Cybersecurity

LAW LIBRARY JOURNAL Vol. 106:4 [2014-35]

Thinking About Technology

Cybersecurity: Breaches and Heartbleed to BYOD—Are Bankers, Entertainment Company Executives, Celebrities, Postal Workers, Ice Cream Lovers, Home Builders, and CIOs the Only Ones Who Should Be Concerned?*

Darla W. Jackson**

In 2013 and 2014, several high-profile data security breaches underscored the importance of cybersecurity in today’s world, including the legal community. Reports of leaked information and security breaches at legal information vendors, firms, universities, and even courts continue to increase. Ms. Jackson addresses these concerns and suggests some considerations in developing responses to such security threats.

¶1 October 2014 was designated as National Cybersecurity Awareness Month.[1] Most individuals, however, did not need such a formal observance to remind them of the increasing concerns regarding cybersecurity. In the past few years, we have continually heard about cybersecurity incidents. During the holiday season of 2013 and into 2014, the Target security breach was in the news. Later information regarding breaches of other service providers’ and retailers’ security led some to designate 2013 as the “Year of the Mega Breach”[2] and instigated congressional hearings on the matter.[3]

¶2 Despite the broad scope of breaches in 2013, the magnitude of the threat in 2014 surpassed that of the previous year. In late November 2014, a hack of Sony Entertainment’s systems resulted in the public disclosure of the company’s internal e-mails, financial information, and information about upcoming movies.[4] In October 2014, the Department of Homeland Security released a bulletin on BlackEnergy malware, which was attributed to a Russian hacking campaign against the nation’s critical infrastructure, ongoing since 2011.[5] Earlier in October 2014, news surfaced of a hack of J.P. Morgan Chase that compromised contact data from 76 million households.[6] Dairy Queen also reported that the payment system in 395 of its restaurants had been hacked.[7] In mid-September 2014, the U.S. Postal Service discovered a breach of its systems that “potentially compromised” the personal data of 800,000 past and present postal workers.[8] In late August 2014 and again a few weeks later, “intimate photos” of celebrities obtained without their permission were posted to websites.[9] The celebrity photo incidents were followed by the revelation that lax data security management at Home Depot had allowed a breach resulting in the compromise of credit card information of 56 million customers.[10] These recent examples are part of a continuous string of incidents involving online security breaches.[11] In addition, the Heartbleed bug and vulnerabilities found in Dropbox also brought the topic of cybersecurity to the forefront.

¶3 Cybersecurity has become a major concern for the legal community as well. Reports of leaked information and security breaches at law firms continue to increase.[12] Legal information vendors, court systems, and universities’ systems supporting law schools have also increasingly become cybertargets. Yet a number of technology surveys indicate that many attorneys have little security training or understanding of the security measures undertaken by their firms and organizations. This article addresses these increasing cybersecurity concerns and suggests some considerations for law librarians[13] and the organizations they serve when developing measures to address security threats.

¶4 At the 2014 American Bar Association (ABA) Techshow, cybersecurity was a topic of concern for many attendees.[14] Events since 2012 have caused an increased emphasis on cybersecurity. In fact, eighty-seven percent of the technology directors and chief technology officers responding to the 2013 American Lawyer Law Tech Survey indicated that they were “more concerned” about security threats in 2013 than they were two years before.[15] This is not surprising given reports that more firms are being attacked, sometimes without knowing it.[16]

¶5 Products and services used by firms were found to have vulnerabilities as well. News of Dropbox’s vulnerabilities to Heartbleed,[17] a bug in the OpenSSL encryption code “that could have allowed people to see what was supposed to b[e] encrypted data passing between users and the websites using OpenSSL,” potentially threatened law firms’ data security.[18] Further, Dropbox issues regarding shared links to documents permitting inadvertent disclosure to unintended recipients, although eventually fixed,[19] caused legal technology professionals to advise firms and corporate counsel to block the use of document-sharing tools such as Dropbox.[20]

¶6 But firms are not the only targets of cybersecurity crimes in the legal community. Legal information vendors, including LexisNexis, have also suffered loss of data.[21] Compromise of a vendor’s database in March 2014 allowed hackers access to an international law firm’s servers, resulting in the breach of hundreds of employees’ W-2s and other information.[22] Court systems have also been victims of those

* © Darla W. Jackson, 2014.

** Director, McKusick Law Library, University of South Dakota, Vermillion, South Dakota.

1. Proclamation No. 9179, 79 Fed. Reg. 60,047 (Oct. 3, 2014).

2. Andrew Ramonas, 2013: The “Year of the Mega Breach” for Consumer Data, CORP. COUNSEL (Apr. 8, 2014), http://www.corpcounsel.com/id=1202650189149/2013-The-Year-of-the-Mega-Breach-for-Consumer-Data.

3. Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime: Hearing Before the S. Comm. on the Judiciary, 113th Cong. (2014) (statement of Sen. Patrick Leahy, Chairman, Sen. Judiciary Comm.), available at http://www.judiciary.senate.gov/imo/media/doc/02-04-14LeahyStatement.pdf.

4. Roger Yu, Sony Warns Media Not to Publish Hacked E-mails, USA TODAY (Dec. 1, 2014, 4:21 PM EST), http://www.usatoday.com/story/money/business/2014/12/15/sony-wants-publishers-to-stop-hacked-email-stories/20427989/.

5. Douglas Ernst, Russian Hackers’ “Trojan Horse” Malware Inside U.S. Critical Infrastructure Since 2011 (Nov. 6, 2014), http://www.washingtontimes.com/news/2014/nov/6/russian-hackers-trojan-horse-malware-inside-us-cri/; Alert (ICS-ALERT-14-281-01B), ICS-CERT (Dec. 10, 2014), https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B.

6. Emily Glazer & Danny Yadron, J.P Morgan Breach Hit 76 Million Households, WALL ST. J., Oct. 3, 2014, at A1.

7. Dairy Queen Says Hackers Broke into Payment System, N.Y. TIMES, Oct. 10, 2014, at B2.

8. David E. Sanger, Postal Service Discloses Major Theft of Its Employees’ Personal Data, N.Y. TIMES, Nov. 11, 2014, at A21.

9. Beth Lisa Goodbaum, Apple Boosts iCloud Security Measures After Celebrity Photo Hacks, CBS NEWS (Sept. 5, 2014, 2:01 PM), http://www.cbsnews.com/news/apple-boosts-icloud-security-after-celebrity-photo-hacks/ (noting Apple’s explanation that the intrusions were a result of “human rather than technological” causes, such as weak passwords); Maria Puente, Who’s Next? More Nude Celeb Pics Hacked, Leaked Online, USA TODAY (Sept. 22, 2014, 5:11 PM EDT), http://www.usatoday.com/story/life/people/2014/09/22/whos-next-more-nude-celeb-pics-hacked-leaked-online/16047773/; Daisuke Wakabayashi, Apple Puts Focus on Security, WALL ST. J., Sept. 18, 2014, at B6.

10. Julie Creswell & Nicole Perlroth, Warned of Risk, Home Depot Left Data Vulnerable, N.Y. TIMES, Sept. 20, 2014, at 1.

11. DATA BREACH TODAY, http://www.databreachtoday.com/, provides news regarding reported hacks and breaches.

12. Martha Neil, Lawyers Targeted in Sophisticated Email Hack Attack Seeking Insider-Trading Info, Consultant Says, A.B.A. J. DAILY NEWS (Dec. 2, 2014, 11:50 AM CST), http://www.abajournal.com/news/article/lawyers_targeted_in_sophisticated_email_hack_attack_seeking_insider_trading; David Ries, Security, in ABA TECHREPORT 2014, http://www.americanbar.org/publications/techreport/2014/security.html (last visited Feb. 16, 2015) (“The headlines are filled with reports of data breaches—ranging from small businesses to high profile incidents like Target, Home Depot, and JP Morgan. Likewise, there have been law firm data breaches, where incidents range from lost or stolen portable drives to long-term network intrusions that expose everything in the network.”); Debra Cassens Weiss, Law Firms Face Cybersecurity Audits by Banking Clients; Are They a “Weak Link”?, A.B.A. J. DAILY NEWS (Oct. 27, 2014, 8:09 AM CDT), http://www.abajournal.com/news/article/law_firms_face_cybersecurity_audits_by_banking_clients_are_they_a_weak_link/?utm_source=maestro&utm_medium=email&utm_campaign=daily_email.

13. Throughout this article, “law librarians” is used to refer to all legal information professionals.

14. Victor Li, “60 Sites” Session Takes In the Crowd’s Favorites, A.B.A. J. DAILY NEWS (June 1, 2014, 3:00 AM CDT), http://www.abajournal.com/magazine/article/60_sites_session_takes_in_the_crowds_favorites/.

15. Alan Cohen, 2013 AM Law Tech Survey: Firms’ Data Security Fears Rise, AM. LAW. (Nov. 10, 2013), http://www.americanlawyer.com/id=1202473327555/2013-Am-Law-Tech-Survey-Firms-Data-Security-Fears-Rise.

16. Matthew Goldstein, Law Firms Are Pressed on Security for Data, DEALBOOK, N.Y. TIMES (Mar. 26, 2014, 7:00 PM), http://dealbook.nytimes.com/2014/03/26/law-firms-scrutinized-as-hacking-increases/?_php=true&_type=blogs&_r=0.

17. Aditya Agarwal, Web Vulnerability Affecting Shared Links, DROPBOX BLOG (May 5, 2014), https://blog.dropbox.com/2014/05/web-vulnerability-affecting-shared-links/; Claire Reilly, Dropbox Stands Firm on Privacy, Despite Heartbleed Risk and Board Appointments, C/NET (Apr. 14, 2014, 7:28 PM PDT), http://www.cnet.com/news/dropbox-stands-firm-on-privacy-despite-heartbleed-risk-and-board-appointments/.

18. Aaron Street, Heartbleed: What Lawyers and Law Firms Need to Know, LAWYERIST (Apr. 11, 2014), http://lawyerist.com/72733/heartbleed-lawyers-law-firms-need-to-know/.

19. Warwick Ashford, Dropbox Finally Fixes Security Vulnerability, COMPUTER WKLY.
