Articles Posted in Cybersecurity

Cybersecurity and privacy rules have changed the private and public sectors’ landscapes. The state and federal rules are changing the ways private and public organizations are managing their operations. These rules are focusing on privacy, security and regulations in all jurisdictions but uniformity is an issue. Therefore, state and federal legislators should ensure uniformity to avoid regulatory and enforcement contradictions.

The State of California has enacted laws to promote cybersecurity within its jurisdiction. For example, Assembly Bill 89 (“AB 89”) was enacted to ensure information sharing should be conducted in a way that protects an individual’s privacy and civil liberties, confidential information, preserves business confidentiality, and enables public officials to detect, investigate, and prevent network security breaches. It has also enacted the California Consumer Privacy Act (“CCPA”) that allows individuals to file a legal action against businesses that fail to implement and maintain reasonable security measures to protect their personal information. Now, “reasonable security measures” may include using a firewall, encryption, and intrusion detection software on their computer networks.

The State of New York has enacted laws to promote cybersecurity within its jurisdiction. For example, it has passed the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) to protect consumers from exposure of private information from cybersecurity attacks. This statute is designed to increase data protection and data breach notification requirements for commercial enterprises. It is meant to hold business organizations responsible for gathering and storing consumer personal information which may include a name, address, telephone number, email address, date-of-birth, and social security number.

Cybersecurity is the most important measure for protecting your personal and confidential information. There are cybersecurity incidents taking place on a daily basis. In general, most targets are companies and individuals who yield confidential information such as financial documents. This way, the hackers can use the information to promote their illegal acts or violations. In fact, it is known they use malware and spam to infiltrate electronic devices and extract confidential information.

Spam has been prolifically used by hackers to target victims. The hackers use this method to send unsolicited emails to victims. In other words, they ask them to click on a link or download a file which unbeknownst to the victim contains malware. Then, once the victim has downloaded the malware, his or her computer will be infected. The virus will extract personal information and send it back to the hacker. The virus may also use a “keylogger” to track the victim’s activities. It can track and record the victim’s financial transactions and find a way to log into his/her bank accounts.

Hackers can find their victims by using several methods. For example, phishing scams have been used to lure their victims into traps. They use instant messages and text messages to contact their victims. The hackers use these methods to take the victim’s usernames and passwords without authorization. They will try to gain access to the victim’s financial accounts and extract funds without authorization. As a result, the hackers will ruin the victim’s credit by opening up credit card or mortgage accounts without authorization. They can obtain cash advances if they gain access to the financial information. They will also utilize the victim’s social security number to engage in fraudulent activities.

Data breach incidents have caused a significant amount of complications for business owners and their customers. The statistics show that at least 50% or more of companies have been targeted by hackers. So, the lawmakers have taken steps to promulgate laws to protect the victims and penalize the bad actors.

Data Breach Notification Laws

Every state has some form of data breach notification legislation that requires business owners to give notice to consumers about a data breach that has resulted in the unauthorized acquisition of unencrypted personal information. These laws usually require the business owners to give notice to the consumers in the most efficient manner. They may require the business owners to notify the Attorney General’s office if the business is required to notify a significant number of residents in that state. They also grant a “private right of action” (i.e., the right to file a lawsuit) to the victim in order to seek legal and equitable damages.

Cybersecurity is paramount to secure online communications whether they are for sending or receiving sensitive or confidential information – e.g., trade secrets, intellectual properties, financial information. Many people assume they are protected on the internet when transferring or receiving files over computer networks. They may attach tax-related documents to their message and press the send button without hesitation. What most people do not realize is that information may be intercepted without authorization. Now, most laws require “reasonable security measures” to ensure the privacy of confidential records.

What are the state laws?

There is no single state law that applies to all cybersecurity-related issues. So, every state has promulgated several statutes in order to address and promote cybersecurity. These state laws are usually similar in their nature and scope. For example, California recently passed the California Consumer Privacy Act (“CCPA”) codified under Civil Code Sections 1798.100, et seq., to enhance consumer privacy rights. It grants consumers the right to know what kind of personal information is being collected about them, whether the personal information is sold or disclosed, to refuse the sale of their personal information, to gain access to their personal information, to request deletion of their personal information, and to not be discriminated against for exercising their privacy rights.

Internet fraud and scams have exponentially increased in recent years. There are several reasons for this development which include the expansion of technology and usage of electronic devices in our daily lives.

The fraudsters find different ways to retrieve sensitive or confidential information in order to commit their crimes. For example, they may extract the information by dumpster diving next to corporations and financial institutions. There have been cases where sensitive information of a corporation’s employees was extracted without authorization. They may also engage in “shoulder surfing” which is another way to surreptitiously extract confidential information from the unsuspecting victim. These activities usually take place close to a bank’s ATM in order to steal the victim’s debit card PIN. They can also use what is referred to as a “skimming device” as a way to obtain sensitive information from debit or credit cards. These devices can be placed on ATMs to procure the confidential information without suspicion. The fraudsters can also obtain sensitive or confidential information by breaking and entering into the victim’s property. This way, they can look into the victim’s house or vehicle for valuable items or confidential documents.

There is a long list of internet fraud methods such as auction scams, rental scams, dating scams, lottery scams, and charity scams. The criminals are finding new ways to trick their victims into relinquishing valuable information – e.g., address, telephone, date-of-birth, social security number, debit or credit card number. Social engineering is another method to obtain information which is usually done by gaining the victim’s trust. It has become one of the main methods for extracting valuable information from unsuspecting victims. The internet allows culprits to anonymously communicate with their victims which is the major issue in lawsuits simply because it takes time and effort to launch an investigation. Our law firm is able to unmask the anonymous culprit’s identity by using the proper tools and techniques. We have access to a network of experts and investigators who can help our clients. We have also established relationships with local, state, and federal law enforcement agencies.

Sextortion is a type of online blackmail. It’s one kind of sexual exploitation that takes place on the internet when an anonymous individual threatens to distribute the victim’s explicit videos or pictures if he or she does not comply with the demands which can include transferring funds through digital currencies. The culprit may use a webcam to extract private information and make threats to harm the victim if the victim fails or refuses to comply with the demands.

The culprit usually follows his victims on websites and chatrooms to gain their trust. The culprit may send a message to the victim that has malware in an effort to hack into the victim’s electronic devices. The victim can make the mistake of clicking on the link which releases the virus on to the computer. The infected computer is now compromised and can be used for nefarious purposes.

The courts have been dealing with sextortion since it is a new problem in the technology age. The law prohibits the non-consensual dissemination of intimate pictures or videos but the litigants or their lawyers have been using laws related to harassment, extortion, bribery, or child pornography. For example, 18 U.S.C. § 2251 prohibits sexual exploitation of children. The following federal statutes could be relevant to these activities: 18 U.S.C. § 2252, 18 U.S.C. § 2422, and 18 U.S.C. § 875.

There are state and federal privacy laws that are applicable to consumers and commercial organizations. There has been much activity with the collection and distribution of private or confidential information in recent years. Personal information can be collected through several methods such as voluntary disclosures, cookies, website bugs, tracking software, malware (e.g., worms, trojans, spyware), and phishing. For example, tracking software can be used to collect information but there must be proper disclosure. Nonetheless, criminals do not follow the rules or guidelines and it is a known fact they have access to the tools and techniques to extract customer information without obtaining authorization.

Personal information is certainly valuable to its owner. It is also valuable to a bad actor who is seeking to misuse the personal information without authorization. The bad actors who obtain personal information in a secretive manner are planning to gain a profit. They may engage in identity theft or online impersonation by using the wrongfully obtained personal information. Identity theft has caused a significant amount of monetary damages to the victims. There are state and federal laws that prohibit identity theft in every jurisdiction. The National Conference of State Legislatures provides a comprehensive list of these laws. In California, the following state laws prohibit identity theft and provide remedies:

  1. California Penal Code § 368: It prohibits identity theft against elders and disabled persons;

Quantum computing technology will certainly have an effect on state, federal, and international laws. A quantum computer is a much more capable electronic device and has the ability to process data faster.  In general, computers can manage, control, and process information by using individual bits that store information as binary 0 and 1 states. The so-called “bits” are electrical or optical pulses that come in the form of 0s and 1s. Now, quantum computers leverage quantum mechanics to process information by depending on quantum bits – i.e., qubits. The so-called “qubits” are subatomic particles like electrons or photons that are isolated in a controlled quantum state.

What is a quantum computer?

A quantum computer is a complicated electronic device that has several components such as a Qubit Signal Amplifier, Input Microwave Lines, Superconducting Coaxial Lines, Cryogenic Isolators, Quantum Amplifiers, Cryoperm Shield, and Mixing Chamber. It is a sophisticated system that works through “quantum superposition” and “quantum entanglement” for enhanced computing processes.

Cryptojacking (or “malicious cryptomining”) happens when the culprits hijack a third party’s network bandwidth without authorization to use for their cryptocurrency mining efforts. The malicious software conceals itself on the electronic communication device and utilizes its resources. Obviously, the culprits engage in such clandestine activities to gain profit or else they would spend their time and energy on other matters.

Cryptocurrencies are digital funds stored on electronic wallets (also known as “virtual wallets”) that are encrypted and exist on electronic communication devices. They are considered a new kind of digital assets. Coins are cryptocurrency units which are entered into a database for recording the transactions. The digital transaction takes place online between the virtual wallet owners and recorded on a public ledger. Then, special computers transform the digital transaction into a complicated mathematical puzzle, and thereafter miners independently solve and confirm the digital transaction. The reward for solving the mathematical puzzle is to receive a new cryptocoin. So, as time has progressed, the mining efforts have increased and caused a significant amount of money to be spent on the process. There are miners who have created “computer farms” and dedicated a vast amount of specialized hardware and software programs.

Unfortunately, in most cases, when you fall victim to cryptojacking it will go unnoticed. You may realize your electronic communication devices are slowing down or using too much bandwidth even though it’s not necessary. There are reports indicating the culprits have been detected on mobile devices, cloud servers, and critical datacenters. Now, some companies have been able to defend against cryptojacking by upgrading browsers and malware scanners. However, as always, the culprits will try to circumvent these defense mechanisms. For example, there is a report from an international cybersecurity firm confirming a cryptojacking campaign against a specific brand of routers. This attack exploited a flaw in the network routers and infected them. So, in short, the culprits used the flaw to promote their cryptojacking scheme.

The coronavirus pandemic has affected us on a national and global level. This pandemic has caused a financial and health crisis for most of us. Now, the bad actors are taking advantage of this tragic situation by engaging in online scams. For example, our law firm’s investigation has determined that they are sending emails and other types of messages to unwary individuals as a way to extract sensitive or confidential information.

The Federal Trade Commission has outlined the following steps to avoid coronavirus scams:

  • Do not pick up any kind of robocalls and do not press any numbers. Scammers are using illegal robocalls to pitch everything from scam Coronavirus treatments to work-at-home schemes.