An Everyone Lesson: The DNC Email Hacks

While the relevance of the Democratic party email hacks may appear to be political, every individual and entity using an electronic device connected to the Internet should be concerned.  Of course, the foremost concern should be the potential influence the hackers may have on United States' elections through the unauthorized access to and disclosure of the electronic mails at issue.  Given there exists some indication that the hackers emanate from Russia, the spectre of this influence becomes all the more troublesome should indeed a foreign government seek to and succeed in affecting the United States' presidential elections and its future through the use of clearly illegal conduct.  Now, certainly, there may be emails that should not have been sent or describe conduct that should not have occurred.  But, regardless of the email content - whatever it may be, the foremost concern should be the effect that the illegal conduct may have on the future of the United States.  But, this article focuses on a much more personal concern.

Every Person Concern
Indeed, every person should be concerned because we all remain very vulnerable to cyber attacks and intrusions.  The DNC Hacks (in using the term "DNC Hacks", I intend to encompass the entire scope of email intrusions under investigation and being discovered) represent another significant example of how real the risk of cyber attacks happen to be.  As the New York Times reported today, August 11, 2016, the DNC Hacks extend beyond the email accounts within the DNC entity.  Now, it appears that the hackers targeted individual personal email accounts as well.  

But for the elections, the DNC Hacks probably would not obtain as much media attention (which it surely deserves).  Though again, were it not for the elections, the intrusions may not have occurred.  Or, as some have suggested, the disclosure of the emails obtained through the intrusions may not have occurred.  This infers that the intrusions could be part of routine foreign intelligence efforts that the public would not come to realize in the ordinary course of events.

Returning to the import, we must recognize the vulnerability of our electronic accounts.  While you or I may not be on the Russian radar or believe ourselves to be significant on a worldwide scale, there may exist those parties who would want to obtain access to our accounts on a much more local, intimate, and personal level.

Indeed, my firm and I represent individuals who have suffered unauthorized access to their electronic mail and social media accounts by those intimately familiar with them.  In some cases, those behind the intrusions happen to be family or former family members.  In other cases, to be sure, the intrusions occur at the hands or behest of commercial competitors.  Even within the legal profession, prominent law firms reported earlier this year that they suffered intrusions arising from nefarious purposes.  Beyond emails, cyber criminals may seek credit card or other financial information.  A discussion on the full range of what can be obtained from our devices and the privacy issues arising therefrom falls beyond the scope of this article.  Suffice it to say, we all have data and information that should be kept from criminals.

Are There Remedies
In the United States, there exist federal statutes that apply directly to unauthorized access to computers and electronic mail.  The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, criminalizes the unauthorized access to computers falling within the scope of the statute.  The Stored Communications Act, 18 U.S.C. § 2701, et seq., criminalizes the unauthorized access and/or use of stored communications.  And, the Wiretap Act (or Electronic Communications Privacy Act), 18 U.S.C. § 2510, et seq., criminalizes the unauthorized interception of electronic communications.  Each of these three federal criminal statutes provides for civil remedies.  Many states have similar statutes.

Additionally, there exist common law claims that may be applicable, such as the privacy tort intrusion upon seclusion.  Should private information be disclosed, many states recognize the tort public disclosure of private fact.  Additional claims may also exist depending on one's state.

Of course, litigation can be very expensive.  As such, it may not be a viable alternative for every intrusion.  However, the federal statutes above as well as some state statutes provide for the - potential or absolute, depending on the statute -recovery of attorney's fees and costs.  But, beyond attorney's fees and costs, and beyond recovery of compensatory and possible punitive damages, our litigation clients most often place injunctive relief as the foremost objective.  In many instances, this will involve removal of private material that may have been published online.  It may involve the destruction of content obtained illegally.  But, to obtain such relief where available, one must file and succeed in litigation.  

Consequently, the best approach - where possible - will be to take efforts to prevent unauthorized intrusions from occurring in the first place.

Proactive Measures - Individuals
The first proactive measure to implement right now will be to change your password.  Where one believes unauthorized access may have already occurred, I recommend changing the password once, logging out, logging in from a different device with the new password, and then changing the password again from the second device.

You should regularly change passwords.  Of course, the password "password" is not good.  Yet, many people unwisely use it.  On the other end of the spectrum, the best password may not be a randomized sequence of characters.  When passwords become too complicated, the user may later abandon such complication and resort to simplicity.  The best compromise for a password will be a combination of two key terms along with a small sequence of non-alphabet characters (eg trainMonday3#).  But, of course, if you take the Number 3 train on Mondays, this would not be a good password for you.  Rather, you want to choose something that has an illogical and non-obvious meaning.

I mean it.  You should change your passwords now.

And, as I believe Mr. Zuckerburg learned not to long ago, you should not use the same password for multiple accounts, certainly not all of your accounts.  If you do, one lucky guess will open quick access to every account you may have.  Make it difficult.  Make it hard.

My wife recently complained about the need for passwords.  I agree with her sentiment.  But, the convenience of our electronic reality - as the DNC Hacks make evident - necessitates the need for passwords.

So, change your passwords.  Make your passwords different for different accounts.  Change them on a routine basis.  But, make your passwords such that you can remember them.  And, set the routine such that it does not become a chore.  Finally, you might consider using one of the programs available for mobile devices that will track your passwords in one place. 

Proactive Measures - Entities
For the last couple of years, our firm's practice has represented businesses in their efforts to avoid and react to computer intrusions.  This representation involves a multi-stage process.

Ideally, an entity will develop an Incident Response Plan prior to any intrusion occurring.  In developing a IRP and related policy, an entity must ensure that it understand its operations, electronic practices, networks, and more.  The entity must also ensure that the cybersecurity teams with whom it works understand these components as well.   From this understanding, a strong policy and IRP can be drafted.  From there, an entity can work to methodically develop and implement the policy and IRP into the workflow.  Education becomes paramount.  Not only must employees understand the changes to their normal workflow, but they must understand why the changes need to occur.  If an entity educates its employees and brings them on board as part of the process, it will effectuate a greater likelihood of success than a blind force feeding of change would produce.

As with individuals, a successful cybersecurity preventative program does not end with implementation.  Rather, there will need to be periodic audits to ensure compliance with and effectiveness of the policy and IRP.

When an incident does arise, an existing IRP will be critical to a successful response.  However, where an IRP does not exist, it becomes essential to find quality people immersed in cybersecurity - legal, technical, and PR - to help guide the entity to make the proper decisions.  And, make such decisions promptly.  In some circumstances, the correct decision may not be obvious.  For example, even among cybersecurity professionals, there exists a debate on whether to publicly disclose a breach to customers (this debate has been diminished somewhat through the enactment of laws requiring such disclosure).  And, in some instances, an entity may make a decision that appeared correct at the time but later became evidently incorrect.  In such situations, the process - the due diligence, the debate, the consideration of options - will go a long way to protect the entity.

But, what can an entity do right now?  It certainly should follow suit with the advice provided individuals above.  Change passwords.  And, ensure that employees adopt and follow through on a policy to change passwords.  Efforts to preclude intrusions will involve implementation of policy changes (password, limiting access to key people, etc.) as well as installation of software and hardware security products.  It involves diligence.  And, persistence.

Foremost, any entity should have people readily accessible to help it with preparation for, prevention of, or a response to a computer intrusion incident.  The effort invested in identifying these people now will be invaluable in a time of crises.  It seems the DNC has now created a Cybersecurity Advisory Board.  While I am sure the DNC wishes it had done so previously, hindsight is always 20/20.  Fortunately, it now has the foresight to implement such a panel of advisors with eyes to the future.  And, returning to the theme which began this article, it behooves us all to learn from the DNC's hindsight, adopt its present foresight, and look to our own houses to ensure safety, security, and peace of mind.

For those who enjoy reading, the National Institute of Standards and Technology within the Department of Commerce published in 2012 a thorough Computer Security Incident Handling Guide.  NIST has also released a DRAFT Guide for Cybersecurity Event Recovery (targeted to federal agencies, but nonetheless informative).

Conclusion
The DNC Hacks should waken us all.  Of course, we should be concerned about foreign intrusions and intelligence.  We should be concerned about the potential affect such foreign machinations may have on our (for those in the United States) country's future (and be sure to prevent such intent from succeeding). But, more importantly for our immediate, personal world, we should recognize the real threat of computer intrusions and take precautionary measures.  We may not succeed in all instances.  But, the more preventative effort we implement, the more likely we will succeed.  And, in that sense, the more soundly we may sleep.