Articles Posted in Cybersecurity

Data disposal is a key process in a legal entity’s policies and procedures for managing personal and confidential information. In general, private and public entities store data on their servers. This information may include financial and health information which should not fall into the wrong hands. So, there must be a proper procedure for destroying and disposing that information by using industry approved methods.

The Federal Trade Commission has implemented a data disposal rule in relation to consumer reports and records to prevent unauthorized access to or use of that information. In California, several statutes have been promulgated to address this issue. For example, California Civil Code Sections 1798.81, 1798.81.5, and 1798.84 are applicable. In fact, Civil Code 1798.81 states as follows: “A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.” Therefore, there are standards to follow and implement to avoid unnecessary complications. The state legislature has encouraged the implementation of “reasonable security” for personal information under Civil Code 1798.81.5. Also, Civil Code 1798.84 outlines the legal remedies which include initiating a civil action.

The proper retention of emails is paramount especially if the electronic messages include private, confidential or proprietary information. For example, “email archiving” is one method to retain electronic messages especially if there is the possibility of litigation. The emails should be backed up in a searchable format for practical reasons. Electronic discovery allows the parties to request and obtain electronic documents during litigation. In most cases, the electronic discovery process is time consuming and complicated especially because there is a large volume of data involved in the lawsuit. Also, more importantly, the failure to comply with electronic discovery requests may result in sanctions.

Artificial intelligence (“AI”) is defined as a system that imitates human intelligence to conduct similar tasks by improving itself based on the submitted or collected information. Artificial intelligence can be used in various industries such as manufacturing, automobiles, education, medicine, and financial services. Artificial intelligence can be used to detect and defend against cybersecurity intrusions, solve technical problems, lower production management tasks, and assess internal compliance for accepted vendors. Artificial intelligence technology is affordable and can produce faster results when compared to human interactions.

The terms artificial intelligence, machine learning, neural networks, and deep learning are not the same. Machine learning is a subset of artificial intelligence. Deep learning is a subset of machine learning. Neural networks create the backbone of deep learning algorithms and imitate the human brain by using specialized algorithms. It’s also important to realize that deep learning is different from machine learning. There are three main types of artificial intelligence: (1) Artificial Narrow Intelligence; (2) Artificial General Intelligence; and (3) Artificial Super Intelligence. For example, chatbots and virtual assistants (e.g., Alexa, Siri) are considered artificial narrow intelligence since they’re unable to incorporate human behaviors or interpret emotions, reactions, or tones.

What are the potential cybersecurity issues?

The term “metaverse” is a combination of “meta” and “universe.” This new concept allows users to interact with each other in virtual worlds and buy and sell names, goods/services, properties, and avatars. They can also organize, host, and attend events in virtual worlds.

The consumers will be using blockchain technologies and digital currencies. Blockchain is a database that includes network computers that share information across the internet. For example, Bitcoin uses blockchain technology to update its ledgers. So, several of these newer platforms are powered by blockchain technologies that use digital currencies and non-fungible tokens (“NFTs”) which allow a new type of decentralized digital asset to be designed, owned, and monetized. The NFT is a virtual asset that promotes the metaverse. It’s an intangible digital product that links ownership to unique physical or digital items (e.g., artistic work, real estate, music videos). In other words, each NFT cannot be replaced with another one because it’s unique and irreplaceable. So, for example, if you own an NFT, it will be recorded on blockchain and you can use it for electronic transactions. In fact, with NFTs, artifacts can be tokenized to create ownership digital certificates for electronic transactions.

What are the potential legal issues?

The internet is a combination of computer networks and electronic devices (e.g., smartphones, laptops) that can communicate with each other on various platforms. The internet has allowed people to immerse themselves in a world where they can create profiles on social media websites and freely interact with each other. It is certainly an intriguing phenomenon and an interesting part of today’s technological advancements. However, at this stage, technology companies are working on a different project called the “metaverse” which would combine the internet with augmented and virtual realities where the users can interact with each other as avatars.

What is metaverse?

It is made up of the prefix “meta” which means above or beyond and the stem “verse” which is a back-formation from “universe.” It’s generally used to describe the concept of a future iteration of the internet, made up of persistent, shared, three-dimensional virtual spaces linked into a perceived virtual universe.  It may not only refer to virtual worlds, but the internet as a whole, including the entire spectrum of augmented and virtual realities. It refers to an immersive digital environment where people interact as avatars. Its concept encompasses an extensive online world transcending individual tech platforms, where people exist in immersive and shared virtual spaces

There are a series of online scams that have been taking place in the recent years. The culprits are becoming more sophisticated as they’re coming up with new schemes. The law enforcement agencies have been trying to keep up with the new schemes. However, given their limited resources, it is a challenging task. Nonetheless, our law firm has been representing clients in state and federal courts who have been victims of online scams.

Online auction scams have become prevalent on the internet. For example, the scammer gets involved in the online auction and purchases the item by overpaying for it via an international money order. Then, the seller who is eager to sell the item to the buyer in good faith, sends the item along with the overpayment. So, at the end, the seller loses the item and the funds.

Online rental and real estate scams involve the same type of practice where the scammer poses as the interested renter or buyer and sends the funds towards the seller or landlord. Then, the scammer reneges on the deal and requests a refund. The seller or landlord returns the funds but later realizes the initial check was counterfeit.

We’ve already described the definition of doxing in the prior article. We will turn to the various doxing methods and relevant laws. Doxing works by tracking someone’s information by accessing the internet or other databases. Big data has allowed individuals to extract personal information which was impossible to find in the past. Nowadays, the doxing party can track usernames, run a WHOIS search on a domain or website, engage in phishing activities, look into social media profiles, go through state/federal government records, tracking an Internet Protocol (“IP”) address, or conduct a reverse phone number lookup. The doxing party can also engage into what is referred to as “packet sniffing” which can be prevented by using a virtual private network.

The doxing party (i.e., culprit) can release the victim’s sensitive or personal information on the internet and instruct others to harass or intimidate the victim. There have been instances of such transgressions in recent years. For example, a popular adult dating website was hacked and the users’ private information was released into the web. Obviously, this incident was embarrassing for the adult dating website and its members. There have been other incidents where the victim had engaged in questionable conduct and was targeted on the internet.

Is doxing illegal?

The question is what is doxing and what are the laws? Doxing, which is short for dropping documents, takes place when the malicious actor gathers personally identifiable information and publicly discloses it to annoy, harass, intimidate, or stalk the victim for no legitimate purpose. The malicious actors engage in these types of activities to publicly humiliate or target their victims. For example, they may intentionally identify law enforcement personnel or show off their hacking abilities.

How does doxing work?

The malicious actors utilize different techniques for their doxing activities. They can hack, social engineer, or steal personal and confidential information. They can gain access to the victim’s email account and extract private information from the victim’s account. They can break into web-based accounts such as social media, cloud storage, or bank records. They can also use the same email address and password to gain access to other accounts. There have been incidents where the malicious actors used the victim’s Department of Homeland Security username and password to gain access to its network.

Augmented and virtual realities are cutting-edge technologies that are changing the world. Now, with that comes a significant amount of legal issues such as cybersecurity, privacy and regulations at the state, federal, and international levels.

Augmented reality (“AR”) technology is currently being used by several companies such as Nintendo, IKEA, Instagram and Snapchat. Virtual reality (“VR”) technology has been used by companies such as Oculus Rift, PlayStation, and HTC Vive.

The courts have been grappling with online or offline violations for many years. Now, with the advent with these technologies, they will be facing new issues related to online or e-commerce transactions. The question is how will the courts deal with street crimes in the virtual world? What if a known or unknown individual engages in “indecent exposure” or “virtual groping” against another person? What if the culprit commits a tort (e.g., negligence, invasion of privacy, intentional infliction of emotional distress) against the victim in the AR/VR world? What if the victim’s privacy is invaded by spreading his or her intimate pictures or videos towards unauthorized parties?

Our law firm’s attorneys have been able to manage unexpected data breaches since they take place on a regular basis. Our legal team and group of technology experts have implemented specific protocols to mitigate the damages. One of the most important factors is assessing your company’s security weaknesses which may include proper training of all personnel including full/part-time employees and independent contractors. Training is a key factor and should be conducted in a methodical manner. The information technology department should implement the procedures for setting up personnel training sessions.

The first step is to setup a framework for proper incident responses. Then, incident notification procedures should be published for all personnel and should be part of the hiring process. The company should be able to validate the data breach by examining the information. All sensitive and confidential documents (e.g., trade secrets) should be protected and preserved on a regular basis. The incident response team should immediately investigate and monitor the breach. The company should mitigate the damages by securing electronic devices and the stored information. Also, the company should ensure the existing encryption software is functional, and if not, it should be replaced with another type of encryption software. The data owners should be formally notified since their information has been affected by the data breach. In most cases, law enforcement officials should be notified about the data breach. Finally, the company should assess and improve its data breach and incident response plans to avoid similar problems in the future.

Any organization that collects, stores, or manages sensitive or confidential information is susceptible to cyberattacks. Therefore, it must setup and manage a proper incident response plan. It must be able to engage in preventive and reactive measures such as proper data retention policies. The chain of custody in preserving information is a key factor. So, the data must be located, identified, and protected to avoid unnecessary complications. Data protection and preservation are key components from a legal perspective. The organization should have access to legal counsel to prepare for potential legal actions. The legal team should work closely with the Incident Response Team (“IRT”) to protect confidential client information such as medical or financial records. This way, the attorney-client privilege can be properly established by them.