Just a reminder that this Friday, November 1^st, The Privacy Foundation holds its Fall Seminar: “AI & Privacy: Ethical, Legal, and Technical Issues” from 10:00 – 1:00 at the University of Denver Sturm College of Law. For full details and registration information: https://www.law.du.edu/privacy-foundation or contact Vince Gonzales vgonzales@law.du.edu 303-871-6313

Anyone can become a victim. Is paying the ransom mandatory for firms like this? All third parties? What should the contract say?

https://securityaffairs.co/wordpress/93040/malware/trialworks-ransomware-attack.html

Ransomware hit TrialWorks, law firms and lawyers were not able to access court documents

TrialWorks, a company that provides the most established and widely used legal case management software solutions, was a victim of a ransomware attack earlier this month.

At result of the attack, law firms and lawyers, were not able to access the legal documents hosted on TrialWorks’ platform.

On October 13, the company notified its customers of a hosting service outage at their data center.

… The company hired several cyber security firms that will help it in investigating the incident and restore normal operations.

… On October 15, TrialWorks announced that the threat was completely eradicated from its systems and its staff was “actively decrypting and restoring data.” The announcement suggests that the company obtained in some way the decryption keys to restore the files, likely after paying the ransom.

… The incident had a significant impact on the TrialWorks’s customers, some of them were forced to request the courts to extend the deadline for providing case documents.

Should the BoD have a ‘Security Committee’ similar to the Audit Committee?

https://www.cpomagazine.com/cyber-security/it-security-leaders-board-members-need-to-accept-more-responsibility-for-cybersecurity-risk/

IT Security Leaders, Board Members Need to Accept More Responsibility for Cybersecurity Risk

Data breaches and security incidents continue to plague enterprises, yet a surprisingly low percentage of these enterprises are actually taking proactive steps to improve their overall IT security posture. According to a new AttackIQ report based on Ponemon Institute research, 63% of IT security leaders do not report to the board of directors on a regular basis, and 40% do not report to the board at all. Moreover, as the AttackIQ report demonstrates, a majority of enterprises still have a reactive, incident-driven approach to IT security that leaves them very vulnerable to outside hackers.

Confusing, isn’t it?

https://www.engadget.com/2019/10/27/china-cryptography-law/?guccounter=1&guce_referrer=aHR0cHM6Ly9uZXdzLmdvb2dsZS5jb20v&guce_referrer_sig=AQAAAFHhtUJAxveiNCKbUIkZh9a2YDvfns1b7_HftJx780avW1fLGkOKpdyFKO4i2OFVzyIcXq5RbO11iSI7SA2Tmc2UmtRLKD3avKoixvd8mVZpWkuyKKf1UTG3KF33hbBZpT2La_fmO62TxHvspUmEyM-u5zrzazrQ6Nr3IGblRNeQ

China passes law regulating data encryption

China isn't known for respecting privacy, but it's readying legislation that will address it all the same. The country has passed a law that will regulate cryptography in the country for both government and private uses when it takes effect on January 1st, 2020. Officials didn't go into great detail about the law in the announcement, but they raise concerns that permissions could vary significantly depending on whether or not you're working for the ruling party. [We can encrypt, you can confess. Bob]

The law requires that all state secrets be stored and transmitted using "core and common" encryption, and that institutions working on cryptography have to establish "management systems" that guarantee the security of that encryption. Those managers won't be allowed to ask private encryption developers to turn over "exclusive" info like source code, though, and any business secrets they do get will have to be kept confidential.

Interesting idea. Let’s make it virtual with AI instructors.

https://fcw.com/articles/2019/10/27/cyber-academy-comment-conti.aspx

Is it time for a U.S. cyber academy?

If you are reading this article, you'll probably agree that cybersecurity is a critical threat to national security. American is one of the most technologically advanced, and technologically dependent, nations on Earth. Our adversaries know and exploit this. Across the government and military we are rushing to secure our systems, but fighting and often losing an uphill battle. To change the tide, we need to create a service academy dedicated to cybersecurity and cyber operations. This idea isn't new, but the need is critical.

I may run a “really good bad example” of a blog, but I do subscribe to (via RSS) and read several legal blogs.

https://www.bespacific.com/the-how-and-the-why-of-law-blogs/

The How and the Why of Law Blogs

Via LLRX – The How and the Why of Law Blogs – Legal technology evangelist, author and blogger Nicole L. Black recommends that a legal blog is one of the best ways to create a memorable and search-engine-friendly online presence. Simply put, blogs are a great way for lawyers to showcase legal expertise while increasing their firms’ search engine optimization—all while helping them to stay on top of changes in their areas of practice by writing about them on their firm’s blog.