FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Beware Phony (or Exaggerated) Software Piracy Claims

Posted on: February 3rd, 2020

By: Jeff Alitz

For more than a decade, software companies and software trade groups/alliances have pursued aggressive cost-recovery strategies against customers and former customers for their alleged unauthorized use (i.e., use with no license available) of software and other intellectual capital published and marketed by the companies. While the deliberate use of such software without a license is neither condoned nor encouraged, the cost-recovery tactics – and the targets of such tactics – are not always appropriate or warranted. The savvy tech user and their counsel should be aware of the most egregious recovery strategies and the best protocol to fight them.

The least scrupulous piracy enforcers may employ a variety of methods: targeting small and undercapitalized companies with only several software users with the threat of crippling fines; giving whistleblowers not only anonymity but also cash for reporting the use of unlicensed software; and imposing the damage multipliers (3X actual damages are common) found in seldom-read software license agreements even against the unintentional use of unlicensed software (for example, where the user has simply misplaced the license over time). Most often, the law firm or other designee of the software company or trade group initiates contact with an alleged unlicensed software user by demanding a software audit. If the user cannot demonstrate that the products it uses are fully licensed, up to date, and tied to all of the user’s employees, the software company sharpens its knives.

What can be done? It is obvious, but maintaining, and internally broadcasting, that all the software IS licensed will go far to discourage whistleblowers and will help thwart the piracy hounds if they continue their hunt. IF violations of the software agreements remain unexplained after the audit is complete and the software company continues its pursuit, the “target” and its counsel can employ a variety of defenses to the claims, including arguing that any infringement was innocent (which typically reduces the available fine but does not outright exonerate the software user), focusing on statute of limitations defenses, and projecting a willingness to defend the license violation allegations while at the same time working to achieve a cents-on-the-dollar settlement with the best release that can be negotiated.

Freeman Mathis & Gary’s Data Privacy and Security Practice Group is here to help clients with policies and training. If you have any questions or would like more information, please contact Jeff Alitz at [email protected].

Two-Factor Authentication—Not Broken Yet, But the Bad Guys Are Doing Their Worst

Posted on: January 27th, 2020

By: Barry Miller

If a cybersecurity gold standard exists, it is two-factor authentication (“2FA”).

Or it was.

As the name implies, 2FA is a two-level approach. Level one usually is a password. The second level is typically a random digital code (a “token”) created by or transmitted to a separate device. After entering their password, users then have to supply the token. Because the second factor changes with every use, the assumption was that the only way to break 2FA would be to hack both levels—password and token.
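As an added illustration, not part of the original post, the following Python shows the mechanics just described: a time-based token (RFC 6238 TOTP over HMAC-SHA1) and a login check that requires both the password and the current token, refuses a token replayed within the same window, and accepts a token only when it was generated from the account’s own seed. The account record, password, salt and seed are constructed for the example.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30   # RFC 6238 default window: a fresh token every 30 seconds
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time window."""
    return hotp(secret, now // TIME_STEP)


class Account:
    """Constructed server-side record: salted password hash, TOTP seed, last accepted window."""

    def __init__(self, password: str, seed: bytes):
        self.salt = b"constructed-salt"   # a real system draws a random salt per user
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.seed = seed                   # whoever holds this seed can mint valid tokens
        self.last_window = -1              # replay guard: each window is accepted once


def verify_login(acct: Account, password: str, token: str, now: int) -> bool:
    """Both factors must pass; a token for an already-used window is rejected as a replay."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        return False                       # factor one (password) failed
    window = now // TIME_STEP
    if window <= acct.last_window:
        return False                       # same or older window: replayed token
    if not hmac.compare_digest(totp(acct.seed, now), token):
        return False                       # factor two (token) failed or came from another seed
    acct.last_window = window
    return True
```

The seed `b"12345678901234567890"` is the RFC 4226/6238 test-vector key, so the tokens it produces can be checked against the published vectors.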

Shortly before Christmas ZDNet reported that a group sponsored by the Chinese government managed to bypass 2FA in a “wave of attacks.” Government entities and providers in the aviation, healthcare, finance, insurance, and energy sectors were the main targets. Their method bypassed 2FA not by intercepting the token sent to the user, but by creating another valid token.

This followed a November report from gPost that a whitehat hacker showed how Gmail’s 2FA could be vulnerable; and another December story that hackers were using an Android app advertised as a battery utility app to bypass 2FA to steal money from PayPal accounts.

All of which prompted threatpost to ask several security experts whether 2FA is broken. The consensus was that, while 2FA is not perfect, using it still is better than not using it. “Any sort of 2FA is still leaps and bounds better than no 2FA at all,” Jason Kichen told threatpost. Because so many entities still do not require 2FA, using it “means you’re a harder target than the user next to you.”

A second consensus among the threatpost experts is that even the best 2FA system will not compensate for failing to set and follow policies, and failing to train users.

Freeman Mathis & Gary’s Data Privacy and Security Practice Group is here to help clients with policies and training. If you have any questions or would like more information, please contact Barry Miller at [email protected].

Ransomware Attacks Reached Unprecedented Numbers in 2019

Posted on: January 15th, 2020

By: Melissa Santalone

According to a study published by Emsisoft Malware Lab, an unparalleled number of ransomware attacks hit U.S. businesses and government agencies in 2019.  In total, 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges, and school districts were targeted at a potential cost of more than $7.5 billion.  In many instances, these attacks caused disruptions that placed lives at risk, like when 911 services were interrupted, emergency patients had to be sent to other hospitals, and police were unable to run background checks and check criminal histories and active warrants.

The report analyzed the “why” of the sharp increase of ransomware attacks in 2019 and concluded that organizations continue to have security weaknesses and attackers have developed better ways of exploiting those weaknesses, creating a “perfect storm.”  Emsisoft referenced a 2019 University of Maryland, Baltimore County report based on data from a national survey of cybersecurity in local governments that found a lack of preparedness within the local governments and a lack of funding for cybersecurity.  Many local governments do not even have mechanisms in place to detect or track cyberattacks and even basic best practices are going unused.  The report cited the city of Baltimore’s loss of data after a ransomware attack because data resided only on users’ individual systems for which there was no mechanism for back-up.

It is clear that state and local governments, healthcare providers, and schools need to be better at preventing, detecting and recovering from ransomware and other cyberattacks.  The Emsisoft report recommends multiple actions that should be taken to make public entities more secure, including improved oversight, more guidance, better funding, and mandatory reporting requirements for ransomware and other cybersecurity incidents.  While there are numerous federal and state laws requiring entities to take protective measures to secure the data with which they are trusted, many organizations are failing to comply.  Emsisoft suggests that authorities should implement auditing systems and corrective measures for those entities that fail to meet minimum standards.  Further, the report argues, clear minimum standards must be adopted so organizations can make appropriate decisions about how best to protect themselves and can allocate their resources in better ways.  Because ransomware and other cyberattacks are not always required to be reported, it is also proposed that entities be legally required to do so in an effort to better pool information on such attacks to detect, prevent, and recover from them.

The Data Security, Privacy & Technology attorneys at Freeman Mathis & Gary, LLP are ready, willing, and able to assist entities with compliance with data security and privacy laws and preparing for attacks before they occur.  If you have any questions about detecting, preventing, or responding to ransomware or other cyberattacks, contact Melissa Santalone at [email protected] or any other member of our Data Security, Privacy & Technology team.

A Recent Study on Cybersecurity Among Small Businesses

Posted on: December 18th, 2019

By: Michael Kouskoutis

A recently published report, entitled “Under Attack: The State of MSP Cybersecurity in 2019,” surveyed 200 managed service providers across the country to evaluate the state of cybersecurity among smaller businesses.  (A managed service provider is a company that handles its customers’ IT infrastructure, often remotely.)  The report reveals how small businesses and their managed service providers are underequipped to protect against the newest forms of cybersecurity threats.  In particular, the study found that nearly three-quarters of managed service providers suffered a cyberattack, and over 80% of their small-business customers experienced a cyberattack as well.

What’s most concerning is that two-thirds of managed service providers believe that they are not equipped to defend their customers against a cyberattack, and that this lack of confidence is likely linked to the widening gap among providers in technical skill, knowledge, certifications and accessibility to resources.  The report advises that managed service providers should seek top talent and facilitate training programs aimed at keeping staff up to date on the latest cyber threats and solutions.

Further, managed service providers are reporting difficulty in selling cybersecurity solutions to their customers, leaving customers increasingly vulnerable to the latest cyber threats.  However, prior studies show that small businesses are willing to spend 27% more money for cybersecurity, provided they feel confident in the security package’s ability to offer adequate protection.  In addition to strengthening their services, managed service providers should proactively engage in conversations with their customers about cybersecurity, and not wait until after an attack.  Customers and prospects should be aware of the evolving nature of cyber threats and that proper cybersecurity requires a deliberate and concerted effort among all small business employees.

For more information about cybersecurity or breach response, contact Michael Kouskoutis at [email protected].

The Ethical Duty of Technology Competence – The Day is Coming in California

Posted on: December 5th, 2019

By: Renata Hoddinott

Recognizing the emergence of technology, its impact on the practice of law, and the importance of lawyers understanding technology, the American Bar Association modified its Model Rules in 2012 to make clear a lawyer’s duty of competence includes both a substantive knowledge of the law and the competent use of technology. ABA Model Rule 1.1 Comment 8 provides, in part, that, “to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice including the benefits and risks associated with relevant technology.”

Since then, 38 states* have now adopted some version of Comment 8. In 2016, Florida went even further and became the first state to require lawyers to complete three hours of continuing legal education on technology every three years. In 2019, North Carolina followed suit and requires lawyers to complete one hour of continuing education devoted to technology training every year.

But where California normally leads the nation in many areas, in this it is in the minority of hold-out states which have not adopted a version of Comment 8. While the State Bar of California’s Standing Committee on Professional Responsibility and Conduct has issued several opinions involving technology to date, California has not yet expressly referred to a technology component of a lawyer’s duty of competence in its Rules of Professional Conduct.

There are constantly emerging technologies to assist lawyers in delivering legal services to their clients. In the past, lawyers were deemed competent based on their experience and knowledge of a substantive area of law. As technology evolved, so too did the concept of competence. Types of technology used by today’s lawyers include the technology used to run a law firm and practice, case management software, billing software, and email, as well as data security to protect client confidentiality, technology used to present information to the court, electronic discovery, saving client information in the cloud and other third-party service platforms, and the use of social media such as Facebook, LinkedIn, and blogs. There is also the growing area of artificial intelligence or AI which is transforming the way lawyers and law firms perform legal research, due diligence, document review, and even more.

While these technologies offer many benefits to help increase efficiency, minimize mistakes, and decrease labor costs, there are also associated risks and pitfalls. Technology competence includes an understanding of the technology a lawyer currently utilizes in his or her practice, the additional technology available, and the technology that a client or prospective client uses or owns. Lawyers who are not technologically competent may be putting their clients and themselves at a disadvantage, as well as potentially risking a malpractice action in certain cases.

Attorneys must recognize the ways in which technology influences the practice of law in California. While it is not yet mandated as in many other states, that day is coming soon. And while technology continues to advance faster than developments in California law, lawyers should consider their duties of competence, diligence, supervision, and maintaining confidentiality when implementing and using technology.

*The states which have adopted some version of Comment 8 are: Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

If you have any questions or would like more information, please contact Renata Hoddinott at [email protected], or any other member of our Lawyers Professional Liability Practice Group, a list of which can be found at