Category Archives: Intellectual Property

Data Network Security Breaches and Notification Laws

Data Network Security Breaches and Notification Laws
Data Network Security Breaches and Notification Laws

Ever gotten a notice in the mail that read, something to the effect of, “by law, we’re required to inform you that since our infrastructure passwords were extremely weak, such as “password” and “123456,” a data breach has occurred and your personal information may or may not be in the hands of Russian hackers for sale somewhere in the deep web?”

Well, maybe not that forthcoming, but you know what I’m talking about. When it comes to data network security breaches, there are laws which specifically require an organization to disclose to its customers whenever there has been such a data breach. These laws go  far beyond the ubiquitous Health Insurance Portability and Accountability Act, better known as HIPPA.

For instance, here in Arizona, under Revised Statute § 44-7501, (Conditionally Rpld.) it requires a person that conducts business in this state who becomes aware of a data breach shall conduct a reasonable investigation and after determining a breach in the security system shall notify all individuals affected.[1] Simply put, organizations are required, by law, to disclose the breach, make remedies to resolve it, and can be held responsible for any damages thereof.

Oftentimes, these data network security breaches and subsequent notifications will be accompanied with a free offer for credit monitoring. As a consumer, you should absolutely take it, if you aren’t’ already monitoring your credit through some other third party.

First and foremost, if you discover a data network security breach within your firm, promptly notify your clients and provide measures to protect their interests. More importantly, as an organization, there are several steps you can take to avoid such data network security breaches. Some are as simple as requiring strong password policy. Others include keeping your data stored in a secured, locked environment with very restricted access.

Password Policies

As both an end-user and as an administrator, I know how frustrating complex password policies can be. Yes it’s pain to have a password that must contain 1 uppercase letter, 1 lowercase letter, 1 symbol, 1 number, that cannot be anything you’ve ever used before and cannot have successive numerical values. However, that complexity exists for a reason. Hackers are well aware of the most commonly used password, such as “123456” followed by “password.”[2]

The folks at Microsoft recommend you “set password policy to require complex passwords, which contain a combination of uppercase and lowercase letters, numbers, and symbols, and are typically a minimum of seven characters long or more for all accounts, including administrative accounts, such as local administrator, domain administrator, and enterprise administrator.”[3]

However, consequently, when employees are required to change passwords often, meet minimum complexity requirements, and not repeat a password for a minimum amount of time, they may begin to break the rules and start writing passwords down simply because they cannot remember passwords that change so often.[4] Bottom line, design a password policy that is secure but doesn’t comprise functionality.

Data Network Security Breaches and Notification Laws
Data Network Security Breaches and Notification Laws

End-User Training

Many folks within an organization, while balking at having to change passwords regularly, simply do not understand the reasons behind it or the risks they attempt to advert. To that end, it would be wise for your IT staff to train end-users on why and how to keep their passwords unique and safe. Once employees discover their organization can be levied a hefty fine which may result in cutbacks as a consequence thereof, I’m sure the loudest of the balkers will begin to change their tune.

End-user training can be as simple as memo sent to employees requiring  them to read, sign, and return to management. Alternatively, a once a year run-down presented by IT staff during a mandatory meeting should suffice for larger organizations.

Restricting Access

Your organizations most sensitive client data should be restricted to a need-to-know basis. If there is no need for the receptionist to access client information, then by all means create a security clearance group policy that only allows access to sensitive drives to those who truly require it.

Is your server room open to anyone at the firm? If so, quite frankly, you’re doing it wrong! I don’t care if there are 2 people in your firm, if one doesn’t need access to drives containing sensitive data, then by all means keep that access restricted. Unfortunately, many organizations have the “it’ll never happen to us” mentality that ultimately comes back to bite them in the end. Remember Target? Ever heard of the Panama papers?

Data Network Security Breaches and Notification Laws
Data Network Security Breaches and Notification Laws


Data security is your responsibility. Be not only aware of the legal obligations for your firm’s clients, but for anyone who does business with your organization. Develop corresponding IT policies and procedures to avoid liability that can possibly be the death knell of your organization.

[1] Arizona Revised Statutes, , (last visited May 16, 2016).

[2] The 25 Most Popular Passwords of 2015: We’re All Such Idiots, , (last visited May 16, 2016).

[3] Creating a Strong Password Policy: Logon and Authentication, , (last visited May 16, 2016).

[4] Password Policy, , (last visited May 16, 2016).

How Our Law Firm Survived a CryptoWall Ransomware Attack

How one Law Firm Survived a CryptoWall Ransomware Attack
How Our Law Firm Survived a CryptoWall Ransomware Attack

It started with an early Sunday morning phone call. A senior equity partner who writes whenever and wherever inspired complained, “I’m getting an error whenever I try to open Word or PDF documents.” Two hours, and a trip into the office later, we erroneously concluded our case file folder had been corrupted from an unsuccessful backup and a simple scan/repair job would have us back up and running.

Unfortunately, while the scan/repair utility sifted its way through 1.5 terabytes of files, a more destructive tool was worming its way through our network shares as well. It wasn’t until another partner emailed late Sunday evening to inquire about strange file names like “HELP_DECRYPT” saved in his case directory  did we realize we had a more serious problem on our hands. We’d been struck by the CryptoWall 3.0 ransomware virus! (Que Scary Music!)

What is CryptoWall 3.0?

“CryptoWall is “the largest and most destructive ransomware threat on the Internet “at the moment and will likely continue to grow.[1] Essentially, CryptoWall, an evolution from CryptoLocker, uses malware to copy and encrypt commonly used office file extensions, then deletes the original, leaving victims little or no options beyond paying a ransom or losing the ability to recover their files. In a law firm, losing client data, past and present, simply isn’t an option. In our case, the ransomers wanted $700 to supply the key to decrypt our files! Though we had roughly triple that amount in lost productivity and billable hours fixing this mess, negotiating with terrorist simply wasn’t an option! However, fortunately, if your organization has a cold backup the likelihood of recovery drastically increases.

When we investigated just how much the virus purveyed through our network, we noticed it was centralized in the heart of our operation, client case files, and law firm application data shares. Though we knew we had cold back-ups to restore from, we didn’t know if the virus had stopped spreading or even know where it originated. The last thing we wanted to do was to restore our files only to have them encrypted all over again!

$700 Ransom only doubles with time!
$700 Ransom only doubles with time!

Identifying the Source of the Virus

Once you notice your organization has been affected by CryptoWall, some engineers suggest you power down your network switch to prevent spreading. While this works for smaller networks, it may not be feasible, especially for larger organizations. I would simply suggest modifying share permissions to critical shared drives to prevent infected machines from writing to those drives and further spreading. Unfortunately, there is no administrator level method to determine which machine the virus originated from. I had to walk around to each and every machine in the law firm, install, and run applications such as MalwareBytes, Hitman Pro and ListCWall to scan, identify, and remove any locally infected files. Once we identified the source of the virus (HELP_DECRYPT files will appear locally), I scrubbed it clean and proceeded to delete and restore our files.

Restoring the Infected Files

There is something unnerving about deleting 1.5 terabytes of client files even when you know there is a backup, but it was necessary. Besides, all of it was utterly useless encrypted garbage at this point. After deleting, we used an application called Karen’s Replicator to replicate the cold backup drive to the previously infected share drive. It took approximately 2 days to restore 1.5 terabytes worth of data, but it worked, and so far, so good.

We also noticed that QuickBook files, both current, and backups were affected as well. Luckily, we were able to restore company files from previous routine bare metal Windows Server Backup.

How You Can Protect Your Network

The bottom line is this can happen to anyone. One erroneous click on the Internet, opening an attachment from even a trusted source whose email contacts have been compromised can unleash a world of hurt on law firms who increasingly rely on sensitive client data to operate. The more we embrace technology, the more vulnerable we become to it. Keeping end-users up-to-date with safe browsing practices is a start. TechRepublic has some great tips for keeping your network safe and avoiding the likes of CryptoWall 3.0.

[1] CryptoWall ransomware held over 600K computers hostage, encrypted 5 billion files, PCWorld (2014), (last visited Sep 22, 2015).

Windows 10 vs. Rule 1.6

Is Windows 10 Ethically Compliant?

Is Windows 10 MRPC Compatible?

Apparently, from the feedback I’m getting, Microsoft® finally got it right with Windows 10! As a legal technology professional I have been inundated with inquiries from attorneys on whether Windows 10 is worth the upgrade (even though it’s free), and if they should think about making the switch. My response has consistently been to wait.

First, like any new product I always suggest letting the manufacturer work out the kinks before jumping aboard. Similarly, like purchasing a new model year car, you never really want the first batch rolling off the assembly line. That said, after digging further under the hood, it appears there are other potential pitfalls with Windows 10 that could specifically leave attorneys on the wrong side of the rules of professional conduct!


What Windows 10 End User License Agreement Says

Apparently, Microsoft is following the footsteps of other “Big Data” mining companies and has gotten creative in their user terms and conditions. How creative you ask, well apparently creative enough to give Microsoft ingress to virtually any and all data you may have or had access to while using their operating system! This ingress gives Microsoft permission to track your location, activities, browser history, and more importantly, READ YOUR EMAILS! Further, there does not appear to be a way for less sophisticated users to disable these settings. This is why it’s so important to be aware of what’s in that End User License Agreement.

Moreover, as pointed out by Daily Kos, Microsoft’s privacy policy specifically states the following:

Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to:

  1. comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies;

  2. protect our customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent the loss of life or serious injury of anyone;

  3. operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or

  4. protect the rights or property of Microsoft, including enforcing the terms governing the use of the services – however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement.[1]


What the Model Rules of Professional Conduct Say

Generally, under Model Rules of Professional Conduct (MRPC) Rule 1.6, a lawyer is prohibited from revealing any information related to the representation of a client. Either voluntarily or involuntarily, unless informed consent is given by his/her client.[2] Recently, the New York State Bar specifically addressed this very conceivable dilemma in its Opinion 782, which addressed inadvertent confidential data disclosures through email, opining in part that, “a lawyer must exercise reasonable care to ensure that he or she does not inadvertently disclose his or her client’s confidential information.”[3]

Though some disclosures are unavoidable, under MRPC 1.6, where “the disclosure is impliedly authorized to advance the best interest of the client and is either reasonable under the circumstances or customary in the professional community,” is permitted, however an attorney should always know what the data is, where it’s located, and who has access to it. Granted these rules were designed to regulate traditional vendors such as storage facilities or copy services, they are also relevant to any form of data transmission. One could arguably say that since there is little control over the settings that control the data sharing in Windows 10, or since the data mining is customary a lawyer should be in the clear, right? Wrong. The model rules consistently say attorneys should take reasonable steps to protect a client’s data at all times. This includes everything from choosing to forgo using Windows 10 all together, to familiarizing yourself with ways to prevent data ingress.

What Can You Do About It?

By now, I’m sure you’re thinking, it’s probably just not worth using Window’s 10 if you want to remain MRPC 1.6 compliant. I would tend to agree, especially at this stage when little is known about the vastness of Microsoft’s data mining. However, for those who have already made the switch, there are some options. As Jacob Siegal noted, a simple program called “The Windows Club” allows users to tweak Windows 10 in order to disable some pervasive features such as user tracking, telemetry, and hiding your network from others.[4] Additionally, I would not recommend integrating the same email address used for client data with the operating systems if prompted. Simply put, keep your business email separate from Windows 10 operating system. Of course, if you use an email client such as Outlook, this may be unavoidable. However, I’m specifically referring to the prompt for your email address when initially setting up the operating system. Either avoid supplying an email address all together, or if unavoidable, use an email address not associated with clients. Alternatively, to completely protect your neck, consider weaving in the possibility of ostensible third party data disclosures through the use of operating systems or cloud based data into your fee agreement.


The bottom line, use caution when implementing a new operating system, and use your best judgment when integrating your firm’s email with your operating system. Even with Windows 8, Microsoft wanted to link your email address to your operating system. Personally, I use Outlook Web App (OWA) for sending/receiving email to avoid using native programs such as Outlook. With today’s web (cloud) based email, virtually all the functionality of an email client is built right in. Of course, Ethical Compliance and Cloud Services for Law Firms is a whole other issue, but this generally means that one has taken reasonable steps to protect client data from being shared. This is really all you can do in order to be MRPC Rule 1.6 compliant.

[1] Windows 10 comes with built-in spyware. If your work requires confidentiality, DO NOT INSTALL., , (last visited Aug 31, 2015).

[2] New York City Bar Association – Ethics Overview – Ethics Panel, , (last visited Nov 18, 2014).

[3] Id.

[4] Windows 10: Modify your OS with Ultimate Windows Tweaker 4 | BGR, , (last visited Aug 31, 2015).

Law Firm Information Rights Management & Electronic Signatures

Information Rights Management and Electronic Signatures
Protecting Email Signatures

Can my email signature be forged? How about using an electronic signature on legally recognized documents? Both issues were recently presented to me by our senior equity partner at the law firm. My answers, yes & yes, but let me explain. It boils down to understanding Information Rights Management (IRM) and meeting the statutory requirements for using a legally recognized electronic signature.

Issue #1 Information Rights Management

When it comes to preventing email signatures from being altered, copied, or forwarded without authorization, an IRM policy must be implemented. Assuming we’re using an email client such as Outlook 2010 or newer, additional third party Microsoft credentials are required. Here’s how it works.

Information Rights Management (IRM) allows you to specify access permissions to email messages. IRM helps prevent sensitive information from being read, printed, forwarded, or copied by unauthorized people. After permission for a message is restricted by using IRM, the access and usage restrictions are enforced regardless of where the message goes, because the permissions to access an email message are stored in the message file itself.

IRM is generally implemented at the server level using Microsoft Exchange software. Alternatively, IRM is hosted on Microsoft servers by Microsoft for free, but requires a Microsoft Live ID ( email) to use. In order to utilize IRM internally, for example, a law firm would need one of the following: (1) running their own Microsoft Exchange server and managing it in-house, or (2) use a new or existing Microsoft Live ID ( ID) in conjunction with a firms existing hosted email to take advantage of IRM hosted for free on Microsoft servers. Clearly the latter is the most cost effective; however it would require several additional steps in sending an IRM equipped email.

Information rights management and electronic signatures
Legally Recognized Electronic Signatures

Issue #2 Using Electronic Signature

Here in Arizona, under Arizona Revised Statutes, an electronic signature is defined as an electronic process that is attached to or logically associated with a record that is executed or adopted by an individual with the intent to sign the record. A.R.S § 44-7002
Furthermore, a signature is considered secure if, at the time it was made, and applied through a security procedure it is; (1) unique to the person using it, (2) capable of verification (3) under the sole control of the person using it, and (4) linked to the electronic record to which it relates in such a manner that if the record were changed the electronic signature would be invalidated. A.R.S § 44-7003

Generally speaking, an electronic signature can be any electronic means of indicating that a person adopts the contents of an electronic message. However, under A.R.S. § 44-7003, to qualify as a secure electronic signature, the operative requirement is element (4), the necessity to have ones identity validated through a third-party security certificate service. Such services are seemingly analogous to credit reporting agencies however solely for electronic identity. Currently, there are seven credentialing services customarily used throughout the industry. Those seven services include ARX CoSign, Avoco secure2trust, ChosenSecurity, Comodo, GlobalSign, My Credential, and VeriSign.

If your firm decides to implement a secure electronic signature digital ID, it is recommended you use a platform you may already be using. For instance, at our firm, we use Norton for anti-virus protection. It just so happens Norton is who issues VeriSign electronic signatures. A yearly subscription is required however, with a digital ID, a possessor would not only be able to securely sign electronic documents, but also send digitally signed emails which, in and of itself, constitutes a secure verified document. The process is fairly simple; a YouTube video explaining the process can be viewed here.


In conclusion, to protect email signatures from alteration, unauthorized copying and forwarding, a law firm has the option to implement Microsoft IRM services through the use of Microsoft Live ID accounts in lieu of costly in-house Exchange server management. Furthermore, secure electronic signatures pursuant to A.R.S § 44-7031, can be achieved through the use of digital ID’s validated through third-party security certificate services.


Consumer Confusion and Trade Name Infringement

I’ve always wanted to invent my own brand of soda called Peepsi! However, I’m positive I’d get a cease and desist letter for trade name infringement from Pepsi before I could screw the cap on my first bottle. Although there is a difference between Peepsi and Pepsi, the consumer confusion would likely turn into a winnable trade name infringement case. Generally, infringing on a business’s trade name comes at the expense of a company’s good will it has established over time, in Pepsi’s case, over a century. So let us discuss consumer confusion and trade name infringement.


Consumer Confusion and Trade Name Infringement

In the famous movie “Coming to America” starring Eddie Murphy, John Amos played the role of Cleo McDowell, an entrepreneur who owned McDowell restaurants which eerily resembles McDonalds. In the film, he’s quoted as saying “… me and the McDonald’s people got this little misunderstanding. See, they’re McDonald’s… I’m McDowell’s. They got the Golden Arches, mine is the Golden Arcs. They got the Big Mac, I got the Big Mick. We both got two all-beef patties, special sauce, lettuce, cheese, pickles and onions, but their buns have sesame seeds. My buns have no seeds.” Great fodder for film but in real life this would hardly fly. Specifically, under 15 U.S.C §§ 1051 et seq., also known as the Lanham Act that governs consumer confusion cases, a specific set of guidelines “protects the owner of a federally registered mark against the use of similar marks if such use is likely to result in consumer confusion, or if the dilution of a famous mark is likely to occur.”[1]

Establishing Trade Name Infringement

Typically, in determining whether consumers were unjustly confused to the detriment of an established registered mark, a court will consider seven factors. In consideration of these seven factors, the court uses a balancing test in deciding whether consumer confusion has occurred. The seven major factors a court will use in determining the “likelihood of confusion,”, include (1) the similarity of the plaintiff’s and defendant’s goods or services, (2) the identity of retail outlets or purchasers, (3) the identity of advertising media, (4) the “strength” (for example, inherent distinctiveness) of the trade name, (5) the defendant’s intent, (6) the similarity of the trade names, and (7) the degree of care likely to be used by consumers. [2]

So in our hypothetical case involving Cleo’s McDowell restaurant, first a court will consider the fact that both McDonalds and McDowell’s are in the fast food industry, primarily selling hamburgers, specifically “two all-beef patties, special sauce, lettuce, cheese, pickles and onions.” Being that both entities are selling virtually identical products (minus the seeds), element one will likely go into McDonalds favor.

Second, the court would look at the fact that both restaurants use fast-food outlets to target and serve its customers. If Cleo were operating out of, let’s say a food truck instead of an actual fast-food restaurant, a court might give deference to that fact. However, here, both entities are using similar outlets which would likely serve as another blow to Cleo’s consumer confusion defense.


Third, with regards to identity of the advertising media, presumably McDowell’s advertised primarily through community presence and its logo. As Cleo put it, “McDonalds has the gold arches, while his logo uses the golden arcs.” Here, the logo’s and even the typeface are extremely similar. This form of self-advertising media bears a striking resemblance in both restaurants which would likely land another check in McDonald’s favor.

Fourth, the court would determine the strength of the plaintiff’s own brand. Here, McDonald’s – having been in existence since the 1950’s – would have amassed a significant amount of good will under its brand by now. Though it is unknown how long Cleo McDowell’s franchise has been in existence, it unlikely pre-dates McDonalds.

Fifth, it is unclear that Cleo McDowell’s intent was to purposefully confuse consumers; however a court can and will infer intent by conduct. Specifically, the closeness of the brand, the logo, the type of food sold, the similarity in uniforms and the fact that when Cleo is first confronted by King Jaffe Joffer, he is seen reading a McDonald’s Operation Manual. [3]

Sixth, with regards to the similarity in trade names, a court will take into consideration the use of one’s family name in contrast to an existing trade name. However, courts have held that “the right of an individual to use his or her own name in connection with a business must yield to the need to eliminate confusion in the marketplace.” B.H. Bunn Co. v. AAA Replacement Parts Co., 451 F.2d 1254, 1266 (5th Cir. 1971) (“[O]ne may be forbidden to use even one’s own name, absent other distinctions, if the total effect of using it is to create confusion as to source.”) [4] Here, while Cleo used his family name, unfortunately there simply aren’t enough distinctions between the McDowell’s and McDonald’s brand to distinguish the similarities.

mcdowells 2

Lastly, in establishing the degree of care likely to be used by consumers, all McDonald’s would need to establish is a “likelihood of confusion” arising from the defendant’s use of the same or similar name.” WSM, Inc. v. Hilton, 724 F.2d 1320, 1325 (8th Cir. 1984). [5] This could be satisfied constructively or literally. For instance, if a customer, on any occasion, entered McDowell’s thinking it was McDonald’s, or attempted to use a McDonald’s coupon, or even referred to Cleo’s “Big Mic” as a “Big Mac” when placing an order, it would likely satisfy the last element. [6]


In conclusion, given the totality of the circumstance resulting from the balancing test, a court would likely determine that Cleo’s restaurant is liable for customer confusion and trade name infringement. So remember that while you’d like your product to be recognized by the masses for what it is, there could be serious confusion for what it isn’t. My personal brand of soda, Peepsi, while specific and individual to me, is unlikely to be easily differentiated by a consumer. This causes consumer confusion and ultimately infringes on Pepsi’s established good will. So if you’re contemplating starting the next big burger franchise called Burger Queen, think again about how consumer confusion and trade name infringement.


[2]REMEDIES FOR TRADE NAME INFRINGEMENT, (last visited Oct 23, 2014)


[4]REMEDIES FOR TRADE NAME INFRINGEMENT, (last visited Oct 23, 2014) See Basile S.P.A. v. Basile, 899 F.2d 35, 39 (D.C.Cir. 1990) (limiting right of watch manufacturer to use family name “Basile,” where prior user had obtained trademark over use of the name); Perini Corp. v. Perini Construction, Inc., 915 F.2d 121, 124 (4th Cir. 1990) (limiting second comer’s right to use family name “Perini,” where name had acquired secondary meaning in the construction industry through prior use); B.H. Bunn Co. v. AAA Replacement Parts Co., 451 F.2d 1254, 1266 (5th Cir. 1971) (“[O]ne may be forbidden to use even one’s own name, absent other distinctions, if the total effect of using it is to create confusion as to source.”)

[5]REMEDIES FOR TRADE NAME INFRINGEMENT, (last visited Oct 23, 2014)