New Paper on Data Breach Harms

This is a draft of my paper Cybersecurity and Data Breach Harms: Theory and Reality, forthcoming in the Maryland Law Review.

ePrivacy Regulation Proposal

On February 10, 2021, the Council of the European Union released its proposed ePrivacy Regulation. If adopted, the ePR will complement and extend the GDPR. The ePR would be deemed lex specialis in relation to the GDPR as lex generalis, meaning the ePR would take precedence in the event of any conflicts. The ePR would apply to organizations and providers that facilitate electronic communications. The next step is the trilogue process. Most observers think the European Parliament will ask for some potentially significant changes to the Council Proposal. In subsequent posts we’ll unpack some significant aspects of the Proposal.

Published
Categorized as ePR, GDPR

North Korean Hacker Indictment

Today Federal prosecutors in California unsealed an indictment against North Korean members of Lazarus Group and APT38 alleging $1.3 billion in theft and extortion. The Indictment is notable for the scale of the nation-state sponsored economic criminal activity it describes.

Published
Categorized as Cyber Crime

The Virus and Ransomware

In the middle of the pandemic, things we used to take for granted feel frightening.  A trip to the grocery store, taken only when truly necessary, seems like stepping onto the set of a post-apocalyptic movie, as shoppers eye each other suspiciously from behind face masks while picking over thinly-stocked shelves.  Cyber criminals, unfortunately, know how to prey on these fears.  From early in the COVID-19 crisis, cybersecurity experts have warned about a rise of social engineering attacks, such as phishing emails, spoofed websites impersonating public health authorities such as the World Health Organization and the U.S. Centers for Disease Control, and fake coronavirus mobile apps.   

Some of these social engineering campaigns have been linked to ransomware attacks on health care facilities, financial services providers, and other essential businesses.  A study done by Carbon Black, for example, showed a 148% increase in ransomware attacks between February and March 2020.  Another study released by Checkpoint Research on April 16, 2020, found that ransomware attackers are increasingly engaging in “double extortion.”  This kind of attack begins as a typical ransomware incident:  the attacker encrypts the victim’s data and demands a ransom to decrypt it.  It also adds a second stage:  the attacker makes a copy of sensitive data and then, after receiving the decryption ransom, demands a second payment to prevent public disclosure of the stolen data.

Although the COVID-19 crisis creates fear, it also prompts generosity and altruism – ranging from the heroism of front-line health care workers to everyday acts of kindness like checking in virtually on friends and neighbors.  At the start of the crisis, leading ransomware groups such as DoppelPayemer and Maze seemed to join this wave of altruism by promising to avoid attacks on health care facilities.  These groups try to position themselves as modern-day cyber Robin Hoods, stealing from wealthy banks and other for-profit companies while avoiding entities such as healthcare facilities that serve the poor. 

Almost immediately after this promise, however, Maze hit Hammersmith Medicines Research, a British company that may serve as a COVID-19 vaccine test center.  The truth is that these are ruthless organized crime operations that will not hesitate to take advantage of this crisis.

Now more than ever, even as we practice social distancing to flatten the curve of the coronavirus infection, we need to practice good cyber hygiene to flatten the curve of cyber attacks.  It’s a good time to remind employees working from home of some basic principles: 

  • Be wary of texts or emails that seem unusually alarmist or urgent, particularly if they purport to originate from high-level government or corporate sources.

  • Avoid apps and websites that claim to offer some inside information or cures beyond what is being reported by official government sources and reputable news outlets.

  • If presented with a request for information that seems suspicious, use recognized channels, including a phone call to the supposed source, to confirm whether the request is authentic.

  • Notify the appropriate persons in your organization of contacts that appear to be social engineering scams.

Legal Ethics and Technology

I’m speaking tonight at the Gibbons Institute of Law, Science & Technology’s “Legal Ethics, Technological Competence and New Technologies” event.  I’ll focus on Comment 8 to ABA Model Rule 1.1, ABA Formal Opinion 477, and ABA Formal Opinion 483, all of which concern a lawyer’s ethical duties in relation to new technologies.  Here’s the slide deck.

[google-drive-embed url=”https://drive.google.com/file/d/1Jp61G_IzBN0nqH7yzXx5FIgtbB3ILH0l/preview?usp=drivesdk” title=”slidesforethicscle2018.PPTX” icon=”https://drive-thirdparty.googleusercontent.com/16/type/application/vnd.openxmlformats-officedocument.presentationml.presentation” width=”100%” height=”400″ style=”embed”]

AI Data Privacy Concerns

Here’s a working list of legal concerns regarding AI and data privacy:

  • Legal Problem #1: Do you have authority to collect the data?
  • Legal Problem #2: Do you have authority to use the data?
  • Legal Problem #3: Do you have authority to retain the data?
  • Legal Problem #4: Does your algorithm need to be fair?
  • Legal Problem #5: Are you providing data to a business partner that is using it in AI applications?
  • Legal Problem #6: Are you obtaining services from a business partner that is processing data in AI applications?

AI in the Pharma Industry

On Thursday I’m speaking at the Mayer Brown Life Sciences Symposium on AI, Blockchain, and Automation in the pharma industry.  Here’s a graph from a recent EY Report showing the ways in which big data and automation will impact the pharma and healthcare industries.  

These developments promise to revolutionize healthcare for the better.  From a security perspective, these developments present both benefits and risks.  On the risk side, one of the themes I’ll emphasize is the increased attack surface that comes from the integration of information across multiple vendors, devices, platforms, providers, and patients.

Encryption and the Fifth Amendment

This afternoon I’m presenting at the Hofstra Law School IP Colloquium on my paper The Skeleton in the Hard Drive:  Encryption and the Fifth Amendment.  Here are my slides.

[google-drive-embed url=”https://drive.google.com/file/d/1BGkHdofptEBeJjkbbi9gkpycbnjtmlMa/preview?usp=drivesdk” title=”The Skeleton in the Hard Drive.pptx” icon=”https://drive-thirdparty.googleusercontent.com/16/type/application/vnd.openxmlformats-officedocument.presentationml.presentation” width=”100%” height=”400″ style=”embed”]

Disrupt NJ

Speaking tonight at Disrupt NJ on “Corporate Social Responsibility and Cybersecurity.”  Here are my slides.

[google-drive-embed url=”https://drive.google.com/file/d/1drmCVDg-mNkCfTp8bD6Mr56i_iqVnr2x/preview?usp=drivesdk” title=”csrtechethics.pptx” icon=”https://drive-thirdparty.googleusercontent.com/16/type/application/vnd.openxmlformats-officedocument.presentationml.presentation” width=”100%” height=”400″ style=”embed”]

Law and AR / VR: “Asymmetric Reality”

On Friday I spoke at the “Virtual Legality” symposium at the University of Maryland Law School.  Here are my slides.  My talk emphasized the “second half of the chessboard” effect concerning data collection in AR / VR.

[google-drive-embed url=”https://drive.google.com/file/d/1w5Vew5vBXL_fL26ZbYatwEiqlgTUpFjr/preview?usp=drivesdk” title=”maryland presentation.pptx” icon=”https://drive-thirdparty.googleusercontent.com/16/type/application/vnd.openxmlformats-officedocument.presentationml.presentation” width=”100%” height=”400″ style=”embed”]

Published
Categorized as AR / VR

Russia’s Other Cyber Attack

Russia’s meddling in the 2016 Presidential election obviously has captured plenty of media attention.  Less well known is that, according to a recent U.S. CERT Report, Russia has been “targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors” with cyber intrusions.  The CERT Report notes that the initial intrusions proceeded through trusted third-party suppliers with networks that were less secure than those of the infrastructure entities and that the targets were deliberately chosen.

Russia’s manipulation of social media to influence U.S. elections is a deep concern, but the fact that Russia is probing weaknesses in our power, water, air, and other critical networks is even more sobering.  Coincidentally, this week I’m teaching a class on cybersecurity and the international law of war.  Cyberwar is a fuzzy domain that does not map neatly onto the existing international law of war.  Here’s a video lecture of the materials for that class:

Cybersecurity and Corporate Social Responsibility

My article Cybersecurity, Encryption, and Corporate Social Responsibility has been published in the current edition of the Georgetown Journal of International Affairs.  I argue in this paper that “[c]ompanies such as Apple should recognize that they have a social responsibility to work with governments on security issues, and such a corporate social responsibility norm should become part of international CSR principles.”