One Thing You Need To Do Before Buying Cyber Liability Insurance

So a few weeks back I was interviewed about several current issues in cyber liability insurance. As part of the lead-up to the interview, I was sent a couple of links concerning issues that the interviewer wanted my take on. Most of them I’d seen before. However, there was one that was new to me: After reading the article, I was stunned that a law firm – as in a business that performs at least most of its work in the practice of law – would even consider filing such a lawsuit. Turns out they even got an attorney in a different firm to represent them. They were at least smart enough about not being – or having – a fool for a client. While you might disagree with me on the merits of this particular lawsuit – as an attorney whose practice includes insurance coverage matters, I can concede that insurance is treated differently from state to state – there’s definitely something that everyone can take away from this incident. There is one thing you absolutely, positively must do before purchasing cyber liability insurance: Talk to a lawyer! Not just any lawyer. A lawyer who understands insurance coverage. And who has at least a basic familiarity with cyber security. They don’t need to have a side career in IT, just an understanding about how cyber attacks work. This knowledge is particularly important concerning how the interpretation of your cyber insurance policy may apply to a real-world cyber attack. Here’s an example of what happens when you wait until after a cyber attack to understand what your insurance covers: The Case: Moses Alfonso Ryan, Ltd. v. Sentinel... read more

5 Things You Need to Know About the New War on Encryption

On Saturday night, the city of London experienced yet another tragic attack, apparently carried out in the name of terror. The city’s second in two months, and England’s third – the terrible bombing in Manchester just two weeks ago, has already led to numerous statements of solidarity and support from (most) leaders around the world. Unfortunately, during that time, Theresa May, British Prime Minister, also said this: That’s right, among the many things we can expect in the near future is another battle over government surveillance powers. In that battle, it’s a virtual guarantee that the British or U.S. government will resume its call for technology companies be able to decrypt any data or communications within their ecosystem, purportedly in the name of fighting terrorism, on demand. Whether it starts now, or as a result of a tragedy yet to come, the new war on encryption is about to begin. The War on Encryption Following any terrorist attack, it’s inevitable that some government official throws out the phrase “gone dark.” Since law enforcement officers have a hard time cracking encryption, the theory goes, terrorists use encrypted messages because they know their terrorist planning and terrorist conversations and terrorist grocery lists can’t be read by Dudley Do Right. They’ve “gone dark,” and as such, new laws are needed to improve the ability of law enforcement and intelligence agencies to monitor and track potential terrorists. Just as inevitable as the “going dark” comment – a proposed new law or regulation expanding the ability of the government to surveil its citizens, including but not limited to a weakening of encryption protocols. Talk... read more

How NIST Made Me Excited About New Password Rules

I’m going to go ahead and say it: I’m Pumped! About something in the NEWS! How has your recent news feed looked? A bit dismal, if you’re anything like me. There’s the whole “we prefer the frog-in-a-boiling pot method of extinction” thing coming from the White House. Well, and then there’s everything else coming from the White House. It can all seem like it’s too much. We’ve got a government deliberately ignoring science, publishing a budget that cuts the estate tax – but relies on its revenue continuing because… rich dead people are generous? Oh, and then there’s the whole double counting thing. (But don’t worry, Mick Mulvaney now says it was on purpose.) Fortunately for us all, there’s great news. It’s about… passwords! Who would have ever expected that good news in the “reality and practical experience” matters arena would come from password guidelines? Yeah, me neither. And yet, we have the outlines of the new recommendations from the National Institute on Standards and Technology (“NIST”). Even more importantly, it turns out I was totally right! Totally! Yeah, I’ll get to that. But the best part… IT’S A PRAGMATIC SOLUTION THAT IS BASED ON HOW THE WORLD ACTUALLY WORKS!!! That’s right, I’m getting pumped about a government agency evaluating the collective experiences we’ve had related to their rules, using that collective experience to determine what works and what doesn’t, and then taking that information and applying it. PUMPED. Why am I so excited about this? Mostly, it’s because for years, the rules our companies have used to get their employees to password protect their computers and devices have been... read more

What You Need to Learn from the Biggest Cyber Attack in History

Last weekend, a virus called “WannaCry” swept through Asia, Africa, and Europe, encrypting the data of thousands of individuals and businesses. Although it demanded a ransom that, if paid, promised the user access to encrypted data, few paid the ransom, and many who did never regained access to their data. It was the largest ransomware attack ever, even though it was stopped before it impacted much in the United States. Since the attack, I have read numerous security posts about why this attack is just more proof that people and businesses should adopt the security measures those writers had previously published. While I agree with (most) of those posts, I think that the unprecedented nature of this attack creates a different opportunity – to discuss some fundamental lessons that every business owner needs to accept as the modern reality. Here are Six Lessons You Need to Learn from the WannaCry Cyber Attack: 1) Everyone is a target When it comes to hacking, I’m fond of the metaphor of the fisherman. When a fisherman is going after a specific type of fish, a lot of preparation and knowledge about that specific fish is needed: what type of pole and line works best, what type of body of water, and where in that specific body of water can the fish be found, how deep should the line be dropped, and what bait is needed? Most businesses are prepared for hackers who are looking for a specific fish – the “important” data in their systems. Unfortunately, just like in the fishing industry, the vast majority of successful hackers aren’t using a fishing pole,... read more

The Five Essential Elements of a CYA Cyber Liability Policy

If you’ve been conscious for 15 consecutive minutes or more at any point over the past five years or so, you’ve no doubt heard news about a major hack. It’s everywhere, extending even to domination of the presidential election campaign. Your business is at risk, your clients’ data is at risk, and you need to be involved. Sure, but even the best laid plans can suffer the same fate of the great city of Constantinople – one unlocked door and your city has fallen! Fortunately, you’ve actually got the opportunity to protect your business in a way that the Byzantine Empire couldn’t – insurance. Specifically Cyber Liability Insurance. There’s a lot to cyber liability insurance, so we’ll take this in several parts. In this part, we’ll be talking about the expenses you’ll likely run into in the event of a cyber-attack, and therefore need to ensure your cyber liability policy covers: The 5 Major Expenses Your Cyber Liability Policy Better Cover! 1) Parachuting Professionals You need an emergency response team. Think of them as a really nerdy version of Seal Team Six. Think I’m being overly-dramatic? Well, you’re right. However, you should be aware that most cyber liability claims that exhaust the policy limits do so covering the costs in this category! So, you’re going to need… Forensic IT Specialists You need immediate and effective analysis of your system to determine the size and scope of any breach, and professionals with the experience and training to eliminate any active threats to your system, limit the damage being caused by existing penetrations, and shore up your short-term defenses. Legal Advisors... read more

You Need to Prioritize Cyber Security Fundamentals Immediately

Special Guest: Joseph Marquette Download this Episode: Download Audio For lawyers and law firms, there’s no one standard for the adoption of technology. There are about one million. Unfortunately, this idiosyncratic approach has consequences in the realm of cyber security. Cyber Security in the Law Firm The means and art of practicing law has not historically been reliant on technology. As a result, many law firms have not made technology adoption a central element of their practice. Generally speaking, the rate and type of technology adoption in any one law firm is generally based on how that law firm’s decision makers see how effectively new technology can help their practice. Other firms, whether it’s about personalities or business practices, some just aren’t going to jump on the technology bandwagon. As far as cyber security goes, most law firms track this same idiosyncratic approach. Depending on whether the attorneys in the law firm have a fundamental understanding of the threats, any individual law firm may be significantly ahead of or behind the curve in responding to cyber threats. What are the biggest Cyber Security threats that law firms face? The best way to understand how law firms should address cyber security is to look at the potential threats. Unfortunately, there is an attitude problem: most lawyers want to talk about their obligations to protect against cyber security in light of their ethical obligations to protect confidential information. That is to say, lawyers tend to view cyber security ONLY as a tool to prevent data theft, ignoring the other motives behind cyber attacks. Unfortunately, the threats lawyers fear simply don’t match... read more

The Best VPN Technology to Secure Your Confidential Data

In my post last week, I posed this question: Aside from your law firm’s office firewall and VPN system, do you need to have a personal VPN on your computers and mobile devices. Helpfully, I then told you YES!! So, in the interest of being helpful, I’ve written this post on how to determine the best VPN technology for you, and I’ve gone ahead and included a review of some of the best VPN solutions on the market. So, without further ado: How to Choose the Best VPN for You? Go ahead, ask if you’re going to need one. The answer is yes, yes you do. So now it becomes a question of what type. First, do you need an enterprise level VPN? Your law firm probably does, and you might even want a more serious VPN option for your home network if you do a lot of work there as well. The benefit to those types of VPN is that they protect your connections with your office server, and also go a long way to protecting your web browsing while you’re using the same router. For these, the available solutions are myriad, and a little too varied and purpose-specific for me to discuss in great detail here. I’d strongly recommend speaking to your IT people/contractor about this. Second, do you need personal VPN technology? Once you’re outside of your office environment, you’ll no longer be protected by your office’s VPN. So, if you use your laptop, tablet, or smartphone both for personal web browsing/email and to connect to your office network, then you absolutely need to have VPN technology... read more

6 Simple Reasons You Need to Use a VPN

One of the most important things that we do as lawyers is to protect. We protect our clients from the harms of others, from the government, from competitors. We frequently protect our clients from themselves. Unfortunately, based on recent surveys, we don’t usually consider our own actions to be much of a threat to our clients, or we’d be doing more to protect our clients from us. Well, we’re certainly not harboring ill intentions – that’s part of the problem. We have an ethical duty to protect our clients, and more specifically, the confidential information that they entrust us with. What’s one thing you could do, today, to dramatically improve the protection you give to your client’s confidential information? Start using a VPN on your computer and mobile devices. Immediately. What is a VPN? A VPN is a “Virtual Private Network.” In its most basic form, a VPN creates a secure, encrypted connection between your computer or device and the server owned or operated (or in some cases merely rented) by your VPN. The effect of this connection is that it’s as if you were accessing the internet from the location of your VPN’s server. Between your actual computer and the VPN server, the traffic is encrypted, so nobody can see what information is being passed along the connection. In Howard Hawk movie-parlance, it’s basically like switching cabs to avoid being followed. VPNs are an important security tool for pretty much anyone who uses the internet today, but much more important for anyone who regularly traffic in protected or confidential information. (No, that wasn’t a subtle hint!) Do You... read more

Phishing: When One Email Shuts Down Your Law Firm

It can happen. It almost happened to me yesterday. I opened up my email and saw one from a familiar sender, but with a strange subject line entry. The body of the email instructed me to remit payment based on instructions in the attached invoice, referring to the information below. What I saw there was a poor copy-paste job of a local bank’s information page, with a link in the center (written out as a file ending in “.doc”). There was nothing attached, and the email instructed me to view the “attachment.” Our IT vendor was immediately notified. But what if I’d clicked on the link? Phishing may be the biggest Cybersecurity threat to your law firm No, that’s not hyperbole. Phishing, which is basically any attempt to obtain sensitive information or to lure targets to perform a specific action, is a powerful tool for hackers. Phishing used to be made up mostly of attempts to convince people to provide information such as login credentials, social security numbers, or other personal information. Today, the phishing scam has evolved. No longer a simple method of attack, phishing scams come in many forms. However, by far the most dangerous to your law firm is the attack that infects your computer with malware. The malware du jour for hackers? You’ve probably heard quite a bit about it recently: Ransomware. With just one errant click, one infected file opened, a malware infection can enter your law firm’s network. It then really goes to work – it turns out that (at least at this point) they’re not interested in taking your information. It turns out there’s a... read more

How to Ignore the Experts: Most Popular Passwords of 2015

Isaac Newton famously said: “If I have seen further than others, it is by standing upon the shoulders of giants.” On the other hand, H.L. Mencken said: “Nobody ever went broke underestimating the intelligence of the American public.” Based on the recently released list of the top 25 most popular passwords of 2015, I empathize more with the second quote. The inescapable conclusion: we’re morons. To understand specifically how I came to this conclusion, let’s begin with this little, uncomfortable fact: 40% of Americans have either had a personal account hacked, been notified that their personal information had been compromised, or had a password stolen. So, with that in mind, you’d think we’d take security more seriously. Or maybe listened just a little to the advice security experts have given. We don’t. Every year, SplashData releases its list of the 25 most popular passwords, and it’s always a humbling reminder that although some of our great thinkers might have stood on the shoulders of giants, the rest of us… not so much. The Most Popular Passwords of 2015: Here are some of the most popular passwords from last year. For the full list, check out the infographic below: 1. 123456 2. password 3. 12345678 4. qwerty 5. 12345 … 7. football … 10. baseball … 15. 1qaz2wsx … 19. letmein … 21. princess … 23. solo … 25. starwars Yep, you read that right, the end of the list certainly had a timely Star Wars-based flavor to it. Unfortunately, when one fictional character group does well, another usually suffers. Several of last year’s Top 25 most popular passwords had to get bumped off the... read more
Page 1 of 41234