion of biometric information as “private” means that employers who rely upon biometric time clocks to record employee time will have a disclosure obligation if that information is compromised.

The SHIELD Act also expands the definition of “breach,” to include unauthorized access, rather than unauthorized acquisition.

The SHIELD Act adds an important carve-out from the breach notification requirement for inadvertent disclosures of private information that are not likely to result in misuse of information. To benefit from this exception, the employer must:

  • Document its determination that the inadvertent disclosure is not likely to result in misuse.
  • Maintain that documentation for five years.

Moreover, if the incident were to involve the private information of more than 500 New York residents, the employer would be required to submit the documentation to the state’s attorney general within ten days of that determination.

While the SHIELD Act does not permit a private right of action, enforcement by the state’s attorney general is provided for. The SHIELD Act also doubles the penalty recoverable by the attorney general per failed notification, and increases the maximum penalty from $100,000 to $250,000.

Although what exactly the SHIELD Act means for individuals and businesses remains to be seen as enforcement actions are initiated and consent decrees and judicial interpretations are provided, I suspect many residents welcome the SHIELD Act, given that New York’s reporting obligations have lagged somewhat behind other states.

* The breach notification amendments take effect on October 23, 2019.

** The data security safeguard implementation takes effect on March 21, 2020.

Although there are data breach notification laws on the books in 48 States that require companies to inform consumers about potential breaches, companies are loath to make such disclosures.  In fact, a data breach disclosure opens the door to litigation, invites scrutiny from investors and the consuming public, and hardly bodes well for a company’s reputation.  But the harsh reality is that data breaches happen, happen often, and will likely happen with greater frequency as businesses and individuals become more digital.  Consider the below statistics:

  • In 2018, the total cost of cybercrime was estimated to be $600 billion, with more than 143 million US customers impacted (that does not take into account consumers outside of the United States).*
  • In 2018, $7.9 million was the average cost to a company to respond to a data breach.**
  • One in five small and medium businesses are targeted in cyber-attacks.
  • The average number of days that an “attacker” stays undetected in a network is 146.
  • The Federal Bureau of Investigations stated that losses caused by BEC scams doubled in 2018 and reached $1.3 billion, based on victim reports received by the agency’s Internet Crime Complaint Center.

When it comes to calculating the costs of a cyber-attack, there are many considerations you must take into account: the cost of any ransom you may be expected to pay, the cost of any data that may be lost, sustained system outages, downtime, non-compliance fines, legal fees – not to mention potential lawsuits.  And, if the above figures aren’t alarming enough, it was reported recently that business email compromise (BEC) has surpassed data breaches as the leading reason companies file a cyber insurance claim: in 2018, 23% of all cyber insurance claims received by insurance giant AIG were BEC-related.  See https://www.zdnet.com/article/bec-overtakes-ransomware-and-data-breaches-in-cyber-insurance-claims/

According to various secondary sources, the rise in BEC-related cyber insurance claims is directly attributable to the weak security controls the victim companies had in place.  But what is a company to do?  Below are some suggestions to consider to protect your email system and your overall security posture.

  • Obtain a Cyber Liability Insurance Policy (which often includes access to an array of experts should an attack occur).
  • Educate your staff – train everyone on email-based attacks, phishing awareness, and look-alike or suspect sender domains.  And, after training, deploy simulated phishing tests to assess risk.  Employees who lack the knowledge or training to avoid cyber threats are in a position to unwittingly put your company at risk by something as simple as clicking on the link in one phishing email.
  • Require strong passwords.  Note that current NIST guidance (SP 800-63B) favors long passphrases, screening against lists of known-compromised passwords, and changing passwords when compromise is suspected, over mandatory composition rules and scheduled rotation.
  • Require all employees to use a different password for each online account they maintain or access (e.g., work email login vs. personal email login vs. credit card login vs. online banking login vs. Amazon login); a password manager makes this practical.
  • Implement advanced endpoint protection (i.e., tools that protect endpoints against both known and unknown threats).
  • Discourage use of public Wi-Fi, and require a VPN where it cannot be avoided.
  • Encrypt and password protect thumb drives and other external media.
  • Implement a robust firewall that allows for site blocking and web filtering.
  • Devise an Internet usage policy.
  • Devise a computer use policy.
  • Consider email encryption where the email contains confidential information (protected health information, payment card data, Social Security numbers, dates of birth, phone numbers, email addresses, confirmation numbers, travel reward numbers – hackers want it all).
  • Require multi-factor authentication for remote access and for website logins, email above all, since a compromised mailbox is the starting point of most BEC schemes.
  • Perform regular backups (e.g., hourly backups of data during business hours, and at least daily backups).
  • Ensure that at least one copy of the backup is kept offline or otherwise isolated from your network, so that it cannot be encrypted or deleted in the event the system is compromised.
  • Commission network penetration testing.
  • Implement patches as soon as they are available, and be sure to keep software and operating systems up to date.
  • Install a program that can remotely lock and/or wipe a lost device.
  • Create an incident response plan detailing the steps to follow in the event of a compromise (i.e., who to call, what to do, what to implement).
  • Perform due diligence on all third parties and vendors with whom you work.

The above suggestions are hardly exhaustive but are worth considering and implementing to create multi-layered protection for your small or medium-sized business.
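The training item above asks staff to spot suspect sender domains, but the same checks can be automated at the mail gateway.  The following is an added example written for this post, not code from the original article or from any vendor: it flags the three most common BEC tells in a message header and body, a sender domain that is within a small edit distance of one of your own domains, a Reply-To that points somewhere other than the From domain, and payment-related urgency language.  The trusted domain list, the keyword list and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed list of domains this organisation actually sends from (not real domains).
TRUSTED_DOMAINS = {"acme-corp.example", "acme-corp-payments.example"}

# Constructed list of phrases that commonly appear in BEC lures.
LURE_PATTERN = re.compile(
    r"\b(wire transfer|wire|bank details|gift cards?|urgent(ly)?)\b", re.IGNORECASE
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted: set, max_distance: int = 2):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    closest = min(trusted, key=lambda t: levenshtein(domain, t))
    return closest if levenshtein(domain, closest) <= max_distance else None


def _domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def _body_text(msg) -> str:
    """Collect the text/plain parts of a message, decoding transfer encodings."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def bec_indicators(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain_of(from_addr)
    findings = []

    imitated = lookalike_domain(from_domain, TRUSTED_DOMAINS)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted domain {imitated}")

    if reply_to and _domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain_of(reply_to)} differs from From domain {from_domain}")

    if LURE_PATTERN.search(_body_text(msg)):
        findings.append("body contains payment or urgency language typical of BEC lures")

    return findings


# Constructed sample messages (not real correspondence).
SAMPLE_BEC = """From: "Jane Doe (CFO)" <jane.doe@acrne-corp.example>
Reply-To: jane.doe.cfo@freemail.example
To: accounts@acme-corp.example
Subject: Urgent
Content-Type: text/plain; charset="utf-8"

Please process a wire transfer of $48,000 to the new vendor account today.
I am in meetings all day, reply to this address only.
"""

SAMPLE_OK = """From: "Jane Doe" <jane.doe@acme-corp.example>
To: accounts@acme-corp.example
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_BEC), ("benign", SAMPLE_OK)):
        print(label, bec_indicators(sample))
```

The edit-distance check is deliberately narrow (two edits at most) so that unrelated domains are not flagged; it catches swaps such as “rn” for “m” and dropped or doubled letters, which is how most look-alike domains are built.  A production filter would add DMARC alignment and a check of the display name against a list of executives, but those depend on your own mail infrastructure.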

* See new report

** https://www.forbes.com/sites/niallmccarthy/2018/07/13/the-average-cost-of-a-data-breach-is-highest-in-the-u-s-infographic/#362e43152f37

For a particularly interesting article about cybersecurity and cyberwar consider reading, Warzel, Charlie, “The Privacy Project.” The New York Times, 10 Sept. 2019.

Have questions?  Please contact me at kcole@farrellfritz.com.

Technology has revolutionized, among other things, the way people conduct business, store information and communicate with others.  And, despite the many efficiencies and benefits of technology, a downside of this “revolution” is the creation of countless files that may later be subject to review and potential production during litigation or investigation proceedings.  Indeed, even relatively small cases routinely involve the collection of tens or hundreds of thousands of documents and files.  This in turn makes for a costly, and potentially complicated, discovery process.  And so, it is critically important to identify, early in the litigation life-cycle, defensible ways to cull this data and isolate relevant material without sacrificing accuracy.

Although many attorneys have different approaches to electronic discovery, I believe certain steps should be taken in every litigation involving ESI (which, let’s face it, is every litigation in today’s E-age).  In my opinion, among the most effective tools for reducing e-data are early case assessment efforts to analyze the data collected.  More specifically, after the data collection is complete, one should review a file extension report with an eye toward eliminating file types that are not relevant (system files, executables, media files and the like).  Another report that can provide actionable insight for counsel is a search term report.  Indeed, this report can illustrate which search “hits” are likely to yield documents responsive to the litigation/investigation and which terms are more likely “misses.”  Revising search terms (often multiple times) based upon this report is highly recommended and a sound way to cull data.

Another step that should be implemented to minimize the data universe is deduplication (either within or across custodians).  What this means is that identical duplicates of documents (or near duplicates, should you opt for same) will be eliminated from the data set.  If you opt to deduplicate within a custodian, then any identical duplicate in an individual’s data will be eliminated and only one copy of the document will be available for review and production.  If you opt to deduplicate across custodians, then, for example, only one copy of an email that appeared in three different custodians’ mailboxes will be available for review and production.  However, in the latter situation, the metadata will disclose that the document also existed in the other two custodians’ mailboxes.
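The two culling steps just described, a file extension report followed by hash-based deduplication that still records every custodian who held a copy, can be shown in a few lines.  The following is an added example written for this post, not code from the original article or from any review platform; the collection of custodian, path and file content is constructed for illustration, and the SHA-256 of the raw bytes stands in for the normalized hash a vendor would compute.

```python
import hashlib
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample collection: (custodian, path within that custodian's data, file bytes).
# The same Q3 budget email sits in three mailboxes, and alice kept two copies of a spreadsheet.
COLLECTION = [
    ("alice", "inbox/budget.eml", b"From: bob\nSubject: Q3 budget\n\nDraft attached."),
    ("bob", "sent/budget.eml", b"From: bob\nSubject: Q3 budget\n\nDraft attached."),
    ("carol", "inbox/budget.eml", b"From: bob\nSubject: Q3 budget\n\nDraft attached."),
    ("alice", "docs/budget.xlsx", b"PK\x03\x04 spreadsheet bytes"),
    ("alice", "docs/budget copy.xlsx", b"PK\x03\x04 spreadsheet bytes"),
    ("bob", "desktop/installer.exe", b"MZ binary"),
    ("carol", "music/song.mp3", b"ID3 audio"),
]


def _extension(path: str) -> str:
    return PurePosixPath(path).suffix.lower() or "(none)"


def file_extension_report(collection) -> Counter:
    """Count files by extension; this is the report counsel reviews before culling."""
    return Counter(_extension(path) for _, path, _ in collection)


def cull_extensions(collection, exclude: set) -> list:
    """Drop every file whose extension is on the exclusion list."""
    return [item for item in collection if _extension(item[1]) not in exclude]


def dedupe(collection, across_custodians: bool = True) -> list:
    """Keep one record per unique content hash.

    With across_custodians=True the hash alone is the key, so one copy survives for
    the whole matter and the record lists every custodian who held it.  With
    across_custodians=False the key is (custodian, hash), so duplicates are only
    removed inside each individual's data.
    """
    seen = {}
    kept = []
    for custodian, path, content in collection:
        digest = hashlib.sha256(content).hexdigest()
        key = digest if across_custodians else (custodian, digest)
        if key in seen:
            record = seen[key]
            record["custodians"].add(custodian)          # metadata: who else had it
            record["duplicate_paths"].append(f"{custodian}:{path}")
            continue
        record = {
            "custodian": custodian,       # custodian whose copy is reviewed/produced
            "path": path,
            "sha256": digest,
            "custodians": {custodian},
            "duplicate_paths": [],
        }
        seen[key] = record
        kept.append(record)
    return kept


if __name__ == "__main__":
    print("extension report:", dict(file_extension_report(COLLECTION)))
    reviewable = cull_extensions(COLLECTION, {".exe", ".mp3"})
    for label, across in (("across custodians", True), ("within custodian", False)):
        records = dedupe(reviewable, across_custodians=across)
        print(f"{label}: {len(records)} documents to review")
        for r in records:
            print("  ", r["custodian"], r["path"], "held by", sorted(r["custodians"]))
```

Two caveats for real collections.  First, the same email stored in two mailboxes rarely has identical raw bytes (different envelope headers, different transport encodings), so review platforms hash a normalized set of fields (sender, recipients, subject, body, attachment hashes) rather than the file itself; the structure above is unchanged, only the hash input differs.  Second, the deduplication scope should be agreed with opposing counsel and recorded, because across-custodian deduplication changes which custodian’s copy is produced.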

A final tool to implement in any review is email threading.  Threading allows only the most inclusive versions of email documents to be included in the review, thereby reducing the attorney hours required to review documents.  For example, in a chain of ten emails, the attorney will review only the most inclusive email (the one that contains all nine earlier messages as quoted text), rather than each of the ten emails leading up to it.

There are ample other opportunities to introduce additional efficiencies into the review (clustering, bulk-coding, etc., to name a few), but it is advisable to work with an attorney or vendor to develop a defensible methodology and workflow to achieve the most efficient and effective discovery outcome for the client.

Have questions?  Please contact me at kcole@farrellfritz.com.