Data Privacy

What Does the SolarWinds Hack Mean for the Future of Law Firm Cybersecurity?

Sam Sylvan, MJLST Staffer

Last December, the software company SolarWinds acknowledged that its widely used IT-monitoring product, Orion, had been compromised earlier in the year. Orion was sold to thousands of SolarWinds clients, including government agencies and Fortune 500 companies. A tampered Orion software update gave Russian state-backed hackers a backdoor into the internal systems of approximately 18,000 SolarWinds customers, a number likely to grow as more organizations discover that they too are victims. Even FireEye, the cybersecurity company that first identified the hack, found that its own systems had been compromised.

The hack has widespread implications for the future of cybersecurity in the legal field. Courts and government attorneys did not escape it. The attackers got into the DOJ’s internal systems, and the agency reported that roughly 3,450 DOJ email inboxes may have been breached. The Administrative Office of the U.S. Courts is working with DHS to audit vulnerabilities in the CM/ECF system, where highly sensitive non-public documents are filed under seal. As of late February no law firm had announced that it was a victim, likely because law firms do not typically use Orion for IT management, but the Orion hack is a wake-up call to law firms across the country. There have been hacks before, including hacks of law firms, but nothing of this magnitude or potential for sabotage. Now more than ever, law firms must plan and implement preventative measures and response plans.

Law firms of all sizes handle confidential and highly sensitive client documents and data. Often a firm has IT specialists but no cybersecurity expert on the payroll, that is, someone internal who can keep developing the firm’s defenses. The SolarWinds hack shows why this needs to change, particularly for law firms that handle an enormous volume of highly confidential client material and can afford to add such experts to their ranks. Relying exclusively on consultants or other third parties for cybersecurity further jeopardizes the security of a firm’s document management systems and caches of electronically stored client documents. Indeed, it was reliance on a third-party vendor that enabled the SolarWinds hack in the first place.

In addition to adding a specialist to the payroll, there are a number of other specific measures that law firms can take in order to address and bolster their cybersecurity defenses. For those of us who think it is not a matter of “if” but rather “when,” law firms should have an incident response plan ready to go. According to Jim Turner, chief operating officer of Hilltop Consultants, many law firms do not even have an incident response plan in place.

Further, because complacency and outdated IT software are of particular concern for law firms, vendor vulnerability assessments should become commonplace across all law firms. A false sense of protection needs to be discarded and constant reassessment should become the norm. Firms should also upgrade their software protection to include endpoint detection and response (EDR), which monitors activity on workstations and servers for signs of intrusion rather than relying on signatures of known malware alone. Last, purchasing cyber insurance is a strong safety measure should a firm have to respond to a breach; it provides the additional resources needed to respond effectively.


I’ve Been Shot! Give Me a Donut!: Linking Vaccine Verification Apps to Existing State Immunization Registries

Ian Colby, MJLST Staffer

The gold rush for vaccination appointments is in full swing. After Governor Walz and many other governors announced an acceleration of vaccine eligibility in their states, the newly eligible desperately sought vaccinations to help the world achieve herd immunity to the SARS-CoV-2 virus (“COVID”) and get back to normal life.

The organization administering a person’s initial dose typically gives the recipient an approximately 4” x 3” card that provides the vaccine manufacturer, the date and location of inoculation, and the Centers for Disease Control (“CDC”) logo. The CDC website does not specify what, exactly, this card is for. Likely reasons include informing the patient about the healthcare they just received, a reminder card for a second dose, or providing batch numbers in case a manufacturing issue arises. Maybe they did it for the ‘Gram. However, regardless of the CDC’s reason for the card, many news outlets have latched onto the most likely future use for them: as a passport to get the post-pandemic party started.

Airlines, sports venues, schools, and donut shops are desperate to return to safe mass gatherings and close contact without needing to enforce as many protective measures. In the short term, these organizations will likely seek assurance of a person’s vaccination status. Aside from the equitable and scientific issues with requiring this assurance, these businesses will likely accept the CDC vaccination cards as “proof.” The cardboard-and-ink security of these cards rivals Social Security cards in the “high importance, zero protection” category: nothing on the card is signed or otherwise verifiable. Warnings of scammers providing blank CDC cards or stealing vaccinated people’s names and birthdates hit the web last week (no scammers needed: you can download Missouri’s PDF and print one for free).

With so little security, but with a business need to reopen the economy to vaccinated people, businesses and governments have turned to digital vaccine passports. Generically named “digital health passes,” these apps are meant to let a person show proof of vaccination status securely. They “provide a path to reviving the economy and getting Americans back to work and play,” according to a New York Times article. “For any such certificate or passport to work, it is going to need two things – access to a country’s official records of vaccinations and a secure method of identifying an individual and linking them to their health record.”

Both governments and private firms have undertaken development of these digital health passes. Israel already provides a nationwide digital proof of vaccination known as the Green Pass. Denmark followed suit with the Coronapas. In addition, a number of private companies and nonprofits are vying to become the preeminent vaccine status app for the world’s smartphones. While governments such as Israel’s have preexisting authority to access immunization and identification records, private firms do not and would require authorization to access your medical records.

So, in the United States, who would run these apps? Not the U.S. federal government. The Biden Administration unequivocally denied that it would ever require vaccine status checks or keep a vaccination database. The federal government does not need to, though. Most states already manage a digital vaccination database pursuant to laws authorizing them, and the remaining states, which do not directly authorize one, maintain a digital database anyway. These immunization information systems (“IIS”) provide quick access to a person’s vaccination status: a state’s resident can request their status for any number of vaccinations for free and receive the results via email. Texas and Florida, which made a great deal of noise about restricting any use of vaccine passports, both have registries that provide proof of vaccination. So does New York, which has already published an app, known as the Excelsior Pass, that does this for the COVID vaccine. The State’s app pulls information from New York’s immunization registry and gives anyone requiring proof a quick, simple yes-or-no result. The app uses IBM’s blockchain technology, which is “designed to enable the secure verification of health credentials such as test results and vaccination records without the need to share underlying medical and personal information.”

With so many options, consumers of vaccine status apps could become overwhelmed. A vaccinated person may need to download innumerable apps to enter myriad activities. “Fake” apps could ask for additional medical information from the unwary. Private app developers may try to justify continued use of the app after the need for COVID vaccination proof passes.
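An added example, not code from the Excelsior Pass, IBM, or any state registry: a Go sketch of the property quoted above, verifying a vaccination credential without sharing the underlying record, implemented with a plain digital signature rather than a blockchain, since a ledger is not what makes the check trustworthy. The registry signs a minimal credential (a salted hash binding it to the ID the holder will show, a yes/no flag, an expiry); a venue verifies it offline with the registry’s public key and learns nothing else. It also shows why the paper card can be edited but this cannot, and why a fake app without the registry’s private key cannot issue one. The names, dates, six-month validity and the absence of revocation are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Credential is all the holder's app shows a venue: a salted hash binding it to
// the ID the holder presents, a yes/no flag, an expiry and the registry's signature.
type Credential struct {
	Salt        [16]byte
	SubjectHash [32]byte // sha256(salt || name || 0x00 || dob)
	Vaccinated  bool
	ExpiresUnix int64
	Signature   []byte // ed25519 over signingBytes()
}

var (
	ErrBadSignature = errors.New("credential: signature does not verify under the registry key")
	ErrWrongSubject = errors.New("credential: does not match the ID presented")
	ErrExpired      = errors.New("credential: expired")
)

// subjectHash binds the credential to a person without carrying the name; the
// random salt stops identities being recovered by hashing common name/birthdate pairs.
func subjectHash(salt [16]byte, name, dob string) [32]byte {
	return sha256.Sum256(append(append(append(salt[:], name...), 0), dob...))
}

// signingBytes is a fixed-layout encoding of every signed field, so editing any one of them breaks the signature.
func (c *Credential) signingBytes() []byte {
	flag := byte(0)
	if c.Vaccinated {
		flag = 1
	}
	var exp [8]byte
	binary.BigEndian.PutUint64(exp[:], uint64(c.ExpiresUnix))
	buf := append(append([]byte{}, c.Salt[:]...), c.SubjectHash[:]...)
	return append(append(buf, flag), exp[:]...)
}

// Issue is the registry's side: after looking the person up in its immunization records, it signs once.
func Issue(priv ed25519.PrivateKey, name, dob string, vaccinated bool, expires time.Time) Credential {
	c := Credential{Vaccinated: vaccinated, ExpiresUnix: expires.Unix()}
	if _, err := rand.Read(c.Salt[:]); err != nil {
		panic(err) // no entropy means no usable salt; do not issue
	}
	c.SubjectHash = subjectHash(c.Salt, name, dob)
	c.Signature = ed25519.Sign(priv, c.signingBytes())
	return c
}

// Verify is the venue's side and runs offline with only the registry's public key,
// the credential, and the name and birthdate read from the holder's ID.
func Verify(pub ed25519.PublicKey, c Credential, name, dob string, now time.Time) (bool, error) {
	if !ed25519.Verify(pub, c.signingBytes(), c.Signature) {
		return false, ErrBadSignature
	}
	if subjectHash(c.Salt, name, dob) != c.SubjectHash {
		return false, ErrWrongSubject
	}
	if !now.Before(time.Unix(c.ExpiresUnix, 0)) {
		return false, ErrExpired
	}
	return c.Vaccinated, nil
}

// RunScenario issues constructed credentials and tries the checks a venue faces (names and dates are made up).
func RunScenario() (bool, map[string]error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, fakePriv, _ := ed25519.GenerateKey(rand.Reader) // a look-alike app's own key
	now := time.Date(2021, 4, 15, 12, 0, 0, 0, time.UTC)
	exp := now.AddDate(0, 6, 0)
	jane := Issue(priv, "Jane Q. Public", "1980-01-02", true, exp)
	john := Issue(priv, "John Doe", "1975-07-04", false, exp)
	forged := john
	forged.Vaccinated = true // John edits his own credential, as one might a paper card
	bogus := Issue(fakePriv, "John Doe", "1975-07-04", true, exp)
	errs := map[string]error{}
	var status bool
	status, errs["genuine"] = Verify(pub, jane, "Jane Q. Public", "1980-01-02", now)
	_, errs["forged"] = Verify(pub, forged, "John Doe", "1975-07-04", now)
	_, errs["wrongPerson"] = Verify(pub, jane, "John Doe", "1975-07-04", now) // John shows Jane's
	_, errs["expired"] = Verify(pub, jane, "Jane Q. Public", "1980-01-02", exp.AddDate(0, 0, 1))
	_, errs["fakeApp"] = Verify(pub, bogus, "John Doe", "1975-07-04", now)
	return status, errs
}

func main() {
	fmt.Println(RunScenario())
}
```

A deployment would add a revocation or short-expiry strategy, encode the credential as a QR code, and ship the registry’s public key inside the verifier app rather than trusting whatever key a QR code presents. The salted hash hides identity only from someone who does not already know the name and birthdate, so the credential itself should never be published.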

In this competitive atmosphere, apps that partner with state governments likely provide the best form of digital vaccination verification. They have direct approval from the states that are required by law to maintain these vaccination records, which gives users some assurance against scams, and cooperation toward standardization across states may encourage wider use. States seeking to reopen their economies should authorize digital interfaces with their pre-existing immunization registries. Now that the gold rush for vaccinations has started, the gold rush for vaccine passports is something to keep an eye on.



Ways to Lose Our Virtual Platforms: From TikTok to Parler

Mengmeng Du, MJLST Staffer

Many Americans bid farewell to a rough 2020 only to find the beginning of 2021 rather shocking. After President Trump’s followers stormed the Capitol on January 6, 2021, major U.S. social media companies, including Twitter, Facebook, Instagram, and Snapchat, moved fast to block the nation’s president on their platforms. While everybody was still in shock, a second wave hit: Apple’s iOS App Store, Google’s Android Play Store, Amazon Web Services, and other service providers decided to drop Parler, an app used by Trump supporters in the riot and mostly favored by conservatives. Finding himself virtually homeless, President Trump relocated to TikTok, a Chinese-owned short-video sharing app that he had relentlessly sought to ban since July 2020. Ironically, but not unexpectedly, TikTok banned President Trump before he could ban TikTok.

The fight between TikTok and President Trump germinated in June 2020, when the app’s Chinese parent company ByteDance was accused of discreetly reading the clipboard contents on users’ iOS devices. Although the company argued that the feature was an “anti-spam” measure and would be removed immediately, the Trump administration signed Executive Order 13942 on August 6, 2020, citing national security concerns, to ban the app in five stages. TikTok responded swiftly in court, and the District Court for the District of Columbia issued a preliminary injunction on September 27, 2020. At the same time, knowing that the root of the problem lay in its “Chinese nationality,” ByteDance desperately sought acquisition by a U.S. corporation to make TikTok American-owned and dodge the ban, even at the cost of billions of dollars and, worse, its future in the U.S. market. The sale soon drew qualified bidders including Microsoft, Oracle, and Walmart, but has not advanced far since September because of pressure from both Washington and Beijing.

Targeted alongside TikTok, by a companion executive order signed the same day, was another Chinese app, WeChat. If banning TikTok means that American teens lose their favorite platform for sharing their lives during the pandemic, blocking WeChat means much more. It falls heavily on one minority group: the hundreds of thousands of Chinese Americans and Chinese citizens in America who use WeChat. That group fears losing touch with family and being cut off from the social networks they have built once this vital platform disappears. For more insight, see this blog post on the impact of the WeChat ban on Chinese students studying in the United States.

In response to the WeChat ban, several Chinese American lawyers led the creation of the U.S. WeChat Users Alliance. Supported by thousands of U.S. WeChat users, the Alliance is a non-profit organization independent of Tencent, the owner of WeChat, and was formed on August 8, 2020 to advocate for everyone affected by the ban. The Alliance then sued the Trump administration in the United States District Court for the Northern District of California and won its first victory on September 20, 2020, when Judge Laurel Beeler issued a preliminary injunction against the executive order.

Law is powerful. Article Two of the United States Constitution vests broad executive power in the president, including discretion over how to enforce the law through executive orders. That is how President Trump could pursue a cause that suited him and ban TikTok and WeChat for their Chinese “nationality.” Likewise, the First Amendment and section 230 of the Communications Decency Act empower private Internet forum providers to screen and block offensive material. Thus TikTok, following its peers, finds legal justification for banning President Trump, and Apple can keep Parler out of reach of Trump supporters. But power can corrupt. It is true that TikTok and WeChat are owned by Chinese companies, but an app, a technology, does not take on a nationality from its ownership. What happened in the Capitol on January 6, 2021 was shameful but does not justify the removal of Parler. Admittedly, regulation and even censorship of private virtual platforms are sometimes necessary for national security and other public interests. But the solution should not be simply making platforms unavailable.

As a Chinese student studying in the United States, I personally felt the impact of the WeChat ban. I feel fortunate that the judicial check the U.S. legal system places on executive power saved WeChat this time, but I do fear for the future of internet forum regulation.



Becoming “[COVID]aware” of the Debate Around Contact Tracing Apps

Ellie Soskin, MJLST Staffer

As COVID-19 cases continue to surge, states have ramped up containment efforts in the form of mask mandates, business closures, and other public health interventions. Contact tracing is a vital part of those efforts: health officials identify those who have been in close contact with individuals diagnosed with COVID-19 and alert them of their potential exposure to the virus, while withholding identifying information. But traditional contact tracing for a true global pandemic requires a lot of resources. Accordingly, a number of regions have looked to smartphone-based exposure notification technology as an innovative way to both supplement and automate containment efforts.

Minnesota is one of the latest states to adopt this approach: on November 23rd, the state released “COVIDaware,” a phone application designed to notify individuals if they have been exposed to someone diagnosed with COVID-19. Minnesota’s application uses exposure notification technology developed jointly by Apple and Google, joining sixteen other states and the District of Columbia, with more expected to roll out in the coming weeks. The nature of the technology raises a number of complex concerns over data protection and privacy. Additionally, these apps become more effective the more people use them, and questions remain about compliance and the feasibility of mandating use.

The joint Apple/Google notification framework used in Minnesota is designed with an emphasis on privacy. Each phone generates a fresh random key every day and broadcasts short-lived identifiers derived from it that change several times an hour, so that an observer cannot link one identifier to the next. The framework does not solicit identifying information, does not provide access to GPS data, and keeps the record of identifiers it has heard only on each user’s phone. The exchange happens over a Bluetooth connection running in the background. It can be turned off, and it relies wholly on self-reports: the only data ever uploaded to a server is the daily keys of users who choose to report a positive test. For Minnesota, accurate reports are ensured by state-issued verification codes provided with positive test results. The COVIDaware app downloads the published keys of diagnosed users daily and checks, on the phone itself, whether any of them match identifiers it recorded within the last 14 days. Minnesota policymakers, likely aware of the intense privacy concerns triggered by contact tracing apps, have emphasized the minimal data collection COVIDaware requires.
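As an added example, not code from COVIDaware or from the Apple/Google framework itself, here is the key schedule and matching step described above in Go, patterned on the public Exposure Notification cryptography specification (a daily Temporary Exposure Key, an identifier key derived from it with HKDF, and AES-128 over the “EN-RPI” prefix plus the 10-minute interval number). The associated encrypted metadata, the Bluetooth layer and the verification-code upload are left out, and the Alice/Bob/Carol scenario and interval numbers are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Interval numbers count 10-minute slots since the Unix epoch; a day holds 144.
const intervalsPerDay = 144

// TEK is a Temporary Exposure Key: one random 16-byte key per day that never
// leaves the phone unless its owner chooses to report a positive test.
type TEK struct {
	Key           [16]byte
	StartInterval uint32 // first interval of the day this key covers
}

func NewTEK(startInterval uint32) TEK {
	t := TEK{StartInterval: startInterval}
	if _, err := rand.Read(t.Key[:]); err != nil {
		panic(err) // no entropy means no safe key
	}
	return t
}

// hkdf16 is HKDF-SHA256 with an all-zero salt, reduced to the single expand
// step a 16-byte output needs, so the example runs on the standard library alone.
func hkdf16(ikm []byte, info string) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size))
	extract.Write(ikm)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte(info))
	expand.Write([]byte{0x01})
	return expand.Sum(nil)[:16]
}

// RollingProximityID is the value actually broadcast over Bluetooth during one
// interval: AES-128 of a fixed prefix plus the interval number under a key derived
// from the TEK. Without the TEK, identifiers from different intervals cannot be linked.
func RollingProximityID(tek TEK, interval uint32) [16]byte {
	block, err := aes.NewCipher(hkdf16(tek.Key[:], "EN-RPIK"))
	if err != nil {
		panic(err) // key length is fixed at 16 bytes, so this cannot happen
	}
	var padded, id [16]byte
	copy(padded[:6], "EN-RPI") // bytes 6..11 stay zero
	binary.LittleEndian.PutUint32(padded[12:], interval)
	block.Encrypt(id[:], padded[:])
	return id
}

// Sighting is what a listening phone stores: an identifier and when it was heard.
type Sighting struct {
	ID       [16]byte
	Interval uint32
}

// Matches rebuilds every identifier a diagnosed user's phone could have sent on the
// day each published key covers and returns the intervals at which this phone heard
// one. Sightings older than 14 days are ignored.
func Matches(heard []Sighting, published []TEK, now uint32) []uint32 {
	recent := make(map[[16]byte]uint32, len(heard))
	for _, s := range heard {
		if s.Interval+14*intervalsPerDay >= now {
			recent[s.ID] = s.Interval
		}
	}
	var hits []uint32
	for _, tek := range published {
		for i := uint32(0); i < intervalsPerDay; i++ {
			if at, ok := recent[RollingProximityID(tek, tek.StartInterval+i)]; ok {
				hits = append(hits, at)
			}
		}
	}
	return hits
}

// RunScenario: Bob's phone hears two of Alice's identifiers and one of Carol's; Alice
// later reports positive and her TEK is published, Carol's never is. Returns Bob's
// exposure intervals and whether two consecutive identifiers from one key differ.
func RunScenario() (hits []uint32, unlinkable bool) {
	day := uint32(18750 * intervalsPerDay) // constructed day boundary
	alice, carol := NewTEK(day), NewTEK(day)
	heard := []Sighting{
		{RollingProximityID(alice, day+20), day + 20},
		{RollingProximityID(carol, day+21), day + 21},
		{RollingProximityID(alice, day+90), day + 90},
	}
	hits = Matches(heard, []TEK{alice}, day+3*intervalsPerDay) // Bob checks 3 days on
	a, b := RollingProximityID(alice, day+20), RollingProximityID(alice, day+21)
	return hits, a != b
}

func main() {
	hits, unlinkable := RunScenario()
	fmt.Println("exposure intervals:", hits, "consecutive IDs unlinkable:", unlinkable)
}
```

The privacy argument is visible in the code: what Bob’s phone stores is a list of opaque 16-byte values, what Alice uploads is a key that says nothing about where she was, and the matching runs on Bob’s phone, so neither the server nor Alice learns that Bob was nearby.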

The data privacy regulatory scheme in the United States is complex, as there is no single unified federal data protection statute. Instead, the field is dominated by the individual states. Federal law enters the picture primarily through the Health Insurance Portability and Accountability Act (“HIPAA”), which does not apply to patients voluntarily giving health information to third parties. In response to concerns over contact tracing app data, multiple data privacy bills were introduced in Congress, but even the bipartisan “Exposure Notification Privacy Act” remains unpassed.

Given the decentralized nature of the internet, applications tend to be designed to comply with all 50 states’ policies. However, in this case, state-created contact tracing applications are designed for local use, so from a practical perspective states may only have to worry about compliance with neighboring states’ data privacy acts. The Minnesota Government Data Practices Act, passed in 1974, is the only substantive Minnesota state statute affecting data collection, and the laws of neighboring states (Wisconsin, Iowa, North Dakota, and South Dakota) are similarly limited or dated. In this specific case, the privacy-focused Apple/Google API that forms the backbone of COVIDaware and the design of the app itself, described briefly above, likely keep it compliant. In fact, some states have expressed frustration at the degree of individual privacy afforded by the Apple/Google API, saying it can stymie coordinated public health efforts.

Of course, one solution to even minimal data privacy concerns is simply not to use the application. But the efficacy of contact tracing apps depends entirely on whether people actually download and use them. Some countries have opted for degrees of mandatory use: China has mandated adoption of its contact tracing app for every citizen, utilizing unprecedented government surveillance to flag individuals potentially exposed, and India has made employers responsible for ensuring every employee download its government-developed contact tracing app. While a similar employer-based approach is not legally impossible in the United States, any such mandate would be legally complex, and anyone following the controversy over mask mandates should instinctively recognize that a mandated government tracking app is a hard sell (to put it lightly).

But mandates may not even be necessary. Experts have emphasized that universal compliance isn’t necessary for an app to be effective: every user helps. Germany and Ireland have not mandated use, but have download rates of 20% and 37% respectively. Some have proposed small, community-focused launches of tracking apps, similar to successful start-ups. With proper marketing and transparency, states need not even enter the sticky legal mess that is mandating compliance.

Virtually every policy response to COVID in the United States has been met with heated controversy and tracking apps are no different. As these apps are in their infancy, legal challenges have yet to emerge, but the area in general is something of a minefield. The limited and voluntary nature of Minnesota’s COVIDaware app likely places it out of the realm of significant legal challenges and significant data privacy concerns, at least for the moment. The general conversation around contact tracing apps is a much larger one, however, and has helped put data privacy and end user control into the global conversation.