News and information useful to Cleveland-Marshall College of Law students, faculty and staff.

Archive for the ‘Apps/Technology’


This Just in: Breached! Why Data Security Law Fails and How to Improve It

Our lives involve a lot of access to digital information, and with that come data breaches. Despite the passage of many data security laws, data breaches are increasing at a record pace. In Breached!, Daniel Solove and Woodrow Hartzog argue that we focus too much on the breach itself. Using many stories about data breaches, Solove and Hartzog show how major breaches could have been prevented or mitigated through a different approach to data security rules. Current law is counterproductive, they argue, because it penalizes organizations that have suffered a breach but doesn’t address the many other actors that contribute to the problem: software companies that create vulnerable software, device companies that make insecure devices, government policymakers who write regulations that increase security risks, organizations that train people to engage in risky behaviors, and more.

Both Solove and Hartzog are experts in privacy and data security.  Solove has authored a number of books and textbooks on privacy and is the John Marshall Harlan Research Professor of Law at George Washington University School of Law.  He also is the founder of TeachPrivacy, a company that provides privacy and data security training. Hartzog is a Professor of Law and Computer Science at Northeastern University School of Law and the College of Computer and Information Science. His research on privacy, media, and robotics has been published in numerous law reviews and peer-reviewed publications.  He has also been published in many popular and news publications.

For additional information on cybersecurity, check out C|M|LAW’s CENTER FOR CYBERSECURITY AND PRIVACY PROTECTION.

Comment 8: And Just Like That, Everything Got All Meta Pt.2

The ABA Rules of Professional Conduct, Model Rule 1.1 Comment 8 requires, “To maintain the requisite knowledge and skill, a lawyer shall keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” To that end, we have developed this regular series to develop the competence and skills necessary to responsibly choose and use the best technologies for your educational and professional lives. If you have any questions, concerns, or topics you would like to see discussed, please reach out to e.koltonski@csuohio.edu.

 

Last month we looked at metadata as it exists broadly. If you are unfamiliar with the topic or need a quick refresher, you can find Part 1 here.

Today, we are continuing our conversation by focusing more specifically on what lawyers and legal professionals need to understand about metadata. Over the next three sections we will develop knowledge about when metadata is useful, when to delete your metadata, and then a more granular look at metadata during discovery.

 

When is Metadata Useful?

 

All the time. Now moving on to the next section. Just kidding. Though it is pretty much all the time, the context in which it is useful constantly changes. As we stated last time, “Metadata is information about data that makes the data easier to organize, utilize, and understand”. System metadata, which is generated by our devices, helps us organize and later locate our work. Without system metadata it would be nearly impossible for us to get the file that we need when we need it, a process we carry out using the various file managers available within operating systems. Where system metadata is concerned more with organization, application metadata is focused on utilization and understanding.

 

Application metadata, which is created by our software, is also incredibly important. One of the better-known instances of application metadata is the ability to track edits in Microsoft Word. Metadata in a Word file allows users to see previous versions, track who made changes, and even find out how much time was spent creating and editing the document. In the legal profession, these data can mean a lot to your workflows and billings. Metadata, importantly, provides more utility to the documents created within applications.

 

But how does metadata allow us to better understand data? Consider a digital photo. During a case, you find an image which may or may not be useful. How do you determine if the image was taken anywhere near the area you are researching? Was it even taken at the right day or time? For that we look at a special form of metadata known as Exchangeable Image File (EXIF) data. The EXIF data may show when and where the picture was taken, the settings of the camera, the model of the camera, who took the picture, and even more. There are, however, two important caveats. First, it is possible on most cameras to control the amount of EXIF data created before a picture is taken. Second, it is possible to delete EXIF data after a picture is taken.
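As an added illustration (not part of the original post), the Python code below reads a few EXIF fields directly from a JPEG's bytes and shows the second caveat: once the EXIF segment is removed, nothing remains to read. The sample file, its camera name and its timestamp are constructed for the example, and only three tags from the first EXIF directory are decoded.

```python
import struct

TAGS = {0x010F: "Make", 0x0132: "DateTime", 0x8825: "GPSInfo"}  # IFD0 tag numbers

def find_exif(jpeg):
    """Return (start, end) of the EXIF APP1 segment, or None if there is none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return pos, end
        pos = end
    return None

def read_exif(jpeg):
    """Return the IFD0 tags listed in TAGS, or {} when the file carries no EXIF."""
    seg, found = find_exif(jpeg), {}
    if seg is None:
        return found
    tiff = jpeg[seg[0] + 10:seg[1]]                 # TIFF block after "Exif\0\0"
    e = "<" if tiff[:2] == b"II" else ">"           # byte-order marker
    ifd = struct.unpack(e + "I", tiff[4:8])[0]      # offset of IFD0
    count = struct.unpack(e + "H", tiff[ifd:ifd + 2])[0]
    for off in range(ifd + 2, ifd + 2 + 12 * count, 12):
        tag, typ, n, val = struct.unpack(e + "HHII", tiff[off:off + 12])
        if tag in TAGS and typ == 2:                # ASCII string, NUL-terminated
            raw = tiff[off + 8:off + 8 + n] if n <= 4 else tiff[val:val + n]
            found[TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif tag in TAGS:                           # pointer to a sub-IFD (GPS)
            found[TAGS[tag]] = "present"
    return found

def strip_exif(jpeg):
    """Return the JPEG bytes with the EXIF segment cut out (metadata deleted)."""
    seg = find_exif(jpeg)
    return jpeg if seg is None else jpeg[:seg[0]] + jpeg[seg[1]:]

def build_sample():
    """Constructed JPEG header with EXIF and an empty GPS IFD (no real image data)."""
    make, when = b"ExampleCam\x00", b"2022:03:30 14:05:00\x00"
    base = 8 + 2 + 12 * 3 + 4                       # where the string data starts
    ifd = struct.pack("<H", 3) + b"".join(struct.pack("<HHII", *t) for t in [
        (0x010F, 2, len(make), base), (0x0132, 2, len(when), base + len(make)),
        (0x8825, 4, 1, base + len(make) + len(when))]) + b"\x00" * 4
    app1 = b"Exif\x00\x00II*\x00" + struct.pack("<I", 8) + ifd + make + when + bytes(6)
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\xff\xd9")
```

An empty result from `read_exif` shows only that no EXIF is present in the file as it exists now, not that none was ever recorded.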

 

Speaking of deleting metadata, now is the time for something completely unexpected: this two-part blog on metadata will in fact be three parts!

 

Why did I decide to do this? The most important reason is because this blog started to run longer than planned and I want to respect your time by keeping these posts manageable. The other reason is because this will provide us some extra space to really dive into deletion and metadata during discovery. Despite this spontaneous intermission, Part 3 will be available later this month.

Comment 8: A Brief Security Brief for 30 March 2022


If you use the Chrome browser on any of your personal devices, this blog post is for you. This week there has been a lot of reporting that there are newly discovered exploits on the Chrome browser that will make your device less secure. Whether you use Chrome on Windows or macOS [Yes, Macs can be hacked.], you need to update your Chrome app as soon as possible to help protect your system from potential malicious attacks.

This article from Forbes is likely a bit more technical than you may need, but it gives a good overview of what is happening and, more importantly, explains how to go about updating your Chrome browser. Updating Chrome on your phone is handled differently, but phones tend to put everything for updating in the same place. IT departments at your workplace will take care of updating the computers that they manage.

 

Terminology Check:

exploit: A technique to breach the security of a network or information system in violation of security policy (cisa.gov).

Think of an exploit like having a fence around your yard with a big hole in it. Or finding a loophole in the tax law and using it.

 

Updating your devices, operating system, and apps is something you should strive to do on a regular basis, even if you aren’t weird and do it daily like me.

Comment 8: How I Stopped Forgetting and Love the Password Manager


The Introduction

If we could travel back in time a few decades and explain life in 2002, one thing that would likely amaze those in the past is how much time and effort we spend on entering usernames and passwords to use the various programs and services that fill our working and personal lives. That is, of course, if we even think to bring this fact up to them as ‘logging in’ has become so ubiquitous that we rarely think about it anymore. Unless, of course, the process does not work.  But there is an issue much worse than having to reset a password, and that is having a weak password. This installment will examine two major, but interrelated, topics:

Why having weak passwords and reusing them across accounts is a terrible idea (that we all do).

What we can do to make our accounts more secure.

 

The Limited Bandwidth Problem

This is not a recommendation that your home or office needs to pay an internet service provider (ISP) for more speed, but an admission that as humans we have definable limits. I can remember in the 1980s knowing about twenty or thirty phone numbers at any given time. They ranged from numbers that I called daily to those that I rarely ever used, but I could walk up to a pay phone, plop in a quarter, and dial without giving it a second thought. Today, I can barely remember my own cell phone number. The problem here is not that I’m getting old (not completely) but that I need to know way more phone numbers than I did back then. I rely on my ‘contacts’ app to remember all the phone numbers so that I can focus my attention on other things: like all the usernames and passwords that I must keep track of.

 

The Reused and Weak

Since I have dozens, and dozens, and dozens of accounts that means I have a lot of usernames and passwords to keep up with. To help us with organizing all this information we all, no matter how much we shouldn’t, end up making the simplest password that the sign-up page will allow and then reuse that same password all over the place. While organizationally this helps us save some brain power by not having to remember as much, doing this also makes our accounts less secure. Given the decidedly confidential nature of information for those who practice law, this poor bit of security hygiene can prove incredibly costly…both professionally and financially. A recent article by the Indianapolis Bar Association highlights several cases where data breaches have led to suits against lawyers and firms by their affected clients.

Imagine this hypothetical. You work at a firm that employs an on-site cybersecurity professional who has the budget available to properly defend the firm’s systems and data against outside intrusion. No system is hack-proof, but it would take a lot of really good cybercriminals a lot of time to get in. When you began at the firm you had to set up new credentials for services like the enterprise email system and the computer at your desk. “Another log-in,” you silently bemoaned, “I have my personal email password memorized. That’ll be perfect.” The problem is that an attacker found out that you started at the firm and, unbeknownst to you, your personal email credentials had been compromised and the attacker found them online. The firm’s website provides your email address. The attacker uses that along with the personal email password they found in the hopes of getting lucky. Just like that, they have access to your firm. Now some angry clients are preparing to sue.

Not that a cybercriminal needs to search around hoping to find a compromised account to try and use. A fairly common password scheme requires seven characters with an uppercase letter, a lowercase letter, a number, and a symbol. An attacker may be able to crack this password in about six minutes. While no password is technically unhackable, it may take up to five years if you used the previous scheme with ten characters. In other words, what we see here is that you want each password to be both complex (namely long) and unique to each account. But how do we remember all of this?

 

The Management Solution

It turns out that you can make all your accounts more secure and make it easier for you to remember your logins if you use one simple product: a password manager. This tool will help keep track of your accounts and will generate extremely complex passwords for them. Password managers are just really fancy spreadsheets. You won’t be on the hook for remembering all this information, though, as all you need to remember is the username and ‘master password’ for the password manager. From there, and depending on which service you choose, you can either copy-and-paste your credentials or it will autofill your credentials if your manager integrates with your web browser, usually through an extension. With many managers it is also possible to integrate them with multi-factor authentication tools to make things even more secure. Several also allow you to install the app and sync it across devices, so that you can use it from your phone and your computer.

There are a few things to consider when choosing a good password manager, and I highly recommend researching the possibilities before deciding. While some web browsers have even begun integrating password management, they are not very secure. There are some good free password managers, but they tend to have some or all of the following issues: they are less secure, they have limited features, they are complicated to use. The paid managers, especially if you are not buying for a whole office, are incredibly reasonably priced considering the protection that they offer.
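An added example, not from the original post: Python code that checks a set of stored logins for the two problems described under “The Reused and Weak” and generates the kind of random replacement a password manager would. The vault contents and site names are constructed, and the 65-bit threshold is an assumption chosen so that the seven-character scheme above fails and the ten-character one passes.

```python
import math
import secrets
import string
from collections import defaultdict

CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def search_space_bits(password):
    """Upper bound on brute-force effort, in bits, from length and classes used.

    Assumes characters were picked at random; human-chosen passwords are weaker.
    """
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0

def audit(vault, min_bits=65.0):
    """Return (reused, weak): groups of sites sharing a password, sites under min_bits."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    reused = sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)
    weak = sorted(s for s, p in vault.items() if search_space_bits(p) < min_bits)
    return reused, weak

def generate(length=20):
    """Random password containing every character class, drawn from a CSPRNG."""
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in c for ch in candidate) for c in CLASSES):
            return candidate

# Constructed sample vault (hypothetical sites and passwords).
SAMPLE = {
    "personal-email": "Summer1!",
    "firm-email": "Summer1!",
    "bank": "Tr0ub4dor&3x",
    "court-efiling": "k#9Vq2!mZp@7Lw$4Rt",
}

if __name__ == "__main__":
    reused, weak = audit(SAMPLE)
    print("reused across:", reused)
    print("too weak:", weak)
    print("replacement:", generate())
```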

 

The TLDR

We have to remember too many passwords so we make them weak and reuse them. Weak and reused passwords can make you an easier target for cybercriminals and losing client information could cost you or your firm both professionally and financially. Password managers make our accounts more secure and give us less to have to remember.

Reset Your Law Account Yourself

We all forget or misplace passwords.

Our IT department has created a do-it-yourself feature for resetting your law account. Click on Reset Law Account under “Quicklinks” on the right side of the library’s homepage to access this feature.