Legal shorts for June 2, 2015: FCC to get tough with ISPs on customer privacy, and a warning to lawyers about the increasing ransomware threat
FCC warns ISPs: Tougher customer-privacy regulation coming soon
The U.S. Federal Communications Commission released an Enforcement Advisory for Internet service providers on May 20, 2015, that indicates they'll be required to follow stricter rules for use of their customers' personal information starting on June 12, 2015. ISPs are now subject to Section 222 of the Communications Act, which states that companies “shall only use, disclose, or permit access to individually identifiable customer proprietary network information” in the provision of services. (47 U.S.C. § 222(c)(1))
The specifics of what information is covered and what constitutes the provision of services are uncertain, according to Matthew Riemer and Paul Werner of Sheppard Mullin in a June 1, 2015, article on the JD Supra Business Advisor site. What is certain is that the FCC intends to hold ISPs to the higher Title II standard for protecting their customers' private information.
Ransomware puts lawyers behind the eight ball
At midnight on May 25, 2015, a piece of ransomware called Locker became active, blocking workers at several companies from signing into their computers until they had paid a ransom to the malware's authors. Security firm KnowBe4 describes how Locker works in a May 27, 2015, press release.
Ransomware such as Locker poses a tremendous threat to law firms in particular, according to Legaltech News' Ed Silverstein in a May 28, 2015, article (registration required). Once ransomware has encrypted a firm's data, the firm has no choice but to pay the ransom to decrypt it. Even then, the firm could be liable for allowing a third party to access confidential client information.
KnowBe4 CEO Stu Sjouwerman recommends that people have a recent full backup handy at all times, keep all their software up-to-date, and avoid clicking ads, which are increasingly used to spread malware of all types. Sjouwerman also emphasizes the importance of training employees in good data-security practices.
Well, best of intentions aside, the malware purveyors find new ways to spread their menace quicker than security experts can defend against them. The safest approach to protecting clients' confidential information is to store it on a computer that isn't connected to any network, and that doesn't allow data to be copied to any removable media. (That's how Caitlyn Jenner's Vanity Fair photos were safeguarded prior to their publication earlier this week, by the way.)
Practical? Not at all, but you simply have to acknowledge that any data stored on a computer with a network link is inherently insecure. The best option for law firms of all sizes is to use an online storage service that encrypts all data in transit and when it's stored. Even then, the company will have to take great pains to protect the decryption keys, as well as ensure all the PCs, tablets, and phones used by employees to access the data use encryption to access and store it.
A recent roundup of online storage services by PC Magazine gave high grades for security to CertainSafe and Code42 CrashPlan. CertainSafe refers to itself as "Insanely Secure" because it uses MicroEncryption to encrypt individual files to the byte level, in addition to standard 256-bit AES encryption, authentication controls, and "personal challenge questions." Code42 CrashPlan offers the unique ability to skip the cloud by having your data stored securely on a PC at the location of your choice, such as a business partner's office or even a friend's house.
Even with the most cautious approach to data security, law firms have to prepare for the day they are locked out of their own data. If you don't believe me, just ask Sony.