Category Archives: Middle Market Business

Back to School for Ransomware

Even though the first significant uptick in ransomware attacks began over three years ago, a steady increase in frequency and severity has likely now made ransomware exploits the number one security threat faced by most businesses today.  McAfee places the ransomware growth rate for the last quarter at 118%.  Many smaller businesses were previously on notice but chose to ignore the warning signs. Thankfully, after the 2017 ransomware attacks unleashed by the Wannacry strain of Cryptolocker, some companies did address ransomware risk by implementing better employee training while others decided to upgrade legacy software and initiate offsite backups.

Those who did not adequately address this risk, however, are now facing much larger extortion demands.  Also, the risk landscape has changed dramatically over the past several years with  ransomware becoming an equal opportunity attack that will now target local governments as well as dental offices. Indeed, even first grade students are now being impacted by network security intrusions that not too long ago only previously targeted only large universities. 

Despite the recent public trend of paying these extortion demands, the FBI has long advocated not paying a ransom in response to a ransomware attack. Specifically, the FBI has said:  “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

Another result of this increase in activity has been an increase in insurance purchased to cover an extortion demand as well as the related expenses incurred during a ransomware attack.  For example, the City of Baltimore may soon approve spending $835,000 for $20 million in coverage but only because it previously sustained a ransomware attack that set it back over $18 million

In fact, some have argued that by having insurance for this exposure the industry itself is actually at the root of increased ransomware activity.  Those in the security industry correctly point out that what drives these actors turns more on quick conversion rates rather than whether an insurer stands behind a victim.  To suggest the insurance industry is the cause of this problem gives threat actors way too much credit while completely ignoring the benefits derived from the cyber insurance underwriting process.

In the same way it is never too late to go back to school, it is never too late to begin importing a more robust security and privacy profile into an organization – which is the only real way to diminish the risk of a ransomware attack.  As suggested in 2016:  “Given the serious threat of ransomware, businesses large and small are reminded to at least do the basics – train staff regarding email and social media policies, implement minimum IT security protocols, regularly backup data, plan for disaster, and regularly test your plans.” 

NJ Supreme Court: Fired Employee Can Use Stolen Confidential Documents

In a decision that might have significant ramifications in future discrimination and whistle-blower lawsuits, the New Jersey Supreme Court  ruled in Quinlan v. Curtiss-Wright Corp., No. A-51-09 (N.J. Sup. Ct. Dec. 2, 2010) that an employee who copied 1,800 of pages of documents that she came upon during the normal course of her work — many with confidential information — could share them with the  attorney representing her in a lawsuit against the employer.  The Supreme Court allowed the usage of these documents even though the plaintiff signed her employer’s standard confidentiality agreement that bars employees from using confidential information for private use.

According to the dissent:

From this point forward, no business can safely discharge an employee who is stealing highly sensitive personnel documents even as she is suing her employer and disregarding the lawful means for securing discovery. Moreover, lawyers may think that, even after they have initiated a lawsuit, they can accept pilfered documents and benefit by using them to surprise an adversary in a deposition rather than abide by the rules of discovery.

Although the decision did reaffirm the ability of an employer to fire an employee for the theft of confidential documents, it provides for a potential safe harbor to the extent such documents are used in a subsequent suit for discrimination.   Newspapers as well as law firms have written on the decision, including Lowenstein Sandler, Proskauer Rose, Jackson Lewis, and Fox Rothschild.

Commentators have suggested that employers implement comprehensive confidentiality policies that are  communicated firm-wide and uniformly enforced.  Although that is certainly sound counsel, it is also suggested that adequate security measures be implemented that allow employers to prevent or at least track the copying and removal of over one thousand documents.  Moreover, although not discussed in either the ruling or subsequent  commentaries, there is only a minor leap to be made to extend this holding to whistle-blower suits.  Although choice of law issues remain untested, the new Dodd-Frank’s whistle-blower provisions — which allow employees to obtain significant rewards for providing information to law enforcement authorities about violations of the federal securities laws, the Foreign Corrupt Practices Act, the Investment Advisers Act and the Investment Company Act — may even be in play.   Bottom line:  New Jersey employers need to review their data security and confidentiality policies to address this new decision.

New York Metropolitan Area Tops Tech Jobs Ranking

According to a recently released report, the New York metropolitan area — including several nearby New Jersey counties — has more technology workers than any other in the United States.  The New York metro area had 317,000 technology jobs in 2009, topping a list of 60 other metropolitan areas, according to the Cybercities 2010: The Definitive Analysis of the High-Tech Industry in the Nation’s Top 60 Cities survey.   These New York metro jobs paid on average $98,500 annually and are mainly in computer systems design and related services.  

Although the New York metro area traditionally is known for being dominant in the financial sector, this report demonstrates something those in the tech/telecom industry have known for years.  Whether born out of Bell Labs in Murray Hill, New Jersey or IBM in Armonk, the New York metro area has laid claim to some of the major technology innovations of our time.  Couple those breakthroughs in core technologies with the new media leaps taken in Silicon Alley during the early days of the Internet and New York’s recipe for tech growth is quickly realized — it is all about innovation.  Those who innovate usually lead.

The Red Flag Program Clarification Act of 2010 Passes House and Senate

Looking to beat the end of the year enforcement deadline, the Senate (on November 30, 2010) and the House (on December 7, 2010) have now both voted to pass a law that would limit the scope of the FTC’s Red Flags regulations.  Although the ABA lawsuit seeking to exempt lawyers from the scope of these regulations is on appeal, it appears as if that suit will soon be dismissed as moot.

First introduced by Sen. John Thune, The Red Flag Program Clarification Act of 2010, S. 3987, would define a creditor as someone who uses credit reports, furnishes information to credit reporting agencies or “advances funds…based on an obligation of the person to repay the funds or repayable from specific property pledges by or on behalf of the person.”  Sen. Thune’s web site statement regarding the regulations states that action was necessary given the FTC was threatening small businesses with its regulations. 

As written, the existing law applies to “creditors,” a term the FTC interpreted broadly to include professionals who regularly deferred payment on services.  The FTC had delayed enforcement of these regulations numerous times due to pressure by the ABA and AMA given that the sweeping nature of the regulations would take into account professionals who would incur significant costs to address a perceived slight exposure.   As recognized on the House floor by Rep. John Adler (D-N.J.),“When I think of the word ‘creditor,’ dentists, accounting firms and law firms do not come to mind.”

Lost on many is the fact these regulations will remain in force and will still impact business owners throughout the country, including financial institutions, car dealers, contractors, utilities, phone providers, retailers (if financing is provided), mortgage brokers, etc.  Moreover, even if a business may no longer be “technically” within the rubric of the regulations, it may be a good best practice to still comply.  For example, an ID theft victim may look to the FTC Red Flags regulations to help determine a baseline reasonableness standard.  Although estimates of compliance costs range from $1,000 to $1,500 for small business owners, this amount may pale when compared to the expenses incurred in defending a data breach claim.

[Update:  December 18, 2010]
President Obama signed the Act into law.

Ponemon Institute: Lost Laptops Cost Billions

The Ponemon Institute’s latest report, “The Billion Dollar Laptop Study,” shows that 329 organizations surveyed lost more than 86,000 laptops over the course of a year.  Based on these findings and an earlier survey that put the average cost of lost laptop data at $49,246, the total cost amounts to more than $2.1 billion or $6.4 million per organization.

Some other key findings of the report:  (1)  while 46 percent of the lost systems contained confidential data, only 30 percent of those systems were encrypted; (2) only 10 percent had any other anti-theft technologies; and (3) 71 percent of laptops lost were not backed up so all work in progress was lost.

At the release media event reported on by InformationWeek, Larry Ponemon explained that most of the cost “is linked to the value of intellectual property on these laptops and the fees associated with data breaches and statutory notification requirements.”   During this same press conference, Ponemon recounted interviewing one woman at a company who had lost 11 laptops in two years:  “She claimed she wasn’t really that careful with laptops because the only way she could get a better one was to lose it.”

It is this disconnect — the value of the information lost vs. the relative interest in the user in protecting such information — that becomes the ultimate challenge faced by most firms.   Employee training remains the front line in addressing this challenge but having employees pay for their lost corporate laptops may actually yield more desirable results.   It would be interesting to have the next Ponemon lost laptop study include the ratio of lost business laptops compared to lost personal laptops, i.e., those actually purchased by an employee.

ABA: Law firms are Likely Targets for Attacks Seeking to Steal Information off Computer Systems

According to a recent ABA Journal article, the global digital infrastructure is under siege and law firms are to some extent on the front lines given the vast amounts of sensitive data they process and maintain.  Bradford A. Bleier, unit chief to the Cyber National Security Section in the FBI’s Cyber Division, is quoted in the article:  “Law firms have tremendous concentrations of really critical private information” and breaking into a firm’s computer system “is a really optimal way to obtain economic and personal security information.”  Philip Reitinger, the director of the National Cybersecurity Center in the Department of Homeland Security, believes this threat is increasing for two different reasons.   First, he said, “the skill level of attackers is growing across the board.” And, secondly, the nation’s networks of computer systems are becoming more connected and complex all the time, “and complexity is the enemy of security.”  Marc Zwillinger, a founding partner of Zwillinger Genetski, recognized another obvious problem for law firms:   “Lawyers haven’t been as diligent with security as some of the institutions that gave them information.”

After sufficiently spreading the FUD (fear, uncertainty, and doubt) throughout, what does the ABA author suggest as a solution.  Well, not much of note.  It is suggested that firms change their culture to be more in tune to security – which will likely need to be done from the top down given most managing partners, according to the author, have little time with sophisticated passwords and things that might otherwise slow them down.   It is also suggested that data be segregated and that encryption be deployed. 

The most relevant bit of information from the article actually was added in the sidebar and builds on Marc Zwillinger’s suggestion that a client’s security is usually more evolved than that of its law firm.    The author’s sidebar comment points out that clients may soon be auditing their law firm’s security.  Given that lawyers have been helping clients with technology due diligence for years now and have also been advising  on the use of audits, it is not much of a stretch to expect one law firm to recommend auditing another firm.  Those law firms in front of this issue will not only keep existing clients – they will also be in great shape to potentially win new ones.   Afterall, what law firm would suggest such an audit if it did not already deploy a sophisticated security infrastructure of its own?

Law Firms Feel Pressure From New Breed of Competitors

In a recent article, author Gina Passarella argues that the law firm industry “is moving away from a monolithic provider of legal services – the law firm – to a fragmented service platform where the competition isn’t just a broadening array of law firms, but legal process outsourcers [LPOs] and other non-law firm legal service providers as well.”

In essence, Ms. Passarella argues that the industry is “unbundling” into various constituent parts — from the client (who is keeping more and more work in-house) to the legal LPO vendor (who is doing more and more specialized work ).  And, according to experts quoted in the article, the trend is towards global firms that can do everything and boutique firms that can do certain things very well — with little room in between for other types of firms.  These legal consultants argue that law firms can no longer be “bet the farm” firms and commodity firms at the same time. 

What the article posits as future fact may actually be the a short-term trend towards cost-cutting.  For example, a good portion of LPO competition may actually be driven now by those lawyers who could not otherwise get a job with a traditional firm.   Once the market picks up again, those lawyers may find a more traditional home.    As recognized by K&L Gates chairman Peter Kalis, who is quoted in the article,  LPOs do not provide the same attorney-client privilege guarantees as law firms; and therefore, can never really be a threat to most of the business his firm does.  As he puts it, “they are a gnat in an elephant’s ear when it comes to K&L Gates.” 

Not sure if LPOs are ultimately law firm gnats or very large bed bugs.  What is clear, however, is that a law firm needs to continually reassess its business model – with a constant eye towards improving efficiencies – before it can ever hope to improve its bottom line.  A good starting point is to hone in on core competencies.   There are good reasons boutiques have taken a chunk out of BigLaw books over the past decade or so — all of which boils down to self-awareness on core competencies tied to a focused business plan that is well executed.

Patient Protection and Affordable Care Act Changes Begin Today

It’s been six months since passage of the administration’s healthcare reform act — the Patient Protection and Affordability Care Act (PPACA).   As reported in newspapers around the country, that means that for those health plans that begin today: 

  • Parents will be able to keep their young adult children on their group health plan up to age 26, regardless of whether the adult child lives with the parent, is a full-time student, disabled or married.
  • Insurance companies will be banned from dropping coverage when an enrollee gets sick.
  • All new plans must offer free preventive services, such as mammograms, colonoscopies and certain child preventive health-care services, meaning plans can’t charge deductibles, co-pays or co-insurance.
  • All employer plans and new plans in the individual market will be prohibited from denying coverage to children under age 19 with pre-existing conditions.
  • Parents will be able to select a pediatrician as the primary care provider for their children.
  • Female enrollees will be able to obtain obstetrical/gynecological specialist services without a referral from another primary care provider.
  • Group plans will be banned from imposing lifetime benefit limits and will start gradually eliminating annual benefit limits.
  • New plans must provide consumers access to an internal and external claims appeals process.

For plans operating on the calendar year, these new PPACA requirements will take effect on January 1, 2011.

FBI Warns “Here you have” Worm Hits Agencies and Businesses

Here is an FBI warning that was sent out yesterday to all FBI agents and FBI Infragard members.  It is worth repeating verbatim.

From: HQ INFORMATION TECHNOLOGY BRANCH
Sent: Sat Sep 11 22:08:33 2010
Subject: Computer Security Alert

A new Computer “worm” attacked several federal agencies and Fortune 500 companies yesterday.  The malicious email messages contain the subject line “Here you have” or “Just For You” and contain a link to a seemingly legitimate PDF file. If users click on this link, they will be redirected to a malicious website that will prompt them to download and install a screensaver (.scr) file. If they agree to install this file, they will become infected with an email worm that will continue to propagate through their email contacts.

Even though we are protected, sometimes the adversaries change the email to look a little different so they can get past defenses.  The Bureau is asking all users to carefully watch your emails here at work and on your home machine.  To reduce the risk of compromising your FBI workstation, be alert for unsolicited e-mail messages and keep in mind the following traits common to malicious e-mail messages:

  • Subject matter related to recipient’s work, possibly containing actual U.S. Government information
  • A sense of urgency to convince the recipient to open an attachment or click a link within the message
  • Convincing content such as upcoming meeting agendas, reports, information on current events or policy issues
  • Seemingly-legitimate sender (government and commercial addresses, including @fbi.gov) using legitimate signature and contact information
  • Receiving an email with just a link
  • An attachment (typically a .pdf or .zip file) or link

Thank you for your assistance and vigilance in protecting the FBI’s networks.

Enterprise Security Operations Center (ESOC)

JEH-HQ

Location, Firm Size Key to Legal Billing Rates

Released on September 1, 2010, CT TyMetrix’s Real Rate Report, which is based on empirical data “gathered from $4.1 billion in invoicing generated by over 3,500 law firm and 90,000 individual billers over three years (2007-2009),” provides unique insight on the billing practices of law firms around the country.   This report demonstrates  that it may not necessarily be the skills set or experience of an attorney that drives his or her billable rate.  Given that the 92-page report costs $4,500, a cost-effective way to learn what’s in the report is to review the September issue of The American Lawyer

As detailed in the article, “legal bills increased at rates that exceeded inflation, in-house lawyers who spent more at a particular law firm were not getting any discounts, and partner status added nearly $100 on average to a lawyer’s rate regardless of experience.”  What was even more interesting was the report’s finding that 85% of lawyers charge clients different rates for the same work and the “location of the biller and the size of the biller’s firm – not the biller’s experience – are the variables that most influence how much a client will pay.” 

Although geographic location obviously impacts law firm and employee living expenses, clients may perceive no real justification for paying more qualified lawyers in mid-sized suburban firms less pay simply because of their firm size and location.   It also does not appear to make sense to charge $100 more an hour simply because of a change in ownership rights.   What if the associate was made partner largely on the basis of being a great rainmaker?   How does that justify being a higher-priced M&A lawyer?

When it comes to the business of law, if law firms are going to continue to tie their collective hitches to the billable hour, they need to do a better job of meshing their actual expenses with their hourly fees and communicating their results to clients.   If there is an expense associated with tapping into a large New York City law firm, i.e., higher rents, increased costs of hiring, etc., firms need to communicate those additional costs.   Although doing that might make it more difficult to later reduce fees by 30% when in-house counsel balks on a given bill, it will end up leading to more consistency and a better relationship with those who actually pay the bills. 

By blanketly adding additional dollars to a billable rate without spelling out exactly why the rates are at that level, law firms are missing a great marketing opportunity.    The more successful manufacturers routinely lay bare their component expenses in order to close large orders.   In other words, widgets should be no different from legal briefs when it comes to transparency of expense.    

Here are some other interesting findings from the report (as listed in the American Lawyer article):