Articles Posted in Cybersecurity

It’s important to implement practical corporate cybersecurity measures, especially in today’s volatile climate. The number of reported cyber threats is increasing and will most likely continue on the same trajectory. All businesses and commercial enterprises are targets, especially if they have access to or control over valuable information such as trade secrets and intellectual property.

The common tools or methods for infiltrating a corporation’s cybersecurity infrastructure involve some form of malicious software (i.e., malware) that’s designed to penetrate the network and cause havoc. Malware includes viruses and ransomware. Hackers can also use other methods to infiltrate the system, such as “phishing,” which is usually done by sending an email that encourages the recipient to click on a link. Once the recipient clicks on the link or opens the attachment, the malicious software is released into the network.

It’s important to have a dedicated team of information technology experts who can evaluate the network and improve the cybersecurity measures. They can use all sorts of tools and techniques (e.g., penetration testing) to evaluate the strengths and weaknesses of the network infrastructure. It is crucial to have a “cybersecurity planning tool” to assist the company with building a robust cybersecurity strategy. There are various governmental tools and resources that the company can use to achieve this goal.

Electronic data has been growing in size and proportion for several decades. The sheer amount of electronic files (e.g., emails, pictures, videos) has consumed local and remote databases. The cloud storage facilities have been put together to hold this information for us. Cloud storage facilities have certain obligations towards their customers which include secure storage of electronic files by using industry-approved protocols. The rules for proper storage should not change based on the particular industry. In fact, the cloud storage facilities are supposed to use similar protection measures for all electronic files – e.g., encryption – to ensure safety.

Encryption is a tool or resource that allows files to be scrambled and hidden from plain sight. The encrypted data is called “ciphertext,” which can only be decrypted with the right key. There are two types of encryption: symmetric and asymmetric. Symmetric encryption uses one key for both encryption and decryption. Asymmetric encryption uses two different keys for encryption and decryption – i.e., the private and public key. The public key can be shared with the general public, but the private key remains a secret and is only accessible by the right individual. There are various encryption technologies such as AES, Triple DES, RSA, and Blowfish.

Electronic data retention includes collecting, storing, and managing information. Private and public organizations should have the right rules and regulations that help define how electronic information should be located, identified, and stored. There are government regulations, international standards, industry regulations, and internal policies. Government regulations are set by state or federal governmental agencies such as the Federal Trade Commission and Internal Revenue Service. International standards are set by the International Organization for Standardization, such as ISO/IEC 27040, ISO 9001, and ISO 17068:2017. Industry regulations include the GDPR, PCI-DSS, and CCPA. Finally, internal policies include data version controls and employee record retention.

Data disposal is a key process in a legal entity’s policies and procedures for managing personal and confidential information. In general, private and public entities store data on their servers. This information may include financial and health information which should not fall into the wrong hands. So, there must be a proper procedure for destroying and disposing of that information by using industry-approved methods.

The Federal Trade Commission has implemented a data disposal rule in relation to consumer reports and records to prevent unauthorized access to or use of that information. In California, several statutes have been promulgated to address this issue. For example, California Civil Code Sections 1798.81, 1798.81.5, and 1798.84 are applicable. In fact, Civil Code 1798.81 states as follows: “A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.” Therefore, there are standards to follow and implement to avoid unnecessary complications. The state legislature has encouraged the implementation of “reasonable security” for personal information under Civil Code 1798.81.5. Also, Civil Code 1798.84 outlines the legal remedies which include initiating a civil action.

The proper retention of emails is paramount, especially if the electronic messages include private, confidential, or proprietary information. For example, “email archiving” is one method to retain electronic messages, especially if there is the possibility of litigation. The emails should be backed up in a searchable format for practical reasons. Electronic discovery allows the parties to request and obtain electronic documents during litigation. In most cases, the electronic discovery process is time-consuming and complicated, especially because there is a large volume of data involved in the lawsuit. More importantly, the failure to comply with electronic discovery requests may result in sanctions.

Artificial intelligence (“AI”) is defined as a system that imitates human intelligence to conduct similar tasks by improving itself based on the submitted or collected information. Artificial intelligence can be used in various industries such as manufacturing, automobiles, education, medicine, and financial services. Artificial intelligence can be used to detect and defend against cybersecurity intrusions, solve technical problems, lower production management tasks, and assess internal compliance for accepted vendors. Artificial intelligence technology is affordable and can produce faster results when compared to human interactions.

The terms artificial intelligence, machine learning, neural networks, and deep learning are not the same. Machine learning is a subset of artificial intelligence. Deep learning is a subset of machine learning. Neural networks create the backbone of deep learning algorithms and imitate the human brain by using specialized algorithms. It’s also important to realize that deep learning is different from machine learning. There are three main types of artificial intelligence: (1) Artificial Narrow Intelligence; (2) Artificial General Intelligence; and (3) Artificial Super Intelligence. For example, chatbots and virtual assistants (e.g., Alexa, Siri) are considered artificial narrow intelligence since they’re unable to incorporate human behaviors or interpret emotions, reactions, or tones.

What are the potential cybersecurity issues?

The term “metaverse” is a combination of “meta” and “universe.” This new concept allows users to interact with each other in virtual worlds and buy and sell names, goods/services, properties, and avatars. They can also organize, host, and attend events in virtual worlds.

Consumers will be using blockchain technologies and digital currencies. Blockchain is a database that includes network computers that share information across the internet. For example, Bitcoin uses blockchain technology to update its ledgers. So, several of these newer platforms are powered by blockchain technologies that use digital currencies and non-fungible tokens (“NFTs”), which allow a new type of decentralized digital asset to be designed, owned, and monetized. The NFT is a virtual asset that promotes the metaverse. It’s an intangible digital product that links ownership to unique physical or digital items (e.g., artistic work, real estate, music videos). In other words, each NFT cannot be replaced with another one because it’s unique and irreplaceable. So, for example, if you own an NFT, it will be recorded on the blockchain and you can use it for electronic transactions. In fact, with NFTs, artifacts can be tokenized to create digital certificates of ownership for electronic transactions.

What are the potential legal issues?

The internet is a combination of computer networks and electronic devices (e.g., smartphones, laptops) that can communicate with each other on various platforms. The internet has allowed people to immerse themselves in a world where they can create profiles on social media websites and freely interact with each other. It is certainly an intriguing phenomenon and an interesting part of today’s technological advancements. However, at this stage, technology companies are working on a different project called the “metaverse” which would combine the internet with augmented and virtual realities where the users can interact with each other as avatars.

What is metaverse?

It is made up of the prefix “meta” which means above or beyond and the stem “verse” which is a back-formation from “universe.” It’s generally used to describe the concept of a future iteration of the internet, made up of persistent, shared, three-dimensional virtual spaces linked into a perceived virtual universe. It may not only refer to virtual worlds, but the internet as a whole, including the entire spectrum of augmented and virtual realities. It refers to an immersive digital environment where people interact as avatars. Its concept encompasses an extensive online world transcending individual tech platforms, where people exist in immersive and shared virtual spaces.

There is a series of online scams that have been taking place in recent years. The culprits are becoming more sophisticated as they’re coming up with new schemes. The law enforcement agencies have been trying to keep up with the new schemes. However, given their limited resources, it is a challenging task. Nonetheless, our law firm has been representing clients in state and federal courts who have been victims of online scams.

Online auction scams have become prevalent on the internet. For example, the scammer gets involved in the online auction and purchases the item by overpaying for it via an international money order. Then, the seller, who is eager to sell the item to the buyer in good faith, sends the item along with the overpayment. So, in the end, the seller loses the item and the funds.

Online rental and real estate scams involve the same type of practice where the scammer poses as the interested renter or buyer and sends the funds towards the seller or landlord. Then, the scammer reneges on the deal and requests a refund. The seller or landlord returns the funds but later realizes the initial check was counterfeit.

We’ve already described the definition of doxing in the prior article. We will turn to the various doxing methods and relevant laws. Doxing works by tracking someone’s information by accessing the internet or other databases. Big data has allowed individuals to extract personal information which was impossible to find in the past. Nowadays, the doxing party can track usernames, run a WHOIS search on a domain or website, engage in phishing activities, look into social media profiles, go through state/federal government records, track an Internet Protocol (“IP”) address, or conduct a reverse phone number lookup. The doxing party can also engage in what is referred to as “packet sniffing,” which can be prevented by using a virtual private network.

The doxing party (i.e., culprit) can release the victim’s sensitive or personal information on the internet and instruct others to harass or intimidate the victim. There have been instances of such transgressions in recent years. For example, a popular adult dating website was hacked and the users’ private information was released onto the web. Obviously, this incident was embarrassing for the adult dating website and its members. There have been other incidents where the victim had engaged in questionable conduct and was targeted on the internet.

Is doxing illegal?

The question is what is doxing and what are the laws? Doxing, which is short for dropping documents, takes place when the malicious actor gathers personally identifiable information and publicly discloses it to annoy, harass, intimidate, or stalk the victim for no legitimate purpose. The malicious actors engage in these types of activities to publicly humiliate or target their victims. For example, they may intentionally identify law enforcement personnel or show off their hacking abilities.

How does doxing work?

The malicious actors utilize different techniques for their doxing activities. They can hack, social engineer, or steal personal and confidential information. They can gain access to the victim’s email account and extract private information from the victim’s account. They can break into web-based accounts such as social media, cloud storage, or bank records. They can also use the same email address and password to gain access to other accounts. There have been incidents where the malicious actors used the victim’s Department of Homeland Security username and password to gain access to its network.

The technology that we are using on a daily basis provides certain and cognizable advantages and disadvantages. The advantages are great and have allowed the public to have access to a wide range of options. The disadvantages include, but are not limited to, security and privacy discrepancies. Technology operates to enhance a business model, idea, or operation. This is usually done by collecting and selling information for profit. These types of data collection and marketing activities have been heavily regulated by state and federal agencies in recent years. However, with every new technology, there will be new challenges.

Augmented and virtual reality technologies are no different from other types of technologies in that they are fully capable of being abused when they fall into the wrong hands. Augmented and virtual reality software or hardware applications are designed to enhance user experiences by storing and sharing information across the network. This information may include personal or confidential information that would not otherwise be accessible by third parties. Nonetheless, the designers or manufacturers of these applications make it much easier to gain access and share information with third parties – e.g., marketing or advertising agencies – which pay an incentive for gaining access to them.

The state and federal legislators should pay close attention to these technologies and their operation mechanisms so they can update existing laws and implement new laws that would properly address consumer-related issues. Now, if the AR/VR technologies are collecting health or medical information, the Health Information Portability and Accountability Act (“HIPAA”) comes into play. Also, if the AR/VR technologies are collecting a minor’s information, then the Children’s Online Privacy Protection Act (“COPPA”) would be applicable.