Photo: Carmen Natale/ALM

The first day of the New York State Bar Association 2019 Tech Summit included sessions on topics that spanned the gambit from the ways cybercriminals operate, simple solutions that firms can use to protect themselves from cyberthreats, and how to approach new forms of digital evidence.

While several sessions aimed to educate attorneys on today's tech and regulatory landscape, there were also many insights that would surprise even the most well-versed tech lawyer. Here are three highlights from the day one of the conference:

High-Tech Threats, Low-Tech Solutions

From ransomware to deep fakes, cyberthreats are becoming more sophisticated and targeted. But speakers at the "Cybersecurity — Law Firm Hackers: Just Because You're Cyber-Paranoid, Doesn't Mean the Hackers Aren't Out to Get You!" session noted that protecting against these threats can be a simple, low-tech affair.

The solution comes down to relying more on manual authentication for digital communications. John Bandler, founder of the cybersecurity consulting firm Bandler Group, noted, "91% of all infections or cybercrime start with an email." And those emails are usually tied to things such as login credentials or wire transfers. "For anyone involved anywhere in the transfer of funds or the relaying of transfer instruction … you really need to know about that fraud," Bandler said.

Thankfully, confirming that an email or wire transfer is sent from, or goes to, the right party isn't a highly technical affair, but it does require some work. "Just the simple act of inconveniencing yourself to pick up the phone can solve an enormous amount of the problems" around wire transfer fraud and phishing scams, said Joseph DeMarco, a partner at DeVore & DeMarco.

Cyberattacks Inc.

Cybercriminals attacking businesses around the country may know a few things about how their targets operate. And that's not just because they did their research. It's also because they have firsthand experience.

"They are … organized like a company and they operate like a business," said Deborah Snyder, New York state's chief information security officer, at the "Mega Trends and Cyber Predictions 2020 & Beyond — Perspective for Lawyers and Law Firms" session.

She noted that hackers who steal access credentials from targets are not always the ones exploiting that stolen information. "Generally speaking, what you'll see is the commoditization of access, so one group or one department within an organization will come after and phish your credentials. And they will sell them on the open dark market. … They even have Black Friday sales."

But it's not just stolen credentials that these cybercriminal businesses are selling. They're also offering hacking tool kits for which they provide ongoing support. "They're supporting phishing-as-a-service, malware-as-a-service, ransomware-as-a-service, [and] rent-a-bot [services] as though they were a product company supporting [its own software]," Snyder added.

The fact that cybercriminal businesses are able to build and maintain these types of businesses speaks to just how profitable, and successful, their attacks still are, and by extension how much more law firms and companies need to do to fully protect themselves.

"Even though [we are] shifting the dial in terms of awareness and the risk posed by cyberattacks … at the end of the day many people are still at the very low end of the maturity scale with regard to their [security] and understanding the impact on their reputation, products and bottom line," Snyder said.

What Attorneys Need to Hear About Smart Speaker Data

A smart speaker that is potentially always listening can seem like a gold mine for those looking for concrete evidence for or against a claim. But legal professionals at the "Hey Siri, Hey Alexa … Is This Admissible?" panel noted that obtaining and using this evidence in court isn't always so clear-cut.

U.S. Magistrate Judge Lisa Margaret Smith from the U.S. District Court for the Southern District of New York noted that like other recordings, smart speaker content may be hard to decipher.  "From my years as an assistant U.S. attorney, I reviewed hundreds, probably thousands, of surreptitious recordings that were made by informants in cases and I can assure you that … if there are other conversations around you, you can hear only a tiny bit of what is being said. If you want to use—affirmatively or defensively for your client—a conversation … you may have challenges in identifying what was being said and by whom."

While quality control can be an issue, some may take heart in the fact that the owner of a smart speaker devices may not always be able to fight against a requested search.

Shawndra Jones, senior counsel in the employment, labor and workforce management practice at Epstein Becker & Green, noted that in the 2018 New Hampshire v. Verrill case, a state court ruled that the defendant "didn't have standing to object to that motion to search." She explained, "This might have been [about] a request that this defendant made to Alexa, but the defendant didn't have standing because it was on Amazon's servers."

Still, going through tech companies to obtain smart speaker data is no walk in the park. Jones noted the tech companies that maintain such data can object to motions to search under privacy and First Amendment grounds, as Amazon did in the 2017 Arkansas v. Bates case.

Smith said such "privacy concerns are really fairly important to consider, and they are the kinds of arguments that are very attractive to judges, especially if you're talking about a third party whose voice may be on these recording devices."

Still, despite these privacy issues, Smith believes smart speaker data will be more prominent in courts in the years to come. "I think that starting to introduce this information in criminal cases is the tip of the iceberg, and using them in civil cases is going to be the norm not many years down the road," she said.