The "Dark Overlord" Strikes The Practice Of Law: What Law Firms Can Do To Protect Themselves
April 17, 2019 — Ivo G. Daniele – Newmeyer & Dillion
Cybersecurity breaches involving law firms are on the rise with each passing year. Law firms are prime targets for cyber criminals seeking confidential and sensitive information because of the various types of legal work that law firms normally handle for their clients. Whether it be mergers and acquisitions, the use of intellectual property, purchase agreements, bankruptcy or even litigation involving divorce, law firms are a rich depository for highly confidential and sensitive information. As a result, law firms must employ comprehensive security measures to protect themselves from security breaches or risk being on the losing end of a costly malpractice claim, and suffer severe reputational harm.
Law Firms Continue To Be Targeted By Cybercriminals
According to the American Bar Association ("ABA") 2018 Legal Technology Survey Report, 23% of the law firms who participated in the survey reported that their law firm experienced a data breach. Although this may be just a 1% increase from the 22% who reported a breach in 2017, it is important to understand that this is an increase of 8% from the stable percentages reported from 2013 through 2016.[1] The 2018 survey report also revealed that security breaches fluctuated with firm size – 14% for solo law firms, 24% for firms employing 2-9 attorneys, approximately 24% for firms with 10-49 attorneys, 42% for firms with 50-99 attorneys, and approximately 31% for those firms employing 100 or more attorneys.
Latest Law Firm Security Breaches
The notorious criminal group called "The Dark Overlord" has a history of committing data breaches of high profile companies such as Gorilla Glue, Netflix, Larson Studios, multiple healthcare companies, and Little Red Door Cancer Agency. Their goal is simple – steal sensitive information and then extort payment from the victims by threatening to release the sensitive information to the public.
On December 31, 2018, this cybercriminal group announced to the world that they had acquired 18,000 documents containing highly sensitive legal information related to insurance based litigation connected to the 9/11 tragedy. The stolen information was the attorney/client property of Lloyd's of London, Silverstein Properties, and Hiscox Syndicates, Ltd. In its announcement, The Dark Overlord boasted that they were in possession of client sensitive information, such as: "emails; retainer agreements; non-disclosure agreements; settlements, litigation strategies; liability analysis; defense formation; collection of expert witness testimonies; communication with government officials in countries all over the world; voice mails; dealings with the FBI, USDOJ, DOD, confidential communications, and so much more."
Subsequent to the data breach, The Dark Overlord announced to the public that they designed a compensation plan that would allow for public crowd-funding for its organization to permit the public to view the stolen information in exchange for bitcoin payment. The more public funding it receives, the more stolen sensitive information will be unlocked and released to the public. It is estimated that this cybercriminal group already distributed information to the public on two separate occasions during the month of January 2019.
High-profile cybersecurity breaches of law firms are nothing new. Examples include the infamous Panama Papers breach, where cybercriminals leaked 11.5 million documents exposing the shadowy business of setting up offshore corporations as tax shelters for businesses, celebrities, and politicians, and the infamous Petya malware attack, which resulted in a digital lockdown of one of the world's largest law firms, DLA Piper. However, despite how infrequently the media publicizes cyber-attacks on law firms, the FBI has recently announced that law firms should expect an increase in security attacks by cybercriminals because law firms are now viewed as "one-stop shops" for cybercriminals. Therefore, in order to combat the inevitable increase in cyber-attacks, law firms must prepare.
How Law Firms Can Protect Themselves
All law firms will agree that the most serious consequence of a security breach for their firm would be the unauthorized access to sensitive client data. The American Bar Association's Model Rules of Professional Conduct, specifically Rules 1.1 and 1.6[2] and related Comments, require an attorney to take competent and reasonable measures to safeguard information relating to their clients. This duty to "safeguard" information imposes a significant challenge to firms when using technology in connection with protecting client information because most law firms are not savvy with technology and lack proper cyber security training.
In order for a law firm to protect itself from security breaches and avoid inadvertently violating its duty to safeguard a client's sensitive information, it is important to take the following actions:
- Start by taking an inventory and risk assessment of the firm to determine what needs to be protected – the inventory should include both technology and data;
- Develop, implement and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations;
- Ensure the cybersecurity program addresses people, policies and procedures, and technology. The cybersecurity program must designate an individual or a group to be in charge and coordinate security;
- Develop an incident response plan scaled to the size of the firm;
- Continually train staff and attorneys to identify and understand potential cybersecurity threats;
- Consider implementing a third-party assessment of the firm's cybersecurity program and policies;
- Purchase cyber liability insurance, which covers not only first party losses to law firms (like lost productivity, data restoration, and legal expenses) but also liability protection to third parties;
- Implement authentication and access controls for network, computers and mobile devices used by the firm's staff and attorneys;
- Consider the use of full-drive encryption for computers and mobile devices;
- Have staff and attorneys avoid and/or limit the use of public WiFi when working remotely; and
- Create a disaster recovery plan to back up all data in the event of a cyber-attack or natural catastrophe.
Continually reviewing, implementing, training and updating a firm's cybersecurity program and protocols will help safeguard sensitive and confidential client information and/or data. No law firm wants to be the next data breach headline – so take the necessary steps to avoid a potential disaster.
[1] Past ABA Legal Technology Surveys reported 14% in 2016, 15% in 2015, 14% in 2014 and 15% in 2013.
[2] On November 1, 2018, California adopted ethics rules patterned after the ABA Model Rules of Professional Conduct.
Ivo Daniele is a seasoned associate in Newmeyer & Dillion's Walnut Creek office. His practice includes representing private and public companies with both their transactional and litigation needs. You can reach Ivo at ivo.daniele@ndlf.com.
About Newmeyer & Dillion
For almost 35 years, Newmeyer & Dillion has delivered creative and outstanding legal solutions and trial results for a wide array of clients. With over 70 attorneys practicing in all aspects of business law, privacy & data security, employment, real estate, construction, insurance law and trial work, Newmeyer & Dillion delivers legal services tailored to meet each client's needs. Headquartered in Newport Beach, California, with offices in Walnut Creek, California and Las Vegas, Nevada, Newmeyer & Dillion attorneys are recognized by The Best Lawyers in America©, and Super Lawyers as top tier and some of the best lawyers in California, and have been given Martindale-Hubbell Peer Review's AV Preeminent® highest rating. For additional information, call 949.854.7000 or visit www.ndlf.com.
Home Prices in 20 U.S. Cities Rise Most Since February 2006
January 29, 2014 — Jeanna Smialek – Bloomberg
Home prices in 20 U.S. cities rose in November from a year ago by the most in almost eight years, providing a boost to household wealth.
The S&P/Case-Shiller index of property prices in 20 cities climbed 13.7 percent from November 2012, the biggest 12-month gain since February 2006, after a 13.6 percent increase in the year ended in October, a report from the group showed today in New York. The median projection of 31 economists surveyed by Bloomberg called for a 13.8 percent advance.
Reprinted courtesy of Jeanna Smialek, Bloomberg. Ms. Smialek may be contacted at jsmialek1@bloomberg.net
Record-Setting Construction in Fargo
November 07, 2012 — CDJ STAFF
Prairie Business reports that Fargo is experiencing the most new construction it has ever seen, totaling $434 million in value, which exceeds the previous high in 2006 of $428 million. Many of the construction starts are for single family homes, although there is also an increase in construction of apartments and townhomes.
The Home Builders Association of Fargo-Moorhead also noted that there was a large number of remodeling projects. Terry Becker, the president of the HBA, said that “remodeling is just huge right now.”
New ConsensusDocs 242 Design Professional Change Order Form Helps Facilitate Compensation for Changes in Design Services
November 05, 2024 — Brian Perlberg - ConsensusDocs
ConsensusDocs is publishing a new ConsensusDocs 242 Change in Services and Compensation, a change order for design services by a design professional. In the design and construction industry, one thing is certain – change. Changes to the work scope included in the basic design services an architect or engineer provides occur somewhat regularly. Previously, ConsensusDocs did not have a standard contract document for changing design professionals’ prices. As a result of user feedback, the ConsensusDocs Contract Content Advisory Council (CCAC) drafted this new architect/engineer change order. The CCAC unanimously approved the new contract document and publication is set for October 14, 2024. The document will be available for most ConsensusDocs subscribers. The full, owner, design-professional, and short-form subscription packages will include the document. A subscription package can be purchased through ConsensusDocs.
The design professional change order helps owners of construction projects keep track of additional services their design professionals perform. The design professional must provide itemized labor breakdowns for each invoice. The new ConsensusDocs 242 has options for compensation to be actual hours at the billing rate or a lump sum. The new contract document form also has a table for the remaining project deliverables and their respective due dates.
Reprinted courtesy of Brian Perlberg, ConsensusDocs Coalition. Mr. Perlberg may be contacted at bperlberg@ConsensusDocs.org
Privacy In Pandemic: Senators Announce Covid-19 Data Privacy Bill
May 11, 2020 — Kyle Janecek & Jeffrey Dennis – Newmeyer Dillion
"Data! Data! Data!. . . I can't make bricks without clay." This classic statement from Sherlock Holmes in The Adventure of the Copper Beeches takes on a new meaning in the COVID-19 pandemic. With the plans to begin contact tracing the spread of the COVID-19 pandemic slowly moving towards the forefront, a valid and important issue presents itself: how do we treat and protect the data we so desperately need to trace, track, and address the pandemic? U.S. Senators Wicker, Thune, Moran, and Blackburn introduced a possible solution to this problem with the COVID-19 Consumer Data Protection Act, as announced on April 30, 2020. So what does the Act entail? What information is protected? What action would businesses need to take towards individuals, such as consumers or even employees, in order to comply with this new legislation?
WHAT IS THE COVID-19 CONSUMER DATA PROTECTION ACT?
The Act is meant to address the concern regarding data collection and privacy due to large companies, like Google and Apple, adjusting the software within their devices to facilitate digital contact tracing. The Act can be broken up into three parts - the treatment of information; the privacy notice requirements; and the transparency requirements.
First, the Act prohibits the collection, processing, or transfer of certain categories of data without notice and the affirmative express consent of the individual, in order to:
- Track the spread of COVID-19,
- Trace the spread of COVID-19 through contact tracing, or
- Determine compliance with social distancing guidelines without the requisite notice to individuals and their express consent.
To accomplish this, the Act also restricts entities in their ability to collect excessive information, stating that an entity cannot collect information beyond what is reasonably necessary to conduct any of the three COVID-19 related purposes listed in the statute. The entity must also provide reasonable administrative, technical, and physical data security policies and practices to protect the information collected. Furthermore, in the event that the entity stops using the information for any of the three COVID-19 purposes, it must delete or de-identify the information it has collected.
Next, the Act describes the requirements for notice to individuals. In order to legally collect, process or transfer the information, the entity needs to provide the consumer with prior notice of the purpose, processing, and transfer of the data through their privacy policy within 14 days of the enactment of the law. This policy would have to:
- Disclose the consumer's rights in a clear and conspicuous manner prior to or at the point of collection,
- Be available in a clear and conspicuous manner to the public,
- Include whether the entity will transfer any of the information it collects in order to track or trace COVID-19 or determine compliance with social distancing,
- Describe its data retention policy, and
- Generally describe its data security measures.
Notably, many of these are already requirements common to many privacy policies, including the disclosure regarding the transfer of an individual's information.
In addition, an individual must give their affirmative express consent to such collection, processing and transfer. In other words, an individual must "opt-in" to having their information collected. This would be done through a checked box or electronic signature, as the law prohibits entities from inferring consent through a failure by the individual to take an action stopping the collection. Furthermore, the individual would also need the ability to expressly withdraw their consent, with the entity then having to cease collection, processing, or transfer of the information within 14 days of the revocation. In essence, due to the restriction on transferal, this may result in businesses opting to delete or de-identify data upon a revocation.
Finally, the entity would have to abide by certain reporting and transparency requirements, namely a monthly public report stating how many individuals had information collected, processed or transferred, and describing the categories of the data collected, processed or transferred by the entity and why. This is akin to the California Consumer Privacy Act's treatment of categories of information, though it would require this information to be released on an ongoing, monthly basis.
WHAT DATA IS COVERED?
Notably, the Act only affects a very limited scope of data. The Act covers geolocation data (exact real-time locations), proximity data (approximated location data), and Personal Health Information (any genetic/diagnosis information that can identify someone). This could cover information like Bluetooth communication or real-time tracking based on a cell phone's geolocation features. Notably, Personal Health Information does not include any information that may be covered under HIPAA or the broader categorization of "Biometric" data (e.g., retinal scans, fingerprints). Furthermore, and more generally, "publicly available information" is excluded, which includes information from telephone books or online directories, the news media, "video, internet, or audio content" as well as "websites available to the general public on an unrestricted basis." The last of these would potentially push any and all information made available through social media (e.g., Facebook or Twitter) into the definition of "publicly available information."
HOW IS IT ENFORCED?
Generally, the law would be enforced by the FTC, under the provisions regarding unfair or deceptive acts or practices, similar to other enforcement actions arising out of privacy policies. Notwithstanding, state attorneys general may also bring actions to enforce compliance and obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the state.
WHAT SHOULD MY COMPANY DO?
If your entity plans on collecting information for tracking COVID-19, measuring social distancing compliance, or contact tracing, it is advisable to include language in your privacy policy now. This could be as simple as adding an additional provision within your privacy policy stating that the entity will retain information to conduct one of the three COVID-19 purposes as laid out in the statute. In addition, this also means that should the entity collect and use employee information for contact tracing, tracking the spread of COVID-19 or ensuring compliance with social distancing measures, it will need to disclose some of the specifics of that process to the employees and have them opt-in for the process. Finally, for contact tracing purposes, any individual that shares their diagnosis will have to opt-in for the entity to legally collect, process, and transfer that information to others.
While the time to reach compliance is unknown, it is more important than ever to form a compliance plan for privacy legislation if you do not already have a plan in place. If you decide to prepare with us, our firm has created a 90 day California Consumer Privacy Act compliance program (which can be expedited) where our team will collaborate with you to determine a scalable, practical, and reasonable way for you to meet your needs, and we will provide a free initial consultation. For further inquiries or questions related to COVID-19, you can consult with a Task Force attorney by emailing NDCovid19Response@ndlf.com or contacting our office directly at 949-854-7000.
Kyle Janecek is an associate in the firm's Privacy & Data Security practice, and supports the team in advising clients on cyber related matters, including policies and procedures that can protect their day-to-day operations. For more information on how Kyle can help, contact him at kyle.janecek@ndlf.com.
Jeff Dennis (CIPP/US) is the Head of the firm's Privacy & Data Security practice. Jeff works with the firm's clients on cyber-related issues, including contractual and insurance opportunities to lessen their risk. For more information on how Jeff can help, contact him at jeff.dennis@ndlf.com.
General Contractor Supporting a Subcontractor’s Change Order Only for Owner to Reject the Change
December 09, 2019 — David Adelstein - Florida Construction Legal Updates
The opinion in Westchester Fire Ins. Co, LLC v. Kesoki Painting, LLC, 260 So.3d 546 (Fla. 3d DCA 2018) leads to a worthy discussion because it involves a common scope of work occurrence on construction projects involving a general contractor and subcontractor. The contractor submits a subcontractor’s change order request to the owner and the owner rejects the change order. What happens next is a scope of work payment dispute between the general contractor and subcontractor. Yep, a common occurrence.
In this case, a general contractor hired a subcontractor to perform waterproofing and painting. A scope of work issue arose because the specifications did not address how the window gaskets should be cut and then sealed. The owner wanted the window gaskets cut at a 45-degree angle and the subcontractor claimed this resulted in increased extra work. The general contractor agreed and submitted a change order to the owner to cover these costs. The owner rejected the change order claiming it was part of the general contractor’s scope of work even though the cutting of window gaskets at a 45-degree angle was not detailed in the specifications.
After the subcontractor filed a suit against the general contractor’s payment bond surety, the project architect further rejected the change order because gasket cutting was part of the specification requirements. (Duh! What else was the architect going to say? It was not going to concede there was an omission that resulted in a change order to the owner, right?)
Reprinted courtesy of David Adelstein, Kirwin Norris, P.A. Mr. Adelstein may be contacted at dma@kirwinnorris.com
Orchestrating Bias: Arbitrator’s Undisclosed Membership in Philharmonic Group with Pauly Shore’s Attorney Not Grounds to Reverse Award in Real Estate Dispute
June 21, 2017 — Lyndsey Torp - Snell & Wilmer Real Estate Litigation Blog
The California court of appeal recently issued an unpublished decision in Knispel v. Shore, 2017 WL 2492535, affirming a judgment confirming an arbitration award in a real estate dispute involving Pauly Shore. The court of appeal held that the arbitrator’s failure to disclose her membership in the Los Angeles Lawyers Philharmonic Group with the attorney representing Pauly was not grounds to overturn the judgment.
The underlying arbitration involved a dispute between Michael Scott Shore, on the one hand, and his brother, Pauly, among others, on the other hand, regarding certain residential property located on Sunset Boulevard near The Comedy Store in West Hollywood (owned and operated by their mother, Mitzi Shore). The parties agreed to arbitrate their dispute before Judge Aviva K. Bobb (Ret.) of the Alternative Resolution Center. Judge Bobb issued an award in favor of Pauly, and he petitioned the trial court to affirm the award. Michael opposed, contending the arbitrator failed to disclose that she and Pauly’s attorney had both been members of the Lawyers Philharmonic, for which they had been practicing and performing together since November 2010.
Reprinted courtesy of Lyndsey Torp, Snell & Wilmer. Ms. Torp may be contacted at ltorp@swlaw.com
AI – A Designer’s Assistant or a Replacement?
November 28, 2022 — Aarni Heiskanen - AEC Business
Over the last few months, we’ve seen an online explosion of AI-powered text and image generators. Many non-designers welcome these tools as a way to express themselves and create results that would have taken professionals days to complete. The obvious question is, should designers start feeling scared?
Interior designs from a photo you upload
In Business of Home, Fred Nicolaus writes about how he and L.A. designer Shaun Crha tested an online tool called Interior AI. They uploaded pictures of empty rooms, selected basic prompts (“midcentury modern bathroom,” for example), and watched the machine go. After tweaking the tool settings, they started getting impressive results.
Launched in September 2022, Interior AI is the creation of Pieter Levels, a programmer. He built the site in five days by connecting it to a commercially available AI engine called Stable Diffusion. It has been trained with images from Pinterest and other photo sources.
Reprinted courtesy of Aarni Heiskanen, AEC Business. Mr. Heiskanen may be contacted at aec-business@aepartners.fi