16/3/2023 Privacy + CyberSecurity Law
We offer ALL our Clients the highest level of Privacy Rights + Protection
Privacy by Design ➲ Our "Advertising Free" Approach
Proactive Measures to Protect Your Privacy
Clarence Ling's LinkedIn Post is on Point
Notable Law Firm Data Breaches
Have you questioned your law firm about its Privacy and Cybersecurity measures?
Type in your Law Firm's Domain Name ... is your law firm's website domain protected by DMARC Email Authentication?
Why does Blue Ocean Law Group use a *.law website domain?
Digital Signatures + End-to-End Encryption
Website ➲ https://... v. http://...
Email ➲ Blue Ocean Law Group use S/MIME for Digital Signing by default and Encrypted email (where possible)
Explaining EFAIL and Why it isn't the end of Email Privacy ...
Optional ➲ Trustifi (1-Click to Decrypt) Email Encryption
Optional ➲ Secure Your Documents + Trade Secrets using TraxPrint
Optional ➲ TraxPrint GPS Protected PDF Document Security
FREE Client Cybersecurity Alert Letter
FREE Digital Asset Safe Custody Vault for our Subscribers
FREE Equifax Identity Protection + Identity Guard Insurance for our Subscribers
Blue Ocean Law Group has opted (as far as is practical within local privacy regimes) to provide ALL our Clients with the same high level of privacy rights + protection as our Clients residing in California or the EU are legally entitled to claim.
Both California and the EU are global leaders in legislating to protect the privacy of their residents.
We value our client's privacy and foresee that Australia may eventually move towards catching up with California and the EU.
As we already comply with both California and EU privacy laws, we have simply extended a higher level of privacy protection to all our clients regardless of where they reside.
Blue Ocean Law Group takes an "Advertising Free" approach and DOES NOT SELL OR SHARE our users' personal information in the traditional sense (i.e., in exchange for payment or for any other valuable consideration).
Wherever possible, Blue Ocean Law Group have taken proactive measures to protect your privacy.
For example, we have configured our Google Analytics setup on our website so that your IP Address is anonymized. This means that your anonymized IP Address cannot be used to link to you and consequently you can browse our website anonymously.
Increasingly businesses (especially law firms) need to step up their security to help you protect your privacy + trade secrets.
We are often surprised by what we discover in the public domain about how few other law firms appear to have taken very inexpensive and basic steps to reduce the risk that their law firm email might be used as a way "in" for a hacker or a way to phish information from their clients if a hacker uses their email to impersonate the law firm.
By way of example, we have not been able to find a single law firm anywhere globally that has DMARC Email Authentication set up in accordance with a CyberSecurity company's recommendations.
Please refer to the discussion below and type in your law firm's domain name to check whether they have taken proactive steps to eliminate this risk.
If they have not set up DMARC protection, then please consider what else they may not have done.
If they have set up DMARC protection, please let us know so that we can give them credit in this blog article.
I have extracted part of Clarence Ling's LinkedIn post below as I can't say this any better than he already has:
"You’ve seen what happened to Optus. Then you’ve seen Woolworths. Your cybersecurity isn’t good enough. I’ll say it again for the people at the back, your cybersecurity is not good enough. Until you can look at the list below and know for sure that every step is covered, you will have really obvious vulnerabilities.
But a breach like that simply won’t happen to you, right? If you’re lucky, sure, but there will always be malicious actors and a severe breach will be VERY costly. In some cases, you would be lucky to see your business survive. Think of the implications for your staff. Think of what it means for your family. So without further ado, here are our top cybersecurity tactics ...
... Email security: SPF, DMARC and DKIM are features that authenticate the emails sent by your domain. Malicious actors sometimes impersonate staff to gain an “in” to your networks."
This is a link that includes a summary of the most notable Law Firm Cyber Attacks as of November 2022.
From the 2016 Mossack Fonseca Panama Papers breach, one of the biggest data breaches in history (more than 11 million documents) and believed to be an inside hack, to the 2017 ransomware attack on the global law firm DLA Piper, where the people and companies affected are unknown, right through to the Campbell Conroy & O’Neil P.C. data breach on February 27, 2021.
The list grew again in April 2022, with the midsized law firms McCarter & English and Stevens & Lee, and we expect it will continue to grow in 2023.
The following is an extract from the Above The Law article about the April 2022 breaches:
"While law firms are waking up to the need for multifactor authentication, they are waking up slowly – and still battling the “it’s too annoying” bleating from lawyers who should be more concerned about their ethical duties of technology competence and securing client confidential data. Cry all you want, but your cyber insurance carrier will most likely force you to implement MFA or impose huge premium increases or deny coverage.
Stevens and Lee’s data breach consumer notification letter, dated on April 7, 2022 (only recently made public) was online ... " (Comment added: but appears to have now been removed).
Earlier today (16 March 2023) I received a notification about the article "IPH facing cyber breach" being published in Lawyers Weekly:
ASX-listed Law Firm IPH Limited is the latest company to suffer a cyber security breach – and halted trading earlier this week as a result
In light of continuing data breaches of law firms of all sizes, firms need to ratchet up their cybersecurity. Because the threats (and defenses) are always in flux, it is really imperative to have a security assessment at LEAST annually and then immediately remediate any critical vulnerabilities that are found.
If you think it is easy to convince law firms that these regular assessments are imperative, let us assure you that it is not!
As a starting point, do you know whether your data (including emails) is encrypted by your current law firm?
If your data is encrypted, especially using strong military-grade encryption, then if there is a data breach there is a much lower probability you or your business will be harmed as a result.
Blue Ocean Law Group have implemented additional privacy and cybersecurity capabilities (outlined below) that we understand are at least industry-leading and at best world-firsts.
We welcome you to contact us to discuss this further so that you can obtain a deeper understanding of what we can do to help you protect your privacy and trade secrets.
We recommend you check whether your law firm's website domain (as well as your own) is protected against abuse by phishers + spammers by using this free Domain Health Checker.
Open this link and type in your current law firm's domain name (as well as your own).
From our inception, Blue Ocean Law Group has been actively working to source + implement leading privacy protection + cybersecurity measures.
Here is the result showing that our web domain blueocean.law is protected!
Blue Ocean Law Group first raised lack of DMARC email authentication in the blog article Phishing Scams that lead to Data Breaches + Identity Theft ➲ Business Brand + Personal Protection dated 31 October 2022 and as far as we are aware not one other law firm has yet taken any action to eliminate this cybersecurity threat.
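To show what the free Domain Health Checker referred to above is actually testing, here is an added example that grades a domain's SPF and DMARC TXT records. This is not the blog's code or any vendor's tool, and the DNS answers are constructed samples embedded inline so that it runs offline; a real checker would query the TXT records for `<domain>` (SPF) and `_dmarc.<domain>` (DMARC) over DNS.

```python
"""Grade a domain's SPF and DMARC records the way a domain health checker does.

Added example, not the blog's or any vendor's code. The DNS answers below are
constructed samples so the script runs offline; a real checker would query the
TXT records for `<domain>` (SPF) and `_dmarc.<domain>` (DMARC) over DNS.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample DNS answers (not any real domain's records).
SAMPLE_DNS: Dict[str, Dict[str, Optional[str]]] = {
    "good.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@good.example; adkim=s; aspf=s",
    },
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "none.example": {"spf": None, "dmarc": None},
}


@dataclass
class Report:
    domain: str
    dmarc_policy: Optional[str] = None
    findings: List[str] = field(default_factory=list)

    @property
    def protected(self) -> bool:
        """True only when nothing was flagged."""
        return not self.findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate(domain: str, spf: Optional[str], dmarc: Optional[str]) -> Report:
    """Apply the checks a health checker runs: SPF present and hard-failing;
    DMARC present, enforcing (quarantine/reject), applied to 100% and reported."""
    report = Report(domain)
    if spf is None or not spf.lower().startswith("v=spf1"):
        report.findings.append("no SPF record")
    elif not re.search(r"\s-all\s*$", spf):
        # ~all (softfail) or +all lets forged mail through with only a hint to the receiver
        report.findings.append("SPF does not end in -all (hard fail)")

    if dmarc is None or not dmarc.upper().startswith("V=DMARC1"):
        report.findings.append("no DMARC record")
        return report
    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "").lower()
    report.dmarc_policy = policy or None
    if policy not in ("quarantine", "reject"):
        report.findings.append(
            "DMARC policy is '%s': monitor only, spoofed mail is still delivered" % (policy or "missing")
        )
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        report.findings.append("DMARC is applied to only %s%% of mail" % pct)
    if "rua" not in tags:
        report.findings.append("no aggregate report address (rua), so spoofing attempts go unseen")
    return report


def check_domain(domain: str, dns: Dict[str, Dict[str, Optional[str]]] = SAMPLE_DNS) -> Report:
    """Look the domain up in the (sample) DNS table and grade it."""
    answer = dns.get(domain, {"spf": None, "dmarc": None})
    return evaluate(domain, answer["spf"], answer["dmarc"])


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        r = check_domain(name)
        print(name, "PROTECTED" if r.protected else "AT RISK", "p=%s" % r.dmarc_policy, r.findings)
```

The point of the grading is that a DMARC record alone is not enough: `p=none` only asks receivers to send reports, `pct` below 100 leaves part of the mail stream unenforced, and without `rua` the domain owner never learns that anyone is impersonating it.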
For both Blue Ocean Law Group's website (using an SSL encryption certificate) and general email communications (using S/MIME for both digital signing by default and end-to-end encryption where possible), your personal information is encrypted by default.
🔒 In order to provide a high degree of privacy, SSL encrypts data that is transmitted across the web.
This means that anyone who tries to intercept this data will only see a garbled mix of characters that is nearly impossible to decrypt.
🔒 SSL initiates an authentication process called a handshake between two communicating devices to ensure that both devices are really who they claim to be.
🔒 SSL also digitally signs data in order to provide data integrity, verifying that the data is not tampered with before reaching its intended recipient.
There have been several iterations of SSL, each more secure than the last.
In 1999 SSL was updated to become TLS.
Originally, data on the Web was transmitted in plaintext that anyone could read if they intercepted the message.
For example, if a consumer visited a shopping website, placed an order, and entered their credit card number on the website, that credit card number would travel across the Internet unconcealed.
Is Outlook email private? The answer is a resounding “no”, but it’s not exactly something unique to Outlook. Sure, it’s owned by Microsoft, a huge company that collects customer data and has had a questionable stance on privacy over the years. Although these aren’t points in Microsoft’s favour, the real issue is with email itself.
Standard email just isn’t secure. Once a message leaves your inbox, there are numerous points at which it can be exposed to attackers. It’s a communication system that is good enough for much of our more mundane daily messages, but it falls tremendously short for those times when secrecy is necessary.
The answer is encryption.
In essence, it means to jumble up all of your messages into a complex code that attackers cannot decipher.
There is a range of different types of encryption such as S/MIME, OME (Office 365 Message Encryption) and IRM (Information Rights Management), +/or PGP.
For Blue Ocean Law Group to be able to apply S/MIME End to End Encryption to legal matter-related emails being sent to you the following steps are required:
1️⃣ Either you or your organisation need to first acquire and install a S/MIME certificate;
2️⃣ You then need to send Blue Ocean Law Group an email that is digitally signed with, and includes, your S/MIME certificate;
3️⃣ We can then save the public key portion of your S/MIME certificate against your contact details;
4️⃣ Blue Ocean Law Group will then be able to send you a S/MIME End to End Encrypted email.
Where installation and configuration of a S/MIME certificate is beyond your technical capabilities, or your technical support team (if any) refuses your request for any reason, we alternatively offer Trustifi (an award-winning email security platform), which provides End-to-End Email Encryption that does not require the installation or use of digital certificates.
Please refer below for information about using Trustifi as an alternative.
S/MIME, or Secure/Multipurpose Internet Mail Extensions, is a technology that allows you to encrypt your emails.
S/MIME is based on asymmetric cryptography to protect the content of your emails from unwanted access.
It also allows you to digitally sign your emails to verify you as the legitimate sender of the message, making it an effective weapon against many phishing attacks out there.
For more information please read this white paper "S/MIME for Enterprise Email Security".
Email offers convenience and benefits, but also poses some risks.
Hackers are savvy at targeting organizations via email, including intercepting messages to get at sensitive information or email spoofing with the intent of pushing to phishing sites or triggering malicious downloads.
Using S/MIME certificates to digitally sign and encrypt emails mitigates these risks.
Digitally signing and encrypting your emails ensures message privacy, keeps sensitive data from falling into the wrong hands, and assures the recipient that emails actually are coming from you and haven't been altered since they were sent.
In 2018, a team of researchers published the now infamous paper (dubbed #EFAIL) where they describe how to decrypt a PGP (Pretty Good Privacy) +/or S/MIME encrypted email via a targeted attack.
The paper caused a media frenzy and subsequently the majority of commentary currently found online about PGP +/or S/MIME encryption has referred to this major flaw as exposing encrypted content to hackers.
The rare expert commentator exceptions have taken a more balanced approach and rightly pointed out that there is no need to panic, PGP +/or S/MIME is not broken, and EFAIL is not the end of email privacy etc.
Efail isn’t an immediate threat for the vast majority of people simply because an attacker must already have access to an encrypted email to use the exploit.
Advising everyone to disable encryption altogether just makes no sense.
Aside from the massive false alarm, Efail is a very interesting exploit to wrap your head around.
The bottom line is that the EFAIL problem lies in how emails are processed by the recipient user's email client (for example, Apple Mail, Microsoft Outlook, Mozilla Thunderbird, etc.).
EFAIL can only be exploited if the recipient's email client allows, or is configured to allow, the rendering of HTML tags.
It is not a problem in the underlying PGP +/or S/MIME encryption.
To protect yourself against this vulnerability, and a lot of others, disable HTML rendering in your email client.
Many email clients allow for this and/or have settings to disable the loading of remote content.
This might be enough to stop Efail, at least attacks that would use img tags as the backchannel.
If you use PGP and your email client does not support these settings, consider changing to a safer client.
My main advice is to go ahead and disable HTML rendering now, even if you don’t use PGP.
At least that way there will be a lot fewer companies tracking you.
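The advice above (disable HTML rendering and the loading of remote content) can be checked mechanically. The following added example, which is not code from the blog or from the EFAIL researchers, scans a MIME message for the HTML elements that would make a rendering client contact a remote host (the `img` tags mentioned above among them), and shows what a client configured to display only the plain-text part would show instead. Both messages are constructed samples.

```python
"""Find remote-content references in an email's HTML parts.

Added example, not code from the blog or the EFAIL researchers. It shows what
"disable HTML rendering / remote content" protects against: any <img>, <link>,
<iframe>, <script>, <form> or CSS url(...) that points at a remote server is a
connection a rendering client would silently make. Sample messages are constructed.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from typing import List

# Tag -> attribute that causes a network fetch when the HTML is rendered.
FETCHING_ATTRS = {"img": "src", "link": "href", "iframe": "src", "script": "src",
                  "form": "action", "video": "src", "audio": "src"}
REMOTE_URL = re.compile(r"^\s*(?:https?:)?//", re.IGNORECASE)
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(?:https?:)?//", re.IGNORECASE)


class RemoteRefFinder(HTMLParser):
    """Collect every element whose rendering would contact a remote host."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[str] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs) -> None:
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self._in_style = True
        wanted = FETCHING_ATTRS.get(tag)
        if wanted and REMOTE_URL.match(attrs.get(wanted, "")):
            self.refs.append("<%s %s=%r>" % (tag, wanted, attrs[wanted]))
        if CSS_URL.search(attrs.get("style", "")):
            self.refs.append("<%s style=url(...)>" % tag)

    def handle_endtag(self, tag) -> None:
        if tag == "style":
            self._in_style = False

    def handle_data(self, data) -> None:
        # <style> blocks reach us as raw text; url(//host/...) inside them also fetches.
        if self._in_style and CSS_URL.search(data):
            self.refs.append("<style> url(...)")


def remote_references(raw: bytes) -> List[str]:
    """Return the remote references found in all text/html parts of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found: List[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            found.extend(finder.refs)
    return found


def plain_text_only(raw: bytes) -> str:
    """What a client that never renders HTML would show: the first text/plain part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_content().strip()
    return ""


# Constructed sample: a plain-text-only message.
PLAIN_MSG = (
    b"From: sender@example.com\r\nTo: you@example.com\r\nSubject: Hello\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\nPlain text only.\r\n"
)

# Constructed sample: multipart/alternative whose HTML part carries a tracking
# pixel and a stylesheet background that both load from remote hosts.
HTML_MSG = (
    b"From: newsletter@example.com\r\nTo: you@example.com\r\nSubject: Your statement\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/alternative; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Your statement is attached.\r\n"
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><head><style>body{background:url(//cdn.example/bg.png)}</style></head>\r\n"
    b"<body><p>Your statement is attached.</p>"
    b"<img src=\"https://tracker.example/pixel.gif\" width=\"1\" height=\"1\"></body></html>\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN_MSG), ("html", HTML_MSG)):
        print(name, remote_references(raw), repr(plain_text_only(raw)))
```

A mail gateway or client plug-in can use `remote_references` to warn before rendering, and `plain_text_only` is the rendering a client falls back to once HTML is disabled: the tracking pixel and the stylesheet fetch simply never happen, which is why the article's advice closes both the tracking channel and the `img`-based backchannel.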
The configuration of S/MIME Email Encryption may be beyond your technical capabilities if you are an individual Client or Prospective Client, +/or you may not have the necessary time or access to a technical support team.
In these situations, we offer Trustifi (An Award Winning Email Security Platform) End-to-End Email Encryption known for its reputation for ease of use as an alternative solution.
With Trustifi’s automatic encryption software, sending and receiving encrypted email communications can all be accomplished with a single click of a button, providing the best email security service in the industry to both the sender and the end-user, whether you’re sending small or large files.
With Trustifi’s email encryption services, there is no need for either the sender or intended recipient to understand how secure email encryption works, know how to set it up or exchange encryption keys. The Trustifi platform has been built from the bottom up to be as straightforward as possible, all while preventing data loss by securing every email account with encryption.
In contrast to other email encryption vendors, Trustifi’s Single Click Encryption service is genuinely hassle-free.
By using a *.law website domain we have made it easy for you to determine whether it is our website you are accessing or whether an email you have been sent is from our law firm.
No malicious actors or hackers can impersonate us as they simply cannot purchase a *.law domain name.
⚖️ *.law is a top-level-domain (TLD) that aims to:
Promote trust in the professional legal community by creating a:
✅ Exclusive; and
✅ Reserved online space in which only accredited lawyers and law firms can establish a comprehensive digital brand.
✅ Website users can have confidence they are dealing with an authorised and licensed lawyer/law firm.
✅ *.law offers effective branding to those in the legal community, with the ability to secure a domain name that clearly communicates who you are + the legal resources you provide.
Source: join.law - Why *.law?
If you want to proactively protect your Legal + Identity Documents from Fraud + Litigation by adding a Trax Print please contact our legal team to instruct us to add this optional additional level of protection.
This protection is especially useful for Estate Planning documents, where being able to independently verify a tamper-proof digital date/timestamp for the document as well as being able to verify every pixel of the document so that the contents of the document are incapable of being fraudulently altered is crucial in establishing a solid evidential footing regarding when the document was created and the exact contents of the document at the time it was signed and TraxPrinted.
A new Trax Print product (currently in beta) allows you to add GPS Protected PDF Document Security to protect your Identity +/or Trade Secrets or other important documents from being viewed by anyone other than the person you nominate outside of GPS co-ordinates (address) you specify when you contact our legal team to instruct us to add GPS Protected PDF Document Security to one or more of your PDF documents.
Trax Print GPS Protected PDF Document Security can ensure that the document you send can only be opened by the person you sent it to at the location you specify, in other words, the document is GPS locked.
If required, you can instruct us to add multiple people and their respective GPS locations to the same PDF document.
If your GPS Protected PDF Document has been sent inadvertently or on purpose (leaked) to a person you have not approved, you can instruct us to upload the file to our GPS Protected PDF Document dashboard so we can view exactly who has attempted to open it (they will have been unsuccessful due to the GPS Protected PDF Document Security) and where this unauthorised third party is located.
You can then instruct us to contact the authorised person you nominated to receive the GPS Protected PDF Document to determine how your PDF document was leaked or inadvertently sent to the unauthorised third party, and to instigate the process of having it returned back into your possession.
All our new Clients are encouraged to generate our FREE Client CyberSecurity Alert Letter.
We also send you this link or a copy of the "Together we can help Prevent Cyber Fraud" brochure published by the NSW Law Society and LawCover (also available to download from our brochures page at any time).
However, we understand that attachments can always be overlooked or ignored.
In an abundance of caution, we recommend you take the time required to engage with our online process to step through what you need to know in detail to generate your FREE Client CyberSecurity Alert Letter, so that you are fully aware of how best to protect your funds when transferring them to or from our bank account.
All our subscription plans include FREE ongoing access [$55 initial setup fee] to our Digital Asset Safe Custody Vault.
You can access your Digital Asset Safe Custody Vault via a web browser or download the App version locally to your desktop or laptop (Windows or Mac).
Our Digital Asset Safe Custody Vault platform provider, The Prepared Company, has attained both GDPR (the EU General Data Protection Regulation) compliance and a SOC 2 security attestation from an independent chartered accountant, and is continuously monitored using Vanta.com.
Vanta is the leading automated security and compliance platform. Vanta helps your business get and stay compliant by continuously monitoring your people, systems and tools to improve your security posture.
You can access the latest Vanta Trust Report for The Prepared Company here.
A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
Identity Watch is a cyber-monitoring service included in a number of Equifax personal credit and identity monitoring plans.
Identity Watch is used to help detect fraud by constantly looking for information - such as credit and debit card numbers, phone numbers and email addresses - in places on the internet where information is known to be illegally traded.
All our subscription plans include FREE Equifax Identity & Credit Protection.
Equifax Credit and Identity Protection + Identity Guard Insurance supports you if you've become a victim of identity theft or fraud.
It'll help you with the cost of restoring your identity and reduce the impact and risk associated with loss and theft.
All our subscription plans include up to $15k Identity Guard Insurance.
Social Sharing Image: Courtesy of Alfred Leung on Unsplash
Credits: This blog article was written by James D. Ford Esq., GAICD CIPP/US | Principal Solicitor, Blue Ocean Law Group℠.
This blog article is intended for general interest + information only.
To the extent this article is deemed advertising or solicitation, it is hereby identified as such.
It is not intended to constitute legal advice; the statements made are opinions about general situations, and they are not a substitute for advice as to any specific matter.
We recommend you always consult a lawyer for legal advice specifically tailored to your needs & circumstances.