Cybersecurity and Social Media Use by Sex Offenders: Packingham v. North Carolina

This week the U.S. Supreme Court decided Packingham v. North Carolina, a First Amendment challenge to a state statute that prohibited convicted sex offenders from accessing certain “commercial social networking” sites.  I include cases like this that involve the protection of minors, harassment, stalking, and the like under the rubric of “cybersecurity” because these issues of personal online safety relate to the stability and security of the “place” we call “cyberspace.”  In fact, it’s in these kinds of cases that the courts often grapple with the “place-ness” of cyberspace.  That grappling is central to the majority and concurring opinions in Packingham.

Many states have statutes that prohibit or limit registered sex offenders from accessing Internet content, including social media.  North Carolina’s statute defined “social networking Website” broadly.  It arguably would have covered not only sites such as Facebook and Twitter, but also shopping, news, health,  career, or other sites with comment boards.

Packingham was convicted in 2002 of sexual contact with a minor.   As a result, he was required to register as a sex offender, and was barred from accessing “social networking Websites” under the North Carolina statute.  In 2010, Packingham received a traffic ticket, which subsequently was dismissed.  He posted a religiously-themed message on his Facebook page celebrating the dismissal.  As a result of this posting, he was convicted of violating the social media statute.

A unanimous 8-Justice Supreme Court (Justice Gorsuch did not participate in the case) struck down North Carolina’s statute as unconstitutional under the First Amendment.  Justice Kennedy wrote the Court’s opinion, but Justice Alito wrote a concurrence, joined by Justices Roberts and Thomas, disagreeing with some of Justice Kennedy’s reasoning.  Both opinions are notable for their Internet exceptionalism, but Justice Kennedy’s opinion seems like an exceptional kind of exceptionalism.

Both the majority and concurring opinions applied the same legal doctrine based on the assumption that the North Carolina statute is “content neutral.”  Government regulation that restricts the time, place or manner of speech, but not the content of speech, generally is subject to “intermediate scrutiny” by the courts.  Under intermediate scrutiny, the regulation must “be narrowly tailored to serve a significant governmental interest,” which means the regulation “must not burden substantially more speech than is necessary to further the government’s legitimate interests.”  Opinion at 6 (internal quotations omitted).  All of the Justices agreed that the protection of children online is a significant government interest but that the North Carolina statute burdened substantially more speech than necessary to further online child protection.  Justices Kennedy and Alito disagreed somewhat, however, on how to frame the question of how much speech was burdened.

Justice Kennedy suggested that “[a] fundamental principle of the First Amendment is that all persons have access to places where they can speak and listen, and then, after reflection, speak and listen once more.” Id. at 4.  Justice Kennedy makes clear that he views cyberspace as such a “place”:

While in the past there may have been difficulty in identifying the most important places (in a spatial sense) for the exchange of views, today the answer is clear.  It is cyberspace — the “vast democratic forums of the Internet” in general . . . and social media in particular.

Id. at 5.  Not only is cyberspace one of the most important “places” of civil discourse today, according to Justice Kennedy:

While we now may be coming to the realization that the Cyber Age is a revolution of historic proportions, we cannot appreciate yet its full dimensions and vast potential to alter how we think, express ourselves, and define who we want to be.  The forces and directions of the Internet are so new, so protean, and so far reaching that courts must be conscious what they say today might be obsolete tomorrow.

Id. at 6.

In his concurrence, Justice Alito complained that “[t]he Court is unable to resist musings that seem to equate the entirety of the internet with public streets and parks.”  Alito Concurring Opinion, at 1.  For Justice Alito, it was clear that the North Carolina statute would prohibit access to many websites that provided little or no risk of child exploitation.  However, he argued that “if the entirety of the internet or even just ‘social media’ sites are the 21st century equivalent of public streets and parks, then States may have little ability to restrict the sites that may be visited by even the most dangerous sex offenders.”  Id. at 10.

It seems, then, that Justice Alito took a more cautious, less exceptionalist line than Justice Kennedy.  At the conclusion of his concurrence, however, Justice Alito agreed that “[c]yberspace is different from the physical world. . . .”  Id. at 11.  For Justice Alito, this difference warrants careful evaluation of individual cases, “one step at a time.”  Id. at 11.

My own sense of the judicial role, combined with the dynamic nature of the Internet, leads me to agree more with Justice Alito than Justice Kennedy.  There is something different about cyberspace, and this difference does make the nexus between liberty and security — not least as that nexus involves the freedoms of speech and association — exceedingly difficult.  But these difficulties are not anything new for courts.  In cases that implicate technological change, a court’s job is to understand how the particular technology at issue in a particular case or controversy relates to the legal doctrine applicable to that particular case or controversy.  Hand-waving over the word “cyberspace” is no excuse for sloppy judging.

Perhaps equally importantly, because the balance between liberty and security in cyberspace is difficult, courts should be careful about usurping legislative judgment.  Critics of sex offender social media bans often point to social science research that suggests restricting social media use has no effect on recidivism or child safety and that “sex offenders” cannot be treated as a homogeneous group.  The primary risk to children, according to some of this literature,  is from adult men who are not pathologically pedophiles but who groom adolescent girls out of a sense of power or danger.   I wonder if such studies are too focused on recidivism rather than on the possible deterrent effect for potential first-time offenders.  Even more significantly, I also think such studies can overlook the harm caused to children in the production of child pornography and the role of social networking sites and technologies in facilitating child pornography collection exchanges.  Indeed, even the authors of such research have noted that “[t]he development of new technologies and social media often outpaces the study of its use in the commission of crimes, which poses a unique challenge for further study.”  Chan, McNeil and Binder, Sex Offenders in the Digital Age, The Journal of the American Academy of Psychiatry and the Law 44:3 (2016).  Legislatures might be even better positioned than courts to evaluate and adjust to social science and other research that can inform policy.

[Embedded document: packingham.pdf (https://drive.google.com/file/d/0BzS0leqU862xdUpubGNxaWxQTkU/preview?usp=drivesdk)]

Slides on Cybersecurity and Legal Ethics

I’m also speaking later with Brett Harris on cyber security and legal ethics.  Here are our slides.

[Embedded document: Final Cyber 2017 Presentation.ppt (https://drive.google.com/file/d/0BzS0leqU862xbFVLaTVHNDYtZHM/preview?usp=drivesdk)]

Tabletop for NJSBA Second Annual Cybersecurity Conference

Here is a tabletop exercise I drafted that we’ll be running at the Second Annual NJSBA Cybersecurity Conference.

Acme Corp. manufactures and sells industrial control systems (ICS).  ICS devices integrate computer chips, hardware and software and can be programmed to monitor, regulate and control various components of commercial manufacturing, assembly and packaging plants.  For example, the following video shows an Acme ICS serving as the controller for a water bottling plant:

Acme’s ICS devices are network enabled and come bundled with a software suite that allows users to monitor and control the devices through a web interface.

Acme also provides installation and maintenance services for its ICS equipment.  Each ICS device must be configured for the systems it will control, which involves the creation of custom computer code.  The computer code, and sometimes the hardware, must periodically be updated if the underlying system configuration changes or if Acme develops performance enhancements, bug fixes, or security patches.  In a larger installation, Acme’s fees for installation and maintenance can exceed the costs of the initial hardware purchase, and the total contract price can exceed ten million dollars.

Acme maintains detailed information about each of its installations, including specific configuration information, networking details, and backup copies of computer code.  This information is stored in numerous documents in a variety of formats, including, for example, Word documents, Excel spreadsheets, Powerpoints, e-mails, and plain text files, on systems used by various Acme business units.  Files may reside on individual computer hard drives, internal company file servers, portable media (such as thumb drives), company-owned and personal laptops, smartphones and tablets, and commercial cloud-based storage such as Google Drive and Dropbox.

ISSUE 1:  A number of management-level Acme employees recently received emails purporting to have been sent by Sol Fish, Vice President for Client Relations at Acme.  The emails instruct the recipients to log into a newly-established sales database through a hyperlink in the email using their existing Acme network log-in credentials.  Fish did not send these emails, however, nor has Acme created any new sales database.  Meanwhile, Fish has received an email from Carl Kent, a business reporter for the Broad Street Journal, inquiring about the fact that the full technical specifications for an ICS installation at Port Newark were posted this morning on a number of business and government blogs.  In fact, Acme won a contract to improve the automation of shipping cranes and other devices at the Port.  The contract was controversial because of unsubstantiated allegations of bid rigging, cost overruns, and other political complaints.  The full technical specifications are confidential for security reasons, among others.  An obvious inference is that the spear-phishing attack may have allowed someone to obtain and post the confidential specifications.

ISSUE 2:  In addition, Fish has received an angry call from Bill Brazos, the CEO of Consolidated Fulfillment Centers, Inc.  Consolidated owns and operates large warehouse and fulfillment centers for major online retail companies.  Brazos claims that an Acme ICS system installed at a Consolidated facility in Edison, NJ contained a vulnerability that allowed hackers to obtain information concerning consumers to whom products were being distributed through the Consolidated facility.   Brazos says “millions” of customer accounts may have been compromised.

Implementing ABA Formal Opinion 477

Background

On May 4, 2017, the ABA released Formal Ethics Opinion 477, “Securing Communication of Protected Client Information” (attached at the end of this post).  This Opinion updates Formal Ethics Opinion 99-413, issued in 1999, which concluded that lawyers could use unencrypted email to communicate with clients.  Those of us who were practicing in 1999 will remember the difficulty the then-still-new phenomenon of ubiquitous email communication created for lawyers’ obligations of confidentiality.  The ABA has revisited the question because of new concerns about cybersecurity and client confidentiality.

Opinion 477 does not mandate any specific cybersecurity measures, but instead requires “reasonable efforts” to ensure client confidentiality when using any form of electronic communication, including text messaging, cloud-based document sharing, or other services, in addition to email.  The “reasonable efforts” requirement is consistent with Model Rule 1.6(c) concerning inadvertent disclosure of client information.  The Opinion adopts the factors set forth in Comment 18 to Model Rule 1.6(c) as guidelines for “reasonable efforts”:

(1) The sensitivity of the information;
(2) The likelihood of disclosure if additional safeguards are not employed;
(3) The cost of employing additional safeguards;
(4) The difficulty of implementing the safeguards; and
(5) The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

Opinion 477, lines 108-114.

For “routine communication with clients,” Opinion 477 reaffirms the conclusion of Opinion 99-413 that unencrypted email is generally acceptable, “presuming the lawyer has implemented basic and reasonably available methods of common security measures.”  Id., lines 130-136.  However, Opinion 477 requires a more extensive, fact-based risk assessment for other kinds of communications.

Steps for Compliance

Basic Technical Measures

There are some technical measures every lawyer should take to secure electronic communications with clients and that Opinion 477 seems to assume are normally reasonable.  These generally are technologies and policies that every law firm already should be using:

      • Sound password and access policies;
      • Appropriately configured firewalls;
      • Use of a VPN for communications outside a secure office network;
      • Encryption of data at rest, at least for sensitive client information;
      • Secure file sharing portals, at least for sensitive documents;
      • Appropriate BYOD policies.

Education and Training

Like any good cybersecurity compliance program, Opinion 477 suggests that lawyers and their support staff must obtain some training about cyber hygiene.  Id., lines 149-200.  This does not mean lawyers need to obtain expert cybersecurity certification credentials, but it does mean every lawyer must obtain at least a general understanding of how computers and computer networks function, of common types of cybersecurity threats and how to mitigate them, and of the proper use and implementation of the kinds of technologies and policies mentioned above.  A firm should be able to document the content and frequency of such training for its personnel.

Inventories and Audits

A key part of a strong cybersecurity program that is often overlooked is to inventory computer networks and systems and to audit compliance policies.  A firm should know:

      • Its network configuration;
      • Exactly which devices are connecting to the network;
      • Open ports on the network;
      • The volume of traffic flowing over the network.

A number of software tools are available to help automate this inventory and monitoring process and to raise red flags if unusual patterns occur.  If the firm is relying on an outside vendor for network support, the vendor should be able to provide this information.

In addition, a firm should maintain centralized cybersecurity compliance and breach response policies, which should regularly be reviewed by attorneys and staff.  A law firm’s cybersecurity compliance should include tiered security measures based on specific types of client information regularly handled or with the potential to be handled in the course of the firm’s practice.

Due Diligence on Vendors

The Opinion also requires attorneys to conduct due diligence on vendors that provide communications technology.  The auditing checklists here likely are more extensive than the current practices of many law firms.  See Opinion 477, lines 267-312.  Attorneys should remember that these requirements relate to their ISPs, web hosting companies, cloud storage providers, email providers, outside experts who handle electronic client information, e-discovery providers, and other vendors.  It can be helpful to develop standardized checklists and questionnaires for gathering this information.

Conclusion

ABA Opinion 477 makes clear that law firms must follow up-to-date, comprehensive cybersecurity compliance practices.  While many firms likely already use some basic security technologies, Opinion 477 makes cybersecurity a high priority for competency in the practice of law.

[Embedded document: ABAFormalOpinion477.pdf (https://drive.google.com/file/d/0BzS0leqU862xRjJyRlZXSnZwem8/preview?usp=drivesdk)]