Recently in Cyber Security Category

Cyber Threats: Phishing and Spoofing

May 27, 2013



As cyberspace becomes a larger part of everyday life, the threat of cybercrimes becomes more prevalent. Consumers conduct all sorts of business over the Internet, which involves storing and transferring personal information on various online sites. Accordingly, the wealth of personal information available over the Internet has drawn in a new type of crime: phishing and spoofing. Cybercriminals disguise themselves as other people, or legitimate business entities, and they entice consumers to give out personal information, such as bank account numbers. These tactics also help cybercriminals steal people's identities.

What is the Difference Between Phishing and Spoofing?

Phishing is the practice of posing as a legitimate business entity to trick consumers into turning over personal information, such as passwords and bank account numbers. The cybercriminals then use this information to break into accounts and transfer money. They may also use this personal information to apply for credit cards, spend extravagant amounts of money, and ruin people's credit. This is how cybercriminals perpetrate identity theft through phishing. With the right personal or financial information, cybercriminals disguise themselves as other people, building up exorbitant debt against the victim.

Spoofing is much like phishing in that it involves people and programs that pose as another person or business in order to gain information or any sort of advantage. For instance, spoofing agents use technology to alter their caller ID, so that when they call, the ID reads as a legitimate business. The consumer sees the name of the business and willingly gives out personal information. A lesser-known type of spoofing involves a copyright holder's practice of placing damaged files on file sharing networks to discourage illegal downloads.

How Can Consumers Protect Against Phishing or Spoofing?

The California State Department of Justice warns consumers to look for emails that look very official. The cyber thieves will often disguise emails to look formal and convince people to turn over personal information. The most common technique is to use familiar company names to come across as a legitimate business venture. The Consumer Federation of America also warns that spoofing attempts to single out employee emails, and disguise their message, so that it appears to be from their employer.

Consumers can protect themselves by taking extra care before sending any personal information via email. Make sure that links in emails are trusted before clicking on any such links or opening attachments. Phishing and spoofing threats also exist over the phone, so consumers should be careful before giving out any personal information to callers.

At the Law Offices of Salar Atrizadeh, we guide our clients in legal matters regarding all aspects of copyright law by using extensive knowledge and skills to create innovative solutions. Please contact us today to set up a confidential consultation.

Defending Against the Growing Threat of Identity Theft

April 21, 2013



Few crimes affect as broad a scope of people as identity theft. With social networks, credit cards, personal information, and contact information so interconnected, perpetrators can trespass into a person's life by breaking past a single password-protected account. Accordingly, the Los Angeles County District Attorney's Office has created a special division to aggressively prosecute this serious crime. Indeed, the District Attorney's Office has indicated that it would pursue all cases of identity theft, regardless of how minor. This category of illegal activity includes everything from simply possessing information on another's identity without their permission to using such information to obtain a credit card or make purchases.

In California, identity theft laws are especially strict because perpetrators can be convicted of felony identity theft regardless of whether the victim suffers financial harm as a result of the identity theft. In fact, signing someone else's name on an official document may constitute identity theft, depending on the circumstances. Often, identity thieves work as members of larger organizations, which assemble and carry on large networks of identity theft. Someone may be accused of identity theft simply by association with members of such a network. Under California Penal Code § 530.5(a), to maintain a case of identity theft, the district attorney will need to show that a defendant intentionally obtained "personal identifying information" without the consent of the person, to use "for any unlawful purpose." Defendants may be able to avoid prosecution for identity theft if they can present evidence to show that they obtained the identifying information with the person's consent.

The most common identity theft cases include illegal credit cards, fake identification cards, stolen social security numbers, purchases with stolen credit cards, and skimming. Skimming involves installing a skimmer to illegally obtain identification and credit card information from card machines in retail stores and gas stations. Identity theft also involves cybercrimes such as phishing or spoofing.

The Federal Trade Commission ("FTC") provides a general guide for consumers and business owners to help victims of identity theft take immediate action to prevent excessive harm to their reputation and credit. This guide also provides suggestions to help protect against potential identity theft. For example, the FTC suggests that consumers take steps to ensure that personal records are safely locked away. Additionally, the FTC warns consumers to keep passwords private to help protect online security.

The federal government is also taking steps to protect consumers against identity theft. In 1998, Congress passed the Identity Theft and Assumption Deterrence Act, which established identity theft as an offense. Under 18 U.S.C. § 1028, a defendant guilty of identity theft may serve up to fifteen years in prison, pay a fine, and lose any property gained by virtue of the identity theft.


IMAGiNE Group Faces Counts of Criminal Copyright Infringement

April 2, 2013



After an investigation by U.S. Immigration and Customs Enforcement's Homeland Security Investigations unit, U.S. District Judge Arenda L. Wright found members of IMAGiNE Group guilty of criminal copyright infringement. The court found IMAGiNE Group, an Internet piracy circle, guilty of perpetuating an effort to release movies available only in movie theaters. A representative of the Motion Picture Association of America testified that IMAGiNE was responsible for the most expansive effort to release pirated films between September 2009 and September 2011.

Judge Wright sentenced Jeremiah B. Perkins, a leading member of IMAGiNE, to prison and ordered him to pay $15,000 in restitution damages. After prison, Perkins will also face three years of supervised release. Perkins was responsible for recording films in theaters and compiling data into complete movie files to share on the Internet. Perkins admitted to renting computers, registering domain names, and opening email and PayPal accounts to help run IMAGiNE's operation.

The National Intellectual Property Rights Coordination Center ("IPR Center") within the United States Department of Homeland Security has supported the underlying investigation in this case. This center is one of the federal government's greatest weapons in the fight against counterfeiting and piracy. The IPR Center works closely with other agencies within the Department of Justice to facilitate information sharing in an effort to establish and enforce initiatives that deter intellectual property theft. This case was part of the IPR Center's greater effort to hinder and stop the spread of intellectual property theft. Attorney General Eric Holder instigated these efforts in response to the increasing crimes against intellectual property. Additionally, in light of recent news concerning threats of international cyber attacks, these efforts also go a long way towards protecting American consumers, their health, and their safety. Preventing intellectual property theft also protects the American economy by prohibiting outside parties from profiting on American products and intellectual property. The IPR Center aims to increase intellectual property right protections by implementing stricter criminal and civil liability for property right infringements. Additionally, the IPR Center seeks to organize greater coordination among federal, state, and local law enforcement agencies. Finally, the task force aims to refocus efforts on international property right protections by establishing and strengthening relationships with foreign governments.

The IPR Center was also responsible for facilitating an investigation into Hana A. Beshari, founder of NinjaVideo.net. NinjaVideo provided a forum for downloading high quality infringing copies of copyrighted movies and television shows. Beshari pleaded guilty to conspiracy and criminal copyright infringement. She could face up to five years in prison for her role in this intellectual property theft endeavor.


Threat of International Cyber Attacks

March 11, 2013



News outlets have been reporting that the Chinese have allegedly been hacking into American infrastructures. Assuming this report is accurate, the United States is not equipped to handle the consequences of such an attack. These hackers would possess the power to disable the critical infrastructure in this country, eliminating electricity, gas, water, and all major transit systems. Indeed, earlier this year, both The New York Times and The Wall Street Journal reported that hackers had infiltrated their systems and stolen confidential employee information. The New York Times has further reported that it has been experiencing constant attacks from the Chinese in an attempt to control information that pertains to China. The Ministry of National Defense in China denies any such cyberattack on The New York Times. In light of these recent developments, it has become increasingly important for individuals and businesses to take steps to ensure their cyber protection. By serving California and Washington D.C., the skilled attorneys at the Law Offices of Salar Atrizadeh successfully work on legal matters pertaining to cybersecurity and Internet law.

The former Secretary of Defense, Leon Panetta, has described the scene that will unfold after such an attack as a "cyber Pearl Harbor." Indeed, these hackers could possess software with the capacity to destroy infrastructure hardware. Such an attack would spread chaos throughout the country for months while the government works to restore its vital systems. Pointing to the failed Cybersecurity Act of 2012, Panetta has called upon private citizens and businesses to act to secure their cybersecurity. Hillary Clinton, former Secretary of State, confirmed that this was a crisis that required global attention.

These instances of "cyberterrorism" threaten to cause damage far beyond the destruction of 9/11. Mandiant, a cyber-security company based in the United States, traces these cyber-attacks to the People's Liberation Army, the Chinese military. The efforts in America to make sense of these attacks have not led to any definitive answers. The dangers of cyber-attacks are apparent in the recent attack on Aramco, the Saudi Arabian oil company. The attack consisted of a virus, which destroyed 30,000 Aramco computers, and replaced essential files within the system with an image of an American flag burning. There was also a reported cyber-attack on Telvent (now known as Schneider Electric), an international corporation that provides companies with the network and connections to remotely control power grids, oil pipelines, and gas pipelines. It remains unclear whether the hacking efforts are meant to steal confidential information, or whether the hacking is part of a larger scheme to derail vital American infrastructures. Indeed, the threat may not be limited to the Chinese, but rather part of a greater effort to launch an attack against American cybersecurity. This certainly poses a threat not only for national security, but also for individual cyber-security involving consumers and businesses that compose and participate in the crucial business and technology infrastructures.


President Obama Signs an Executive Order to Protect Cybersecurity

March 4, 2013



In light of recent news that America's cyber-network is vulnerable to outside attack, President Obama signed an Executive Order to improve cyber-security for the nation's "critical infrastructure." According to the Order, "critical infrastructure" applies to the vital physical and virtual systems in the United States that are essential to the country's economic security, public health, and safety. This definition is in line with the definition of "critical infrastructure" in the Cybersecurity Act of 2012, which the federal government failed to pass.

The Executive Order is meant to promote greater information sharing among members of the same network. This will ensure that all network providers are adequately aware of potential threats to the system in time to plan and implement an effective response. Accordingly, American companies now bear the responsibility of evaluating whether "critical infrastructure" applies to their operations. Alternatively, the Executive Order may also apply to companies that provide goods or services to other companies that the Executive Order implicates. In this case, the Executive Order would also apply to the companies that provide the goods or services. These companies would then bear the same responsibility to abide by the Executive Order and participate in the information-sharing network.

The Executive Order also requires various federal agencies to participate in this network. The Office of the Attorney General, the Department of Homeland Security, and the Office of National Intelligence, among others, are responsible for participating to create an information-sharing network. Such a network will make it easier to detect and ward off cyber-threats. Additionally, the information-sharing network will allow the participating agencies to quickly notify the President of any legislation that is necessary to further protect the nation's cyber-network. Furthermore, a working and productive network will incentivize other agencies and companies to join the network. Increased participants will improve the breadth of the network, work to expand the reach of the network, and add to the information that is available within the network.

President Obama addressed the Executive Order in his State of the Union speech. The President explained that while the Executive Order was not a substitute for cybersecurity legislation, the Executive Order would prohibit further threats to the nation's cyber-network before Congress implements such legislation. Accordingly, Congress revisited the Cyber Intelligence Sharing and Protection Act ("CISPA") the day after President Obama signed the Executive Order. Meanwhile, the Senate is reviewing the Cybersecurity and American Cyber Competitiveness Act of 2013. Past attempts at passing cybersecurity legislation have alarmed associations that aim to protect civil liberties. Specifically, there is an underlying concern that such expansive information sharing stands to violate individual privacy rights. However, the American Civil Liberties Union has already spoken out in support of the Executive Order and the national security the Executive Order seeks to implement.


FTC Adopts Amendments to the Child Online Privacy Protection Act

February 19, 2013



In 1998, Congress passed the Children's Online Privacy Protection Act ("COPPA") to ensure online privacy for children under the age of thirteen. Under this Act, online operators must obtain parental consent before they begin to collect information about online users under the age of thirteen. The Federal Trade Commission ("FTC") implements and enforces COPPA. In December 2012, the FTC adopted the first significant amendments to COPPA since the inception of this federal law in 2000.

In 2010, the FTC began to review the terms of COPPA to determine whether changes in the cyber community would require amendments to the Act. The FTC felt that COPPA would potentially require amendments in order to keep pace with the fast-changing nature of the Internet. Before drafting any such amendments, the FTC invited interested businesses and third parties to communicate their suggestions for changes that would help improve this law. After this process, the FTC adopted three significant changes to the Act.

First, the FTC expanded COPPA's reach to include applications, plug-ins, and advertisement networks that could potentially gather personal information about children under the age of thirteen. Although this was a controversial addition to COPPA, the FTC was able to compromise by indicating that COPPA will only apply to these online operators if the operator is aware that it is collecting information about children. Next, the FTC expanded COPPA substantially so that it applies to a wider range of personal information subject to the Act's regulations. Under the 2012 amendments, "personal information" now includes online contact information such as instant messaging usernames, voice over Internet protocol ("VOIP") identifiers, video chat user data, and any other screen names that serve to identify users individually. The Act will also cover "persistent identifiers," which include IP addresses, profile pictures, or audio files that contain a child's voice. Finally, the FTC has revised the acceptable means of obtaining parental consent. Pursuant to COPPA, online operators must obtain parental consent before collecting personal information about a child. Under the 2012 amendments, these online operators can now accept consent by a parent's use of an online payment system, by a parent's confirmation through video conference with trained personnel, and by verifying a parent's identification with government-issued identification. These amendments aim to protect children's privacy in the quickly changing environment of online operators and in light of the constant advancements in the Internet community.


Legal Implications of Online Impersonation

January 7, 2013



The possibility of identity theft is a growing concern. However, banks, credit card companies, and various other institutions that house private information regularly take steps to protect customers' identities. Nonetheless, a different type of identity theft continues to thrive. Online impersonation is a quick and easy form of identity theft that takes place over the Internet. It is an easy type of identity theft given the breadth and convenience of social media and expanding networking sites. However, in light of the Sandy Hook Elementary School incident, state and federal authorities are considering the possibility of bringing criminal charges for online impersonation.

State legislatures called for laws against online impersonation following the case of Megan Meier, a 13-year-old girl who killed herself after a woman impersonated a boy and engaged in cyberbullying. After the Sandy Hook shooting, people began posting incorrect information about the shooting and the suspect. Others began posing as the shooter and staging crime scenes similar to the shooting. Connecticut State Police Lieutenant J. Paul Vance called attention to this matter in a public press conference. He noted that these posts, in addition to being highly inappropriate, were also threatening and criminal in nature.

A spokesman for Commissioner Reuben Bradford stated that harassing anyone who was a victim of the shooting would be criminally prosecuted. He noted that harassment would include not only in-person contact, but also harassment via the Internet and social media sites. Charges could include criminal impersonation and criminal misrepresentation. California and several other states have established online impersonation as a criminal offense. Critics argue that criminal regulations that prohibit online impersonation may arm interest groups with the power to suppress speech. For example, the Electronic Frontier Foundation argues that such laws could silence groups like The Yes Men, which utilizes online impersonation as a form of commentary on the government and large corporations.

However, it is much harder to identify potential suspects online because they are able to operate behind the safety of false identities or even anonymity. Even though investigators could connect an account to an IP address, they would then have the responsibility of showing who was accessing the IP address at the time. With family computers and public computers, it is difficult to establish who was using the computer when multiple people had access to the same computer. There may also be an added burden of establishing that the online impersonation posed an actual threat. In order to sustain a case for online impersonation, prosecutors must also show that the online communication went beyond protected speech and crossed into criminal behavior.


Cloud Computing

December 17, 2012



Cloud computing offers a revolutionary new way to conduct business over the Internet. This service is a form of cyber-outsourcing where virtual servers provide certain services or applications for consumers online. Cloud computing vendors include IBM SmartCloud, Cisco Cloud Computing, Amazon Elastic Compute Cloud (aka Amazon EC2), and various smaller vendors. These providers offer a range of services including storage services and spam filtering.

There are various forms of cloud computing available over the Internet. Managed Service Providers ("MSPs") are the oldest form of cloud computing. A "managed service" is an application such as virus scanning for email or anti-spam services. The most common form of cloud computing is through Software as a Service ("SaaS"), which delivers an application to multiple customers through a browser using a multi-tenant architecture. Customers benefit because they do not have to invest in servers or purchase software licenses. Providers benefit because they reduce costs by maintaining only one application for their multiple customers. Salesforce.com is a well-known example of SaaS cloud computing, but Google Cloud Storage is a fast-growing option as well.

Similar to SaaS computing, some providers offer Application Programming Interfaces ("APIs"), which allow developers to offer certain functions over the Internet without having to offer entire applications. These functionalities range from specific business services to wider-ranging APIs, such as Google Maps. Another version of SaaS computing allows users to develop their own application and offer the application through a provider's infrastructure over the Internet. The developers are limited by the provider's capabilities, but the developers benefit from the established predictability. Google App Engine is an example of such cloud computing.

Commerce Service Providers ("CSPs") are a combination of SaaS and MSPs. This form of cloud computing offers a service community wherein users interact. This is most common in trading environments that allow users to order services from a platform, which arranges delivery and pricing within the consumer's set specifications. Ariba is a common example of such cloud computing. Utility Computing is another form of cloud computing that provides storage and virtual servers on demand. Entities generally use this option for supplemental storage in addition to their primary datacenters.

The innovative nature of cloud computing has introduced novel legal implications. Senator Amy Klobuchar has proposed the Cloud Computing Act of 2012, which aims to "improve the enforcement of criminal and civil law with respect to cloud computing." This law's main purpose is to protect "cloud computing services" under the Computer Fraud and Abuse Act ("CFAA"), which is codified under Title 18 U.S.C. § 1030. The Cloud Computing Act suggests that each unauthorized access of a cloud computing account should count as a separate CFAA offense with a minimum of $500 in damages for each offense.


Privacy Concerns in the Changing Face of the Internet and Technology

November 11, 2012



The technological advancements and the ever-expansive world of cyberspace are in a perpetual state of conflict with individual privacy concerns. For example, a recent research project by the Massachusetts Institute of Technology demonstrates that independent component analysis allows companies to track changes in pulse by the subsequent change in skin color that is readily visible through a video signal. In addition, employers, credit agencies, and health insurance providers can now purchase indexes that contain consumer profiles based on individual consumer's browsing history, site membership, and online purchases.

The Federal Trade Commission has issued a report that proposes the steps companies can take to ensure optimal protection of consumer privacy. The report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers," urges companies to incorporate privacy protection in every stage of their products, provide a mechanism against online activity tracking, and fully disclose what user information they share with other entities.

The California legislature has proposed a new bill that would impose new restrictions on social networking sites, which would limit the information available about users. The proposed legislation would allow users to select privacy settings before ever using the site, which limits the site's accessibility. Social networking sites, such as Facebook, have responded that such legislation would inappropriately burden the sites, in turn devastating cyber-business in California.

The American Civil Liberties Union ("ACLU") is also heavily involved in efforts to compel companies to improve privacy protection measures on their respective websites. Digital Due Process, a broad coalition that includes the ACLU, Google, and AT&T, is working with legislatures and law enforcement agencies to update the Electronic Communications Privacy Act ("ECPA"). Congress enacted the ECPA in 1986 as a means of extending government restrictions on telephone wiretaps to include electronic transmissions via computers. However, in the changing face of the Internet, the ECPA has failed to keep up. Congress has not updated the ECPA to reflect the privacy concerns that exist today because of the existence of the Internet. The mission of the Digital Due Process includes efforts to initiate changes that will restrict sharing of users' location and limit electronic communication tracking.

In 2011, Senator Patrick Leahy introduced the Electronic Communications Privacy Act Amendments Act. The amendment will establish heightened privacy protections for email content and electronic communications that would otherwise be subject to search warrants under the guise of probable cause. Growing security concerns and the threat of cyber-terrorism have caused government officials to increase cyber security for the purpose of maintaining national security.


How to Protect Your Reputation from Online Impostors and Infringers

July 19, 2012



The internet and social media have allowed people, businesses, and brands to communicate and interact more than ever before. As much benefit as that brings, it also brings significant risks to the reputation of both people and brands. The internet allows people to post using a pseudonym, or to appropriate someone else's name. The appropriated name could be that of a prominent individual (a "public figure"), but online "persona hijacking" can affect anyone.

Generally, the motive of most persona hijacking is profit or fraud. Someone may appropriate the name or likeness of a famous person to profit from public goodwill towards that person. It could include setting up social media accounts, e-mail addresses, or websites using the person's name, or some other effort to spoof the person's identity. For a person who is not famous, persona hijacking may serve a function much like identity theft, using that person's credentials to obtain, for example, fraudulent credit.

In some cases, the purpose of persona hijacking is to submit a person's name to criticism or parody. The line between legitimate commentary and unlawful harassment, however, can be very fine, and parody can easily become a "false light" portrayal of a person. Use of a person's name or likeness for the purpose of criticism or parody may, in certain limited circumstances, be protected by the First Amendment. In other cases, it may constitute unlawful infringement of a person's trademark rights or right of publicity.

A person who uses their own name in commerce, usually someone prominent in business or entertainment, may obtain trademark protection. This generally prohibits others from using the name commercially. For most people, the right of publicity prohibits use of their name or likeness without their consent, especially for commercial purposes. The Fair Use doctrine, however, may allow use of a name or likeness for legitimate criticism or parody, where it is clear that the work is not originating from the person being appropriated.

You can take several steps to protect yourself from online persona hijacking:


Protecting Your Company's Data from Cybercrime

April 26, 2012



Cyberattacks can hit businesses of any size, causing catastrophic damage to a business's finances and to the integrity of its information security. Hundreds of breaches occurred at large corporations during 2011, affecting over thirty million sensitive or confidential records. Hackers went after Sony, NASDAQ, and other giant businesses, but small companies are also vulnerable to attack. According to a report in the Business Journals, as many as eighty-five percent of small business owners do not see cyberattacks, which may include hackers or malicious software, as a serious threat. Heightened security at these big companies, though, could lead hackers and other cybercriminals to focus their attacks on smaller businesses that may not be so prepared.

Guarding against cybercrime is simply good business for small companies. A hacker targeting a small business can cripple the business or even force it to shut down with a very simple series of hacks or viruses. If a cyber criminal targets a small business' banking system, it could empty its cash reserves and leave it unable to operate. A hacker who compromises a business' confidential client data could expose the business to enough liability to put it out of business.

The "Common Sense Guide to Cyber Security," published by a coalition of government agencies and organizations, including the Federal Emergency Management Agency and the U.S. Chamber of Commerce, offers a set of security practices small businesses can use to protect themselves from cyberattack. After an initial set-up period, most practices involve simple daily maintenance and monitoring.

Risk Management Planning. Businesses should carefully assess the risks and weaknesses in their computing systems to see where protection is most needed. They should prepare contingency plans in case a breach or loss occurs, including how to continue business operations with alternate computing systems or at an alternate location.

Access Control and Accountability. A business's network security plan should include access controls that limit who may access critical systems and information. A single department or officer should have responsibility for information security and for approving new hardware and software, thus ensuring accountability for decisions and errors. At the same time, a business should educate all employees and officers as a means of creating a "culture of security." All employees should sign an agreement committing to the company's cybersecurity policies.

Firewalls and Other Security Measures. Firewalls can protect businesses from many common attacks, particularly from viruses and malware. Companies should also encourage use of complex passwords that combine upper- and lowercase letters, numbers, and other symbols; that avoid common words and phrases; and that are changed at least every three months.

Continue reading "Protecting Your Company's Data from Cybercrime" »

Legal Developments and Trends in Cybersecurity for 2012

April 24, 2012



Computers and computing activities play an increasingly integral role in daily life in America, affecting our financial activity, social interactions, and more. With an increased level of dependence on networked devices comes the risk of theft, or even attacks, on and through our computer networks. While the business community has already recognized the importance of cybersecurity, the government and legal system are finally responding in five key areas.

National security. The federal government has made cybersecurity a central feature of its national security strategy. Recognizing the risk of an attack on the nation's computer networks by a foreign power or sub-national group, the Department of Defense created a comprehensive strategy for cybersecurity (PDF file) in 2011. The strategy treats "cyberspace" as its own "operational domain," requiring specialized training and organization. The government has also taken steps to combat online theft, which can include not only monetary theft but theft of intellectual property and identity theft. The latter has become more and more sophisticated as thieves find ways to exploit personally identifiable information (PII) stored online.

Federal legislation. The Obama administration proposed legislation outlining ten points for cybersecurity protection. These generally included protection of the American people, the nation's infrastructure, and the federal government's networks and computer systems. Several bills pending in Congress address aspects of cybersecurity. The controversial Cyber Intelligence Sharing and Protection Act (CISPA), for example, allows sharing of data between companies and the National Security Agency in order to investigate and combat cybersecurity threats.

State legislation. Protection of government data, PII, and personal privacy have informed numerous state statutes enacted in the past ten years. California passed a law requiring notification of cybersecurity breaches in 2003, and forty-six other states and the District of Columbia followed suit. Laws requiring "reasonable" levels of security for protected information exist in at least ten states, and numerous states are enacting statutes protecting people from wiretapping and other monitoring of electronic activity.

Regulatory initiatives. Multiple regulatory agencies have addressed cybersecurity concerns through additional regulations, guidelines, and enforcement actions. The U.S. Securities and Exchange Commission (SEC), for example, recently issued a new set of guidelines for publicly-traded companies. The guidelines address disclosure of cybersecurity breaches as a means of making information available to investors. The FBI, meanwhile, established a joint task force to investigate cyber threats.

Continue reading "Legal Developments and Trends in Cybersecurity for 2012" »

New Laws and Guidelines on Cybersecurity Disclosures Both Protect and Endanger Personal Information

April 17, 2012



When hackers breached the e-commerce firm Zappos in January, they may have compromised the personal information of as many as 24 million users. Legislatures in several states, including California, have responded to attacks such as this one by passing laws enhancing cybersecurity investigation and enforcement, and increasing requirements for disclosure of cyberattacks. The U.S. Securities and Exchange Commission (SEC) has also issued new guidelines for businesses and individuals under attack. The key issue to consider, in light of these new laws and regulations, is how much disclosure is not enough, and how much is too much.

The SEC is recommending disclosure of cyberattacks to an unprecedented degree. A new set of guidelines issued in October 2011 advises publicly-traded companies to disclose details of cybersecurity breaches as part of the quarterly 10-K report. Companies should disclose any and all cyberattacks, regardless of whether they caused a loss. The SEC even encourages companies to disclose "cyberrisks," even in the absence of a breach. This potentially benefits investors, the SEC says, by providing comprehensive information about both actual and potential losses due to hacking and other cyberattacks. At the same time, extensive disclosure could put companies at greater risk by exposing weaknesses to hackers. Companies must carefully consider how much, or how little, to disclose. Too much disclosure could make them vulnerable to attack. Too little disclosure could make them vulnerable to lawsuits by investors.

State laws regarding cybersecurity disclosures are typically not as stringent as the SEC's guidelines. California passed the first such law a decade ago. That law applies to any person or business that owns or licenses computer data containing a California resident's "personal information," such as social security number, home address, driver's license number, and so forth. In the event of a breach that would reasonably lead to an unauthorized person obtaining the personal information, an owner or licensor of personal data must notify the person whose personal information may have been breached.

Forty-six states have followed California's lead and passed similar laws. California has actually fallen behind some states that have passed laws with stricter disclosure requirements. A new law that took effect on January 1, 2012, requires an individual or business to notify the state attorney general of a cybersecurity breach if the breach affects more than five hundred California residents. The notice must include specific details of the type and size of the breach, and a toll-free number to allow users to contact credit agencies.

Continue reading "New Laws and Guidelines on Cybersecurity Disclosures Both Protect and Endanger Personal Information" »

California Cyber Stalking and Harassment Laws

December 18, 2011



In California, the stalking laws are included under Section 646.9 of the Penal Code, which states that any person who willfully, maliciously, and repeatedly follows or harasses another person and who makes a credible threat with the intent to place that person in reasonable fear for his or her safety or that of an immediate family member is guilty of stalking. Stalking cases may include additional related charges such as: (1) Trespassing; (2) Vandalism; (3) Burglary; (4) Criminal Threats; and (5) Obscene, Threatening, or Annoying Phone Calls.

Please keep in mind that willfulness is a standard related to the culprit's state of mind. For example, when the person is acting purposefully, then he/she has the "conscious object" of engaging in conduct and believes or hopes that the attendant circumstances exist. If the person is acting knowingly, then he/she is practically certain that his/her conduct will lead to the result. If the person is acting recklessly, then he/she is aware that the attendant circumstances exist, but nevertheless engages in conduct that a "law-abiding person" would have refrained from. If the person acts negligently, then he/she is unaware of the attendant circumstances and the consequences of his/her conduct, but a "reasonable person" would have been aware. Finally, if the person acts with strict liability, then mental state is irrelevant and he/she is strictly liable.

In the last few years, with the emergence of the World Wide Web, a new kind of stalking has developed, called "cyber stalking." This type of misconduct occurs when the violator utilizes the Internet, electronic mail (e-mail), or other communication devices to harass and stalk others. For example, it can occur by sending e-mails to the victim, impersonating another person in online chat rooms and e-mail messages, and disseminating lies in cyberspace. It is also important to note that the Internet is a cheap and efficient method for "cyber stalkers" to anonymously cause harm to their victims.

If you have any questions, contact me, Salar Atrizadeh, Esq., to discuss your options.

Should the United States Plan for a Smarter Defense Against Cyber-Villains?

July 15, 2011



The threats from cyberspace grow more powerful and pernicious. Companies like Sony Corporation, Google Inc., and Lockheed Martin have admitted startling security lapses. The International Monetary Fund suffered a breach last month, leading to the loss of highly sensitive data. The United States Congress and executive branch agencies faced approximately 2 billion attacks in cyberspace per month in 2010.