News and information useful to Cleveland State College of Law students, faculty and staff.

Archive for the ‘Comment 8’


Comment 8: It’s November. Remember to be Moderate with Your Cookies (and other stuff)

The ABA Rules of Professional Conduct, Model Rule 1.1 Comment 8 requires, “To maintain the requisite knowledge and skill, a lawyer shall keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” To that end, we have developed this regular series to develop the competence and skills necessary to responsibly choose and use the best technologies for your educational and professional lives. If you have any questions, concerns, or topics you would like to see discussed, please reach out to e.koltonski@csuohio.edu.

 

Cookies, to paraphrase from a now beat-to-death cultural reference, are like a box of chocolates: some of them are good, and others are filled with that weird nougat that tastes like how you think the elderberry wine must have tasted in Arsenic and Old Lace. That’s two references in one compound sentence!

It should, hopefully, come as no surprise that the cookies that I am discussing are not the kind that you eat. Today we are going to look at the cookies which are used by the web sites that we visit and the web apps that we use.

 

What is a cookie?

A cookie is a small text file that a website stores in your computer’s internet browser. Much like their physical counterparts, cookies on the web come in many flavors. [Note: I’m likely not finished with this joke yet, so I will now refer to electronic cookies as cookies.] Each cookie serves a particular function and you can learn more about the types here but, basically, cookies are used for session management, personalization, and tracking. More broadly, cookies are defined by the standards set out in the General Data Protection Regulation (GDPR): duration, provenance, and purpose.

What you need to know is that some cookies are necessary and some are optional.

 

What is a GDPR?

The GDPR is a regulation adopted in April 2016 and made enforceable in May 2018 by the European Union. Data privacy and the protection of data held by professional or commercial organizations are cornerstones of the GDPR. Thus, the GDPR is meant to protect EU citizens by establishing a compliance framework for covered organizations that operate in the EU.

“Wait just a minute,” you’re saying to yourself, “I’m not a citizen of the EU. This has nothing to do with me!”

“Au contraire, mon ami,” I reply. Though I suppose we aren’t friends, but you’re very easy to talk to.

 

Why me?!

There are actually two reasons why the GDPR affects you and your time on the internet:

First, following the adoption of the GDPR, a lot of other lawmakers thought it made sense to make similar rules. Among those adopters are Turkey, Japan, Brazil, Kenya, the United Kingdom, and the state of California. The list of places adopting similar provisions continues to grow. “Wait just another minute,” you once again interject into the void, “I don’t live in any of those other places either.”

This brings us to the second reason this affects you. Risk. Well, you could also call it ‘people trying to make their jobs easier,’ but ‘risk’ is just easier. For example, the California Consumer Protection Act (CCPA) based a lot of its data protection rules on the GDPR and created regulations that protect residents of California and establish a compliance framework for professional and commercial organizations that operate in the state. Imagine you are one such organization. Let’s say that you sell [insert product] online from your base of operations in, oh, I don’t know, let’s say Ohio. If you meet the criteria set forth in the CCPA, then you need to make sure you are compliant with its regulations. There is an informative, easy-to-follow article available here.

So whether your organization is under the GDPR, the CCPA, or whichever other similar regulatory framework, how do you make sure that you are properly protecting the EU, California, or wherever citizen? The risk is too great to just check it against every visit to your website or every transaction on your webstore. Compliance failures can be expensive. The solution that has become most common is to use regulations like the GDPR as a baseline for all people.

Because of this approach taken by organizations, you’ve probably noticed a lot more pop-ups on websites asking you about accepting cookies and what cookies you want to accept. What does this mean for you as a smart internet user who wants to protect that data and privacy?

Well, don’t fill up too much over the holiday. Next month we are going to take a practical look at this subject in a Part 2 post that I may, or may not, title “The Good, The Bad, and The Cookie”.

 

Comment 8: No Personal Information for You! (sort of…)


We often hear, and I’ve talked a lot, about how important and valuable data is. This is doubly so when it comes to your personal data. “But wait,” you may already be thinking, “isn’t all my data personal data?” Well, to put it in the parlance of law school: maybe.

Personal Information (PI), or Personal Data, can have some slightly different definitions depending on the situation. For example, 2 CFR § 200.79 – Personally Identifiable Information (PII) states:

PII means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Some information that is considered to be PII is available in public sources such as telephone books, public Web sites, and university listings. This type of information is considered to be Public PII and includes, for example, first and last name, address, work telephone number, email address, home telephone number, and general educational credentials. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. Non-PII can become PII whenever additional information is made publicly available, in any medium and from any source, that, when combined with other available information, could be used to identify an individual.

Whereas the DHS defines PII “as any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department”. DHS takes a narrower view of personal information, saying that it is any information linkable to an individual.

I mention this because Google recently brought a new tool online to help people control, at least in part, what personal information is found about you in a search. The type of information for which you can request removal is about what you would think, and it is available here.

The whole process is pretty simple:

  • Go to google.com and search your name (don’t act like you never have). Google recommends adding your city/state if you have a more common name or find yourself getting results that aren’t you.
  • If you find something which you would like to request be removed from Google’s search results, then click the menu button on the search result (represented by three vertical dots).
  • Now click where it says “remove result”.

You’ll need to answer a few questions and then you submit your request. You’ll even receive updates about the progress of your request. Find a full explanation here.

It is important to note that this process isn’t about removing data from a particular site or database, but is only about removing potentially harmful search results from Google; however, I am planning to cover ways to claw back your personal information from websites and data brokers in the near future.

 

Comment 8: Risk Ain’t Just a River in Egypt


 

In a recent blog, I discussed the reality that no business, or even person, is too “small” to escape cyberattacks. Digital devices in the twenty-first century are a necessity, and that necessity comes with risk. While “it won’t happen to me” thinking is nothing new—remember those driver’s safety videos with titles like ‘Red Asphalt’—it seems particularly easy to distance ourselves from risk when it comes to the internet.

Part of my work includes following a lot of cybersecurity blogs and podcasts. It’s hard to keep up with them, but it feels hard to keep up with anything sometimes. We’ve got supercomputers in our pockets that let us access almost the entirety of human knowledge (and Twitter), and it’s overwhelming. While reading one such blog I was introduced to a tool that visually shows the prevalence of a particular type of cyberattack.

The type of attack is known as ransomware. The tool is called The World Ransomware Map. It was developed through the research of a firm called Comparitech, which I usually describe to people as being like Consumer Reports for cybersecurity and privacy.

[Image: world map showing ransomware attacks]

The data here isn’t likely complete and some of the information may not be particularly important to you (such as the particular strain of ransomware used), but I really recommend that the next time you are planning to doomscroll on Twitter you instead check out this great tool and familiarize yourself with the costly risk of ignoring cyberattacks. You may even find that ransomware attacks have happened at businesses or organizations in your own backyard. You’ll certainly find fewer comments from Elon Musk.

I’m also including a link to the Stop Ransomware! website which is operated by the Cybersecurity and Infrastructure Security Agency (CISA) in case you want to learn more about ransomware attacks and how to better protect yourself from them. You should really check out these sites. Seriously. Twitter will probably still be there later.

Comment 8: Do You Even Update?


 

Fall is coming and there is a whole lot of “new” in the air. New classes are beginning. New textbooks need to be purchased. New syllabi and lectures are waiting to be finished. With all of this new it is easy to let some things slide, but one of those things is something that too many of us forget all year: updating our technology.

 

Why should I?

 

I’m not talking about buying new devices, though that is a potentially expensive way to do it. No, I’m talking about updating the operating systems and applications on the devices that you already own. Updating is often used synonymously with the term “patching,” which the Cybersecurity and Infrastructure Security Agency (CISA) defines as:

Patches are software and operating system (OS) updates that address security vulnerabilities within a program or product. Software vendors may choose to release updates to fix performance bugs, as well as to provide enhanced security features.

Basically, as CISA explains, you should update/patch because it will make your device run better and be more secure. Mostly. Sometimes a patch ends up causing a lot of problems, but the reality is that it is better to update than to not.

 

How do I?

 

Below are some links for updating several different operating systems. Updating software is slightly more complicated but not so much that we’d say it’s complex. Each piece of software often has its own instructions for updating. Those instructions can often be found on the manufacturer’s website.

 

Windows 10/11 Update Instructions

macOS Update Instructions

Debian-based Linux Distros (e.g., Ubuntu, Kali, and Zorin OS) Update Instructions [Terminal]

Android Device Update Instructions

iPhone and iPad Update Instructions

 

It’s a good idea to check for updates at least once a week. Fortunately, updating is typically pretty quick and doesn’t require much attention. You can patch your devices while reading a good book…or a textbook.

 

Comment 8: No, Size Doesn’t Matter When It Comes to Cybercrime


 

As a solo practitioner, a partner in a small firm, or a student who hopes to work in such an environment it is important to realize that you are at risk of a cyber-attack. Many small and medium-sized businesses (SMBs) wrongly believe that their size helps protect them from malicious hackers. This is not the case. Cybercriminals will attempt to steal your data or encrypt your data as part of a ransomware scheme no matter your size. An article published by Cybersecurity Magazine highlights this danger, reporting that 43% of data breaches involve SMBs.

 

Your SMB’s computers and data are also exposed because of any number of bugs and vulnerabilities that exist in the software and services you use. A recent example of this type occurred during late 2021 and is known as the Log4j Event. For those who don’t know, let’s begin with a brief introduction that won’t require us all to get degrees in computer science.

 

Log4j is an open-source bit of code used by software developers that is so useful that it is even used in lots of commercial software. Soon after this vulnerability was discovered, cybercriminals were able to exploit it to attack computers. Though the outcome of Log4j ultimately proved less catastrophic than security professionals originally thought thanks to quick responses from industry, governments, and cybersecurity teams, the problem is nowhere near resolved. A recent report by the Cyber Safety Review Board, which operates under the Cybersecurity and Infrastructure Security Agency (CISA), believes that it will take years to fully fix the Log4j issue.

 

According to a recent study, the average cost of a breach for an SMB with fewer than 500 employees is over $2 million. This is why it is necessary for solo practitioners, small firms, and current students to fully understand the value of working proactively to protect your data and computers. Thankfully, CISA provides many great publications and advisories about tools to help you protect your SMB.

 

Remember: you aren’t just protecting yourself, you’re protecting your clients.