Give up?  Each recently made headlines in connection with ransomware — a form of malware that encrypts a victim’s electronic files.  The attacker then demands a ransom – typically payable in bitcoin – from the victim to restore access to the data upon payment.*

In fact, in the span of one week, the Texas Office of Court Administration announced that the online Court network had fallen victim to ransomware, which caused the Court website and case management system to be disabled temporarily,** and a prominent New York law firm, Grubman Shire Meiselas & Sacks, was also the victim of a ransomware attack.  The cybercriminals who attacked Grubman Shire claim they stole highly confidential information of the firm’s high-profile clients; they also threatened to release that information unless paid $42 million in ransom.***

These cyberattacks come at an inopportune time, as courts and law firms have become increasingly reliant on virtual and electronic means of conducting business during the current pandemic.  Although no evidence suggests these attacks were the result of the recent increase in a remote work environment, the attacks serve as a good reminder that we all must remain vigilant and implement as many defensive steps as possible to prevent ransomware infection.

Below are some helpful ways to protect yourself and your employer from cyberattacks:

  • Keep your operating system patched and up to date so that attackers have fewer vulnerabilities to exploit.
  • Exercise caution when opening emails, even if you believe they are from a known source.  And, if you receive an email that seems unusual or is from an unfamiliar sender, consider deleting it, or reporting it to your information technology department.  Under no circumstances should you click any links or open any attachments in the email.
  • Install antivirus software, which detects malicious programs like ransomware, and whitelisting software, which prevents unauthorized applications from executing.
  • And, back up your files frequently!  While this will not prevent a malware attack, it can minimize the damage that results from an attack.

In addition to the tips above, prior posts provide more detailed information:

*There are a number of ways in which ransomware can access a computer.  One of the more common delivery systems is phishing spam – an email or attachment that masquerades as a file the email recipient should trust.

**See https://www.washingtonpost.com/national/texas-high-courts-hit-by-ransomware-attack-refuse-to-pay/2020/05/12/f4d35fa4-948f-11ea-87a3-22d324235636_story.html.

***The firm, which specializes in entertainment and media law, represents many high profile celebrities, including Lady Gaga, Madonna, and LeBron James.

As we continue to conduct business virtually, non-traditional means of document execution are becoming increasingly popular. It is critical, however, to understand the laws and requirements associated with these non-traditional means so that a document that is electronically signed or remotely notarized enjoys the same legal validity and effect as if signed or attested to in person.

In New York, electronic signature laws have long been in place.  The current realities of remote business, however, have required more frequent electronic execution of documents.  Because electronic execution requirements vary among states and differ from their federal counterpart, it is important to consult the laws of the jurisdictions that may govern the document, especially when the parties sign the same document in different jurisdictions.

The operative law in New York is the Electronic Signatures and Records Act (“ESRA”), which permits electronic signatures on various legal documents, with limited exceptions.  The federal counterpart to ESRA is the Electronic Signature in Global and National Commerce Act (ESIGN).   Generally speaking, provided that the signer(s) demonstrate a proper intent and no other defect exists, the electronic signature gives the document the same legal validity and effect as if it were signed by hand.

Less common among states are laws allowing for the remote and electronic notarization of documents.*  Prior to the COVID-19 pandemic, only a handful of states permitted remote notarization of documents.  Many states, including New York, required the signer and notary to be physically present together when the document was signed, as well as the notary’s hand-written signature on the document.  This changed when New York Governor Andrew Cuomo issued Executive Order Number 202.7 (“E.O. 202.7”).  Recently extended through June 6, 2020, E.O. 202.7 temporarily permits the remote notarization of documents subject to various conditions set forth therein.  For example, the virtual meeting must allow for direct interaction between the signer and the notary, the signer must be physically present within the State of New York, and the notary must notarize the original signed document within thirty days of its execution.  Notably, E.O. 202.7 does not permit a notary to electronically sign a document (see Footnote *).  Rather, after the signatory transmits an electronic copy of the executed document to the notary, the notary must sign that copy by hand and transmit a notarized copy back to the signatory.  Like the laws governing electronic signatures, the temporary measures allowing for remote notarization also vary by state.  And so, it is critical to understand the laws of your jurisdiction before remotely notarizing a document.

As we move forward into reopening and the new realities attendant thereto, it will be important to remain aware of the laws associated with these remote/electronic methods, including whether E.O. 202.7 is further extended.

*Do not confuse remote notarization with electronic notarization.  Remote notarization involves notarizing a document when the signatory and notary are not physically present in the same location.  Electronic notarization is the use of a notary’s electronic, rather than hand-written, signature on the document.

A recent federal district court decision, Lawson et al. v Love’s Travel Stops & Country Stores, Inc., US Dist Ct, MD Pa, 1:17-CV-1266, Carlson, J., 2019, reminds litigants of the need to tailor discovery requests for electronically stored information (“ESI”).

Before the Court was plaintiffs’ motion to compel defendants’ production of “all” text messages on approximately 100 company-owned cell phones.  The underlying discovery demand, “not bound or defined by any considerations of factual relevance to the issues in this litigation” (Lawson at *1), was deemed not relevant and overly broad.  And so, the motion was denied by the Court.

In reaching its conclusion the Court referenced the scope of discovery under the Federal Rules, observing that discovery is limited to that which “is relevant to any party’s claim or defense and proportional to the needs of the case” (Fed Rules Civ Pro rule 26 [b] [1]).  Relying upon this standard the Court noted that “no party would be entitled to all text messages contained on an opposing party’s cellphones, [but only to] those messages that were relevant to the issues in th[e] litigation” (Lawson at *1).  The Court further noted that the “element of pervasiveness that characterizes cell phones,” coupled with the fact that many people maintain “the most personal and intimate facts of their lives … in their personal electronic devices” (id. at *2, quoting Riley v California, 573 US 373, 395 [2014]), makes compliance with plaintiff’s demand, as written, significantly burdensome for defendant and steeped in issues that implicate privacy concerns.

Ultimately, the Court declined to order disclosure.  The Court, however, noted that “a more narrowly tailored request, supported by a more specific showing of relevance, might be appropriate” (id. at *5).

While this case serves as a reminder to all litigants that discovery demands must be specifically tailored, a few helpful tips for avoiding a dispute similar to the one in Lawson include:

  • Know the Facts – Once you appreciate fully the facts and issues relevant to your lawsuit, it will be easier to craft discovery demands that seek information that is relevant.
  • Tailor Your Demands – The goal is to draft Demands that encompass all information relevant to the litigation, while avoiding overbreadth.
  • Be Prepared to Justify Your Demands – Discovery disputes often involve the issue of relevance.  In the event of a dispute, be prepared to educate the Court as to why a specific demand is relevant and tailored.

 

With much of the American workforce (and educational systems) working remotely, reliance upon videoconferencing software for workplace and educational collaboration has increased significantly. One of the more widely embraced platforms during the pandemic is Zoom Video Communications, Inc. (“Zoom”). According to the New York Times, around 600,000 people downloaded the Zoom application on March 15, 2020. And, if you have used Zoom, you’re probably not surprised by its growth because Zoom is, after all, user-friendly, effective and convenient, and makes it easy to share documents and screens among many participants for collaboration.

In a word, Zoom makes remote work and studies significantly less inconvenient. But, it is important to remember the convenience is not without risk.  Indeed, recent articles have detailed the myriad security issues posed by Zoom, including the undisclosed way in which Zoom shares user data with, for example, LinkedIn and Facebook; the company’s lack of support for end-to-end encryption; and a growing trend in which internet trolls jump onto public Zoom conferences and utilize the screen-sharing feature to project inappropriate, graphic content.*  According to security experts, there is an “automated Zoom meeting discover tool called ‘zWarDial’ ” that disrupters are using to find non-password protected Zoom meetings that could be “bombed.” This prompted the FBI to issue a warning to Zoom users.  In addition to the disruption caused by a “bomber,” once a Zoom meeting is infiltrated, any private, sensitive or confidential information may be at risk of compromise.

Because reliance on videoconferencing software is likely to continue for the foreseeable future, it is important for everyone hosting and participating in videoconference meetings to be cognizant of the risks and take necessary precautions including:**

  • Keep Your Meetings Private – Be sure that all business meetings are set as “private” and not “public” and do not post links to meetings on public forums or social media websites.
  • Set a Password – There is no good reason not to set a password to require participants to enter a meeting. Further, use a different password for every meeting. This is a simple and easy, yet effective, way to make your meetings more secure.
  • Manage Screen Sharing – The meeting host has the option to prevent participants from sharing their screens. If possible, consider this measure to prevent hackers from displaying inappropriate content.
  • Know Your Participants – If you notice that someone unfamiliar has joined the meeting, remove them. You can always allow them to rejoin later. Further, once you see that all invited participants have joined, lock the meeting. This prevents others from joining.
  • Be Cautious – While taking these precautions will decrease your vulnerability to hackers, be aware that hackers still may find their way into your private meetings. You should always be aware of this. To the extent possible, refrain from discussing highly confidential personal or business information that may put you, other employees, or your company at risk.

*Even before the current pandemic, Zoom was addressing security issues that allowed its users to be vulnerable to hackers. (See Forbes article from January 2020).

**Zoom has offered its own guidance with respect to these concerns, accessible here 

 

As the coronavirus (“COVID-19”) causes countless companies and employers to implement remote working environments, millions of Americans will be working from home.  It is, therefore, critically important to remain vigilant about cybersecurity best practices.

As observed in recent news alerts, cybersecurity threats, perpetrated by opportunistic cyber-criminals preying on a vulnerable virtual workforce, are on the rise.  In fact, hackers around the globe are latching on to news items and exploiting interest in the global epidemic to spread malicious activity. Consider, for example, that more than 4,000 coronavirus-related domains have been registered globally since January. These domains are 50% more likely to be malicious than other domains registered during that same time period.  See https://www.cybertalk.org/2020/03/06/coronavirus-themed-domains-50-more-likely-to-be-malicious-than-other-domains/

An additional malware campaign involved disseminating real-time, accurate information about global infection rates tied to the COVID-19 pandemic in a bid to infect computers with malicious software. In one scheme, the interactive dashboard of virus infections and deaths produced by Johns Hopkins University was used in malicious Web sites (and possibly spam emails) to spread password-stealing malware. See https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-malware/

And so, there is no time like the present to review the critical, minimal steps you can take to protect yourself from falling victim to a cyber-threat.

See these prior posts for a summary of those steps:

“The Department of Homeland Security Reminds us of the Importance of Cybersecurity,”

“Some Cyber-Musts For Maximizing Security,” and

“Seven Simple (Cyber) Security Suggestions for September”

Have you ever been involved in a meet and confer regarding electronically stored information and felt your adversary was speaking a foreign language?  Is active machine learning an unfamiliar concept to you?  Is BYOD an acronym for who-knows-what?

If you answered yes to any of the above, or if you lack fluency in the language of e-discovery and digital information management, allow me to introduce you to The Sedona Conference (TSC).  TSC is a nonprofit 501(c)(3) research and educational institute dedicated to the advanced study of law and policy in certain areas including complex litigation.  In 2002, TSC launched its Working Group Series, which was designed to address some of the most challenging issues faced by our legal system.  In this regard, TSC is an invaluable resource for litigators.  For all of the self-proclaimed luddites who practice litigation, there are a number of Working Groups that inform the ESI and cyber-landscape that I encourage you to familiarize yourself with including, for example, Group 1 (Electronic Document Retention and Production), Group 6 (International Electronic Information Management, Discovery and Disclosure), and Group 11 (Data Security and Privacy Liability).  However, if you do nothing else after reading this Blog, please download The Sedona Conference Glossary: eDiscovery & Digital Management, Fifth Edition, 21 SEDONA CONF. J. 263 (2020) (available at: https://thesedonaconference.org/publications).  This glossary, “published as a tool to assist in the understanding and discussion of electronic discovery and electronic information management issues,” is a comprehensive resource for empowering litigators to better understand current technologies and the language of e-discovery.

With the ever-evolving cyber threats, it is important that we understand our social media accounts and the way in which they make us vulnerable.

Social media (e.g., Facebook, Instagram, WhatsApp, Snapchat…) is free to members because the companies make money by selling targeted advertisements to their users.  Ever wonder why, after “liking” a particular pair of shoes, advertisements for those very shoes/shoe brand are littered through your account?  Users have been sharing for years their “likes” and “dislikes,” giving the various companies all the data they need to match an advertisement with individuals who may be interested in the particular content.  Our “likes” and “dislikes” are tracked as are the posts we “share,” the groups we belong to, location information about the photos we post, and the events we attend.  With all this data readily available to social media companies, it is no surprise they track it for purposes of matching users with advertisers.  After all, internet advertising revenue in the United States totaled more than $107 billion in 2018 and last year’s projection is even greater.

But, while targeted advertisements may be appreciated, the risk of having all of this data collected cannot be ignored.  For example, collected data can be easily stolen, as past data breaches, including that suffered by Facebook in December 2019, have shown.  The other, lesser appreciated issue is that bad actors are using online advertisements to effectuate identity theft.  In fact, experts indicate that 10% (1 in every 10) of all online advertisements are actually “malvertisements” – advertisements that serve to scam the user and/or spread malware.  Many of these scams are disguised as surveys from reputable companies (https://sidechannel.tempestsi.com/digital-adverstising-tools-are-being-used-to-disseminate-phishing-campaigns-eed3da31ac25).

The reality is that people will continue to use social media notwithstanding these risks.  But is there any way to use social media while protecting one’s self?  The answer is, yes.  Consider the following:

  • Opt out of online advertising by using resources from the Digital Advertising Alliance;
  • Routinely delete cookies from your browsers;
  • Delete social media accounts from your smartphone.  I know this may upset users, but the mobile apps collect even more data (and real time data) than the web-based versions;
  • Disable ad tracking on your computer and devices;
  • Beware of advertisements from companies you do not know and do not take online quizzes; and
  • Be aware of your privacy settings on these various social media accounts.

Regarding privacy settings, consider Facebook.  If you go to your Settings and click “Privacy Shortcuts” you will be able to set your Account Security, Ad Preferences and Privacy settings among other settings.  I encourage anyone reading this blog to take a few minutes and consult their settings on their various accounts to enhance their privacy and the potential security of their respective accounts.

As we become increasingly reliant upon our phones, we make ourselves more vulnerable to cyberattacks.  Indeed, Experian’s 2020 edition of its annual Data Breach Industry Forecast details five predictions for data breach trends, including three that are likely to impact the smartphone user.*

One of Experian’s predictions is that cyber criminals will move to “smishing” attacks.  What the heck is a smishing attack?  Think “phishing” meets SMS.  That’s right, text-based phishing attacks.  This is similar to email spoofing. The text message may appear to come from a legitimate source, such as your bank or a friend. It may request that you call a certain phone number or click on a link within the message, with the goal of getting you to divulge personal information. So, be cautious when opening a text.  These scams are intended to obtain your personal information by pretending to be a legitimate business, or some other innocent party.   If you get an inquiry seeking personal information, don’t provide it. Hang up, note the number (perhaps block the number) or log off.  Consider looking up the phone number or customer service email address from the entity purportedly contacting you for your personal information and filing a report with the FCC’s Consumer Complaint Center.**

Another prediction is that cyber criminals will leverage mobile point of sale systems at event venues and e-skim credentials.  Mobile payment options are popping up everywhere – think concert venues, sporting events, craft fairs.  E-Skimming involves the introduction of a skimming code to a vulnerable credit card processing webpage.  The malicious code is embedded and then captures credit card data as the end user enters it in real time.  The information, once captured, is sent to an internet-connected server where it is gathered and can be later used or sold.   In some ways, e-skimming is an easier attack because unlike credit card skimming, no physical skimming device has to be installed.

Experian also anticipates an uptick in risk attendant to using (by phone or computer) public Wi-Fi networks.  Experts are predicting that identity thieves will use any number of spoofing devices, like the Pineapple (which is a small hand-held device that identifies unsecured Wi-Fi networks) attached to drones to steal personal information from unsuspecting people using unsecured public Wi-Fi networks.

With these predictions ahead, it is critically important that everyone remain vigilant and implement best practices for data security.  (See “The Department of Homeland Security Reminds us of the Importance of Cybersecurity,” “Some Cyber-Musts For Maximizing Security,” and “What is New York’s Data Breach Notification Statute? And Does it Impact Me?”).  If nothing else, consider three small steps: (1) make sure to use passwords – good, long, strong, different passwords.  And, change them often; (2) set up dual factor authentication on all of your accounts – credit card, banking, email, etc.; and (3) treat yourself to identity theft protection.  For the minimal annual expense associated with identity monitoring services, the protection will bring great peace of mind.

* See Experian’s “2020 Data Breach Industry Forecast”

**The report also warns that cyber criminals will continue to target children for identity theft.  So, be careful when oversharing about your offspring on social media platforms.  You don’t want to unwittingly expose your children.  And, have the conversation with your children who are users of email or smartphones to empower them to avoid becoming a victim.

Cybersecurity remains a real concern for businesses and individuals alike.  We are reminded of this by a recent Department of Homeland Security (“DHS”) warning wherein the DHS indicates there will likely be an increase in cyber threats due to heightened tensions with Iran.  In addition to advising that we should be prepared for increased phishing attacks, the DHS also recommended implementing cybersecurity best practices.  Previous blog posts, “Some Cyber-Musts For Maximizing Security” and “What is New York’s Data Breach Notification Statute? And Does it Impact Me?,” remind you of what these best practices are.  As always, do not hesitate to contact me with questions.

Yikes!  No practitioner wants to be on the receiving end of a decision that starts with the title of this post.  And yet, that’s precisely how Magistrate Judge Bloom started her decision in Abbott Laboratories v. Adelphia Supply USA (15 cv 5826 [CBA] [LB]), ECF No. 1545.  Abbott serves as an important reminder to practitioners that we need to be competent in matters of electronic discovery, or partner with someone steeped in the area of ESI.

Factual Background

In October 2015, Plaintiffs filed an action against hundreds of defendants alleging trademark diversion predicated upon improper sales in the United States of Abbott’s international diabetes test strips (“Abbott I”).  At a discovery conference the Magistrate Judge ordered all defendants to “review all formal and informal communications regarding defendants’ purchases and sales of [the international test strips] in 2014, including emails, text messages, purchase orders…” (ECF No. 925).

Soon thereafter, counsel for defendant H&H claimed the production of documents beyond one year would be unduly burdensome in light of the fact that the 2014 responsive documents totaled 6,000.  And so, the Court directed H&H to produce only the 2014 documents due to the high volume of responsive documents they identified (ECF No. 963).  H&H produced 314 emails and a separate collection of invoices.   Plaintiffs objected to this production because the documents were printed “in hard copy, scanning them all together, and producing them as a single, 1941-page PDF file.” (ECF No. 1075).  The Court then ordered H&H to produce “an electronic copy of the 2014 emails (1941 pages), including metadata” (ECF No. 1080).  In response, H&H produced 4,074 pages of responsive documents.  Note, the page numbers of what they initially produced (and were ordered to produce electronically) did not marry up with the re-production.

In May 2017, plaintiffs commenced a counterfeiting action against the H&H defendants, alleging they were selling the international test strips repackaged into counterfeit U.S. packages (Abbott Laboratories v H&H Wholesale Services, Inc., No. 17-cv-3095) (“Abbott II”).  In Abbott II, the Court entered a seizure order authorizing Abbott to seize, among other things, a copy of H&H’s email server.  Armed with the server, plaintiffs again raised concerns that defendants failed to comply with the Court’s discovery orders in Abbott I.  And so, the Court directed the H&H defendants in Abbott I to re-run the document searches outlined in the Court’s various discovery orders, produce the resulting documents, and provide the affidavit of someone with knowledge to detail the technical errors that purportedly affected the prior productions (ECF No. 1156).  In response, H&H re-ran the searches and this time produced 3,569 responsive documents.

Sanction Motion

Plaintiffs moved, pursuant to FRCP Rule 37, requesting the Court strike the H&H defendants’ pleading, enter a default judgment against them, and for an order directing defendants to pay plaintiffs’ attorney’s fees for investigating and litigating the discovery fraud defendants perpetrated against the Court.

In reaching her decision, Magistrate Judge Bloom noted that “[w]hile sanctions under Rule 37 would be proper [to the extent defendants failed to comply with two discovery orders], defendants’ misconduct herein is more egregious and goes well beyond defendants’ failure to comply with the Court’s January 2017 discovery orders.”  The Court then detailed that a fraud upon the Court occurs when it has been established by clear and convincing evidence that “a party has set in motion some unconscionable scheme calculated to interfere with the judicial system’s ability impartially to adjudicate a matter” and occurs “when a party lies to the court and his adversary intentionally, repeatedly, and about issues that are central to the truth-finding process.”

Here, in reaching its ultimate conclusion, the Court observed the following:

  • The H&H defendants initially represented to the Court that for the year 2014 there were 6,000 responsive documents.
  • The H&H defendants then clarified that it was 6,000 pages, not documents.
  • Given the large volume, the court modified its order to cover only documents from 2014.
  • H&H then produced 314 documents, totaling 2,034 pages.
  • After the seizure of H&H’s server, and the re-run of search terms by H&H’s vendor Transperfect, the H&H defendants produced 3,569 documents.
  • The outside vendor included a declaration stating that H&H used an email archive system that had two different accounts – Administrator and Auditor – and the original search was run using only the Auditor account.
      • When Transperfect replicated the search using the Administrator account they returned 1,737 emails and
      • When Transperfect replicated the search using the Auditor account they returned 1,540 emails.
      • And so, 197 emails were not “viewable” when the original search was performed.

However, as the Court noted, even when you include the 197 emails, defendants’ math did not add up.  And, the H&H defendants’ explanation that the differentials were the result of de-duplicating and threading did not hold water.  Rather, the Court noted that the H&H defendants “proffered serial representations to the Court, many of which have been proven false.”  And, the Court noted that the defendants materially misrepresented the number of responsive documents/pages to the Court, which facilitated their objective – the Court’s modification and limitation of the search for responsive materials.  The Court further observed that defendants cannot be absolved of blame by pointing fingers at prior counsel.*

This was just the tip of the iceberg regarding defendant H&H’s discovery misconduct.  As the investigation continued, it became apparent that H&H withheld every responsive email that referenced Howard Goldman, the owner and president of H&H, and all documents that concerned or referenced his wife, Lori Goldman.   While Mr. and Mrs. Goldman claimed in declarations that Mrs. Goldman had no involvement in, and did not direct or control any business activities of H&H, but was instead a housewife who dropped in and out of the office, the re-run searches demonstrated otherwise.  Indeed, 16 documents demonstrated Mrs. Goldman interfacing with suppliers and forwarding to her husband offers from suppliers about the test strips.   The Court found there was no credible explanation for why these documents were not produced except that they were willfully withheld.**

Based on the full record of the case, the Court found there was clear and convincing evidence that the H&H defendants perpetrated a fraud upon the Court, with the harshest sanction being warranted.  And so, the Court granted plaintiffs’ motion for sanctions and entered a default judgment against the H&H defendants.

Conclusion

While this case is an egregious example of discovery misconduct that goes beyond ESI incompetence, it serves as an important reminder that electronic discovery is a reality of today’s litigations.  And that we, as counsel, must be competent and conversant in the intricacies of searching for, and producing, responsive ESI.

 

* The Opinion also discusses the search terms the H&H Defendants used, which were inadequate and “designed to fail.”  For example, using only “International FreeStyle” rather than “FSL,” the abbreviation the company used to refer to the FreeStyle strips.  Nor can it be overlooked that the H&H defendants employed more than three different, successive law firms throughout the lawsuit.

** The court observed, “Defendants’ explanations that there were no documents withheld, then that any documents that weren’t produced were due to technical glitches, then that the documents didn’t appear in [the] original search, then that if documents were intentionally removed, they were removed per [prior counsel’s] instruction cannot all be true.  The H&H defendants have always had one or more excuses up their sleeve in this ‘series of episodes of nonfeasance,’” which amounts to “deliberate tactical intransigence.”