Your Firm is a Potential Target for Cyber Criminals

By | Criminal Defense, Data Breach, eDiscovery, Employment Law, Litigation | No Comments

Legal professionals take note: your firm is a potential target for cyber criminals. Recently, three Chinese citizens have been charged in the United States with insider trading activities based on information obtained through breaching multiple law firms. This fact illuminates that law firms are a prime target for cyber attackers. Given the nature of communication and documents that often comprise legal work product, it comes as no surprise that the same information can be used for financial gain if it falls into the hands of an unscrupulous party. Regardless of the type of cases handled by a firm, the resulting communication and work product could be useful to an attacker. For those firms working in mergers and acquisitions, the work product potentially becomes even more valuable.

The previously mentioned attack leading to insider trading activities was allegedly made possible through hacking into law firms and mining for information related to buyouts and other useful data for insider trading. To some, this comes as no surprise. Leveraging the wealth of information maintained by law firms, particularly those dealing with large corporations, is a natural and potentially lucrative avenue for cyber attackers. In Spring 2016, dozens of law firms were targeted by Russian hackers in an effort to obtain confidential information to be used for insider trading. It is clear that law firms are an enticing target for cyber criminals. Information technology and security may not be a focal point of law school, but it is a vital piece of protecting the information entrusted to law firms by their clients.

Simply put, law firms produce and store data that is often of great interest to cyber criminals. Whether it is information regarding an upcoming merger, bankruptcy, patent, or any other intellectual property, the type of data generated at law firms can be extremely valuable to attackers looking to profit from confidential information. Consider the attackers vantage point: breaching the security and gaining access to a specific corporation may yield fruitful information, but the effort and time involved in successfully hacking the company typically results in information about a single organization. If the same effort were applied to carrying out a successful cyber attack on a law firm, hackers could potentially gain access to confidential information regarding a multitude of companies in a single attack. To defend themselves, firms must take action through implementation and proper execution of cyber security policies and procedures.

It is imperative that law firms recognize the risk of a cyber attack and take appropriate actions to mitigate the chances of a data breach. There are numerous technology controls such as firewalls, intrusion detection and prevention systems, anti-virus, and sophisticated log aggregation and monitoring tools. While all of these are important and useful in their own right, it is the user that can play the most significant role in preventing or unwittingly facilitating a cyber attack. Users are more easily manipulated and coerced than firewalls and other technical measures, and must therefore be aware of the types of threats they are likely to encounter and trained on spotting issues and mitigating the successfulness of an attack.

A technique known as spear phishing is one of the most common methods attackers use to gain unauthorized entry into an organization. In a spear phishing attack, a very targeted email is sent to a specific party in hopes that the recipient will click a link within the email, opening a malicious attachment, or otherwise unintentionally degrade the security of the system enough to allow the attacker access. Spear phishing emails often contain seemingly personalized information, addressed to the correct recipient and perhaps referencing a past event the recipient spoke at or attended. Providing these types of details is an attempt to implicitly build trust with the recipient and detract from the true nefarious purpose of the message. In some cases, attacks like these can be blocked using technical controls. However, if not blocked by an email filter or other technical control, it is up to the recipient of the message to make the final determination on whether or not to complete the call-to-action urged in the email. This is where user awareness and training pay off. Users that are trained on spotting spear phishing attempts and other common scams can help a law firm prevent data breaches by blocking the initial effort of a cyber criminal.

Regardless of the security controls, policies, and procedures that a firm chooses to implement, it is clear that law firms are and will continue to be a target of cyber criminals. The recent charges filed against three Chinese citizens for allegedly hacking into law firms and leveraging confidential data to make millions off trades based on the stolen data is unlikely to be the only one of its kind. The valuable data held at law firms paints a target on the back of firms across the country. If your firm is lagging behind on its cyber security practices, now is the time to catch up. Protecting the information bestowed to firms by their clients extends well beyond the confines of the courtroom and into the digital realm of networks, data, and hackers looking to take advantage of vulnerable systems.

Jason Hale is a Digital Forensic Examiner at One Source Discovery who specializes in incident response. Jason has a Master’s degree in Digital Forensics and holds the Certified Computer Examiner (CCE) designation from the International Society of Forensic Computer Examiners and the GIAC Certified Forensic Analyst (GCFA) designation from the Global Information Assurance Certification.

Ryan Ferreira testifies about call detail records

By | Criminal Defense, Employment Law, Litigation | No Comments

Digital Forensics Expert, Ryan Ferreira, MSc, CCE explains Call Detail Records. Call Detail Records are often used when there is an allegation related to an individual being at a location at a particular time.

Looking back at 2016: Can Hillary’s emails teach us anything?

By | eDiscovery, Litigation | No Comments

The Hillary Clinton Email Saga, By The Numbers

From Visually.


Looking back at 2016: Can Hillary’s emails teach us anything?

by Andy Cobb, PhD, CCE

While many cases that affected the practice of electronic discovery popped up in 2016, no eDiscovery topic got more attention or had more impact than the Hillary Clinton email server saga. Are there some lessons we can all take away from the Hillary email debacle? Yes. But before we discuss those lessons, let’s refresh our memories on what happened during the Clinton email debacle according to the USA Today’s summary:

March 2, 2015: The New York Times reports that Hillary Clinton used a private email server while serving as Secretary of State.

March 10, 2015: Clinton defends her use of a private server, saying it was for “convenience” so she could use a single device for personal and business use. “Looking back, it would have been better for me to use two separate phones and two separate e-mail accounts,” she said. “I thought using one device would be simpler. Obviously, it hasn’t worked out that way.”

July 24, 2015: The inspectors general at the State Department and Director of National Intelligence ask the Justice Department to review whether classified information was compromised in Clinton’s use of private email.

August 2015: A federal official confirms the FBI is investigating.

Aug. 11, 2015: Clinton’s campaign says she has directed that her server be turned over to the Justice Department

May 25, 2016: The inspector general at the State Department issues a report critical of Clinton’s use of private email, saying department policies dating to 2005 require that “normal day-to-day operations” be conducted on government computers.

July 1, 2016: Attorney General Loretta Lynch says she will accept recommendations from the FBI and career prosecutors in the email case in an attempt to dispel criticism of her potential conflict of interest after she met with former president Bill Clinton on a Phoenix tarmac.

July 2, 2016: Clinton is interviewed by the FBI for 3-1/2 hours in Washington, D.C.

July 5, 2016: FBI Director James Comey announces the recommendation not to prosecute Clinton.

October 28, 2016: In a letter to Congress, Comey says the FBI is reviewing new emails related to Clinton’s time as secretary of state, according to a letter sent to eight congressional committee chairmen. The emails are discovered as part of an investigation into Anthony Weiner and were sent or received by Clinton aide Abedin.

November 6, 2016 — Based on a review of the newly discovered emails, Comey tells lawmakers that the agency has not changed its opinion that Clinton should not face criminal charges.

Sifting Through the Talking Points
After all of this, Clinton’s campaign Communications Director, Jen Palmieri said she was “glad this matter is resolved.” Trump, however, pushed back against the announcement: “Right now, she is being protected by a rigged system,” Trump said Sunday night at a rally in Michigan. “It’s a totally rigged system. I’ve been saying it for a long time. You can’t review 650,000 new emails in eight days. You can’t do it, folks.”

Actually you can – easily. And you can do it in a matter of a couple of days. It’s a matter of filtering emails by metadata (fields such as: to, from, dates, etc.). 650,000 emails become a few hundred with some smart filtering and maybe some keyword searching. Which brings us to Comey, who said the email review wouldn’t be complete until after the election. This is what we call managing expectation in our industry.

What Can we Take Away from how this played out?
From an information governance and Ediscovery perspective, Clinton’s use of a personal server to send State Department messages, some of which were at some point deemed classified, was clearly a mistake. One must keep in mind that the records/emails policies of the state department were fluid from 2000 through 2014, when they were strengthened. We’ve seen this same tightening of records retention policies in the private sector over the past decade, with the appending of the Federal Rules of Civil procedure and court decisions. Clearly she didn’t err on the side of caution, which is always the best policy. Our advice would have been to keep the email sets entirely separate – separate email accounts, separate physical server, separate service provider, separate location. Notice the emphasis on separate. There is a lesson here for all of us: keep professional and personal emails separate. At the very least, in the event of an inquiry, this practice prevents the work of having to sort out which emails are professional and which ones are personal.

BYOD and Hillary
If there was one trend that emerged in 2016 for which Clinton’s personal/State Department emails were a metaphor, and a serious topic that will remain a concern for information governance past 2016, it’s the critical importance of BYOD (Bring-Your-Own-Device) policies. These policies are designed to address issues related to an organization’s data being stored on devices that are owned by employees or associates, rather than being owned by the organization. Even though an individual may have two different email addresses, they may still have one device in a BYOD-friendly environment. So a client using their own personal device for professional and personal communication can, at the very least, complicate discovery.

For example, say a client sends you, their attorney, a question via text and a privileged conversation ensues. The following week, opposing counsel issues a discovery request for client’s phone because they believe there are relevant, non-privileged communications relating to the legal matter at hand. Now you must take the extra step (and the client must incur the extra cost) of reviewing the information on the phone since you knew there were protected text messages and possible emails, before other information is turned over.

The key, as was missing with Clinton’s handling of her emails, is to have in place, and follow, good records retention and BYOD policies outlining how communications should be preserved and managed. Ideally, IT (Information Technology) and the legal department should collaborate on policies for the security of corporate data (and devices that data could be transferred to/ accessed from). Specifically, policies that contain the following elements can make a big difference:

-Restrictions on usage of devices on unsecure networks, which can be common attack venues for hackers
-Encryption of sensitive corporate data should be implemented to prevent access by those other than the end-user and/or select IT staff
-Regular audits of the system to ensure securities are in place and effective
-The capability to remotely wipe a lost or stolen device

Additionally, from a legal standpoint there are certain guidelines that can prevent lawsuits arising from an employee’s loss of data. Some of those measures can be captured in an agreement signed between the employer and each employee with elements such as:

-Acknowledgement by the employee that personal data on BYOD devices is subject to potential exposure during discovery proceedings

-Acknowledgement that the data on the device may be wiped if the device is lost or stolen

-An indemnity clause, stating that while the employer will make efforts to protect employee’s personal data on devices, the employee acknowledges that data placed on the device is at risk of deletion

-Acknowledgement that the employer has the right to audit device(s) upon request

Hillary Clinton’s email server has brought into the public eye the complications of having personal and professional communications in the same location (and may have cost her the election!). Unfortunately, this issue is not limited to presidential candidates; it can have major impacts on individuals everywhere involved in discovery for legal matters.

Andy Cobb is a Partner with One Source Discovery, a full-service eDiscovery firm, and is the creator of the patent-pending BlackBox remote forensic collection software tool. He has served as a consultant on eDiscovery matters, provided expert testimony on various computer forensics matters and published numerous technology journal articles.