Saturday, November 22, 2008

Congress Reports on Targeted Foreign Surveillance of US Email

According to separate reports this week, the Chinese are spying on US email and Barack Obama is having his Blackberry taken away.

New York Times reporter Jeff Zeleny writes in his recent article entitled “Give up his Blackberry? Yes he can. Maybe”:

“Presidents were not advised to use e-mail because of security risks and fear that messages could be intercepted,” according to Diana Owen, who heads the American Studies program at Georgetown University. “They could come up with some bulletproof way of protecting his e-mail and digital correspondence, but anything can be hacked,” said Ms. Owen, who has studied how presidents communicate in the Internet era.

Although, in partial answer to Ms. Owen, it’s also true that not everything is hacked and not everything is stolen. Some things are more stolen than others. Some communiqués are less read.

Thomas Claburn writes this week in Information Week:

"China is targeting U.S. government and commercial computers for espionage," says the U.S.-China Economic and Security Review Commission's (USCC) 2008 Annual Report to Congress.

"Alan Paller from the SANS Institute, an Internet security company, believes that in 2007 the 10 most prominent U.S. defense contractors, including Raytheon, Lockheed Martin, Boeing, and Northrop Grumman, were victims of cyberespionage through penetrations of their unclassified networks."

Claburn goes on to write:

“In June, U.S. Rep. Frank Wolf, R-Va., said that four computers in his office had been compromised in 2006 and that computers used by other members of Congress and by the House Foreign Affairs Committee had also been hacked.”

Claburn quotes Wolf as saying, “These cyberattacks permitted the source to probe our computers to evaluate our system's defenses, and to view and copy information. My suspicion is that I was targeted by Chinese sources because of my long history of speaking out about China's abysmal human rights record."

To run full circle on presidential email, according to Demetri Sevastopulo writing for the Financial Times on November 7th:

“Chinese hackers have penetrated the White House computer network on multiple occasions, and obtained e-mails between government officials, a senior US official told the Financial Times.
The cyber attackers managed to penetrate the White House system for brief periods that allowed them to steal information before US government experts each time patched the system.
The specialists suspect the attacks were sponsored by the Chinese government, although they cannot say for definite.”

Meanwhile the Associated Press writes today, November 22nd:

“BEIJING (AP) — China has denounced a U.S. congressional panel that issued a report accusing it of stepping up computer espionage attacks on the American government, its defense contractors and businesses.”

Regardless of foreign involvement, the wider issue here may be whether email continues to offer a reasonable expectation of privacy. Even before the courts do, it’s a question the American Bar Association may soon need to revisit. Without legal consensus on email’s reasonable expectation of privacy, businesses and government, and the law firms that serve them, may need to treat their communiqués more like they should have treated money.

There are, in fact, some ways to easily send email without spilling the beans to moneyed, foreign, or governmental interests. My own firm continues to look at ways of keeping email easy without opening it to anyone with an incentive to pry. It’s one of the reasons why the Los Angeles Bar brought our firm in to help secure email for its 22,000 members in California and the Pacific Rim.

I’m including here the following link into the LA Bar's free offer of our service. They’ve made it available for a limited time. I’m also including a link into a legal education class I taught on email privacy at the Los Angeles County Bar with former CIA staffer, Fred Klapetzky, now a disaster recovery expert with Marsh Consulting.

Thursday, November 20, 2008

The Wall Street Journal's Ben Worthen Investigates New Wave of State Privacy Laws

The Wall Street Journal’s Ben Worthen digs into the new email privacy and data security laws enacted in Nevada and Massachusetts. The Nevada law went into effect October 1st. The Massachusetts law goes into effect in January.

In his October 16th article Worthen draws insight from experts in the field:

“The new state data-security laws are stricter than past regulations, which only required businesses to notify people whose personal information they lost. The new laws establish a standard that can be used by plaintiffs in civil suits to argue that a business that lost data was negligent.” -- Miriam Wugmeister, attorney with Morrison & Foerster LLP.

"We do business in all 50 states so we're definitely reviewing it." -- Andrew Speirs, Information security officer for National Life Group, insurance based in Montpelier, Vt.

"It's a burden, but it's something you have to do." -- Karen Grant, Chief Privacy Officer for Boston-based Partners HealthCare System Inc., commenting on the $100,000 price tag for complying with the new law.

"Breach-notification laws deal with what happens after the horse leaves the barn. [The new regulation] is intended to prevent the horse from getting out of the barn in the first place." -- Daniel Crane, Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation.

My own firm’s approach to complying with the law looks at the participants in this legal ecosystem. So much paper moves between law firms, insurance companies and hospitals that some people call this the devil’s triangle. But people are also asking how to move these documents privately. My firm’s development team has produced one solution for client privacy.

We’re one of a handful of companies that have taken a specific look at how to move legal documents privately over the web. But these new laws make one thing clear: the reasonable expectation of privacy when using email is now being questioned under state law. More information on my firm’s solution is available at: Legal Lockbox.

Nevada Data Security & Privacy Law (NRS 597.970)

Email privacy for lawyers has taken on a new urgency with the enactment of new state mandates for transferring client information. Charlene Brownlee writes in the Privacy and Security Law blog:

“Nevada has enacted the first data security law that mandates encryption for the transmission of customer personal information. (NRS 597.970) The law goes into effect on October 1, 2008. While there are several laws that direct organizations in certain industries to consider using encryption and laws that make encryption a factor in decisions regarding breach notifications, no law required the encryption of personal information prior to this Nevada law.”

Brownlee notes that the law is brief in that it provides the following:

“A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”

Brownlee also notes:

“Accordingly, the law could be interpreted as applying to an organization’s transmission of “any personal information of a customer,” regardless of where the customer resides.”

The bottom line, according to Brownlee:

“Companies operating nationally should consider whether their existing policies and procedures regarding transmission of customer personal information comply with this new law. In October 2008 merely transmitting customer personal information in an unencrypted format may violate this Nevada data security law. If an organization is not doing business in Nevada, it should monitor the developments in other states where it operates. History of the enactment of the data breach statutes suggests that the other states may soon follow.”

My own firm has already delivered a solution, now being used by law firms nationwide. But there seems to be special interest by attorneys in Nevada and California. Because of mandates or necessity, I’m seeing more lawyers use this and other solutions when corresponding over the net with other lawyers.

The email privacy issue appears particularly ripe for lawyers since they must also adhere to existing rules guiding attorney-client privilege. What’s curious is that once they actually use a solution for email privacy, they then appear confident in recommending a solution . . . but not before. The Los Angeles Bar is now offering a free trial of our service available through the following link: LACBA trial. This link will only be active for a limited period. Sorry. If you’ve missed the cut off time, visit our Legal Lockbox for a paid subscription.

Monday, July 7, 2008

Email Privacy Becoming an Issue for the Law . . . and Lawyers Too?!

Carolyn Elefant poses the question in her May 28th blog, “Can Outsourcing Violate Attorney-Client Privilege or Waive the Fourth Amendment?” The question may actually underscore the lack of legal protections for all off-border electronic communications, especially email. The problem appears especially thorny for law firms. Elefant writes:

“Plenty of law bloggers are discussing a declaratory action by Bethesda, Md.-based law firm, Newman McIntosh & Hennessey, seeking a ruling on whether outsourcing privileged client documents for review to companies located outside of the country could result in a waiver of Fourth Amendment protection or attorney-client privilege. Joseph Hennessey, who drafted the motion, argues that foreign companies have no presumption of privacy because the National Security Agency can spy on them without constitutional constraints. Thus, by sending client documents overseas, lawyers may waive their clients' Fourth Amendment protections against unlawful search, or compromise the attorney-client privilege. The firm has also sought opinions from the District of Columbia and Maryland bars on whether lawyers who outsource documents overseas must disclose potential privilege waivers to their clients.”

The ABA Best Practices for Acting Competently to Preserve Confidentiality appear to address this situation, in part, for attorneys looking for partial clarity (Rules 1.6 - 1.7). “Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law . . .” (emphasis added).

If your email privacy isn’t guaranteed under the law, the ABA appears to be saying, you’d do well by doing good to inform your client. Now it appears that not only are off-border communiqués such as email not protected under US law, but their actual lack of privacy under FISA provisions is currently ensured. Carolyn Elefant notes in her blog of May 2nd that the “Foreign Intelligence Surveillance Act (FISA) now allows surveillance of people located outside the United States without a warrant.”

How then does a firm move private electronic documents to Canada, Mexico, Europe, China, and the Americas and maintain client confidence in its privacy? Extranets offer a partial solution for long-term clients. Other less expensive solutions for maintaining privacy are listed on the website for the Electronic Privacy Information Center (EPIC). Of these, the Legal Lockbox offered by Lawdex is designed specifically for use by law firms moving electronic legal documents and client data.