Articles Posted in Cybersecurity

There are state and federal privacy laws that are applicable to consumers and commercial organizations. There has been much activity with the collection and distribution of private or confidential information in recent years. Personal information can be collected through several methods such as voluntary disclosures, cookies, website bugs, tracking software, malware (e.g., worms, trojans, spyware), and phishing. For example, tracking software can be used to collect information but there must be proper disclosure. Nonetheless, criminals do not follow the rules or guidelines and it is a known fact they have access to the tools and techniques to extract customer information without obtaining authorization.

Personal information is certainly valuable to its owner. It is also valuable to a bad actor who is seeking to misuse the personal information without authorization. The bad actors who obtain personal information in a secretive manner are planning to gain a profit. They may engage in identity theft or online impersonation by using the wrongfully obtained personal information. Identity theft has caused a significant amount of monetary damages to the victims. There are state and federal laws that prohibit identity theft in every jurisdiction. The National Conference of State Legislatures provides a comprehensive list of these laws. In California, the following state laws prohibit identity theft and provide remedies:

  1. California Penal Code § 368: It prohibits identity theft against elders and disabled persons;

Quantum computing technology will certainly have an effect on state, federal, and international laws. A quantum computer is a much more capable electronic device and has the ability to process data faster.  In general, computers can manage, control, and process information by using individual bits that store information as binary 0 and 1 states. The so-called “bits” are electrical or optical pulses that come in the form of 0s and 1s. Now, quantum computers leverage quantum mechanics to process information by depending on quantum bits – i.e., qubits. The so-called “qubits” are subatomic particles like electrons or photons that are isolated in a controlled quantum state.

What is a quantum computer?

A quantum computer is a complicated electronic device that has several components such as a Qubit Signal Amplifier, Input Microwave Lines, Superconducting Coaxial Lines, Cryogenic Isolators, Quantum Amplifiers, Cryoperm Shield, and Mixing Chamber. It is a sophisticated system that works through “quantum superposition” and “quantum entanglement” for enhanced computing processes.

Cryptojacking (or “malicious cryptomining”) happens when the culprits hijack a third party’s network bandwidth without authorization to use for their cryptocurrency mining efforts. The malicious software conceals itself on the electronic communication device and utilizes its resources. Obviously, the culprits engage in such clandestine activities to gain profit or else they would spend their time and energy on other matters.

Cryptocurrencies are digital funds stored on electronic wallets (also known as “virtual wallets”) that are encrypted and exist on electronic communication devices. They are considered a new kind of digital assets. Coins are cryptocurrency units which are entered into a database for recording the transactions. The digital transaction takes place online between the virtual wallet owners and recorded on a public ledger. Then, special computers transform the digital transaction into a complicated mathematical puzzle, and thereafter miners independently solve and confirm the digital transaction. The reward for solving the mathematical puzzle is to receive a new cryptocoin. So, as time has progressed, the mining efforts have increased and caused a significant amount of money to be spent on the process. There are miners who have created “computer farms” and dedicated a vast amount of specialized hardware and software programs.

Unfortunately, in most cases, when you fall victim to cryptojacking it will go unnoticed. You may realize your electronic communication devices are slowing down or using too much bandwidth even though it’s not necessary. There are reports indicating the culprits have been detected on mobile devices, cloud servers, and critical datacenters. Now, some companies have been able to defend against cryptojacking by upgrading browsers and malware scanners. However, as always, the culprits will try to circumvent these defense mechanisms. For example, there is a report from an international cybersecurity firm confirming a cryptojacking campaign against a specific brand of routers. This attack exploited a flaw in the network routers and infected them. So, in short, the culprits used the flaw to promote their cryptojacking scheme.

The coronavirus pandemic has affected us on a national and global level. This pandemic has caused a financial and health crisis for most of us. Now, the bad actors are taking advantage of this tragic situation by engaging in online scams. For example, our law firm’s investigation has determined that they are sending emails and other types of messages to unwary individuals as a way to extract sensitive or confidential information.

The Federal Trade Commission has outlined the following steps to avoid coronavirus scams:

  • Do not pick up any kind of robocalls and do not press any numbers. Scammers are using illegal robocalls to pitch everything from scam Coronavirus treatments to work-at-home schemes.

Identity theft has been described as the use of one person’s identity by another to commit fraud. See Remsburg v. Docusearch, Inc. (2003) 149 N.H. 148, 155, 816 A.2d 1001, 1007.  This case was about an individual seeking personal information (e.g., date-of-birth, social security number, work address) about someone else from an internet-based investigation and information service company. Unfortunately, the culprit, who obtained the personal information, located and fatally shot the victim as she left work. Thereafter, the victim’s mother sued the defendants for negligence, invasion of privacy, and violation of the state consumer protection act. In response, the federal court issued an order of certification and outlined the following factual questions to be determined by the state Supreme Court:

(1) Under the common law of New Hampshire and in light of the undisputed facts presented by this case, does a private investigator or information broker who sells information to a client pertaining to a third party have a cognizable legal duty to that third party with respect to the sale of the information?

(2) If a private investigator or information broker obtains a person’s social security number from a credit reporting agency as a part of a credit header without the person’s knowledge or permission and sells the social security number to a client, does the individual whose social security number was sold have a cause of action for intrusion upon her seclusion against the private investigator or information broker for damages caused by the sale of the information?

The Information Age has brought many advantages for us all across the globe. Now, we can instantaneously communicate with each other by email or text messages. We can connect by using videoconferencing software and see each other in real time. We can send and receive files in a very efficient manner.

Our clients want to know if a cyberthreat can be prevented before it happens. The usual answer is that a complete prevention is not possible for several reasons. First, the technology that is being used may be susceptible for using legacy or open source technologies. In most cases, the network architecture is outdated and the electronic devices may not be able to properly communicate with each other. In other words, they are as smart as the least smart device within the framework. Second, most individuals do not update their software programs on a constant basis and do not participate in training programs. Third, the executive team of an organization must ensure that their technology experts understand and efficiently use the latest tools and techniques. Fourth, it has been proven that not one organization can have sufficient threat intelligence to fend off all kinds of cyberthreats by itself. As such, it is important to strive for real-time sharing of threat intelligence.

What Is a Cyberthreat and How Does It Happen?

We have discussed the Fifth Amendment’s application to encryption and biometric information in the past. So now, the purpose of this article is to discuss biometric privacy laws. The State of Illinois has already passed several pieces of legislation to regulate biometric privacy laws. For example, it has passed the Biometric Information Privacy Act (“BIPA”) which addresses the protective measures of biometric information. The statute defines biometric information as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.” It defines a biometric identifier as follows:

A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.

However, these rules seem to miss the mark by imposing statutory damages and fee-shifting provisions on commercial organizations. As a result, the legislators have opened the floodgates to class action lawsuits. It is important to note that biometric technology has evolved in recent years and the statutes that have attempted to regulate the technology may be outdated. Also, the recently-developed biometric equipment are capable of transforming the biometric identifier into an encrypted format which makes it unreadable or unidentifiable. Therefore, this kind of advanced technology prevents the anticipated harm, and as such, the statutory provisions should be updated by the lawmakers.

Internet privacy laws have been implemented to protect us from legal violations. These laws are meant to protect us against cyber threats and data intrusions which are designed to extract personal or confidential information (e.g., intellectual properties, trade secrets) without authorization. Data privacy is paramount when it comes to the collection, use, and storage of personal or confidential information. However, not many are taking proper steps to ensure security. These steps can include encryption, firewalls, intrusion detection systems, and two-factor authentication.

It is important to realize that even though the criminals are not personally entering your private space or domain, however, they are still able to follow your digital footprints. These digital footprints can be followed by using special tools – e.g., keylogger – which can follow you without your knowledge and consent. Also, cookies can be used to follow you around in a clandestine manner.

What are the internet privacy rules or regulations?

In general, ransomware is a type of malware (i.e., malicious software) that is designed to take control of an electronic communication device, prevent its owner from accessing the electronic communication device, notify its owner that the electronic communication device has been held ransom, demand payment from the owner, and return access to electronic communication device after payment. There have been many instances of ransomware attacks when the hackers have taken control of a company’s servers and prevented its employees from accessing the network and database servers. The hackers would notify the employees by email and demand payment of funds in order to return access to their computers. Now, in some instances, a payment was necessary, but in some exceptional cases the company owners can have an advantage over the hackers and not be required to transfer the funds.

There are several types of ransomware. First, there are applications that fall under the category of scareware and intended to create fear for the recipients and force them to purchase unnecessary software. Second, there is prankware which is intended to cause fear by sending unanticipated pictures, sounds, or videos. For example, NightMare was a type of prankware that would remain dormant on the recipient’s computer and launch itself by changing the computer screen to a skull and playing a loud noise. Third, there is a group of crypto-ransomware named as GPCode or PGPCoder that claims to use PGP encryption to prevent file access. So, in other words, it’s a virus that encrypts files on the infected computer and demands a ransom to release access to the encrypted files. The hackers have been able to become more effective with their tools. The new generation of this type of ransomware denies user access to files by writing encrypted files to a new location and deleting the original file. However, this strategy was ineffective since a file restoration would allow the victim to recover the files. Fourth, CryptoLocker became the new generation of ransomware. It shares similar distribution models of previous ransomware variants and relied on phishing attacks with portable executable attachments. It would install itself on the user’s profile folder and add a registry key to run on startup to maintain persistence. Then, it would start to communicate with the command and control server to generate an RSA-2048 key pair and send the public key to the victim host.

What are the relevant laws?

Cloud computing has become the normal protocol to store data for most individuals and businesses. The fact that online storage is cheaper these days has contributed to the expansion of this technology. There are numerous companies out there that provide cloud storage facilities which may be inside or outside of your jurisdiction. Now, the question is why is that important at all? Well, the answer is because the laws of each jurisdiction may be different when it comes to interstate commerce and cybersecurity. This is one good reason to make sure you read and understand the cloud service provider’s terms and conditions before you sign up. There will be provisions that can help you understand your rights and responsibilities. For example, where and how the parties can resolve their disputes? Also, the laws of which state will be used to resolve the dispute? The answers will be in the venue, choice of law, or governing law provisions. In some cases, the cloud service provider includes an arbitration clause which requires the parties to resolve their dispute through arbitration.

There are various cloud computing platforms that allow the users to send and receive information. So, obviously the users should use precautions when transferring data towards the cloud service provider. For example, it’s recommended to encrypt the data before transferring it. Also, it’s a good idea to confirm that data integrity will be protected after the transfer. The users should also have a functioning backup of their files in a safe place in case the data is lost, stolen, or destroyed.

The Privacy Shield Program applies to cloud computing platforms that do business with other countries – e.g., European Commission, Switzerland. This program is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce and enables U.S.-based organizations to join the Privacy Shield Frameworks. For example, a U.S.-based organization must self-certify to the Department of Commerce and commit to the Framework’s requirements. It’s not mandatory to join the Privacy Shield Program, but once the organization makes the public commitment to comply with the Framework’s requirements, the commitment will become legally enforceable. The participating organization will receive the following benefits: