“WannaCry” Ransomware Attack Causes Disruption Globally – With Worst Yet to Come

A ransomware known as “WannaCry” affected 200,000 people in 150 countries over the weekend, locking computer files and demanding payment to release them. As of this morning, Australian and New Zealand users seem to have avoided the brunt of the attack, with the Federal Government only confirming three reports of Australian companies being affected. Not that ransomware attacks tend to be the subject of reporting – there is quite a high rate of payment by affected users, as the pricing is deliberately cheaper than most alternatives unless your back-up process is very good.

The ransomware utilises vulnerabilities in out-of-date, unpatched versions of Microsoft Windows to infect devices. It spreads from computer to computer as it finds exposed targets, without the user having to open an e-mail attachment or click a link, as is commonplace in most attacks. Ransom demands start at US$300 and double after three days.

The U.K. National Health Service (NHS) was among the worst-hit organisations, forcing hospitals to cancel appointments and delay operations as they could not access their patients’ medical records. The Telegraph suggested that 90 percent of NHS trusts were using a 16-year-old version of Windows XP which was particularly vulnerable to the attack. More attacks are anticipated throughout the working week as companies and organisations turn on their devices.

The U.K. National Cyber Security Center has released guidance to help both home users and organisations limit the impact of the attacks. It can be read here.

Edwin Tan is co-author of this article. 

How to Develop an Effective Law Firm SEO Action Plan for 2017 [WEBINAR]

What used to work in SEO just a few years ago won’t work today. Learn how to make this year your most profitable ever by getting consistent leads from SEO and positioning your firm as thought leaders.

Tuesday, March 14, 2017 – 3:00pm EST

Join John McDougall from McDougall Interactive and Nicole Minnis, Esq. from The National Law Review for a free 60-minute digital marketing webinar, where you will learn:

  • Step-by-step actions you should take in the next 12 months to substantially increase your revenues.
  • Powerful strategies that are based on the 10,000 keyword study from Searchmetrics, covering the latest Google ranking factors, including Content, Social Signals, Technical Factors, Backlinks, User Signals, and User Experience.
  • Highlights from the Orbit Media study of 1,000 bloggers and what they do to stand out.

Some examples of cutting-edge topics we’ll be discussing (this is way more than just “add keywords” and “add more content”):

  • Why click-through-rate, time-on-site, and bounce rate are more important than ever
  • Why merely having keywords in your meta tags and copy is not nearly enough
  • How the length of your content can affect your search rankings
  • How video and podcasts can enhance your thought leadership and improve your mobile user experience and search rankings at the same time
  • Why links are still significant, especially deep links to inner pages
  • The extremely high correlation between social signals and ranking position
  • How your website load time can directly affect your search rankings, especially on mobile devices

This webinar will leave you with 12 must-do action steps for success, based on data from industry leaders, as well as a list of ridiculously great tools you can use to speed up your process and spy on competitors.

In today’s hyper-competitive legal SEO landscape, you either need to do SEO deeply or not waste time doing it at all.

House Energy and Commerce Committee Holds Hearing on Security of Internet of Things

What the experts are saying.

The hearing was motivated by the revelation that cybersecurity is no longer just about protecting laptops or securing digital data. IoT insecurity puts human safety at risk, as everything from home appliances to automobiles and medical technology is becoming connected to the Internet. Representatives from both committees pressed expert witnesses Mr. Dale Drew of Level 3 Communications, Dr. Kevin Fu of Virta Labs and the University of Michigan, and Mr. Bruce Schneier of the Harvard Kennedy School of Government for examples of legislation that could target the cybersecurity concerns related to the Internet of Things.

These experts shared conflicting opinions about whether it is in fact possible for the government to establish one set of security standards that covers all Internet-connected devices, as these devices do many different things and are powered by many different types of technology. Mr. Schneier reminded the subcommittees that “[your smartphone] is not a phone; it’s a computer that makes phone calls.” The same applies to a long list of devices including WiFi-connected baby monitors, thermostats, refrigerators, DVR players, GPS systems, children’s toys, and of course, electronic voting booths. In his testimony, Mr. Drew explained that “bad actors are increasingly attracted to IoT devices since they can use those devices without being detected for long periods of time, they know most devices will not be monitored or updated, and they know there are no endpoint protection capabilities on IoT devices to remove threats.” Nevertheless, they agreed that a collaborative and, above all, proactive approach by both the government and manufacturers of these devices will be essential.

Fortunately, we already have a potential starting point. The National Institute of Standards and Technology recently issued a comprehensive set of guidelines and best practices for securing IoT devices and systems throughout their entire life cycle. But simply establishing these best practices on paper will not be enough. Dr. Fu reiterated the most important takeaway from the hearing: that proper security measures for IoT devices must be “built in, not bolted on.” Protective measures like encryption must be incorporated into the fundamental design of a device, not tacked on as an afterthought. They also must secure a device from its creation, through its life with a consumer, and after “retirement” since old but active devices are still vulnerable to hijacking by botnets like the one used in last month’s massive distributed denial of service (“DDoS”) attack on global Internet routing company Dyn.

Looking ahead to the future.

Currently, there are few market incentives to spend time and money producing more secure encrypted devices. There are likewise no significant legal or economic penalties for selling devices to consumers that are insecure. In short, consumers are focused on buying sleek and affordable new products rather than on the networks that connect them. However, if massive DDoS attacks continue the same way that data breaches have in recent years, the priorities of consumers and manufacturers alike are bound to evolve.

Will a greater focus on security slow down the rate of technological innovation? Despite some concerns, Dr. Fu and Mr. Schneier reassured the subcommittees that efforts to improve cybersecurity will spur innovation in the tech industry, not hold it back. As consumers and manufacturers become more aware of the implications of poorly secured devices, incorporating features like end-to-end encryption will be understood not as necessary obstacles, but as valuable solutions to very real and costly problems.

ARTICLE BY Cynthia J. Larose, Michael B. Katz & Joanne Dynak of Mintz Levin
©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Insurance Coverage Issues for Cyber-Physical Risks

The recent National Institute of Standards and Technology (NIST) publication of cybersecurity guidance for the Internet of Things (IoT) is a useful reminder that hacking incidents can result not only in privacy breaches, but also in bodily injury or property damage — via critical infrastructure, medical devices and hospital equipment, networked home appliances, or even children’s toys. In addition to enhanced system security engineering and preventive education efforts, insurance is an increasingly essential component in any enterprise risk management approach to cyber vulnerabilities. But purchasers of cyber insurance are finding that nearly all of the available cyber insurance products expressly exclude coverage for physical bodily injury and property damage.

These exclusions are no doubt assumed to “dovetail” with (i.e., to avoid duplicating) the bodily injury and property damage coverage traditionally afforded by general liability and first-party property insurance policies. But it is not always clear whether those more conventional policies cover bodily injury or property damage arising from a cyber-related peril (so-called “cyber-physical” risks). Unless an insurance program specifically addresses these risks, the determination of coverage for physical harm from a cyber-attack may depend on a close reading of policy language and a fact-intensive analysis of how the harm arose.

Policyholders would be well advised to understand the potential cyber-physical risks they face; to analyze all their current lines of coverage to determine whether and how each would respond to those risks; to seek clarifications in their current insurance wordings; to explore new “difference in conditions” insurance products designed to plug any gaps in coverage for such risks; and, ultimately, to expect disputes with their insurers if these novel cyber-physical harms should materialize.

© 2016 Covington & Burling LLP

IP Addresses Constitute Personal Data According to Court of Justice of European Union

In a decision dated 19 October 2016, the Court of Justice of the European Union (CJEU) has provided much needed clarification on a long-standing issue in EU data protection law.

A German politician brought an action concerning websites operated by the Federal Republic of Germany that stored personal data, including IP addresses, in logfiles for two weeks. The question before the CJEU was: are IP addresses personal data? According to Article 2(a) of EU Directive 95/46, “personal data” is any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, from the data.

The CJEU ruled that dynamic IP addresses constitute personal data for an online media service provider (here the Federal Republic of Germany) that makes a website accessible.

A dynamic IP address means that the computer’s IP address is newly assigned each time the website is visited. Unlike with static IP addresses, it is not possible with dynamic IP addresses, using only files which are accessible to the public, to create an identifiable link between the user’s computer and the physical connection to the internet provider’s network. Hence, the data included in a dynamic IP address does not enable the online media service provider to identify the user.

However, according to the CJEU, a dynamic IP address will be personal data if the additional data necessary to identify the user of a website is stored by the user’s internet service provider. The website provider only needs to have the legal means which enable it to identify the user. Such legal means exist, for example, in the event of cyber attacks, and they do not have to be applicable in the specific case.

This decision has significant practical implications for all website providers, because the storing of user information by internet service providers falls under data protection laws. Ultimately, the website provider needs the consent of the user to store the dynamic IP address. This will also apply after the General Data Protection Regulation (GDPR) comes into force in May 2018, because Article 2 of Directive 95/46 is incorporated in almost the same words in Article 4 (1) of the GDPR.

© Copyright 2016 Squire Patton Boggs (US) LLP

Teenagers And D.C. Circuit Agree: Internet Service Is A Utility – Will Bankruptcy Courts Follow?

The topic of net neutrality has continued to be at the forefront of public discourse over recent years. This is the result of the FCC’s repeated attempts to impose regulations designed to protect consumers while at the same time telecom companies seek to control their product and the services they provide without what they contend is burdensome regulation. This summer, in U.S. Telecommunication Association v. FCC, the D.C. Circuit Court of Appeals dealt a blow to the telecom industry when it upheld an FCC declaration that broadband internet is a telecommunication service—essentially a public utility. Many speculate that this decision will have a broad impact (good and bad) on internet service providers in both the short and long term. A less considered aspect of the D.C. Circuit’s ruling is how it will be applied in the bankruptcy context.

Section 366 of the Bankruptcy Code establishes safeguards for debtors when it comes to their use of public utilities.  Under Section 366, essential utility providers are prohibited from discontinuing service upon the filing of a bankruptcy petition.  Instead, the debtor is required to provide adequate assurance of payment within short order, and if the debtor complies, the utility provider must continue service.  The Bankruptcy Code does not define what a “utility” is, but the legislative history provides some insight, noting that section 366 “is intended to cover utilities that have some special position with respect to the debtor, such as an electric company, gas supplier, or telephone company that is a monopoly in the area so that the debtor cannot easily obtain comparable service from another utility.”

Bankruptcy courts have not strictly interpreted the monopoly reference in the legislative history and have continued to hold that telephone service is a utility even after the industry has been deregulated. In the context of cable television, rather than looking to the monopoly requirement, the Fifth Circuit Court of Appeals in Darby v. Time Warner, 470 F.3d 573, 574 (5th Cir. 2006), held that the relevant analysis was whether the provider stands in a “special position with respect to the [debtor] such that it is a utility within the meaning of the statute.” There the Fifth Circuit held that cable television providers did not stand in a special position with respect to the debtor and further that cable television service was not a necessity and therefore not a utility under Section 366.

We have no doubt that individual debtors will begin to test whether they can claim internet service is a utility, relying principally on the D.C. Circuit’s ruling.  However, based on the Fifth Circuit’s analysis, it is entirely conceivable that bankruptcy courts will be reluctant to extend utility status to broadband internet service providers in individual bankruptcies, as it is difficult to find that internet service is a necessity.  However, in the corporate chapter 11 context, one can easily envision a scenario where broadband internet service is necessary for a debtor to continue operating its business, for example, in the e-commerce arena or simply to connect its internal computer systems.  In these circumstances, courts have already allowed debtors to consider internet service a utility under Section 366.  The D.C. Circuit’s recent opinion in U.S. Telecommunication Association v. FCC will now provide further support for commercial debtors to claim that internet service is a utility in the event that a provider dissents.

Written by Peter R. Morrison of Squire Patton Boggs Law Firm.

gTLD Sunrise Periods Now Open: April 2016

As first reported in our December 2013 newsletter, the first new generic top-level domains (gTLDs, the group of letters after the “dot” in a domain name) have launched their “Sunrise” registration periods.  Please contact us or see our December 2013 newsletter for information as to what the Sunrise Period is, and how to become eligible to register a domain name under one of the new gTLDs during this period.

As of April 29, 2016, ICANN lists Sunrise periods as open for the following new gTLDs:

.homes .vip
.auto .salon
.group .store
.gmbh .ltd
.promo .tube
.stream .med
.try .redumbrella
.travelersinsurance .stcgroup
.viva .stc

ICANN maintains an up-to-date list of all open Sunrise periods here. This list also provides the closing date of the Sunrise period.  We will endeavor to provide information regarding new gTLD launches via this monthly newsletter, but please refer to the list on ICANN’s website for the most up-to-date information – as the list of approved/launched domains can change daily.

Because new gTLD options will be coming on the market over the next year, brand owners should review the list of new gTLDs (a full list can be found here) to identify those that are of interest.

© 2016 Sterne Kessler