Oops! Something went wrong while submitting the form.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policyfor more information.
How Blue Ocean Law Group Help You Protect Your Privacy & Trade Secrets
This blog article provides an overview as well as detailed practical examples of how Blue Ocean Law Group use legal industry-leading cybersecurity measures to protect your privacy + trade secrets. Our aim is to raise your cybersecurity awareness so that you can make more educated decisions regarding who you decide to trust to protect your privacy & trade secrets as well as how you can step up your own cybersecurity game to best protect yourself and your clients/customers (if any).
We offer ALL our Clients the highest level of Privacy Rights + Protection
Blue Ocean Law Group has opted (as far as is practical within local privacy regimes) to provide ALL our Clients with the same high level of privacy rights + protection as our Clients residing in California or the EU are legally entitled to claim.
Both California and the EU are global leaders in legislating to protect the privacy of their residents.
We value our client's privacy and foresee that Australia may eventually move towards catching up with California and the EU.
As we already comply with both California and EU privacy laws, we have simply extended a higher level of privacy protection to all our clients regardless of where they reside.
Please read our Privacy Policy (it can also be downloaded in PDF format here) for more information.
Our Privacy Policy, Cookie Policies and website Terms & Conditions are available in 3 other languages (Spanish, French and Italian) which can be found by scrolling to the bottom of this or any other blueocean.law webpage to the LEGAL section of our website footer at any time.
Privacy by Design ➲ Our "Advertising Free" Approach
Blue Ocean Law Group takes an "Advertising Free" 'approach and does DO NOT SELL OR SHARE our users’ personal information in the traditional sense (i.e., in exchange for payment or for any other valuable consideration).
Proactive measures to protect your privacy
Wherever possible, Blue Ocean Law Group have taken proactive measures to protect your privacy.
For example, we have configured our Google Analytics setup on our website so that your IP Address is anonymized. This means that your anonymized IP Address cannot be used to link to you and consequently you can browse our website anonymously.
Private Browsing: Blue Ocean Law Group's website configuration anonymizes your IP address so that you can browse our website privately.
Is your Data in Safe Hands?
The Urgent Need to Step up CyberSecurity
Increasingly businesses (especially law firms) need to step up their security to help you protect your privacy + trade secrets.
We are often surprised by what we discover in the public domain about how few other law firms appear to have taken very inexpensive and basic steps to reduce the risk that their law firm email might be used as a way "in" for a hacker or a way to phish information from their clients if a hacker uses their email to impersonate the law firm.
By way of example, we have not been able to find a single law firm anywhere globally that has DMARC Email Authentication set up in accordance with a CyberSecurity company's recommendations.
"You’ve seen what happened to Optus. Then you’ve seen Woolworths. Your cybersecurity isn’t good enough. I’ll say it again for the people at the back, your cybersecurity is not good enough.
Until you can look at the list below and know for sure that every step is covered, you will have really obvious vulnerabilities.
But a breach like that simply won’t happen to you, right?
If you’re lucky, sure, but there will always be malicious actors and a severe breach will be VERY costly.
In some cases, you would be lucky to see your business survive.
Think of the implications for your staff. Think of what it means for your family. So without further ado, here are our top cybersecurity tactics ...
... Email security: SPF, DMARC and DKIM are features that authenticate the emails sent by your domain. Malicious actors sometimes impersonate staff to gain an “in” to your networks."
Notable Law Firm Data Breaches
This is a link that includes a summary of the most notable Law Firm Cyber Attacks as of November 2022.
From the Mossack Fonseca 2016 Panama Papers, one of the biggest data breaches (more than 11 million documents) in history believed to be an inside hack to the global law firm DLA Piper Ransomware attack in 2017 where the people and companies affected are unknown, right through to the Campbell Conroy & O’Neil P.C. data breach on February 27, 2021.
The following is an extract from the Above The Law article about the April 2022 breaches:
'Unfortunately, even those who budget for technology don’t separately budget for cybersecurity defenses.'
'While law firms are waking up to the need for multifactor authentication, they are waking up slowly – and still battling the “it’s too annoying” bleating from lawyers who should be more concerned about their ethical duties of technology competence and securing client confidential data. Cry all you want, but your cyber insurance carrier will most likely force you to implement MFA or impose huge premium increases or deny coverage.
Stevens and Lee’s data breach consumer notification letter, dated on April 7, 2022 (only recently made public) was online ... '(Comment added: but appears to have now been removed).
The Trend of Law Firm Cyber Security Breaches Continues Unabated ...
On 16 March 2023 I received a notification about the article "IPH facing cyber breach" being published in Lawyers Weekly:
ASX-listed Law Firm IPH Limited is the latest company to suffer a cyber security breach – and halted trading earlier this week as a result
'Hundreds of law firm’s clients, including dozens of government agencies, waiting on confirmation of whether they are affected by data leaked in cyberattack.'
The Russian-linked ALPHV/Blackcat ransomware group hacked the law firm in April 2023. Earlier this month [June 2023], the group published 1.1TB of the data it claimed to have stolen, later established to be 3.6TB worth of data.
An analysis of more than 1,000 contracts with HWL Ebsworth published on AusTender over the past decade revealed that at least 60 departments or government agencies have used HWL Ebsworth’s services including the Defence Department, Home Affairs, the Australian federal police, Prime Minister and Cabinet, Services Australia and the Fair Work Ombudsman.
Many of the contracts are for the provision of legal services or advice but some detail much more sensitive work, including cases with the government insurance fund, Comcover, legal advice on monitoring the use of human embryos in research, and investigation into complaints of breaches of the public sector code of conduct at the Department of Veteran Affairs.
Prof Monica Whitty, head of department of software systems and cybersecurity at Monash University, said the hack should cause business and government to consider the cybersecurity risk of their suppliers closely.
'I think part of the problem is that a lot of organisations will use third parties in some way or another, but the consideration of their secure systems often doesn’t come into play,” she said. “So they may be keeping their own systems secure and thinking that’s enough. But when you’ve got third parties, you’ve actually got to think about and maybe ask the questions regarding their own cybersecurity practices.'
Massive CyberSecurity Breach hits Biggest US Law Firms
On July 22, 2023 I read about this latest cybersecurity breach to hit some of the biggest law firms in the US legal profession in an article in the NY Post by Isabel Vincent.
Increasingly, cybersecurity vulnerabilities are to be discovered via the supply chain.
In this case, it appears that software used to transfer files called MOVEit is the source of the massive data leak affecting the personal data of thousands of clients of Kirkland & Ellis, K&L Gates and Proskauer Rose, along with 50 other multinational corporations.
Summing Up
In light of continuing data breaches of law firms of all sizes, firms need to ratchet up their cybersecurity. Because the threats (and defenses) are always in flux, it is really imperative to have a security assessment at LEAST annually and then immediately remediate any critical vulnerabilities that are found.
If you think it is easy to convince law firms that these regular assessments are imperative, let us assure you that it is not!
Have you questioned your Law Firm about its Privacy + Cybersecurity Measures?
As a starting point, do you know whether your data (including emails) are encrypted by your current law firm?
If your data is encrypted, especially using strong military-grade encryption, then if there is a data breach there is a much lower probability you or your business will be harmed as a result.
Blue Ocean Law Group have implemented additional Privacy + Cybersecurity capabilities (outlined below) that we understand are at least industry-leading and at best world-firsts.
We welcome you to contact us to discuss this further so that you can obtain a deeper understanding of what we can do to help you protect your privacy and trade secrets.
Type in Any Law Firm's Website Domain Name ...
We recommend you start by checking by using this free Domain Health Checker to instantly determine whether your Law Firm's Website Domain or any Law Firm you are considering to engage to provide legal +/or consulting services (as well as your own) fully utilises widely known and available Email Authentication Protocols to protect you against attack or abuse by Phishers + Spammers.
Open this link and type in any Law Firm's Website Domain Name (as well as your own) and become better informed regarding decisions about who you trust with the protection of your privacy and trade secrets.
Our Legal Industry-Leading Cybersecurity Measures
From Blue Ocean Law Group's inception, we have been actively working to source + implement leading privacy protection + cybersecurity measures to proactively protect both your Privacy Rights as well as our Business Reputation.
Website Security Report
blueocean.law test results dated: 2 February 2023 (click the above seal for the latest test results)
DMARC Protected Web Domain
Here is the result showing that our web domain blueocean.law is protected!
For both Blue Ocean Law Group's website (using an SSL encryption certificate) and general email communications (using S/MIME for both Digital Signing by default and End-to-End Encryption), your Personal Information is encrypted by default (where possible).
Why we use Security Keys to Lockdown Online Account Access?
Like locking your Car, House or Office ➲ We Lockdown our Online Accounts by using Security Keys.
It is difficult to understand given the ease of implementation of Security Keys for Online Account Access that they have not yet become standard practice for everyone, yes that includes you!
"Google's investment in giving USB security keys to all employees has been paying off. The employees haven't reported any takeovers of work-related accounts since 2017, when the new policy was introduced."
Our online searches indicate that Google has continued to maintain this secure position (zero hacks of Google work-related accounts using Security Keys) until the current day [being 27 April, 2023].
Like locking your car, house or office many people are simply unaware that they can easily add a Security Key to prevent unauthorised access to their Online Accounts.
In the event that a hacker obtains your password and the means to use it, for example, by impersonating you using a sophisticated identity theft technique enabling them to take control of your SIM card or gain access to your MFA codes by stumbling across your backup recovery codes on your network ... without physical possession of your physical Security Key they would still have no hope to hack your Online Accounts.
"Strongest Security: Setting up physical two-factor authentication, aka a Security Key, creates a single unique access point that can’t be duplicated. In order for you or anyone else to access your connected accounts, you’ll need your password as well as the physical key—something even the best hacker can’t work around."
Organisations that have adopted Security Keys as standard practice have seen their cybersecurity incidents quickly reduce to zero and stay there.
"Security keys are so good they’ll even prevent you from entering your information on a spoofed website, so even if a hacker manages to fool you, they won’t fool your security key. This bit of hardware acts as your digital bodyguard, keeping unwanted users away from your information."
🔒 In order to provide a high degree of privacy, SSL encrypts data that is transmitted across the web.
This means that anyone who tries to intercept this data will only see a garbled mix of characters that is nearly impossible to decrypt.
🔒 SSL initiates an authentication process called a handshake between two communicating devices to ensure that both devices are really who they claim to be.
🔒 SSL also digitally signs data in order to provide data integrity, verifying that the data is not tampered with before reaching its intended recipient.
There have been several iterations of SSL, each more secure than the last.
In 1999 SSL was updated to become TLS.
Why is SSL/TLS important?
Originally, data on the Web was transmitted in plaintext that anyone could read if they intercepted the message.
For example, if a consumer visited a shopping website, placed an order, and entered their credit card number on the website, that credit card number would travel across the Internet unconcealed.
Email ➲ Blue Ocean Law Group use S/MIME for Digital Signing (by default) and End to End Encrypted Email (where possible)
How can you recognise Blue Ocean Law Group's Digitally Signed +/or Encrypted emails?
Look for a 'Green Padlock" in your Desktop Outlook email inbox (or equivalent) when you receive an email from Blue Ocean Law Group (excluding Mailchimp Blog Subscription emails and Document Delivery-related emails)
Our Digitally Signed +/or Encrypted Emails (excluding Mailchimp Blog Subscription emails and Document Delivery-related emails) will display this "Green Padlock" if you are using Outlook.
Look for a "Signed" message in the email header when you open an legal matter related email from Blue Ocean Law Group on your mobile phone/iPad
Sample Digitally Signed Email Message Header in Outlook for iOS
The above message appears when you touch "Signed" in the email header in Outlook for iOS
Look for a secure message in the email header when you open a legal matter related email from Blue Ocean Law Group on your desktop
This message will display in the email header if the email has been digitally signed.
This message will display in the email header if the email has been both digitally signed and encrypted.
New Digital Certificate Issuance Baseline Verification Standards
Leading 19 from 22 global Certificate Authorities (CA), and 4 major consumers (Apple, Mozilla, rundQuadrat, Zertificon) have recently agreed to new baseline verification standands required prior to issuance of S/MIME Digital Certificates (effective from September 2023).
Is your Email Client (eg., Outlook) keeping your emails safe?
The answer is a resounding “no”, but it’s not exactly something unique to Outlook.
Sure, it’s owned by Microsoft, a huge company that collects customer data and has had a questionable stance on privacy over the years. Although these aren’t points in Microsoft’s favour, the real issue is with the email itself.
Standard email just isn’t secure. Once a message leaves your inbox, there are numerous points at which it can be exposed to attackers. It’s a communication system that is good enough for much of our more mundane daily messages, but it falls tremendously short for those times when secrecy is necessary.
How do you make your email secure?
The answer is End-to-End Encryption.
In essence, it means to jumble up all of your messages into a complex code that attackers cannot decipher.
There are a range of different types of encryption such as S/MIME, OME and IRM, +/or PGP.
What is required in order to enable S/MIME End-to-End Encryption?
For Blue Ocean Law Group to be able to apply S/MIME End to End Encryption to legal matter-related emails being sent to you the following steps are required:
1️⃣ Either you or your organisation need to first acquire and install a S/MIME certificate;
2️⃣ You then need to send Blue Ocean Law Group digitally signing your email and including your S/MIME certificate;
3️⃣ We can then save the public key portion of your S/MIME certificate against your contact details;
4️⃣ Blue Ocean Law Group will then be able to send you a S/MIME End-to-End Encrypted email.
Where installation & configuration of a S/MIME certificate is beyond your technical capabilities or your technical support team (if any) refuses your request for any reason we alternatively offer Trustifi (An Award Winning Email Security Platform) which provides End-to-End Email Encryption that does not require the installation or use of digital certificates.
Please refer below for information about using Trustifi as a simpler alternative for End-to-End Encrypted email.
What is S/MIME?
S/MIME, or Secure/Multipurpose Internet Mail Extensions, is a technology first developed in the 1990's that allows you to encrypt your emails.
S/MIME is based on asymmetric cryptography to protect the content of your emails (not the subject line which remains unencrypted) from unwanted access.
It also importantly allows you to Digitally Sign your emails to verify you as the legitimate sender of the email message, making it an effective weapon against many phishing attacks out there.
How Digitally Signing & Encrypting emails protects against Phishing and Data Breaches
Email offers convenience and benefits, but also poses some risks.
Hackers are savvy at targeting organizations via email, including intercepting messages to get at sensitive information or email spoofing with the intent of pushing to phishing sites or triggering malicious downloads.
Using S/MIME certificates to digitally sign and encrypt emails mitigates these risks.
Digitally signing and encrypting your emails ensures message privacy, keeps sensitive data from falling into the wrong hands, and assures the recipient that emails actually are coming from you and haven't been altered since they were sent.
Explaining EFAIL and Why it isn't the end of Email Privacy ...
In 2018, a team of researchers published the now infamous paper (dubbed #EFAIL) where they describe how to decrypt a PGP (Pretty Good Privacy) +/or S/MIME encrypted email via a targeted attack.
The paper caused a media frenzy and subsequently, the majority of commentary currently found online about PGP +/or S/MIME encryption has since made a reference to this major flaw which exposes encrypted content to potential exposure to hackers.
Efail isn’t an immediate threat for the vast majority of people simply because an attacker must already have access to an encrypted email to use the exploit.
Advising everyone to disable encryption altogether just makes no sense.
Aside from the massive false alarm, Efail is a very interesting exploit to wrap your head around.
The bottom line is that the EFAIL problem lies in how emails are processed by the recipient user's email client (for example, Apple Mail, Microsoft Outlook, Mozilla Thunderbird, etc.).
EFAIL can only be exploited If the recipient's email client allows or is configured to render HTML tags.
is to goIt is not a problem in the underlying PGP +/or S/MIME encryption.
To protect yourself against this vulnerability, and a lot of others, disable HTML rendering in your email client.
Many email clients allow for this and/or have settings to disable the loading of remote content.
This might be enough to stop Efail, at least attacks that would use img tags as the backchannel.
If you use PGP and your email client does not support these settings, consider changing to a safer client.
My main advice is to go ahead and disable HTML rendering now, even if you don’t use PGP.
At least that way there will be a lot fewer companies tracking you.
Optional ➲ Trustifi (1-Click to Decrypt) Email Encryption
The configuration of S/MIME Email Encryption may be beyond your technical capabilities if you are an individual Client or Prospective Client, +/or you may not have the necessary time or access to a technical support team.
In these situations, we offer Trustifi (An Award Winning Email Security Platform) End-to-End Email Encryption known for its reputation for ease of use as an alternative solution.
With Trustifi’s automatic encryption software, sending and receiving encrypted email communications can all be accomplished with a single click of a button, providing the best email security service in the industry to both the sender and the end-user, whether you’re sending small or large files.
With Trustifi’s email encryption services, there is no need for either the sender or intended recipient to understand how secure email encryption works, know how to set it up or exchange encryption keys. The Trustifi platform has been built from the bottom up to be as straightforward as possible, all while preventing data loss by securing every email account with encryption.
In contrast to other email encryption vendors, Trustifi’s Single Click Encryption service is genuinely hassle-free
Why do Blue Ocean Law Group use a *.law website domain?
By using a *.law website domain we have made it easy for you to determine whether it is our website you are accessing or whether an email you have been sent is from our law firm.
No malicious actors or hackers can impersonate us as they simply cannot purchase a *.law domain name.
⚖️ *.lawis a top-level-domain (TLD) that aims to:
Promote trust in the professional legal community by creating a:
✅ Verified;
✅ Exclusive; and
✅ Reserved online space in which only accredited lawyers and law firms can establish a comprehensive digital brand.
✅ Website users can have confidence they are dealing with an authorised and licensed lawyer/law firm.
✅ *.law offers effective branding to those in the legal community, with the ability to secure a domain name that clearly communicates who you are + the legal resources you provide.
Optional ➲ Secure Your Documents + Trade Secrets using Authentic8 / Genuin
Fraud + Litigation Prevention
If you want to proactively protect your Legal + Identity Documents from Fraud + Litigation by adding an Authentic8 / Genuine QR Code please contact our legal team to instruct us to add this optional additional level of protection.
This protection is especially useful for Estate Planning documents, where being able to independently verify a tamper-proof digital date/timestamp for the document as well as being able to verify every pixel of the document so that the contents of the document are incapable of being fraudulently altered is crucial in establishing a solid evidential footing regarding when the document was created and the exact contents of the document at the time it was signed and the Authentic8 QR code was added.
Optional ➲ TraxPrint GPS Protected PDF Document Security
A new Trax Print product (currently in beta) allows you to add GPS Protected PDF Document Security to protect your Identity +/or Trade Secrets or other important documents from being viewed by anyone other than the person you nominate outside of GPS co-ordinates (address) you specify when you contact our legal team to instruct us to add GPS Protected PDF Document Security to one or more of your PDF documents.
Trax Print GPS Protected PDF Document Security can ensure that the document you send can only be opened by the person you sent it to at the location you specify, in other words, the document is GPS locked.
If required, you can instruct us to add multiple people and their respective GPS locations to the same PDF document.
Trax Print's GPS Protected PDF Document Security is a breakthrough innovation that give you ultimate control over your Identity + Trade Secret PDF Documents.
If your GPS Protected PDF Document has been sent inadvertently or on purpose (leaked) to a person you have not approved, you can instruct us to upload the file to our GPS Protected PDF Document dashboard so we can view exactly who has attempted to open it (they will have been unsuccessful due to the GPS Protected PDF Document Security) and where this unauthorised third party is located.
You can then instruct us to contact the authorised person you nominated to receive the GPS Protected PDF Document to determine how your PDF document was leaked or inadvertently sent to the unauthorised third party, and to instigate the process of having it returned back into your possession.
However, we understand that attachments can always be overlooked or ignored.
In an abundance of caution, we recommend you take the time required to engage with our onlin process to step through what you need to know in detail to generate your FREE Client CyberSecurity Alert Letter so that you are fully aware of how best to protect your funds when transferring them to or from our bank account.
FREE for Subscribers
FREE Digital Asset Safe Custody Vault for our Subscribers
You can access your Digital Asset Safe Custody Vault via a web browser or download the App version locally to your desktop or laptop (Windows or Mac).
Our Digital Asset Safe Custody Vault platform providerThe Prepared Companyhas attained both GDPR (the EU Global Data Protection Regulation) and a SOC 2 Security Attestation by an independent chartered accountant and is continuously monitored using Vanta.com.
About Vanta
Vanta is the leading automated security and compliance platform. Vanta helps your business get and stay compliant by continuously monitoring your people, systems and tools to improve your security posture.
You can access the latest Vanta Trust Report for The Prepared Companyhere.
Vanta continuously monitors our Digital Asset Safe Custody Vault platform provider The Prepared Company and publicly displays their findings via this link.
What is SOC 2®?
A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
Digital Asset Safe Custody Vault Independent Security Seals from Vanta.com
Identity Watch is a cyber-monitoring service included in a number of Equifax personal credit and identity monitoring plans.
Identity Watch is used to help detect fraud by constantly looking for information - such as credit and debit card numbers, phone numbers and email addresses - in places on the internet where information is known to be illegally traded.
Credits: This blog article was written by James D. Ford Esq., GAICD CIPP/US | Principal Solicitor, Blue Ocean Law Group℠.
Important Notice:
This blog article is intended for general interest + information only.
To the extent this article is deemed advertising or solicitation, it is hereby identified as such.
It is not intended to constitute legal advice; the statements made are opinions about general situations, and they are not a substitute for advice as to any specific matter.
We recommend you always consult a lawyer for legal advice specifically tailored to your needs & circumstances.
Share + Subscribe
RSS link copied!
Thank you! Please check your email to confirm your subscription.
Oops! Something went wrong. Please check your email and try again.
Share
Subscribe
COmments
No items found.
Post a comment
Thank you!
Your comment has been received and we will approve it shortly.
Your comment has been received and we will approve it shortly.