Legal

September 10, 2021

The State of Privacy Laws in the United States

In recent decades, privacy has become one of the most important issues on the minds of lawmakers. With the rise of digital devices that can track our every move, the desire for privacy is growing in an increasingly public society. And while many Americans have a general desire for “privacy,” the amount you receive is heavily dependent on where you live. While there are some federal privacy laws, most consumer privacy comes from state-level bills. And while some states have thorough, fair privacy laws on the books, the vast majority simply do not.

America’s reliance on state-led privacy laws contrasts with Europe’s approach, where the European Union’s main privacy law is the General Data Protection Regulation. Privacy in the E.U. is governed by this one law, and 92% of companies believe they can comply with every aspect of the law [1]. Because Europe has one overarching privacy law, it is much simpler to understand your privacy rights, whether as an individual or a business. In the United States, unfortunately, it is quite the opposite. Privacy laws in the country are currently a mishmash of federal and state laws that confuse and harm individuals simply trying to protect themselves.

A Barrage of State Bills

Simply put, U.S. privacy laws are so unorganized because there are so many of them. Even at the federal level, there isn’t an all-encompassing privacy law, but a collection of specialized laws. For example, the Health Insurance Portability and Accountability Act (HIPAA) protects medical privacy, and the Family Educational Rights and Privacy Act (FERPA) protects students, educators, and schools. When it comes to privacy rights, at least at the federal level, it really depends on your specific situation. Although laws such as HIPAA and FERPA do an adequate job of protecting privacy, they are far too specific to offer comprehensive privacy rights that extend to every facet of life.

While federal-level laws are specific to industries, some state-level laws provide all-encompassing privacy protections. Unfortunately, those state laws are few and far between. Only California, Colorado and Virginia have comprehensive data privacy laws [2]. These laws give consumers notice and choice regarding their data. For example, under these laws, a company must tell consumers if it is selling their data, and must allow consumers to access, move, or entirely delete that data. However, while these laws are certainly a good starting point for true consumer privacy, even these three bills are quite limited in effect.

Why are Privacy Protections so Poor?

While those three states have “all-encompassing” privacy laws, they still have glaring holes in protection. In every state except California, privacy laws specifically exclude a “private right of action,” or the ability to sue a business for privacy violations as an individual. Additionally, Virginia’s law has no civil rights protections and allows businesses to continue the status quo of collecting and selling consumer data [2]. It’s no wonder that Amazon lobbyists wrote the first draft of Virginia’s privacy bill [3].

For other states, the situation is even grimmer. States like Florida, Georgia, and others don’t allow consumers to opt out of data sharing. These two states also don’t even require government entities to ever dispose of your data [4]. Ultimately, most states have few genuine protections for consumers. For the most part, businesses can do whatever they please once they have your data. 

And due to strong lobbying by tech companies, it will likely remain this way in many states [2]. Big Tech companies pay millions each year to lobby lawmakers to write and support laws favorable to them. For example, Facebook spent nearly USD $20 million in lobbying in 2020, while Amazon spent USD $18 million [5]. And while this lobbying doesn’t come cheap, it’s a lot cheaper than allowing consumers to opt out of data sales. Ultimately, the reason why so many states don’t offer comprehensive privacy laws is because Big Tech doesn’t want them. Put simply, Big Tech is willing to pay big money to keep strong privacy laws off the books. 

So, What Can We Do?

In most states, it’s now up to individual businesses and firms to protect consumer data. And while Big Tech is unlikely to change any time soon, other businesses can still fight for consumer privacy. Taking simple steps like encrypting documents and backing up your data offline can substantially better protect your clients’ data. After all, Americans want privacy. By taking steps to protect customers and their data, businesses and firms can offer what Big Tech can’t: True privacy protections for their customers.

At an individual level, supporting businesses and firms that prioritize privacy is the best way to show support for strong privacy laws. Additionally, simply supporting federal or state laws that give genuine privacy rights to consumers is another great way to stand up for privacy rights. Since Big Tech wants to continue the status quo of endless data collection and sales, it’s up to individuals to support businesses and firms that offer what Big Tech can’t.

AXEL Supports Your Privacy

At AXEL, we believe privacy is a right. And unlike the Big Tech companies, we’ll never sell your data to third parties, ensuring your data is only yours. Our file-sharing and storage application, AXEL Go, uses blockchain technology and AES 256-bit encryption to provide the most secure file-sharing system in the industry. Whether for business or personal use, AXEL Go helps protect your (and your clients’) most important files.

Sign up here to receive a free 14-day trial of AXEL Go Premium. After the trial period, you can choose to continue your Premium account for just $9.99/month or use our Basic service free of charge. After all, our business is protecting your data, not collecting it. Together, we can help prioritize privacy rights across the country.

[1] Gooch, Peter. “A New Era for Privacy GDPR Six Months on.” Deloitte. 2018. https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-uk-risk-gdpr-six-months-on.pdf.

[2] Klosowski, Thorin. “The State of Consumer Data Privacy Laws in the US (And Why It Matters).” The New York Times. September 06, 2021. https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/.

[3] Birnbaum, Emily. “From Washington to Florida, Here Are Big Tech’s Biggest Threats from States.” Protocol. February 19, 2021. https://www.protocol.com/policy/virginia-maryland-washington-big-tech.

[4] McNabb, Joanne, and Paul Bischoff. “Internet Privacy Laws by US State: Does Yours Protect Online Privacy?” Comparitech. July 29, 2021.  https://www.comparitech.com/blog/vpn-privacy/which-us-states-best-protect-online-privacy/.

[5] Tracy, Ryan, Chad Day, and Anthony DeBarros. “Facebook and Amazon Boosted Lobbying Spending in 2020.” The Wall Street Journal. January 24, 2021. https://www.wsj.com/articles/facebook-and-amazon-boosted-lobbying-spending-in-2020-11611500400.

Filed Under: Legal, Privacy Tagged With: big tech, government, legislation, Privacy, privacy law

August 30, 2021

Data Privacy and Security Increase Profitability in the Cannabis Industry

Experts estimate that the cannabis industry is currently worth $60 billion, and that number is predicted to grow to $100 billion by 2030. As this industry grows and the customer base gets larger, so too does the need for modern data custody technologies. It might not be obvious at first glance, but data custody and security are critical components of running a successful cannabis business. Here are four reasons why.

The Importance of Data Security in the Cannabis Industry

First, medical dispensaries could be considered “healthcare providers” under the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, healthcare providers must implement safeguards to prevent the incidental disclosure of any patient’s “protected health information.” Disclosures could result in a fine of up to $50,000 per disclosure. 

Second, each cannabis company has numerous trade secrets to protect. These could include growing processes, distribution plans, recipes for edibles, extraction techniques, soil mixtures, etc. The theft of any of these trade secrets could be disastrous to a company.

Third, cannabis companies must comply with (sometimes conflicting) state laws. For example, in California, the Medicinal and Adult-Use Cannabis Regulation and Safety Act (MAUCRSA) requires cannabis delivery companies to maintain records of every person who receives a delivery. At the same time, the California Consumer Privacy Act (CCPA) gives customers the right to demand that companies delete any records pertaining to them.

Fourth, data breaches result in damage to a company’s reputation. Dispensaries often sell T-shirts and other merchandise stamped with the company logo to foster customer loyalty, but a newsworthy data breach could shake that loyalty. Further, data breaches could damage the industry’s image as a whole and become a roadblock to legalization efforts at the federal level.

Room for Improvement

Last year, a group of ethical “white hat” hackers located a breach in the THSuite point-of-sale system, which is used by many dispensaries. Through the breach in THSuite, the hackers were able to access roughly 85,000 unencrypted files containing the personally identifying information of 30,000 people, including names, phone numbers, addresses, emails, birthdays, images of state-issued IDs, signatures, quantities of cannabis purchased, and medical ID numbers. 

This breach, and all the reasons discussed above, highlight the need for modern technological solutions. The International Cannabis Bar Association (INCBA) and AXEL are working together to bring these solutions to Bar members. INCBA members will now receive a 20% discount when they sign up for Premium or Business Plan subscriptions of AXEL Go. AXEL Go is the safest way to collect, store and share files during in-office, hybrid and remote work situations.

AXEL’s patented blockchain technology and AES-256 encryption help attorneys collect, store, and share client files in a user-friendly manner that is impervious to hackers, unauthorized access, and ransomware attacks. The decentralized nature of the network ensures that there is no single point of failure. Further, files uploaded to the AXEL network are heavily encrypted, sharded, and scattered between 400+ different global servers, providing a high level of security without sacrificing speed. Sensitive files and shifting regulatory frameworks in the cannabis industry call for an abundance of caution permitted by AXEL Go. INCBA members can sign up for a 14-day trial of AXEL Go and redeem discounts here.

Filed Under: Cybersecurity, Legal Tagged With: cybersecurity, data privacy, law, lawyer

April 20, 2021

Common Pitfalls when Attorneys Adopt New Technology


The legal industry faces unique challenges to the adoption of new technology and digital transformation efforts. This article will discuss the most typical obstacles and introduce a framework that will help firms analyze whether a new tech solution is likely to integrate successfully.

Impediments to technological progress in the legal sector

Time investment. As you likely know, being an attorney isn’t a regular 9-5 job. A recent survey claims lawyers work an average of 66 hours per week[1]. That’s like a typical full-time and part-time job combined. So, all but the largest firms with dedicated IT teams can’t afford to spend too much time implementing new technology. Small firms and solo practitioners simply don’t have the resources to research, test, and deploy complex tech solutions.

Cybersecurity and confidentiality concerns. Legal professionals have needs that go above and beyond the average office worker when it comes to digitization. Due to attorney-client privilege and the ethical responsibility to maintain data security, attorneys need to be extra careful when upgrading their technology. They may have to look for approved ‘legal tech’ solutions when off-the-shelf consumer products don’t meet these standards.

The “billable hour” issue. Although there may be a shift in billing practices in a few firms, most still rely on the time-tested “billable hour” method. It may seem like a paradox, but the increase in efficiency new tech can bring might actually reduce a firm’s profitability due to fewer billable hours plus the cost (initial and ongoing) of the technology itself. While an increase in clients due to more free time could offset this problem, the demand for legal services, especially in less populated regions, probably won’t rise at the same rate.

The partnership model. The traditional hierarchy of law firms puts the “partners” at the top. Depending on the organization’s size, many decision-makers would need to approve any new legal tech initiative. This alone makes it an uphill battle, but add in the fact that partners tend to be older people who may not see technological advancement as a priority, and it becomes a serious deterrent. Obviously, this is a much more significant obstacle at larger firms, but any practice with multiple partners could face a difficult situation.

The “ignorance is bliss” dilemma. Solo practitioners and small firms don’t have the resources of their more massive brethren. This means that tech policies and solutions mega-firms implement have a hard time trickling down. Unfortunately, this can lead to solo practitioners developing an “ignorance is bliss” mantra, even if they don’t necessarily believe that to be the case.

For example, whereas large organizations may completely ban the use of insecure applications such as Dropbox for confidential file transfer or storage, smaller practices could still use them due to familiarity. They don’t search out current best practices for data storage because they may fear switching and disrupting their workflow.

While this is an understandable reaction, we urge attorneys to push through this bias for their own sake. After all, if a serious data breach occurs and the lawyer has not lived up to their ethical responsibilities, it becomes an even worse situation.

The innovation-decision process

We recommend running through the innovation-decision process before making conclusions about a particular technology’s viability for your firm. This process goes as follows:

  1. Assess comparative advantage. Does the new technology offer a substantial upgrade to your current systems? Define these advantages and review the overall impact they will have.
  2. Analyze compatibility. Does the solution fit into your existing workflow? If not, what resources will you need to allocate to adapt your business practices?
  3. Consider complexity. If you do need to adapt, calculate the cost-benefit analysis (not just financial, but also psychological) of doing so. Will it be a complicated endeavor? Do the results outweigh these complexities?
  4. Evaluate trialability. See if the vendor offers any sort of trial or demo. You can test out the solution, receive critical feedback and preliminary effectiveness metrics before committing to the entire project.

If you go through this process and discern that the tech is worth using, you will be much more confident in the solution and have a greater chance for success.

Your firm and AXEL Go

While the decision will still be challenging in many instances, sometimes the Universe serves up a no-brainer. AXEL Go is a secure, private file-sharing and cloud storage solution that overcomes the common obstacles and scores well on the innovation-decision process.

With the sudden shift toward working remotely, many attorneys find themselves in need of an easy-to-use file-sharing application that can fit seamlessly into their legacy workflow while providing more robust data security. AXEL Go is the perfect solution for any such lawyer. It has many innovative advantages, including:

  • Industry-leading security. AXEL Go runs on a secure, decentralized network that features blockchain integration and file encryption. Documents stored on the network go through a process of “digital shredding,” where only the uploader and recipient (if there is one) have access to the complete file.
  • Secure Fetch. Think of it as a digital courier. You send a secure, encrypted link to a recipient and request certain sensitive documents. They upload the necessary files, and you receive a notification for download. Recipients do not need AXEL Go accounts, meaning you don’t have to badger clients or colleagues to sign up for new services or software. You get to meet data security guidelines without any hassle or inconvenience.
  • Microsoft Outlook integration. You can now send confidential data via email without having to rely on insecure attachments. Using our Outlook plugin, you can send fortified AXEL Go links directly in an email with the click of a button. It’s a simple process that fits within traditional workflows.

With partnerships with the State Bars of states such as Connecticut, Florida, Nevada, and Georgia, it’s fair to say the legal community sees the unique value proposition AXEL Go offers.

According to a 2021 survey by ALM[2], 56% of legal teams consider “data privacy and security” as their primary focus for 2021. It makes sense when you understand the high probability of attempted hacks and data breaches every firm faces today. Don’t just wait around for the inevitable. Be proactive and protect your most sensitive information with AXEL Go.

If you’re interested in seeing it in action, you can enjoy a completely unlocked trial of our Premium service for 14 days. Sign up today and see the AXEL Go difference for yourself.

[1] “How Many Hours A Week Does A Lawyer Work?”, careerigniter.com, https://www.careerigniter.com/questions/how-many-hours-a-week-does-a-lawyer-work/

[2] “What Do Legal Professionals Expect From 2021?”, Mitratech.com, 2021, https://mitratech.com/resource-hub/whitepapers/alm-survey-legal-tech-plans-2021/

Filed Under: Legal, Tech Tagged With: attorney, cloud storage, file sharing, law firm, lawyer, legal, legal tech

February 10, 2021

Law Enforcement is Already Breaking into Encrypted Devices


Are we living in the drowsy beginnings of an Orwellian nightmare? The signs don’t look great. In Orwell’s most famous book, 1984, the protagonist Winston exclaims, “Freedom is the freedom to say two plus two make four,” as an appeal to the uncontroversial description of objective reality. You may think our society hasn’t sunk that low yet, but with 2+2=5 receiving some mainstream acceptance[1], sirens should be sounding in your head.

Beyond that can of worms lies less abstract evidence that our world is slipping into dystopia, such as the increasingly-shady tactics law enforcement agencies use to pry evidence from peoples’ phones.

A bit of backstory

The 2014 Supreme Court case Riley v. California scored a rare unanimous decision[2]. In it, the Justices upheld that law enforcement is not allowed to search a suspect’s phone upon arrest without a warrant. Privacy advocacy groups saw this as a significant win in the fight against unconstitutional search procedures.

Since then, the debate has centered on encryption. Police don’t like encryption, as it makes their job more difficult, even when they have a warrant. The frustration is understandable. Going through the trouble of obtaining a warrant against an alleged criminal and still being unable to access their device to get crucial evidence would be upsetting. This is precisely what happened in the high-profile cases of the 2015 San Bernardino[3] shooting and the 2019 Pensacola Naval Air Station[4] shooting.

It boils down to the Department of Justice wanting tech companies like Apple and Google to implement “backdoors” into their operating systems, allowing law enforcement to bypass the encryption when necessary. Of course, the problem is that once you put a backdoor in a piece of software, there is no way to ensure only the “good guys” can use it. As we’ve seen with cyberattacks such as the recent SolarWinds breach, malicious hackers seem to be one step ahead of cybersecurity as-is. Now, imagine if developers had to code in an explicit path that allowed system breaches. It doesn’t seem like a good idea, right?

[Image: The guns used by the San Bernardino shooter. San Bernardino County Sheriff’s Department, Public domain, via Wikimedia Commons]

In the end, the bluster of the United States Department of Justice wasn’t necessary. In both of the shooting cases mentioned above, the feds cracked the encryption without Apple’s help[5][6]. Although, in the San Bernardino case, authorities shelled out over a million dollars to freelance hackers to do so. Those payment requirements are unsustainable, even for the U.S. government. So, their typical workflow is a bit different.

How they do it

[Image: Cellebrite logo. Alon Klomek, GM, International; Chris Armstrong (Toronto), CC BY-SA 4.0, via Wikimedia Commons]

Law enforcement agencies use Mobile Device Forensic Tools (MDFTs) to break into locked, encrypted phones. Third-party vendors such as Grayshift and Cellebrite provide these tools[7][8]. Cellebrite is an Israeli company that requires the agency to send in the device they wish to crack. In contrast, the United States-based Grayshift gives the software and hardware packages directly to law enforcement. Both cost tens of thousands of dollars or more. MDFTs bypass locking and encryption mechanisms through system exploits. This is why Cellebrite has law enforcement send the mobile devices directly to them. It prevents the actual mobile companies (Apple and Google) from purchasing the tools to see which exploits they use and patching them.

 

MDFT packages are designed to be easy to use. Clients with little technical knowledge on staff can still use them and acquire all the desired information. They automatically scan the device’s directories for files and then sort them into categories such as “Images, SMS, Audio, etc.”

MDFT abuse

An October 2020 study by Upturn uncovered many startling facts about law enforcement’s use of MDFTs[9]  in the United States. Here’s a brief synopsis of their findings:

  • Over 2000 agencies throughout all 50 states, including the 50 largest police departments, purchased MDFTs between 2015 and 2020.
  • Many departments have no set guidelines regarding the use of MDFTs, resulting in little accountability.
  • Police skirt warrant regulations by coercing people involved in minor crimes to consent to a phone search. Then, they use the MDFT to analyze the entirety of the person’s device and collect evidence relating to other, more serious crimes.

The usage of these criminal analysis tools is widespread. Even smaller departments can usually pay the exorbitant fees through indirect avenues such as federal grant programs. Worryingly, those consenting to an electronic search typically assume it will be limited to the particular crime that sparked the investigation. Unfortunately, this isn’t the case.

Other shady tactics

Coercion isn’t the only loophole for law enforcement. In the age of Big Data, many agencies simply purchase information like detailed location data from third-party sellers[10]. It’s a particularly sneaky way to get around the pesky Fourth Amendment.

You never really know which apps will sell your data to law enforcement. Multiple recent stories prove that many seemingly innocuous applications collect a surprising amount of your personal info and are willing to sell to law enforcement or the military[11]. Download a digital level app to make sure your bookshelf isn’t crooked? You might be in a police database. It’s a strange reality most people don’t give a second thought to, but it truly is pushing society toward totalitarianism.

How to protect yourself

It isn’t easy. Firstly, if you’re in a situation where law enforcement wants to search your phone without a warrant, do not consent. Even if you have nothing to hide, we should hold the police to high standards of ethical behavior.

Furthermore, recognize Big Tech doesn’t have your back (although Apple’s new privacy labels for their App Store[12] are reasonable first steps.) We recommend only installing apps from reputable companies committed to keeping your data safe. It’s also a good idea to move away from free Big Tech services as much as you can. Free services sound great, but these companies are some of the most profitable in the world and are making money somehow. Usually, this means selling your data.

AXEL Go

You can move away from cloud storage and file-sharing apps such as Google Drive, OneDrive, or Dropbox by using AXEL Go. AXEL is dedicated to providing users with full data custody and never selling personal information. AXEL Go delivers one of the most secure and private ways to share and store data on the internet. It utilizes technologies such as blockchain, IPFS servers, and AES 256-bit encryption for industry-leading security. Try it out today and sign up for a free, full-featured Basic account with 2GB of storage and complimentary fuel for hundreds of typical shares.

[1] Caroline Delbert, “Why Some People Think 2+2=5…and why they’re right”, Popular Mechanics, Aug. 7, 2020, https://www.popularmechanics.com/science/math/a33547137/why-some-people-think-2-plus-2-equals-5/

[2] Marc Rotenberg, Alan Butler, “Symposium: In Riley v. California, a unanimous Supreme Court sets out Fourth Amendment for digital age”, SCOTUSblog, June 26, 2014, https://www.scotusblog.com/2014/06/symposium-in-riley-v-california-a-unanimous-supreme-court-sets-out-fourth-amendment-for-digital-age/

[3] Arjun Karpal, “Apple vs. FBI: All you need to know”, CNBC, March 29, 2016, https://www.cnbc.com/2016/03/29/apple-vs-fbi-all-you-need-to-know.html

[4] Joseph Marks, “The Cybersecurity 202: Barr ramps up encryption war with Apple over Pensacola shooter’s phone”, The Washington Post, May 19, 2020, https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/05/19/the-cybersecurity-202-barr-ramps-up-encryption-war-with-apple-over-pensacola-shooter-s-phone/5ec32a4188e0fa6727ffe363/

[5] Thomas Brewster, “FBI Hacks iPhones in Pensacola Terrorist Shooting Case, But The War With Apple Goes On”, Forbes, May 18, 2020, https://www.forbes.com/sites/thomasbrewster/2020/05/18/feds-hack-iphones-in-pensacola-case-apple-not-needed-after-all/?sh=1db6e89675e9

[6] Matt Drange, “FBI Hacks Into San Bernardino Shooter’s iPhone Without Apple’s Help, Drops Case”, Forbes, May 28, 2016, https://www.forbes.com/sites/mattdrange/2016/03/28/fbi-gets-into-san-bernardino-iphone-without-apples-help-court-vacates-order/?sh=492873d93b18

[7] Thomas Brewster, “Mysterious $15,000 ‘GrayKey’ Promises To Unlock iPhone X For The Feds”, Forbes, March 5, 2018, https://www.forbes.com/sites/thomasbrewster/2018/03/05/apple-iphone-x-graykey-hack/?sh=1419c67b2950

[8] Thomas Brewster, “This Powerful iPhone Hacking Tool Can Now Break Into Samsung Androids”, Forbes, Feb. 1, 2021, https://www.forbes.com/sites/thomasbrewster/2021/02/01/the-powerful-graykey-iphone-hacking-tool-can-now-break-into-samsung-androids/?ss=cybersecurity&sh=1cbafece4d61

[9] Logan Koepke, Emma Weil, Urmila Janardan, Tinuola Dada, Harian Yu, “Mass Extraction: The Widespread Power of U.S. Law Enforcement to Search Mobile Phones”, Upturn, Oct. 2020, https://www.upturn.org/reports/2020/mass-extraction/

[10] Gilad Edelman, “Can the Government Buy Its Way Around the Fourth Amendment?”, Wired, Feb. 11, 2020, https://www.wired.com/story/can-government-buy-way-around-fourth-amendment/

[11] “Mobile App Monetisation – Covert trackers in your pocket”, Privacy International, Jan. 28, 2021, https://privacyinternational.org/case-study/4404/mobile-app-monetisation-covert-trackers-your-pocket

[12] Sarah Perez, “Apple launches its new app privacy labels across all its App Stores”, Tech Crunch, Dec. 14, 2020, https://techcrunch.com/2020/12/14/apple-launches-its-new-app-privacy-labels-across-all-its-app-stores/

Filed Under: Culture, Cybersecurity, Legal Tagged With: hacking android, hacking iphone, police cracking phone

February 5, 2021

How Remote Work Affects the Legal Profession


The lockdowns and restrictions caused by the coronavirus pandemic transformed the way people work. This is especially true for legal professionals, as attorneys used to long hours in the office and courtroom were mandated to work from home. It was a considerable departure from business-as-usual and resulted in significant ramifications for the industry.

A unique sector

The legal industry is a notorious laggard when it comes to embracing technological advancements. And, for good reason too! Who would want to go digital after sparing no expense on all those leatherbound legal tomes that look so classy adorning the office bookshelf? Kidding aside, it’s true; in 2018, over 80% of Legal Departments claimed they were unprepared for digital transformation[1]. While late 2018 may seem like eons ago after spending the past year cooped up, it was well after most industries embraced the advantages of increased digitalization.

Then, the pandemic hit, and law firms scrambled to condense a decade’s worth of technological evolution into a few months. With nearly all organizations experiencing problems due to COVID-19, it is not surprising that the legal profession was especially susceptible. It’s easy to argue that this accelerated implementation is a good thing in the long run, but let’s look at some of the short-term growing pains.

Increased cyber attacks

Law firms are already high-priority targets for hackers due to their business’s inherently confidential and sensitive nature. The fact that firms had to switch to remote working basically overnight exacerbates this problem. Whereas traditional cybersecurity deals with setting up and maintaining perimeter defenses, what happens when there is no longer a definable perimeter?

Attorneys in the same practice are now spread out throughout their regions. Some may only use approved devices to do work, while others skirt guidelines and conduct business on their personal phones, tablets, laptops, or PCs. Some firms may not even have concrete policies in the first place! These significant discrepancies increase the attack surface for malicious agents. It’s unlikely that the IT department or third-party cybersecurity firm can monitor every single device each lawyer will be using. This unfortunate dynamic resulted in more instances of:

  • Phishing. Scammers posing as legitimate colleagues or clients send emails or other forms of communication to trick victims into clicking malware-infested links and attachments. Phishing attempts rose across the board last year, with some analysts claiming an increase of 85% over pre-COVID levels[2].
  • Ransomware. Once threat actors compromise a computer system, they often attempt to install ransomware. This type of malware encrypts as much data as it can find on the system, then the hacker group responsible for the attack demands a ransom to restore it. Incidents of ransomware rose significantly in 2020[3], with high-profile attacks such as the one against celebrity law firm Grubman Shire Meiselas and Sacks. In that case, hackers demanded a $42 million (!) ransom, which, when left unpaid, resulted in privileged client data leaked to the Dark Web[4].

Slower data breach detection

Due to many of the same variables mentioned above (lack of consistent monitoring, use of unapproved hardware, users spread across a wider geographic area), remote work increases the time it takes to detect data breaches. In an IBM survey, 76% of respondents agreed with that conclusion[5]. In the field of law, where cybersecurity budgets are already stretched thin, this is a major issue. Slower detection times can mean more time for hackers to map out networks, leading to more inaccessible files, higher ransoms, and larger overall breaches that can irreparably damage a practice’s reputation.

Shifting job expectations

Attorneys (especially junior or mid-level ones) typically have pretty rigid schedules and expectations. The pandemic has thrown this into flux. Lawyers with children are the most affected. If the parents are working from home, chances are the kids are distance learning too. This means that professionals who usually have a large window of the day’s time blocked off specifically for their career now have to share that time with parental duties.

Firms must meet these new requirements by allowing for schedule flexibility or even reduced workloads. Otherwise, an already-stressful occupation becomes unmanageable, leading to poor performance.

Disrupted development tracks

Younger attorneys gain experience and learn on-the-job. Working from home can stunt their professional growth and take away otherwise organically-appearing opportunities. This is because they lose the ability to attend events such as hearings, depositions, witness meetings, and more with their experienced colleagues.

It also prevents interactions with senior attorneys in the office or courthouse halls. This can adversely affect the chances of a helpful mentorship and important professional relationships. While digital correspondence and interaction are possible, many parts of an in-person exchange cannot be replicated on a Zoom call or email.

Ways to deal with these issues

In a time with reduced revenues, investing in large-scale cybersecurity projects is probably not a viable option. So, while hiring more IT professionals or a dedicated SOC-as-a-Service (Security Operations Center) company to shore up your networks is a great idea, it may not be possible. We recommend implementing other low-cost suggestions to protect your organization.

  • Ongoing cybersecurity training. Most of the time, organizations can avoid data breaches by training employees on the basics of cybersecurity best practices. Consult with your IT team and construct an ongoing curriculum that informs your team how to spot phishing emails and what policies your firm has in place regarding data sharing, personal device usage, and more.
  • Require strong passwords and 2-Factor Authentication (2FA). Prevent brute force attacks by requiring team members to set up strong, phrase-based passwords. Then, mandate 2FA for all logins to firm networks through unrecognized hardware. Unless you’re dealing with extremely sophisticated hackers, these two no-cost solutions offer excellent protection.
  • Vet new software and cloud solutions. If your practice didn’t allow working from home previously, chances are you’ll need to invest in some cloud or enterprise solutions. Make sure you use trusted vendors with documented cybersecurity safeguards. Remember, your system is only as strong as its weakest link, a lesson that law firm Goodwin Procter recently learned when hackers breached their third-party file transfer vendor[6].
  • Utilize data encryption. Encrypting your data is essential these days. Strong encryption means even if malicious agents could breach your system and access information, it wouldn’t be useful or even viewable unless they had the decryption key.
  • Implement access controls. Not everyone in your organization needs access to every file on the network. While it might take some work to segment and decide individual permissions, doing so promotes resiliency. It means that if someone is able to hack a low-level employee, they don’t automatically gain access to highly confidential information.
  • Have a mitigation plan. As of 2019, 25% of firms have experienced a data breach, and 36% report malware infections. Knowing this, a mitigation plan is crucial. All of the top-level decision-makers need to get together and agree on a roadmap for damage reduction. It could be the difference between an unfortunate blip or the complete loss of client trust.
  • Remain flexible. As we’ve seen, cybersecurity is only a part of the work-from-home equation. Firms also need to ensure their lawyers are in a good mental state and in a position to provide high performance to their clients. This may mean making some changes regarding work schedules and workloads. Allowing this flexibility can actually be a good thing for clients as well, as perhaps some of their schedules will line up better this way.
  • Facilitate interactions. Don’t neglect the everyday interactions that make practicing law special, especially for your junior attorneys. Perhaps you could set up office hours with the senior team or have an open Zoom room for your organization where everyone has to check in daily to preserve basic socialization.

These trying times present new challenges every day. Your organization can weather the storm and come out better for it on the other side. Take the situation seriously and evolve intelligently, and you’ll be fine.

Protect your documents

Having a trusted data transfer solution is critical to protecting your firm’s and clients’ confidential information. As the situation with Goodwin Procter confirms, your organization needs a vendor committed to preventing hacks.

AXEL Go is a cloud file-sharing and storage solution that puts security and privacy first. It runs on a decentralized and distributed network that is resilient to breaches. All data transferred via AXEL Go is split into smaller pieces called ‘shards’ and spread across many secure servers. Your files can also be protected using AES 256-bit encryption, ensuring industry-leading data security for your most sensitive documents. If your firm needs a data transfer and storage solution, contact us today to discuss your needs and schedule a demo.

 

 

[1] Rob van der Meulen, “Gartner Says 81 Percent of Legal Departments Are Unprepared for Digitalization”, Gartner, Dec. 12, 2018, https://www.gartner.com/en/newsroom/press-releases/2018-12-12-gartner-says-81-percent-of-legal-departments-are-unprepared-for-digitalization

[2] Phil Muncaster, “Experts Detect 30,000% Increase in #COVID19 Threats”, Infosecurity Magazine, Apr. 27, 2020, https://www.infosecurity-magazine.com/news/experts-detect-30000-increase/

[3] “Mid-Year Threat Landscape Report 2020”, BitDefender, 2020, https://www.bitdefender.com/files/News/CaseStudies/study/366/Bitdefender-Mid-Year-Threat-Landscape-Report-2020.pdf

[4] Akshaya Asokan, “Ransomware Gang Demands $42 Million From Celebrity Law Firm”, Bank Info Security, May 16, 2020, https://www.bankinfosecurity.com/ransomware-gang-demands-42-million-from-celebrity-law-firm-a-14292

[5] “Cost of a Data Breach 2020”, IBM Security, 2020, https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/

[6] Meghan Tribe, “Goodwin Procter Says It Was Hit by Data Breach of Vendor”, Bloomberg Law, Feb. 2, 2021, https://news.bloomberglaw.com/us-law-week/goodwin-procter-says-it-was-hit-by-data-breach-of-vendor


November 20, 2020

What’s Inside California’s New Privacy Regulations

On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA or Prop 24), a ballot initiative expanding consumer privacy protections. It easily passed, securing over 56% “Yes” votes. We look into some of its major provisions and examine how it differs from a previous California privacy law.

An amendment to current regulations

In 2018, the California Consumer Privacy Act (CCPA) passed and became law. While it outlined a framework for many consumer privacy protections, many felt it was inadequate given the current state of corporate data collection. So, a mere two years later (and less than one year after the CCPA officially went into effect), the CPRA has made significant changes to these stipulations.

An overview of the changes

Here is a brief summary of the significant changes. You can view the full bill here if you enjoy reading 50 pages of legalese (hey, everyone has their preferences).

A higher threshold for mandated compliance

The CCPA required businesses that used 50,000 consumers’ or households’ personal information to comply with the bill’s privacy standards. The CPRA actually increases this number to 100,000 consumers or households. So, it lessens the regulatory burden on small to medium-sized businesses that traffic in personal information.

Is this a win for privacy advocates? It’s unclear. Nobody wants to shutter small businesses due to onerous regulation, but could these exemptions lead to exploitation? While the biggest privacy offenders such as Facebook and Google will fall under the regulatory umbrella, smaller companies get a free pass. Could this create a loophole where corporations spin their data collection arms off into smaller shell companies to avoid compliance? Until governments and organizations address these possibilities, it remains a concern.

A wider net

CCPA restrictions applied to companies receiving 50% or more of their revenue from selling personal data. This seemingly straightforward wording created a giant loophole for the serial data offenders. In many cases, corporations argued they didn’t actually “sell” personal information. They simply gave it away to increase advertising revenue.

The CPRA closes this loophole by injecting the term “sharing” into the clause. As defined by the bill: “sharing, renting, releasing, disclosing, disseminating, making available, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary, or other valuable consideration…” results in mandatory compliance (assuming the other qualifiers are also met). This is a much more encompassing definition and an overall win for privacy advocates.

New data categories

Whereas the CCPA treated most personal information generally, the CPRA creates more granular data categories with distinct regulatory differences. Specifically, the CPRA defines certain types of data as being “Sensitive Personal Information.” This includes:

  • Government identifiers such as social security numbers or driver’s licenses
  • Financial accounts and login information
  • Detailed geolocation data
  • Info regarding race, religion, philosophical beliefs, or sexual preference
  • Union membership status
  • The content of private mail, email, and text messages
  • Genetic information
  • Biometric data
  • Health records

Consumers can now request that businesses limit the use of their Sensitive Personal Information to only what is necessary to provide the desired services. Companies would then no longer be able to sell or share sensitive information without prior consent and authorization.

It also sets up disclosure and opt-out standards for the use of Sensitive Personal Information that organizations must follow. This includes providing opt-out links on their businesses’ homepage and respecting opt-out signals sent by the consumers when they visit their site.

Expanded consumer rights

The CPRA outlines new privacy rights and modifies others already defined in the CCPA. Examples include:

The right to correction. Consumers can now demand businesses update their personal information if it’s inaccurate.

The right to opt-out of profiling. Data collectors use your personal information to construct a “profile” of you, then utilize automated decision-making technology to serve advertisements based on the profile. The CPRA allows consumers to opt-out of this practice.

An expanded right-to-know. Previously, the CCPA entitled consumers to information collected on them for the past 12 months. The CPRA entitles residents to all data collected.

Greater protection for minors. Businesses that collect and sell the personal information of minors under the age of 16 are subject to triple fines per incident, or $7500.

A more robust right to delete. The CPRA strengthens Californians’ right to delete their personal information. Companies now not only must delete the data but inform third parties they’ve shared or sold the data to of the deletion request as well. Note, the right to delete is subject to certain conditions and exemptions.

A new government agency

Under the CCPA, enforcement falls under the California Attorney General’s responsibilities. This bill creates a dedicated government agency that will handle enforcement and penalties. California sure does love their government agencies! It’s called the California Privacy Protection Agency (CPPA); don’t worry if you can’t keep all the acronyms straight. The CPPA will have a $5 million budget in 2021, which will increase to $10 million from 2022 on. Its creation will theoretically lessen the burden on the Attorney General’s office and make enforcement more feasible.

Regular audits

Another important provision of the bill is the requirement for companies to audit their cybersecurity practices. As the constant hacks over the past few years have shown, problems lie not only in data collection but also in data protection. Sensitive information needs to be secured with baseline standards to prevent future phishing attacks, cyber theft, and identity fraud.

Organizations must present the findings from these audits to the newly-formed CPPA on a “regular basis.” Hopefully, this incentivizes companies working with private data to invest more in their cybersecurity solutions and reduce data breaches.

Opposition

The CPRA is a controversial bill, with a diverse set of proponents and opponents. However, the opponents may not be who you’d imagine. While one might assume that the big technology corporations in Silicon Valley aren’t too happy with the bill, none came out in outright opposition. There are two common explanations for this:

  • Nobody in Big Tech wants to come out against consumer privacy explicitly. Facebook, Google, and the other tech players have all had their share of bad publicity regarding privacy concerns over the past few years. Saying, “Oh yeah, we want all of your data and don’t want you to have any recourse against it,” likely wouldn’t play well to the general user.
  • Big Tech has sunk its digital claws into the legislation and weakened it considerably. This is actually the standard line for many of those who have come out against it.

Surprising opponents include the California American Civil Liberties Union[1], Consumer Action[2], and the California League of Women Voters[3].

A frequently cited concern

Those opposing the bill have similar problems with it. They conclude it’s a “pay-for-privacy” scheme that unfairly affects people without the financial means to pay. This is because a clause in the legislation says that a company can charge a consumer requesting privacy the amount of the collected data’s value. It helps tech organizations offset the advertising revenue lost and is a clear motivation for consumers to opt-in to data collection.

An unclear future

Though not everyone agrees that the CPRA is the best possible solution, it’s difficult to argue it isn’t more substantial than the CCPA. It will be fascinating to see the legislation’s future effects on the tech business and consumer privacy. If successful, it could set in motion a slew of similar bills in other states. If it becomes a bureaucratic quagmire, it might stall regulation throughout the country.

One quirk of the CPRA is that lawmakers can no longer amend it unless the amendment is to “further privacy rights.” That may sound good, but its nebulous wording could open up legal challenges down the road if aspects of it need adjustment.

AXEL’s commitment

At AXEL, we believe in everyone’s right to privacy. That’s why we develop file-sharing and cloud storage solutions that prioritize privacy and security. No government-enforced edicts are necessary for us to respect your personal information. It’s an integral component of our corporate philosophy. If you need to share or store files in a safe, private way, download AXEL Go for Windows, Mac, Android, or iOS. Get out from under the watchful eye of Big Tech and experience a better way to use the internet.

 

[1] Andrea Vittorio, “ACLU Among Activists Opposing Update to California Privacy Rules”, Bloomberg Law, July 22, 2020, https://news.bloomberglaw.com/privacy-and-data-security/aclu-among-activists-opposing-update-to-california-privacy-rules

[2] Alegra Howard, Linda Sherry, “Consumer Action opposes California Proposition 24”, consumer-action.org, Aug. 19, 2020, https://www.consumer-action.org/press/articles/consumer-action-opposes-california-proposition-24

[3] “League of Women Voters Opposes Prop 24”, prnewswire, Oct. 28, 2020, https://www.prnewswire.com/news-releases/league-of-women-voters-opposes-prop-24-301162344.html
