Internet Lawyer Blog

United States Government Surveillance Programs – Part II

Published on: February 8, 2021 | by Law Offices of Salar Atrizadeh

The governments of many countries have initiated surveillance programs to protect national security. These programs were allegedly designed and instigated to fight against terrorism and other criminal activities. For example, the British Government has setup a similar program to the United States government’s PRISM program which is called TEMPORA. The GCHQ, which stands for Government Communications Headquarters, is the British government’s spy agency that operates similar to the United States National Security Agency (“NSA”). There is information that confirms the GCHQ has placed data interceptors on fiber optic cables to analyze internet communications. There is also information that confirms approximately 10 gigabits of data per second (or 21 petabytes of data per day) is being reviewed per day by this spy agency. Its agents are charged with the task of storing all sorts of information – e.g., electronic information with correlating metadata – on computer servers for as long as thirty days. This spy agency uses a technique called Massive Volume Reduction (“MVR”) to conduct its analysis.

Government spy agencies share their intelligence with other nation’s agencies as part of a partnership program. In fact, several years ago, The Guardian publicized this massive information gathering after it was reported by Edward Snowden. It seems the GCHQ is operating under two principles: (1) Mastering the Internet; and (2) Global Telecoms Exploitation. These surveillance programs are meant to gather as much information as possible for evaluation and assessment. However, it seems these principles have not been opened up for public debate and are being carried out without warrants.

The government spy agencies are gathering phone records, email message content, social media communications, and other types of information in an effort to curtail criminal violations. Their targets may include the unsuspecting innocent and suspicious or guilty individuals. Therefore, there are two schools of thought here. First, the spy agencies should carry out their intelligence gathering to prevent another international tragedy such as 9/11. Second, the spy agencies should be subject to certain limitations and should be forced to obtain lawful warrants before conducting surveillance. On the other side, the government officials argue that this type of unprecedented wiretapping is necessary to properly safeguard the country from terrorists.

United States Government Surveillance Programs – Part I

Published on: February 1, 2021 | by Law Offices of Salar Atrizadeh

The United States government has implemented surveillance programs to promote national security. These programs are designed to gather and process electronic information that could arguably assist government agencies in their efforts to enhance national security. However, there is an argument being made that the federal government is using the resources of major communication service providers to obtain records of citizens without legal justification. In other words, the government is engaging in unlawful surveillance programs without probable cause.

What kind of programs have been implemented?

The National Security Agency (“NSA”) has been intercepting internet communications for several years without fully disclosing the nature and extent of its surveillance programs to the general public. It’s also collecting other types of communication records such as phone records and related electronic information. There is evidence that proves AT&T is cooperating with government surveillance programs. The evidence seems to indicate the telecommunication giant has installed fiberoptic splitters to copy and send information to the government. Experts have argued this kind of activity is beyond “wiretapping” since it’s surveilling the entire communication channels without a warrant. So, in essence, the government is engaging in the mass collection of telephone metadata of all domestic customers. The government officials have argued that this type of broad surveillance is justified under the USA Patriot Act which is meant to deter and punish terrorism and enhance law enforcement investigations for the following reasons:

Cybersecurity Risk Management – Part III

Published on: January 25, 2021 | by Law Offices of Salar Atrizadeh

Cybersecurity risk management has become a more challenging endeavor recently. It was never an easy task for commercial enterprises, but now that we’re facing a global pandemic and economic recession, there are additional challenges. At this point, most of our personal information is being transmitted and stored on the internet. Third-party cloud service providers have become a useful variable in the equation but they can also become a liability if there is a cybersecurity incident. Therefore, cybersecurity risk management has become more difficult especially since commercial enterprises share personal or confidential information with third parties.

The fact that our personal information is no longer in our possession or control makes cybersecurity risk management more challenging. Now, if, our personal information was stored in one location, and as such, was in one company’s possession, life would have been easier. However, multiple vendors, and third-party service providers gain access to our confidential information. So, the level of liability rises to a different stage since there is additional potential responsibilities that must be managed. In addition, some companies have allowed their employees to work from home and this business model makes it more difficult to manage cybersecurity risks. In other words, remote employees can become the proverbial “weakest link” which can be quite dangerous for the commercial enterprise.

A problem in the cybersecurity risk management formula is that change is never ending. The constant change in technology and law makes it more difficult for companies and their information technology managers to keep up. Our law firm’s cybersecurity lawyers generally recommend working with computer technology experts on a regular basis. This way, they can develop the necessary policies on their networks. They should identify the risks by understanding the cybersecurity rules and regulations. An information technology manager should implement internal and external policies to secure the network which usually holds confidential information. For example, the network should have a secure software or hardware firewall, encryption algorithm, and multi-factor authentication system. The information technology manager should develop and implement regular training sessions for employees.

Cybersecurity Risk Management – Part II

Published on: January 18, 2021 | by Law Offices of Salar Atrizadeh

Cybersecurity risk management requires proper due diligence on the company’s cybersecurity program. This is an important aspect because the company’s executives owe a fiduciary duty towards their shareholders and customers. In other words, a company’s manager or director should take every reasonable measure to ensure the safety and security of the company’s intellectual properties, trade secrets, and other sensitive or confidential information. As such, a claim or cause of action for breach of fiduciary duty can seriously hinder business operations and should be avoided by any means necessary.

We recommend properly assessing internal and external threats such as disgruntled employees or third-party contractors who were given access to the computer network system. It’s certainly possible for a disgruntled employee to insert a flash drive which yields malware into the network server to cause a malfunction. Therefore, it is important to have the right security measures implemented on the computer network system. For example, our cybersecurity lawyers recommend installing an Intrusion Detection System (“IDS”) to detect unauthorized access to sensitive or confidential files. It is important to review and understand the laws related to workplace monitoring because it could trigger workplace privacy right violations. There are state and federal laws that would impact the legal rights and responsibilities of employers and employees so it’s important to understand them. In fact, companies that fall under the definition of “critical infrastructure” organizations pursuant to Executive Order 13636 should consider implementing insider threat programs as a precautionary measure.

It’s recommended to have an enterprise risk assessment program that involves cybersecurity experts and lawyers. These computer and legal experts should join forces to establish a program that addresses the key issues – e.g., data privacy, data protection, insider threats, breach notification protocols. It’s important to have a plan before the so-called “cyber incident” so the key players will know their responsibilities. This way, when an incident takes place, there will be a preexisting protocol for everyone. Moreover, having access to a cybersecurity attorney is crucial to the company’s legal and ethical responsibilities. Our law firm advises its clients regarding the relevant state, federal, and international rules and regulations as we have the necessary background and expertise in internet, technology, and cybersecurity laws.

Cybersecurity Risk Management – Part I

Published on: January 11, 2021 | by Law Offices of Salar Atrizadeh

Cybersecurity risk management is a key component in avoiding cybersecurity incidents. Our law firm assists clients with breach response plans pursuant to the rules and regulations. An Incident Response Plan (“IRP”) should be carefully created to address cybersecurity incidents. There are strategic challenges with implementing an effective IRP within the organization but there could also be legal challenges. Hence, we encourage clients to implement a cybersecurity framework that can effectively prevent breaches. This can be done by working with qualified legal and computer experts.

We encourage clients to coordinate communications with their employees and representatives. The company’s partners and affiliates should also be aware of the breach notification and prevention protocols. This is especially important if the company has various locations and satellite offices. The company must act quickly when it finds out about a breach so that it can follow the rules and regulations. In fact, the European Union’s General Data Protection Regulation (a/k/a “GDPR”) mandates breach notification to the proper authorities within three days. In addition, in California, the law imposes a 72-hour breach notification obligation under the California Consumer Privacy Act (“CCPA”) which became effective on January 1, 2020.

We encourage clients to develop different types of response plans for various cybersecurity incidents. There are different types of breach that can take place on the computer network. In general, the bad actors compromise the computer network to steal personal information. However, availability attacks have also increased which in essence deny access to the system. For example, installing ransomware on the computers or launching a Distributed Denial of Service (“DDoS”) attack on the computer network can accomplish this task. There could be serious legal consequences if the company cannot properly protect its network which yields private and confidential information – e.g., intellectual property, trade secrets. There are various state, federal, and international laws in this context. For example, the Philippines Data Privacy Act defines a “security incident” as an event or occurrence that affects or tends to affect data protection or may compromise availability, integrity, or confidentiality.

Smart Devices and Privacy Laws

Published on: January 4, 2021 | by Law Offices of Salar Atrizadeh

Smart devices are being sold to consumers and businesses on a regular basis. They include smart phones, smart cars, smart televisions, smart thermostats, smart doorbells, smart bulbs, smart locks, smart watches, smart speakers, smart refrigerators, and other electronic devices. These smart devices can be recording you or collecting personal data without your knowledge or consent.

Privacy in the internet and technology age has become a major concern. This is primarily due to the existence and availability of smart devices which are even referred to as “smart spies” because they can record and transfer personal information to the hackers who use technical flaws to install spyware. This is why it’s important to review the security settings of the smart device on a regular basis. For example, smart televisions are connected to the internet, and if they are hacked into, they can easily be used for nefarious purposes. Smart speakers and digital assistants are listening to voices and that is why they can be a threat source for their users. They are constantly collecting information with or without the user’s knowledge or consent. There may be a way to delete the recently-recorded information by telling the smart device to delete the last conversation but consumers should read the user’s manual to learn about the options.

Smart doorbells, which are part of a home’s security surveillance system, have cameras and are connected to the internet. Therefore, they can be hacked into and used to record activities. For example, Ring has been questioned for sharing video recordings with police departments and third-party service providers such as Facebook and Google without the user’s knowledge or consent. It is important to view the “authorized client devices” feature to understand which device is accessing the account.

Internet Dispute Resolution – Part III

Published on: December 28, 2020 | by Law Offices of Salar Atrizadeh

Internet dispute resolution has evolved and become more prevalent in recent years. The internet has offered many advantages when it comes to electronic commercial transactions and communications. It has enabled e-commerce websites to gain access to domestic and foreign customers. Naturally, there could be disputes between the e-commerce websites and their customers, or alternatively, between the customers themselves. These disputes are usually related to contractual rights and responsibilities which can be resolved through alternative dispute resolution – e.g., arbitration, mediation.

Geographic location of the parties can create an impediment for dispute resolution purposes. This is especially true because in most circumstances the parties hire a third-party neutral to review their files and issue a final decision. Internet dispute resolution provides an option to have the parties reach a practical solution even though they may be in different jurisdictions. The parties and their neutral judge can be in geographically different locations and need not meet in person to reach a final decision. This, in and of itself, provides a huge advantage from a logistical point. It also brings down the cost of traveling since they can use videoconferencing technologies.

Technology tools and techniques have provided a relatively stable platform for internet dispute resolution procedures. The software and hardware technologies that are available today allow the neutral judge (e.g., arbitrator, mediator), and interested parties, to effectively participate in the dispute resolution procedure. They can securely send and receive files which may include sensitive or confidential information such as financial information. These technologies are using encryption for security reasons. This way, the parties can have trust and confidence in the process and effectively use it.

Internet Dispute Resolution – Part II

Published on: December 21, 2020 | by Law Offices of Salar Atrizadeh

Internet dispute resolution is paramount in the age of technology and innovation. Cyber-negotiation strategies have proved to be effective for online dispute resolution providers. These providers allow the parties to resolve their disputes by submitting settlement offers and negotiating over the internet.

Cyber-mediation and cyber-arbitration are part of the online dispute resolution services. They present certain advantages and disadvantages when compared to traditional mediation and arbitration. For example, online dispute resolution is effective and easy especially since it does not require the parties to travel anywhere. It is less costly and time consuming when compared to the traditional options. However, the disadvantage may be that it is impersonal as the parties do not meet the neutral judge in person. So, in essence, the entire process takes place online and no one has the opportunity to have an in-person meeting.

In most contracts, there is some kind of dispute resolution provision that allows the parties to avoid a formal lawsuit. The provision can include language about a preselection of the service provider the parties have chosen for administering the dispute resolution process. This way, they can agree beforehand that all disputes will be resolved without a formal lawsuit in state or federal court. It is important to note that litigation can be time consuming and expensive and online dispute resolution providers can deliver an alternative option.

Internet Dispute Resolution – Part I

Published on: December 14, 2020 | by Law Offices of Salar Atrizadeh

Internet dispute resolution procedures such as arbitration or mediation are necessary when there is an actual case or controversy between the parties. These types of alternative dispute resolution procedures provide a viable option for the parties to solve their legal claims before or during litigation. So, in general, an appointed neutral third party (i.e., arbitrator, mediator) reviews the case and renders a decision with the following caveat: Arbitration is usually a binding process but mediation is not binding between the parties.

Internet disputes arise in several areas such as business transactions that take place between commercial organizations and their customers. They take place during international e-commerce transactions. Internet disputes may also occur between users or subscribers of social media websites. In any event, all kinds of online disputes are taking place which should be addressed and resolved by a qualified neutral third-party – i.e., arbitrator, mediator.

International e-commerce transactions have expanded in recent years especially since there are multiple websites that provide a way to find and order products or services. These e-commerce websites (e.g., Amazon, eBay, Alibaba) sell a variety of products or services to their users or subscribers. So, naturally, there will be problems which is why there should be a fair and efficient resolution system.

Cybersecurity and Privacy Rules

Published on: December 7, 2020 | by Law Offices of Salar Atrizadeh

Cybersecurity and privacy rules have changed the private and public sectors’ landscapes. The state and federal rules are changing the ways private and public organizations are managing their operations. These rules are focusing on privacy, security and regulations in all jurisdictions but uniformity is an issue. Therefore, state and federal legislators should ensure uniformity to avoid regulatory and enforcement contradictions.

The State of California has enacted laws to promote cybersecurity within its jurisdiction. For example, Assembly Bill 89 (“AB 89”) was enacted to ensure information sharing should be conducted in a way that protects an individual’s privacy and civil liberties, confidential information, preserves business confidentiality, and enables public officials to detect, investigate, and prevent network security breaches. It has also enacted the California Consumer Privacy Act (“CCPA”) that allows individuals to file a legal action against businesses that fail to implement and maintain reasonable security measures to protect their personal information. Now, “reasonable security measures” may include using a firewall, encryption, and intrusion detection software on their computer networks.

The State of New York has enacted laws to promote cybersecurity within its jurisdiction. For example, it has passed the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) to protect consumers from exposure of private information from cybersecurity attacks. This statute is designed to increase data protection and data breach notification requirements for commercial enterprises. It is meant to hold business organizations responsible for gathering and storing consumer personal information which may include a name, address, telephone number, email address, date-of-birth, and social security number.