Beware: a new scam using key elements of phishing and shame hacking

Cybercriminals are using yet another new twist on the old email phishing attack: they email people claiming to have infected porn sites with malware that allowed them to take over the recipient’s webcam and record them sitting at their computer watching porn and if they don’t pay up, the video is going public. I discuss this new method of attack in the video above.

For people who know they have never watched porn on their computers, this probably isn’t too effective. For everyone else, this threat of public shaming can be a powerful motivation to comply with the extortion demand.

This is another example of what I have often described as shame hacking, the use, or threatened use, of purportedly hacked data for embarrassing or extorting people by threatening to expose such compromising data if they do not comply with the demands made of them.

Shame hacking is one more way that cyber criminals have learned to monetize the fruits of their criminal actions and represents an increasing trend for how hacked information can and will be used for many ways. I have blogged about other cases where hackers have relied on shame hacking for profit.

Dallas / Fort Worth CBS News station in Dallas / Fort Worth did a story about this latest attack and invited Shawn Tuma on to explain more about it. See story here

Happy Data Privacy Day!

WHAT ARE YOU DOING TO OBSERVE IT?

Data Privacy DayToday is Data Privacy Day! If you have been wondering “what is Data Privacy Day?” then this is your lucky day because not only is today Data Privacy Day, but here is the answer and an explanation for why it really matters to you and your company’s future success.

What is Data Privacy Day?

Data Privacy Day is observed every year on January 28 and is led by the National Cyber Security Alliance (NCSA), a nonprofit, public-private partnership dedicated cybersecurity education and awareness. According to the NCSA,

DATA PRIVACY DAY IS AN INTERNATIONAL EFFORT TO EMPOWER AND EDUCATE PEOPLE TO PROTECT THEIR PRIVACY AND CONTROL THEIR DIGITAL FOOTPRINT.

DATA PRIVACY DAY BEGAN IN THE UNITED STATES AND CANADA IN JANUARY 2008 AS AN EXTENSION OF THE DATA PROTECTION DAY CELEBRATION IN EUROPE. DATA PROTECTION DAY COMMEMORATES THE JANUARY 28, 1981, SIGNING OF CONVENTION 108, THE FIRST LEGALLY BINDING INTERNATIONAL TREATY DEALING WITH PRIVACY AND DATA PROTECTION. DATA PRIVACY DAY IS NOW A CELEBRATION FOR EVERYONE, OBSERVED ANNUALLY ON JANUARY 28.

DATA FLOWS FREELY IN TODAY’S ONLINE WORLD. EVERYONE – FROM HOME COMPUTER USERS TO MULTINATIONAL CORPORATIONS – NEEDS TO BE AWARE OF THE PERSONAL DATA OTHERS HAVE ENTRUSTED TO THEM AND REMAIN VIGILANT AND PROACTIVE ABOUT PROTECTING IT. BEING A GOOD ONLINE CITIZEN MEANS PRACTICING CONSCIENTIOUS DATA STEWARDSHIP. DATA PRIVACY DAY IS AN EFFORT TO EMPOWER AND EDUCATE PEOPLE TO PROTECT THEIR PRIVACY, CONTROL THEIR DIGITAL FOOTPRINT, AND MAKE THE PROTECTION OF PRIVACY AND DATA A GREAT PRIORITY IN THEIR LIVES.

14 Tips For Keeping Your Company’s Data Secure

In honor of Data Privacy Day, the International Association of Privacy Professionals (iapp) has posted an article with 14 tips you need to consider when evaluating how to keep your company’s data secure:

  1. Know Thy Data. Determine what data you collect and share. Classify it according to its level of criticality and sensitivity. What could be considered PII? Define whether data is “in use,” “in motion” or “at rest.” Know where the data is physically stored.
  2. Terms and Conditions May Apply. Make sure your privacy policy reflects current data practices (see Tip #1). This includes the use of third-party advertisers, analytics, and service providers. Periodically review and confirm these third parties comply with your written policies.
  3. You Don’t Know What You’ve Got Till It’s Gone. Conduct annual audits to review whether your data should be retained, aggregated or discarded. Data that’s no longer used needs to be securely decommissioned. Create a data retention policy dictating how long you keep information once it’s fulfilled its original purpose. And, of course, continually ask whether that purpose is still valid and relevant.
  4. Practice or You’ll Breach. Forged e-mail, malvertising, phishing, social engineering exploits and data snooping via unencrypted transmissions are on the rise. From simple controls to sophisticated gears, make sure you’ve implemented leading security “best practices.”
  5. AYO Technology! Data Loss Prevention (DLP) technologies identify vulnerabilities of potential exposures. These work in conjunction with existing security and antivirus tools. From early warnings of irregular data flows to unauthorized employee access, DLP solutions help minimize and remediate threats.
  6. BYOD Is Like a BYOB House Party. The lack of a coherent bring-your-own-device (BYOD) program can put an organization at risk. User devices can easily pass malware and viruses onto company platforms. Develop a formal mobile device management program that includes an inventory of all personal devices used in the workplace, an installation of remote wiping tools and procedures for employee loss notification.
  7. Insist on a List. To mitigate the grave impact on your organization, inventory key systems, access credentials and contacts. This includes bank accounts, registrars, cloud service providers, server hosting providers and payroll providers. Keep this list in a secure yet accessible location.
  8. Forensics – Don’t Do This at Home. The forensics investigation is essential in determining the source and magnitude of a breach. This is best left to the experts as it’s easy to accidentally modify or disrupt the chain of custody.
  9. Where the Logs At? Logs are fundamental components in forensics analysis, helping investigators understand what data was compromised. Types of logs include transaction, server access, firewall and client operating system. Examine all logs in advance to ensure correct configuration and time-zone synchronization. Routinely back them up; keep copies, and make sure they’re protected.
  10. Incident Response Team to the Rescue! Breaches are interdisciplinary events requiring coordinated strategies and responses. The team should represent every functional group within the organization, with an appointed executive who has defined responsibilities and authority. Establish “first responders” available 24/7 (hackers don’t work a 9 to 5 schedule).
  11. Get Friendly With the “Fuzz.” Reach out to law enforcement and regulators prior to an incident. Know who to contact so you won’t have to introduce yourself in the “heat of the battle.” When you have bad news to report, make sure they hear directly from you (a courtesy call goes a long way). Don’t inflame the situation by becoming defensive; focus on what you’re doing to help affected parties.
  12. Rules, Rules, Rules. Become intimately familiar with the international, domestic and local regulations that specifically relate to your organization. The failure to notify the appropriate governmental body can result in further inquiries and fines.
  13. What Did You Say? A well-executed communications plan not only minimizes harm and potential legal consequences, it also mitigates harm to a company’s reputation. Address critical audiences and review applicable laws before notifying. Tailor your message by geographic region and demographics. Knowing what to say is just as important as knowing what NOT to say.
  14. Help Me Help You. Customers want organizations to take responsibility and protect them from the potential consequences of a breach. The DIP should include easy-to-access remedies that offset the harm to affected parties.

Here is a link to the full post: How to Lose Your Data in 10 Days

The 14 tips are a great place to start when thinking about securing your company’s data. As shown by the recent data breaches that have hit Target, Neiman Marcus, Michaels, and Barnes & Noble, the question is no longer one of if your company will have a data breach, but when.

When Your Company is Breached, Your Preparation Will Be Vital to the Company Surviving the Crisis

A data breach is a crisis situation for any company–especially given the amount of attention data breaches are getting these days. From a very big picture perspective, there are two goals to strive for when a company responds to a data breach: (1) avoid, or at least mitigate, any legal and regulatory trouble; and, (2) more importantly, minimize the impact of the breach on the company’s overall business. (see related data breach discussions) The only way your company can achieve these goals is to be proactive by getting prepared before the inevitable occurs–the breach.

If your company is prepared, it is in a much better position to minimize the loss of data, be better able to respond to the breach, and demonstrate to the legal and regulatory authorities that it acted reasonably in protecting its data, which can be very helpful in minimizing the legal and regulatory repercussions, which is the first step. By being prepared and better able to address the first step, the company is then able to focus more of its efforts on polishing its response to be more palatable for its customers and better addressing their feelings and concerns. In other words, if the company is prepared, it is not panicking and scrambling just to get out a response–any response–but instead can take the time to analyze the situation through its customers’ eyes and provide a much better response that takes their feelings and concerns into consideration. This is the vital step because this is what helps preserve the company’s customer relationships.

The best way to be prepared for this is for your company to have a thorough and custom data breach incident response plan. The data breach incident response plan should be tailored to fit your company in many ways, including the following ways just to name a few:

  • the nature of your company’s culture, both internally and externally
  • the nature of your company’s customers
  • the nature of your company’s products or services
  • the nature of your company’s operations and management structure
  • the type, volume, and sensitivity of the data your company collects and retains
  • the security measures your company has in place
  • the resources your company has to devote to data security issues
  • the security standards of your company’s particular industry

Could you figure these things out on your own, with enough time and effort? Probably so — but would that really be efficient? More importantly, and I can not over-emphasize this point enough: You need an attorney to assist you with many of these things because, when done under the guidance of an attorney and if the proper formalities are observed, much of the process can be protected by the attorney-client privilege, but not if you don’t have an attorney assisting with the process.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Tips for Staying #CyberSecure While Shopping Online for #CyberMonday

Cybercriminals need shopping money for the Holidays and one of their favorite times to get yours is when you are shopping on #CyberMonday.

Use these tips to help stay #cybersecure while shopping online for #CyberMonday and at any other time:

  1. Credit or debit? Use credit cards, not debit cards, for your online shopping. Debit cards are tied directly to your bank account so if there is a problem, your money is gone. With credit cards, it is borrowed money, plus, if you have a problem with the merchant or order, the credit card company can act as your intermediary in the dispute. If possible, have one credit card that is used solely for online shopping in case you need to cancel it.
  2. Secure Internet connection. When shopping online, it is best to avoid free WiFi or other forms of open WiFi in public locations. When you are out, it is best to use your own data plan or, if you must use public WiFi, use a VPN to help minimize the risk of having your information stolen.
  3. Credible merchants. Only shop at online merchants that are credible and well-established. Anyone can put up a website in a short amount of time, make sure you know you’re dealing with a trusted merchant with a history of doing business.
  4. Scams – too good to be true (merchants). Be wary of deals that seem too good to be true and do not get too greedy because if a “deal” seems that good, it almost certainly is and the person behind the scam is either outright stealing your money or they are trying to steal your information.
  5. Saving information with merchant. While it is more convenient to save your personal information and payment information with the merchant, doing so also means that information is now stored in their database and can be compromised. It is best to not save your information with merchants.
  6. Scams – too good to be true (click here). Be wary of emails or social media posts that advertise deals that seem too good to be true and then tell you to “click here” on a link to see more information. Those are usually phishing emails that are designed for the sole purpose of getting you to click the link so they can either steal your information or deposit malware on your device. Cybercriminals can perfectly clone emails from legitimate merchants such as FedEx, PayPal, Amazon, and others so just because the email looks legit doesn’t mean it is — don’t click on the links!
  7. Scams — the sad story. While not limited to online shopping, a close relative to the “too good to be true” scam are the scams that play on your sympathy and generosity during the Holidays. An example of these is chain emails that tell of a tragedy that has befallen people and asks for donations. Criminals know how to play on our sympathies and use our emotions to manipulate us into doing things we would never do otherwise, such as sending money because someone asked for it in an email or social media post. Unless you know the people first hand, do not let your emotions overtake your judgment and stick with reputable charitable organizations with an established history.
  8. Good Cyber Hygiene. Whether for shopping on #CyberMonday or otherwise, it is best to always use good #CyberHygiene to protect yourself online. Here is a free Checklist for Good Cyber Hygiene.

For more discussion of these tips for staying safe while shopping online see 5 tips for Avoiding the Cyber Grinch this Cyber Monday! and Cyber Monday: Online safety tips from a cybersecurity expert.

SEE ALSO

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

New Hacking Technique Revealed, Viruses in Online Video Subtitles

Check Point security group has released information revealing how hackers are now using online video subtitles as a source to transport viruses into personal computers, granting hackers to endless information for very little work.

This method of hacking requires a user to do nothing other than opening up their favorite videos online. According to a recent article, this is not even potential danger but is the real thing because it’s already being used successfully by the hackers.

Hackers are very knowledgeable and creative which is why most seem to be one step behind them in most cases. A few years ago people were panicking because of pop-ups, surveys, or phishing links. Now hackers are able to encrypt information by using techniques that can bypass many security products and it is more destructive than anything seen before.

This drastic increase in hackers using the technique of online video subtitles as a source to transport viruses is no surprise. Check Point stated they “estimate there are approximately 200 million video players and streamers” and online video streams have a massive audience making these defenseless targets very beneficial investments. Using this technique, these hackers are able to take complete control of a computer with minimal effort.

Big streaming sites such as VLC, Stremio, Popcorn Time, and others are assisting users in defense by providing updated patches for blocking viruses. Unfortunately downloading these patches is the only defense (other than completely avoiding online videos) and as we saw recently with the #WannaCry ransomware outbreak, counting on people to keep their systems patched seems to be too much to ask. Hopefully, that will begin to change.

______________________

Seth Tuma is a student at Santa Barbara City College in Santa Barbara, California.

Quiz: How much do you know about cybersecurity?

Here is an interesting little quiz that is actually quite informative. It is by the Pew Research Center so it seems legit. Thanks for originally sharing it, Kevin Keane:

How much do you know about cybersecurity?

UPDATED: Read what the results show about overall cybersecurity understanding

 

Are Smaller Healthcare Practices Required to Report a Ransomware or Potential Data Breach?

Does the HIPAA Breach Notification Rule apply to all Covered Entities and Business Associates, Even Smaller Ones?

To many of you reading this post this question seems ridiculous. You know the answer. However, I get asked this question so frequently that I decided to answer it with a blog post to save time next time I get asked the same question. What is worse, however, is I often hear people say — out of complete ignorance — “no, it is not a big deal.”

Let me be clear: it is a big deal – a very big deal – and if it is considered a “breach” then you are required to report. See this Guide for more information.

Healthcare professionals must understand just how important cybersecurity and privacy of patient protected health information (PHI) is to their practices: You can spend your entire career building a fine medical practice and lose it all because you did not take this seriously. Don’t believe me? Then jump to this point of the post.

Are ransomware attacks a data breach?

Regarding ransomware attacks in particular, the Department of Health and Human Services (HHS) considers these kinds of attacks on Covered Entities and Business Associates to be a breach that requires notification, by default, unless you perform a risk assessment that considers four factors and determines there was no breach. See HHS FACT SHEET: Ransomware and HIPAA

The reason for this is because under what is called the CIA Triad of Cybersecurity. To maintain the security of data, you must ensure you maintain its confidentiality, integrity, and availability; when you have a ransomware attack encrypt your data, you no longer have availability unless you have appropriate backups of the data. Moreover, depending on the nature of the ransomware, some strains may exfiltrate data prior to the encryption, causing a failure to maintain confidentiality as well.

Is there a penalty for failing to notify?

 See also Professor Daniel Solove’s 2017 HIPAA Enforcement Update

Absolutely. When a Covered Entity or Business Associate fails to comply with the HIPAA Breach Notification Rule, HHS may launch an investigation and bring an enforcement action against the entity that failed to timely notify. Below are two notable cases where HHS has done this but it is important to note that the vast majority of the smaller ones are resolved with fines and compliance measures imposed at the investigation level:

Does HHS fine small healthcare practices?

Read these examples and decide for yourself:

If you would like more information about other HHS cases, read about these HHS Case Examples.

See: YES, YOU CAN BE HELD PERSONALLY LIABLE FOR YOUR COMPANY’S DATA BREACH – HERE’S WHY

What are the 3 most important questions you should ask yourself now before you have an incident?

  1. Do you have privacy and cyber insurance coverage for your practice?
  2. Do you always have a backup of your critical business, customer, and PHI information that is completely disconnected from your network?
  3. Do you understand these 3 critical cybersecurity steps your organization must take?

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

WHDT World News Interviews Shawn Tuma about WikiLeaks’ CIA Vault7

See also: 

Happy Data Privacy Day!

WHAT ARE YOU DOING TO OBSERVE IT?

Data Privacy DayToday is Data Privacy Day! If you have been wondering “what is Data Privacy Day?” then this is your lucky day because not only is today Data Privacy Day, but here is the answer and an explanation for why it really matters to you and your company’s future success.

What is Data Privacy Day?

Data Privacy Day is observed every year on January 28 and is led by the National Cyber Security Alliance (NCSA), a nonprofit, public-private partnership dedicated cybersecurity education and awareness. According to the NCSA,

DATA PRIVACY DAY IS AN INTERNATIONAL EFFORT TO EMPOWER AND EDUCATE PEOPLE TO PROTECT THEIR PRIVACY AND CONTROL THEIR DIGITAL FOOTPRINT.

DATA PRIVACY DAY BEGAN IN THE UNITED STATES AND CANADA IN JANUARY 2008 AS AN EXTENSION OF THE DATA PROTECTION DAY CELEBRATION IN EUROPE. DATA PROTECTION DAY COMMEMORATES THE JANUARY 28, 1981, SIGNING OF CONVENTION 108, THE FIRST LEGALLY BINDING INTERNATIONAL TREATY DEALING WITH PRIVACY AND DATA PROTECTION. DATA PRIVACY DAY IS NOW A CELEBRATION FOR EVERYONE, OBSERVED ANNUALLY ON JANUARY 28.

DATA FLOWS FREELY IN TODAY’S ONLINE WORLD. EVERYONE – FROM HOME COMPUTER USERS TO MULTINATIONAL CORPORATIONS – NEEDS TO BE AWARE OF THE PERSONAL DATA OTHERS HAVE ENTRUSTED TO THEM AND REMAIN VIGILANT AND PROACTIVE ABOUT PROTECTING IT. BEING A GOOD ONLINE CITIZEN MEANS PRACTICING CONSCIENTIOUS DATA STEWARDSHIP. DATA PRIVACY DAY IS AN EFFORT TO EMPOWER AND EDUCATE PEOPLE TO PROTECT THEIR PRIVACY, CONTROL THEIR DIGITAL FOOTPRINT, AND MAKE THE PROTECTION OF PRIVACY AND DATA A GREAT PRIORITY IN THEIR LIVES.

14 Tips For Keeping Your Company’s Data Secure

In honor of Data Privacy Day, the International Association of Privacy Professionals (iapp) has posted an article with 14 tips you need to consider when evaluating how to keep your company’s data secure:

  1. Know Thy Data. Determine what data you collect and share. Classify it according to its level of criticality and sensitivity. What could be considered PII? Define whether data is “in use,” “in motion” or “at rest.” Know where the data is physically stored.
  2. Terms and Conditions May Apply. Make sure your privacy policy reflects current data practices (see Tip #1). This includes the use of third-party advertisers, analytics, and service providers. Periodically review and confirm these third parties comply with your written policies.
  3. You Don’t Know What You’ve Got Till It’s Gone. Conduct annual audits to review whether your data should be retained, aggregated or discarded. Data that’s no longer used needs to be securely decommissioned. Create a data retention policy dictating how long you keep information once it’s fulfilled its original purpose. And, of course, continually ask whether that purpose is still valid and relevant.
  4. Practice or You’ll Breach. Forged e-mail, malvertising, phishing, social engineering exploits and data snooping via unencrypted transmissions are on the rise. From simple controls to sophisticated gears, make sure you’ve implemented leading security “best practices.”
  5. AYO Technology! Data Loss Prevention (DLP) technologies identify vulnerabilities of potential exposures. These work in conjunction with existing security and antivirus tools. From early warnings of irregular data flows to unauthorized employee access, DLP solutions help minimize and remediate threats.
  6. BYOD Is Like a BYOB House Party. The lack of a coherent bring-your-own-device (BYOD) program can put an organization at risk. User devices can easily pass malware and viruses onto company platforms. Develop a formal mobile device management program that includes an inventory of all personal devices used in the workplace, an installation of remote wiping tools and procedures for employee loss notification.
  7. Insist on a List. To mitigate the grave impact on your organization, inventory key systems, access credentials and contacts. This includes bank accounts, registrars, cloud service providers, server hosting providers and payroll providers. Keep this list in a secure yet accessible location.
  8. Forensics – Don’t Do This at Home. The forensics investigation is essential in determining the source and magnitude of a breach. This is best left to the experts as it’s easy to accidentally modify or disrupt the chain of custody.
  9. Where the Logs At? Logs are fundamental components in forensics analysis, helping investigators understand what data was compromised. Types of logs include transaction, server access, firewall and client operating system. Examine all logs in advance to ensure correct configuration and time-zone synchronization. Routinely back them up; keep copies, and make sure they’re protected.
  10. Incident Response Team to the Rescue! Breaches are interdisciplinary events requiring coordinated strategies and responses. The team should represent every functional group within the organization, with an appointed executive who has defined responsibilities and authority. Establish “first responders” available 24/7 (hackers don’t work a 9 to 5 schedule).
  11. Get Friendly With the “Fuzz.” Reach out to law enforcement and regulators prior to an incident. Know who to contact so you won’t have to introduce yourself in the “heat of the battle.” When you have bad news to report, make sure they hear directly from you (a courtesy call goes a long way). Don’t inflame the situation by becoming defensive; focus on what you’re doing to help affected parties.
  12. Rules, Rules, Rules. Become intimately familiar with the international, domestic and local regulations that specifically relate to your organization. The failure to notify the appropriate governmental body can result in further inquiries and fines.
  13. What Did You Say? A well-executed communications plan not only minimizes harm and potential legal consequences, it also mitigates harm to a company’s reputation. Address critical audiences and review applicable laws before notifying. Tailor your message by geographic region and demographics. Knowing what to say is just as important as knowing what NOT to say.
  14. Help Me Help You. Customers want organizations to take responsibility and protect them from the potential consequences of a breach. The DIP should include easy-to-access remedies that offset the harm to affected parties.

Here is a link to the full post: How to Lose Your Data in 10 Days

The 14 tips are a great place to start when thinking about securing your company’s data. As shown by the recent data breaches that have hit Target, Neiman Marcus, Michaels, and Barnes & Noble, the question is no longer one of if your company will have a data breach, but when.

When Your Company is Breached, Your Preparation Will Be Vital to the Company Surviving the Crisis

A data breach is a crisis situation for any company–especially given the amount of attention data breaches are getting these days. From a very big picture perspective, there are two goals to strive for when a company responds to a data breach: (1) avoid, or at least mitigate, any legal and regulatory trouble; and, (2) more importantly, minimize the impact of the breach on the company’s overall business. (see related data breach discussions) The only way your company can achieve these goals is to be proactive by getting prepared before the inevitable occurs–the breach.

If your company is prepared, it is in a much better position to minimize the loss of data, be better able to respond to the breach, and demonstrate to the legal and regulatory authorities that it acted reasonably in protecting its data, which can be very helpful in minimizing the legal and regulatory repercussions, which is the first step. By being prepared and better able to address the first step, the company is then able to focus more of its efforts on polishing its response to be more palatable for its customers and better addressing their feelings and concerns. In other words, if the company is prepared, it is not panicking and scrambling just to get out a response–any response–but instead can take the time to analyze the situation through its customers’ eyes and provide a much better response that takes their feelings and concerns into consideration. This is the vital step because this is what helps preserve the company’s customer relationships.

The best way to be prepared for this is for your company to have a thorough and custom data breach incident response plan. The data breach incident response plan should be tailored to fit your company in many ways, including the following ways just to name a few:

  • the nature of your company’s culture, both internally and externally
  • the nature of your company’s customers
  • the nature of your company’s products or services
  • the nature of your company’s operations and management structure
  • the type, volume, and sensitivity of the data your company collects and retains
  • the security measures your company has in place
  • the resources your company has to devote to data security issues
  • the security standards of your company’s particular industry

Could you figure these things out on your own, with enough time and effort? Probably so — but would that really be efficient? More importantly, and I can not over-emphasize this point enough: You need an attorney to assist you with many of these things because, when done under the guidance of an attorney and if the proper formalities are observed, much of the process can be protected by the attorney-client privilege, but not if you don’t have an attorney assisting with the process.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.