Archives for June 27, 2012

Law Firms and Small Businesses: Protecting Security Interests (Part 2)

Editor’s Note: This is the second in a two-part series of cyber security articles. Part one can be found here.

Reasonable Contractual Expectations

One of my best contractual stories revolves around a conversation with the president of a local web site design firm – a good friend and one who feels comfortable with being candid with me. During one of his development projects, I offered to do a free security evaluation of the soon-to-be-released web application. His rejection of my offer came with the rationale that if the web application was ever compromised, he wanted to be able to honestly tell the client that, to the best of his knowledge, the delivered web site was secure.

I haven’t the faintest idea of the legality of my friend’s hope for plausible deniability, but it should be obvious that two very poor consequences come out of his approach to security. The first is that his client will end up with an insecure web site, when they could just as easily have had a product that would have withstood all but the most experienced and persistent hackers.

The second eye-opening realization is that the client never asked about security, and the development contract never addressed security. In this case, the client (and potentially the law firm that reviewed the contract) never included security development and testing as one of the primary requirements of the relationship. A single section added to the development contract might have the effect of preventing a devastating security breach.

A favorite statement of mine goes as follows:

Businesses end up with a lack of security because they never, ever ask about it. 

Almost all web site development contracts include obvious legal details like payment schedules, software ownership, and product specifications. These terms protect the interest of the business as well as the development firm – standard boilerplate.

A well-written contract should also include a requirement that the contracted web site be developed under strict security guidelines (consider OWASP as a source of information) and that a comprehensive third-party security penetration test (Acunetix is one such testing tool) be run and presented before product acceptance.

The additional cost for security-oriented development should be minimal, since a knowledgeable development firm should be adhering to these practices regardless of a request. The third-party security penetration test can be contracted for with one of many firms and should cost only a few thousand dollars.

Again, the role of a law firm in this environment should certainly be the crafting and approval of the basic development contract, but also making sure security validation is a well-defined requirement of the overall agreement.

How to Respond After a Breach

When a security breach does occur, businesses (and their counsel) need to be ready to react thoroughly and decisively. A few of my suggestions for the days, weeks, and months following a breach are:

  • Don’t panic. Carefully consider the nature of the breach, what data (if any) has been compromised and what the business’ next steps should be. A premature release of breach information may cause unnecessary customer panic or, even worse, make management look even more inept when they revise information sent out too hastily. Advise them to take the time to respond with dignity and thoughtfulness.
  • If required, inform the appropriate financial and legal entities as soon as possible. Depending on the industry, there may be strict requirements for reporting security breaches. Your client’s problem will only get worse if they are caught hiding information. Keep in mind that many security breaches become public knowledge as the compromised data is used or sold within the cyber underground, not as a result of company disclosure. As a side note, an embarrassingly large number of security breaches are never discovered by the company that was breached.
  • Inform users or clients and customers as soon as appropriate. There is a line between keeping a company viable and an ethical responsibility to customers. My thoughts on this line are to consider the damage that might be done to customers and think about how you would expect to be treated.
  • Call the insurance company. Depending on the nature of the breach, the business may be covered for some, if not all, of the expenses associated with recovery. Suggest that the business give their insurance company a call. They might also take the time to talk about cyber insurance with their agent – for the next time.

As a legal professional, you should easily be able to see the pitfalls inherent in panic-stricken businesses reacting to security breaches. Legal, financial, and professional stakes surrounding a security breach may be high enough to shut down the business. The correct reaction may be well outside of the expertise of the business, or, even worse, the business may naively attempt to react on their own.

Conclusion

Hopefully, I have provided food for thought on the security opportunities and responsibilities of law firms supporting small businesses and their own technological infrastructure. Obviously, I’ve brought up far more issues and concerns than solutions. My hope is that even a casual discussion of security problems will prepare you with far more knowledge than the majority of your clients.

It’s a mean world out there; cyber crime is an industry run by foreign nationals from countries where cyber criminals are not prosecuted. An industry-accepted statistic is that more than 70% of all Internet web sites contain critical security vulnerabilities. Many of your clients, and your own web sites, undoubtedly are on the wrong side of this depressing number.

One final note to add one more level of additional worry: Web application security awareness has only recently entered mainstream web site development. If your web site or your client’s is more than four years old, not only is it certainly open to a critical security attack, but it is probably a target for even the most amateurish hackers: script kiddies, young kids who hack web sites because doing so is more fun than playing a predictable Xbox game.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security – from evaluation to web development and remediation.

Learn More: Cyber Security/Privacy CLE Homestudy Programs

Is Your Sensitive Data Secure: Cyber Insurance for Your Firm and Your Clients (video on-demand and mp3 download)

Avoiding The Lawyer’s Digital Nightmare: How To Safeguard Your and Your Clients’ Sensitive Information And Survive The Inevitable (?) Security Breach (video on-demand, mp3 download, and audio CD)

Ethics in a Wild Wired World (video on-demand, mp3 download, and audio CD)

To Use and Protect: Privacy Basics for Business (video on-demand and mp3 download)

Tenth Circuit: Unpublished Opinions, 6/26/12

On Tuesday, June 26, 2012, the Tenth Circuit Court of Appeals issued two published opinions and three unpublished opinions.

United States v. Hartman

United States v. Norwood

United States v. Wilkerson

No case summaries are provided for unpublished opinions. However, published opinions are summarized and provided by Legal Connection.

Tenth Circuit: Sufficient Evidence of Hostile Work Environment and Constructive Discharge to Avoid Summary Judgment; Retaliation Claim Time-Barred

The Tenth Circuit Court of Appeals published its opinion in Hernandez v. Valley View Hospital Assoc. on Tuesday, June 26, 2012.

The Tenth Circuit reversed in part and affirmed in part the district court’s decision. Petitioner, “a Latina of Mexican origin, began working in 2001 at Valley View in the food services department.” Petitioner alleges that during her time there, her supervisors “frequently made racially derogatory jokes and comments about Latinos and Mexicans, and continued to do so despite her complaints to them that their remarks were offensive.” Valley View denied her transfer request to any other position besides food services, but offered her leave under the Family and Medical Leave Act (FMLA), which she accepted. Before her leave time expired, she again asked for a transfer, which was denied, and when she failed to report back to work she was terminated.

On her hostile work environment and constructive discharge claims, the Court agreed with Petitioner that the district court incorrectly applied the summary judgment standards “by failing to construe evidence in the light most favorable to her as the non-moving party, and by resolving factual issues in favor of defendants.” Additionally, Petitioner presented sufficient evidence of a hostile work environment to withstand Valley View’s motion for summary judgment; she “presented specific examples of her supervisors’ racial jokes, identified general time frames, and provided the relevant content and context of these comments.” The Court affirmed the dismissal of her retaliation claim as time-barred.

Tenth Circuit: ALJ’s Handling of Findings Was Erroneous and Dispositive Hypothetical Inquiry Was Fatally Defective

The Tenth Circuit Court of Appeals published its opinion in Chapo v. Astrue on Tuesday, June 26, 2012.

The Tenth Circuit reversed and remanded the district court’s decision. Petitioner “appeals from a district court order upholding the Commissioner’s denial of her application for disability and supplemental security income benefits.” Petitioner contends that the administrative law judge’s residual functional capacity (RFC) “determination was not supported by substantial evidence, in particular by medical opinion evidence directly supporting the RFC findings, and . . . the ALJ improperly handled the opinion evidence in the case.”

The Court found that her first contention “rests on an unduly narrow view of the role of the administrative factfinder in social security disability proceedings.” “There is no requirement in the regulations for a direct correspondence between an RFC finding and a specific medical opinion on the functional capacity in question.” “Her second contention, however, has merit,” and led the Court to reverse and remand this matter to the agency for further proceedings. “[T]he ALJ’s handling of Dr. Vega’s findings was erroneous and, as a result, the dispositive hypothetical inquiry put to the [vocational expert] was fatally defective.”

Chief Justice Amends Court Compensation of Expert Witnesses and Professionals Conducting Mental Health Evaluations

In an effort to control expenditures of state funds in court cases, the Chief Justice of the Colorado Supreme Court has approved a new policy that applies to expert witnesses and mental health professionals conducting examinations or evaluations (with or without subsequent testimony) who are entitled to compensation paid by the Colorado Judicial Department.

Issued in June 2012, this new Chief Justice Directive, CJD 12-03, does not apply to other professionals that are appointed and compensated by the court as provided in other Chief Justice Directives, nor does it apply to employees and/or contractors paid by the Colorado Mental Health Institute at Pueblo or other government mental health agencies for work performed at their direction.

Certain types of evaluations are also excluded inasmuch as they are governed by other program-specific statutes, rules, or policies. If the Court finds that there is not an applicable statute, rule, directive, policy, or similar guidance that governs compensation for an evaluation permitted by statute, and that payment by the Judicial Department is appropriate, the Court will enter an order requiring the expert to comply with the fee and billing requirements and limitations set forth by CJD 12-03.

The Judicial Department may enter into agreements to provide for evaluations or examinations when it is determined that said agreements are cost-effective and in the best interest of the Judicial Department.

This new Chief Justice Directive is applicable to all appointments made on or after July 1, 2012.

Chief Justice Directives 87-01 (Court compensation of experts in felony cases) and 93-03 (Compensation, mental condition examinations in criminal and civil cases) are repealed by CJD 12-03.

For all details about CJD 12-03, including Fees, Expenses, and Guidelines for Payment, click here.

Rejection List for E-Filed Documents Updated by the Chief Justice

Attachment A of Chief Justice Directive 11-01 was revised this week. CJD 11-01 concerns Statewide Electronic Filing Standards and Attachment A outlines the Rejection List for E-Filed Documents. Attachment A is the only portion of the CJD that was revised.

Attachment A was amended to add reason number 16 to the list of reasons to reject a document. Section 1-15 of Colorado Civil Procedure Rule 121 was amended by the Colorado Supreme Court in March (Rule Change 2012(03)) to add a requirement that each motion filed must be accompanied by an order in editable format. The amendment to CJD 11-01 conforms Attachment A with that requirement.

The details are outlined in CJD 11-01, “Directive Concerning Statewide Electronic Filing Standards.”

Questions about this amendment can be directed to Carol Haller, Deputy State Court Administrator, Legal Counsel at (303) 837-3669 or carol.haller@judicial.state.co.us or Linda Bowers, Court Services Manager at (303) 837-3839 or linda.bowers@judicial.state.co.us.