Social media sites are transforming not only the daily lives of consumers, but also how companies interact with consumers. Here at Morrison Foerster, across all of our practice groups, we are seeing complex, cutting-edge legal issues arising out of social media. As with the Internet boom during the mid-to-late 1990s, social media is generating new legal questions at a far faster pace than the law’s ability to provide answers to such questions. In an effort to stay on top of these emerging issues, and to keep our clients and friends informed of new developments, Morrison Foerster publishes this blog devoted to the law and business of social media.<h2>ABOUT MORRISON FOERSTER</h2>Morrison Foerster is a leading global law firm that transforms complexity into advantage for its clients. Our clients include some of the largest financial institutions, banks, consulting and accounting firms, and Fortune 100, technology, and life sciences companies. Highlighting the firm’s commitment to client service, leadership in market-changing deals and impact litigation, and values-based culture, Morrison Foerster has been repeatedly recognized as one of the top 10 firms on The American Lawyer’s A-List. Year after year, the firm receives significant recognition from Chambers and The Legal 500 across their various guides, including Global, USA, Asia‑Pacific, Europe, UK, Latin America, and FinTech Legal. Our lawyers passionately care about delivering legal excellence while living our values. Morrison Foerster has a long-standing commitment to creating a culture that respects and celebrates differences, while providing an inclusive environment. The firm has achieved Mansfield Certification Plus since 2018 as a result of successfully reaching at least 30 percent women, communities of color, and LGBTQ+ lawyer representation in a notable number of current leadership roles and committees. The firm also has a long history of commitment to the community and society through providing pro bono legal services, including litigating for civil rights and civil liberties, improving public education and fostering the wellbeing of children, advocating for veterans, promoting international human rights, enforcing the right to asylum, and safeguarding the environment.

Social

Search

sociallyaware-abajournalweb100-1

Aaron is the chair of the firm’s Technology Transactions Group and co-chair of the Interactive + Digital Media Group. He advises clients on a wide range of complex transactions involving intellectual property and technology, including structuring and negotiating strategic licensing, development, collaboration, procurement, and distribution deals.Aaron’s practice focuses on advising both established and emerging companies in a variety of data- and technology-intensive sectors, including software, SaaS, cloud-based technology, digital media (social media, AR/VR, gaming, streaming media, AdTech), AI, healthcare, consumer electronics, e-commerce, other online business models, and mobile applications. He also maintains an active practice counseling companies on branding and marketing, trademark licensing, and content-related transactions, as well as the intellectual property aspects of mergers, acquisitions, asset spin-offs, and private equity investments.He has represented clients such as Autodesk, Meta, OpenAI, Splunk, Konami, Kaiser Permanente, SoftBank, Visa, and Yahoo, among others.Aaron has been recognized by numerous publications for his work on market-defining technology transactions. He is currently ranked by Chambers USA for “Technology Transactions.”Aaron also serves as co-editor of Socially Aware, the firm’s award-winning newsletter and blog devoted to the law and business of social media, and regularly publishes on various IP and technology-related topics. Aaron is also a sought-after speaker on new and emerging areas of law, and is a frequent presenter and panelist at conferences and legal services programs. In addition to his active practice, Aaron regularly provides pro bono assistance to various nonprofit and charitable organizations such as Common Sense Media and the Starlight Children’s Foundation. He is a member of the board of directors of California Lawyers for the Arts.While in law school at the University of California, Berkeley, Boalt Hall School of Law, Aaron served as executive editor of the California Law Review and was elected to the Order of the Coif. Following law school, Aaron served as law clerk to the Honorable William H. Orrick and the Honorable Martin J. Jenkins, both United States District Judges for the Northern District of California.

rubin_aaron_blog_150x150.png

rubin_aaron_common_640x280.jpg

rubin_aaron_heroretina_2700x1160.jpg

rubin_aaron_mobileretina_750x1040.jpg

rubin_aaron_social_600x600.jpg

Partner

Aaron is the chair of our Technology Transactions Group. He advises clients on a wide range of complex transactions involving intellectual property and technology, including structuring and negotiating strategic licensing, development, collaboration, procurement, and distribution deals. Aaron’s practice focuses on advising both established and emerging companies in a variety of data– and technology–intensive sectors, including software, SaaS, cloud computing, AR/VR, AI, gaming, healthcare, consumer electronics, social media, e–commerce, other online business models, and mobile applications. He also maintains an active practice counseling companies on the intellectual property aspects of mergers, acquisitions, asset spin–offs, and private equity investments.

Aaron P. Rubin

Lawrence Gallick is of counsel in the firm’s Austin office and a member of the Technology Transactions Group.Lawrence focuses his practice on technology transactions and licensing matters. His diverse experience includes advising on SaaS agreements, cross-licensing agreements, research and collaboration agreements, development agreements, and distribution agreements. He counsels a broad range of companies across the software, hardware, life sciences, biotech and FinTech spaces, as well as other entities including universities.He advises clients in connection with general corporate matters including contract negotiations, and leasing and technology placement agreements.Lawrence also serves as co-editor of <a href="https://www.sociallyawareblog.com/" target="_blank">Socially Aware</a>, the firm’s award-winning newsletter and blog devoted to the law and business of social media, and regularly publishes on various IP and technology-related topics.Prior to joining the firm, Lawrence was counsel at another major law firm. Before earning his law degree, Lawrence was a web consultant, project manager, and web developer in Portland, Oregon, where he managed and consulted on projects using industry methodologies and performed custom development and integration of content management systems.Lawrence was named a Super Lawyers “Rising Star” in 2015 and 2018–2022, and is licensed in both California and New York. Lawrence earned his J.D. from the University at Buffalo School of Law, where he was the electronic systems editor for the Buffalo Law Review and awarded the ABA-BNA Award for Excellence in the Study of Intellectual Property Law.

gallick_lawrence_blog_150x150.png

gallick_lawrence_common_640x280.jpg

gallick_lawrence_heroretina_2700x1160.jpg

gallick_lawrence_mobileretina_750x1040.jpg

gallick_lawrence_social_600x600.jpg

Of Counsel

Lawrence Gallick

Anthony Ramirez is a partner in the Technology Transactions Group in the New York office of Morrison Foerster.Anthony advises clients on general commercial and transactional matters. He regularly advises companies on the IP aspects of their M&A transactions. His clients include technology, digital media and content for television and music, financial services, and communications companies with diverse intellectual property assets and issues.His practice focuses on the legal aspects of developing, licensing, and commercializing technology and intellectual property, as well as negotiating general commercial contracts, including outsourcing transactions, as well as content and data licenses. He regularly assists clients with legal issues relating to licensing and commercialization of digital media and content, digital content that is distributed over the Internet or streamed, mobile applications and social media, as well as the licensing of recorded music for distribution via digital platforms. Anthony is also experienced with issues relating to open-source software, software development, artificial intelligence and machine learning, cloud-based technology, and protection of proprietary information.Anthony has extensive experience working on matters involving disruptive technologies, such as blockchain. He has helped fintech clients with general intellectual property issues in connection with terms of service for online financial products and services.Anthony is an integral part of the outside pro bono legal team for nonprofit organizations based in New York, including advising clients on legal issues regarding entertainment, social media, privacy rights, and the negotiation of outsourcing and service agreements. Anthony received his J.D. from the University of Michigan Law School in 2009. He received his B.S. from Cornell University in 2004.

ramirez_anthony_blog_150x150.png

ramirez_anthony_common_640x280.jpg

ramirez_anthony_heroretina_2700x1160.jpg

ramirez_anthony_mobileretina_750x1040.jpg

ramirez_anthony_social_600x600.jpg

Anthony Ramirez is a partner in the Technology Transactions Group in the New York office of Morrison Foerster. He advises clients on general commercial and transactional matters. His clients include technology, media, and communications companies with considerable intellectual property assets. His practice focuses on the legal aspects of licensing and commercializing technology and intellectual property, as well as negotiating general commercial contracts. He also regularly assists clients with legal issues relating to mobile applications and social media.

Anthony M. Ramirez

favicon.ico

favicon-16x16.png

favicon-32x32.png

apple-touch-icon.png

MoFo Favicons

Socially Aware is devoted to the law and business of social media, proactively addressing emerging issues and keeping our clients informed of new developments. We cover fields such as artificial intelligence, privacy and data security, Section 230, intellectual property, and much more.

Welcome to Socially Aware

240920-socially-aware-header.jpg

Welcome to Socially Aware

240920-socially-aware-header

Socially Aware is devoted to the law and business of social media, proactively addressing emerging issues and keeping our clients informed of new developments. We cover fields such as artificial intelligence, privacy and data security, Section 230, intellectual property, and much more.

News and Announcements

Blog - Terms of Use

Blog - Privacy Policy

Blog - Blog Disclaimer

Blog - Attorney Advertising

morrison-foerster-blog-logo.png

Provides a data-driven look at the Federal Circuit.

Federal Circuitry

Brings together legal insights and in-depth analyses on trends and complex issues shaping the global technology industry.

MoFo Tech

Mofo Tech

Equips our clients with the most up-to-date and relevant information on employment and labor law issues.

Employment Law Commentary

In-depth analysis of developments and trends impacting government contracting.

Government Contracts Insight

Government Contracts Insights

Provides insights and reports on the most current class actions lawsuits and product liability issues that affect consumer-facing companies.

Class Dismissed Blog

Class Dismissed

MoFo’s Socially Aware blog provides timely updates and analysis of the many complex and cutting-edge legal and business issues arising out of social media.

Socially Aware

  Linkedin

MoFo LinkedIN

Socially Aware Blog - RSS

Stay Connected

Never miss a post from Socially Aware. Enter your email below to stay up-to-date.

Subscribe

The Law and Business of Social Media

Morrison Foerster - Footer

Blogs -  Home Button

Home

Blog - Topics

Web Scraping

Advertising

Antitrust

Arbitration

Artificial Intelligence

Asia

Autonomous Vehicles

Bankruptcy

Big Data

Blockchain

Class Actions

Cloud Computing

Compliance

Contracts

COPPA

Copyright

Crowdsourcing

Cyberbullying

Cybersecurity

Data Security

Defamation

Digital Content

Disappearing Content

Discovery

DMCA

E-Commerce

E-Discovery

E-Personation

Electronic Contracts

Employment Law

Endorsement Guides

Ephemeral Messaging

Ethics

European Union

Event

Fair Use

FDA Regulations

Financial Institutions

First Amendment

Fraud

Free Speech

GDPR

Hacking

Influencer Marketing

Infographic

Internet of Things

Investment Management Law

JOBS Act

Labor Law

Litigation

Live streaming

Marketing

Mobile

Online Contracts

Online Endorsements

Online Promotions

Online Reviews

Patent

Privacy

Product Liability

Protected Speech

Right of Publicity

Right To Be Forgotten

Section 230 Safe Harbor

Securities Law

Social Media Policy

Statistics

Status Updates

Stored Communications Act

Supreme Court

Terms of Use

Trademark

UK High Court

User-Generated Content

Wearable Computers

Topics

Blog - Editors

Editors

Blog - About

About

Blog - Subscribe

More

Lawrence W. Gallick

Social Links: TikTok’s Wild Ride

Northern District Applies Section 230 to AI-Assisted Content Moderation

2024 Recap: Ten Lords A-Leaping!

Social Links: If the Suit Fits

Social Links: Age Verification, X Appeal, and the Great White North

LinkedIN

Is your company prepared to respond to a data security breach? For many companies, even reading this question causes some anxiety. However, being prepared for what seems like the inevitable—a security breach—can be the difference between successfully navigating the event or not. While we still hear some companies say, “That would never happen to our company!” a significant breach can happen to any company.In light of this and the close scrutiny that the high-profile breaches reported over the past year have received, many companies have taken the opportunity to consider their preparedness and ability to respond quickly and decisively to such an incident. We have prepared for our readers who are in-house attorneys or privacy officers the following checklist highlighting some steps that companies may consider taking so that they can be better prepared in the event that a significant breach incident occurs.<ol><li> Make Friends With Your IT/IS Department. </li></ol>It is important to be familiar with your company’s risk tolerance and approach to information security in order to develop an understanding of your company’s security posture. The time to explore these issues isn’t after a breach has happened, so ask your colleagues in your company’s information technology or information security departments the basic questions (e.g., What’s DLP?) and the tough questions (e.g., Why haven’t we addressed the data security concerns raised in last year’s audit?). You would rather learn, for example, that your company does not encrypt its laptops before one is stolen.<ol start="2"><li> Have a Plan. </li></ol>Many companies have an incident response plan. If your company does, dust it off. Does it need to be updated based on the current breach environment? Would it actually be helpful in responding to a high-profile nationwide data security breach? Does it have a list of key contacts and contact information? Also, make sure you have a copy printed out in case the breach impacts your company’s electronic system. If you don’t have a plan, draft one and implement it.<ol start="3"><li> Practice. </li></ol>Although practice may not make perfect when it comes to data breach response, you do not want your response team working together for the first time in the middle of an actual high-stress incident. Gather your response team and relevant stakeholders and conduct a “fire drill” or “breach tabletop” exercise (and consider bringing your outside counsel). This will be invaluable training and an investment in your company’s preparedness.<ol start="4"><li> Decisions, Decisions, Decisions. </li></ol>Someone has to make the tough calls. A high-profile breach incident presents a series of tough calls (e.g., when will you go public, how will you respond to the media, will you offer credit monitoring and so forth). We continue to hear of incidents where there are competing views within a company about the “right” decision, and incidents where difficult decisions have to be made based on limited facts. You should give thought to who within your organization will be responsible for making the tough calls, and making sure the key decision-makers understand the broader issues that have to be considered.<ol start="5"><li> Know the Law. </li></ol>In the United States, notice of breach incidents is driven by federal and state law. There are federal breach requirements (e.g., the Gramm-Leach-Bliley Act), and there are state requirements in 51 states and jurisdictions. Needless to say, notice in a nationwide incident can be complicated. And the laws have been rapidly changing over the last several years. Someone in your company should be committed to staying abreast of the current landscape of breach-related requirements (e.g., requirements for the content of consumer notices and requirements to notify state regulators). In addition, breaches that affect individuals outside the United States are even more complicated. Be aware that the number of jurisdictions with breach-notification obligations is growing, and in many instances a “breach” includes the unauthorized disclosure of any type of personal information.<ol start="6"><li> Go Outside. </li></ol>Outside counsel who have a deep practice in this area will have worked on countless incidents both large and small, and can advise on how other companies respond to similar incidents and how regulators have reacted. This is invaluable insight when the tough calls have to be made (see item 4 above).<ol start="7"><li> Engage Vendors. </li></ol>In a significant breach incident, a company’s resources can be stretched thin. Many companies would not have the capability to produce and mail 500,000 breach letters in just a few days. Similarly, many companies are not prepared to handle dramatically increased call center volumes after an incident becomes public. There are a wide variety of vendors that can help companies respond to a breach incident, including forensic investigators, crisis communication experts and mail houses, to name a few. Consider your company’s capabilities and engage vendors before an incident occurs.<ol start="8"><li> In Case of Emergency, Call. </li></ol>The list of individuals and entities that may need to be contacted in case of a significant breach at your company may be longer than you think. For example, you may need to contact members of your response team, members of senior management, your merchant acquirer, payment card networks, a wide variety of vendors, the press, your regulators, outside counsel and others. While a comprehensive contact list may seem simple, it can reduce stress in the heat of the moment if you have one (see item 2 above).<ol start="9"><li> Consider Coverage. </li></ol>Cyberinsurance is one of the fastest growing areas of insurance today. It’s quite possible that your company already has a policy that would provide at least some coverage in the case of a data security breach. If so, the policy should be reviewed to get a sense of the breadth of the coverage and to determine whether such coverage is appropriate for your company’s needs. If your company does not have a policy, you can consider the costs and benefits of obtaining coverage. This is a risk-based decision, but one that of course needs to be thought about before a breach occurs.<ol start="10"><li> Don’t Delay. </li></ol>Although you can’t control whether a breach occurs, you can control how your company responds. Many companies will find that there is more that they can do to prepare for a potential breach event. In light of the public, regulatory and internal scrutiny that a high-profile breach brings, you should not delay in considering your company’s preparedness to respond to such an event.Concluding ThoughtsUnfortunately, data security breaches have become as inevitable as death and taxes; accordingly, no company can afford to be unprepared for a breach incident when it occurs. Although our pre-breach checklist above isn’t intended to be exhaustive, it should provide a helpful starting point for companies in thinking about the unthinkable.

Recognized as an authority on financial privacy issues, Nathan helps financial institutions and other companies develop practical solutions for complying with privacy and data security laws. In partic

Nathan D. Taylor

Nathan Taylor

gettyimages-488221686_small-300x167-1.jpg

Preparing for a Data Security Breach: Ten Important Steps to Take

Preparing for a Data Security Breach: Ten Important Steps to Take

Is your company prepared to respond to a data security breach? For many companies, even reading this question causes some anxiety. However, being prepared for w

The latest issue of our Socially Aware newsletter is now available <a href="https://media2.mofo.com/v3/assets/blt5775cc69c999c255/blt5dbd95633a7b6adb/62730e307198441d81b3a28f/161107-socially-aware.pdf" target="_blank" rel="noopener">here</a>.In this edition, we provide five tips for reducing potential liability exposure in seeking to exploit user-generated content; we examine a Ninth Circuit decision highlighting the control that social media platform operators have over the content and data that users post to those platforms; we discuss five questions that companies should ask themselves to help prepare for a ransomware attack; we explore a controversial California court decision that narrows an important liability safe harbor for website operators; we review a federal court decision that illustrates the importance of securing clear and affirmative assent to electronic contracts; we take a look at some recent enforcement actions that indicate a shift toward requiring clearer and potentially more burdensome disclosures from companies engaged in interest-based advertising; and  we examine a recent Northern District of California decision holding that a mobile app developer was not be liable under the Telephone Consumer Protection Act for a text initiated by one of the app’s users.All this—plus an infographic illustrating the impact of incorporating user-generated content in marketing campaigns.Read our <a href="https://media2.mofo.com/v3/assets/blt5775cc69c999c255/blt5dbd95633a7b6adb/62730e307198441d81b3a28f/161107-socially-aware.pdf" target="_blank" rel="noopener">newsletter.</a>

Aaron is the chair of the firm’s Technology Transactions Group and co-chair of the Interactive + Digital Media Group. He advises clients on a wide range of complex transactions involving intellectual property and technology, including structuring and negotiating strategic licensing, development, collaboration, procurement, and distribution deals.

Aaron Rubin

capture-1-1.jpg

Now Available: The November Issue of Our Socially Aware Newsletter

Now Available: The November Issue of Our Socially Aware Newsletter

The latest issue of our Socially Aware newsletter is now available here. In this edition, we provide five tips for reducing potential liability exposure in seek

The <a href="https://www.technologyreview.com/s/602713/how-the-internet-of-things-took-down-the-internet/" target="_blank" rel="noopener">Internet of Things is apparently to blame for the Web outage</a> that paralyzed the online world earlier this month.<a href="http://www.usatoday.com/story/life/nation-now/2016/10/26/justin-timberlake-ballot-selfie/92790196/" target="_blank" rel="noopener">Justin Timberlake took down his “ballot selfie”</a> from Instagram after <a href="http://www.businessinsider.com/justin-timberlake-broke-the-law-voting-booth-selfie-photo-2016-10?&platform=bi-androidapp" target="_blank" rel="noopener">Tennessee authorities made clear that it was illegal</a>.Presumably in order to help facilitate compliance with guidance from regulators in the <a href="http://www.sociallyawareblog.com/2014/12/03/ftc-enforcement-action-confirms-that-ad-disclosure-obligations-extend-to-endorsements-made-in-social-media/" target="_blank" rel="noopener">United States</a>, United Kingdom and elsewhere, YouTube is making available to video creators an easy-to-use “sponsored content” notification that they can opt to have appear during the first few seconds of their videos.Will blockchain technology be <a href="https://www.linkedin.com/pulse/blockchain-could-musics-next-big-disruptor-don-tapscott?trk=hp-feed-article-title-editor-pick" target="_blank" rel="noopener">the next big wave of disruption for the music industry</a>?With <a href="http://venturebeat.com/2016/10/13/tinder-smart-photos/" target="_blank" rel="noopener">Tinder’s new feature</a>, online daters can be sure their profiles feature the photos most likely to get right-swipes.When the chief digital officer at New York’s Metropolitan Museum of Art lost his job, he <a href="https://www.fastcompany.com/3064052/creative-conversations/how-this-exec-used-social-media-to-turn-his-layoff-into-a-career-rebo7" target="_blank" rel="noopener">turned to social media for advice</a>.The NFL’s new social media policy promises to impose hefty fines on member teams that post videos or animated GIFs of games, or use Facebook Live or Periscope to stream anything in the stadium.When a Russian tech entrepreneur’s friend died, she <a href="http://www.theverge.com/a/luka-artificial-intelligence-memorial-roman-mazurenko-bot" target="_blank" rel="noopener">used artificial intelligence and his old text messages to create a futuristic memorial</a>.Employed but curious about new job opportunities? Now you can <a href="http://www.businessinsider.com/linkedin-open-candidates-secretly-find-job-2016-10" target="_blank" rel="noopener">change your LinkedIn profile to secretly signal to recruiters</a> that you’re in the market for a new gig.Guess what percentage of Americans one researcher predicts <a href="http://venturebeat.com/2016/10/13/only-6-of-americans-will-own-a-vr-headset-in-2016/" target="_blank" rel="noopener">will own a virtual reality headset</a> in 2016?Could <a href="http://www.huffingtonpost.com/entry/google-flights-tips-tricks_us_58062e82e4b0b994d4c1675a" target="_blank" rel="noopener">Google Flights be the ticket to finding the best possible fare</a> to your 2016 winter holiday destination?

Social Links: IoT Causes Web Outage; YouTube Makes Endorsement Disclosure Convenient; NFL’s Social Media Policy Imposes Fines

The Internet of Things is apparently to blame for the Web outage that paralyzed the online world earlier this month. Justin Timberlake took down his “ballot sel

Social Links: IoT Causes Web Outage; YouTube Makes Endorsement Disclosure Convenient; NFL’s Social Media Policy Imposes Fines

The California Supreme Court <a href="http://www.latimes.com/business/technology/la-fi-tn-yelp-ava-bird-20160921-snap-story.html" target="_blank" rel="noopener">agreed to hear Yelp’s case</a> arguing that requiring the company to remove a one-star review of a law firm “creates a gaping hole” in the immunity that shields internet service providers from suits related to user-generated content.Images, videos and quoted tweets no longer count toward Twitter’s 140-charter limit.Google is undertaking <a href="https://www.wired.com/2016/09/inside-googles-internet-justice-league-ai-powered-war-trolls/" target="_blank" rel="noopener">cutting-edge efforts to battle online trolls</a>.Only <a href="http://www.wired.co.uk/article/north-korea-28-websites-domain" target="_blank" rel="noopener">28 websites are registered</a> under North Korea’s top level .kp domain.Chinese law enforcement agencies investigating criminal cases can now secretly <a href="http://www.bloomberg.com/news/articles/2016-09-22/tencent-s-wechat-social-media-posts-count-as-criminal-evidence" target="_blank" rel="noopener">request access to personal information</a> posted on social media services.Back here in the United States, Twitter’s bi-annual transparency report shows that between January and June the platform received 2,520 information requests from U.S. law enforcement agencies.The Department of Transportation issued <a href="http://www.nytimes.com/2016/09/21/technology/the-15-point-federal-checklist-for-self-driving-cars.html" target="_blank" rel="noopener">a 15-point list of safety expectations</a> for driverless cars.<a href="http://www.relationshipscience.com/" target="_blank" rel="noopener">Relationship Science</a>, a repository of information about influential people and their connections, is <a href="http://venturebeat.com/2016/09/20/relationship-science-takes-a-shot-at-linkedin-opens-its-database-to-everyone/" target="_blank" rel="noopener">opening its database to everyone</a>, a change that could put the company in competition with LinkedIn.Content marketers need to <a href="https://www.entrepreneur.com/article/280975?utm_content=buffer9c5cf&utm_medium=social&utm_source=twitter.com&utm_campaign=bufferrr" target="_blank" rel="noopener">publish how many articles a week</a> to make a difference?! Sigh.<a href="http://www.socialmediatoday.com/social-networks/ultimate-guide-building-your-audience-snapchat" target="_blank" rel="noopener">Building an audience on Snapchat</a> seems pretty arduous, too.Concerned that your identity may have been stolen in some of the major hacking attacks in the last three years? Take <a href="http://www.nytimes.com/interactive/2015/07/29/technology/personaltech/what-parts-of-your-information-have-been-exposed-to-hackers-quiz.html?smid=fb-nytimes&smtyp=cur&_r=0" target="_blank" rel="noopener">this quiz</a> to learn your minimum level of exposure and what you can do about it.The <a href="http://venturebeat.com/2016/09/20/5-bots-to-try-this-week-evabot-fashion-brobot-event-io-breakingsports-and-american-express/" target="_blank" rel="noopener">five most popular bots</a> on <a href="https://botlist.co/" target="_blank" rel="noopener">Botlist</a> last week.

Social Links: Yelp’s Communications Decency Act claim; Twitter loosens its character limit; building a Snapchat audience

The California Supreme Court agreed to hear Yelp’s case arguing that requiring the company to remove a one-star review of a law firm “creates a gaping hole” in 

Social Links: Yelp’s Communications Decency Act claim; Twitter loosens its character limit; building a Snapchat audience

The news has been filled this year with reports of ransomware attacks against companies and government agencies, including even law enforcement. Ransomware refers to a type of malware that encrypts or otherwise restricts access to a machine or device. As part of the attack, the attacker will demand that the victim pay a ransom in order to receive the encryption key or otherwise recover access to the compromised machine.The reality is that ransomware attacks have been proliferating against all types of companies and organizations. Ransomware is a profitable business for underground circles, and we expect to see continued targeting. Because these attacks may be isolated to a single machine, they frequently do not impact a company’s business continuity or result in a noticeable service disruption. In response to an infection, companies may be able to obtain the technical assistance needed to defeat the attack. Free online resources exist that will identify which ransomware infected your system and provide victims with known decryption keys. In other cases, companies may determine that the data loss is not significant and/or that backups exist, allowing them to rebuild the computer by reformatting the hard drive and reinstalling a clean operating system, applications and data. In other cases though, companies pay the ransom.Ransomware attackers frequently use many of the same tools and tactics, such as spear phishing, as do other hackers. Unlike many hackers, however, ransomware attackers are not focused on stealing data that can be sold or used for illicit purposes (e.g., credit card information and trade secrets). Instead, ransomware is about economic extortion. The attackers prevent a company from being able to access its own system or data, and they make a demand. Usually, they want money, but that could change. Imagine a hacker who holds data and systems hostage in return for the company’s releasing a public statement, making a divestiture or a arranging for a senior executive’s departure? The distinction between routine malware and ransomware is important to manage the scope of the threat. While some companies may not maintain data that is of value to cyber thieves (although that is becoming less and less the case, as evidenced by the proliferation of W-2 tax information phishing attacks), every company is a potential target of a ransomware attack.There are a couple of reasons why this is such a challenging problem to overcome from a technology perspective. Once the files are encrypted, it is nearly impossible to decrypt them. This leaves the affected organization facing the difficult choice of either paying the ransom or losing their data. In many cases, downtime and data loss are more costly than the ransom, which is why many organizations opt to pay. The second major challenge is that ransomware is highly polymorphic. There are tens of thousands of malware samples and variants detected in the wild.As a result, all companies should be mindful of the risk of such an attack and take steps to limit the impact of such an attack, including being prepared to respond.Responding to a ransomware attack can be a stressful and unnerving experience. Not surprisingly, depending on the system that is the target of the attack, time is usually of the essence. As part of a company’s broader incident response preparation, it is worth anticipating what you would do in the event of a ransomware attack. The following five questions are a good starting point for companies, and in-house counsel might consider leading this review together with their information security managers. While the answers to these questions often differ depending on the nuance or nature of a given attack, the investment in planning related to these questions can reduce the stress and increase the agility and effectiveness of a company’s response to an attack.1. Will You Pay The Ransom?This literally can be the million-dollar question, although ransom demands historically have been much smaller. For example, it is common to see ransom demands between $500 and $50,000, typically to be paid with Bitcoin. Regardless of the extortion level, many companies have taken the approach of not negotiating with blackmailers or otherwise paying ransom, regardless of the situation.  In fact, the FBI does not encourage payment.Still, even where there is a general (and understandable) resistance to paying ransom, the answer to this question for most companies will depend on the impact and timing of the attack. That is, the answer frequently depends on the business continuity risk and service disruption potential that the attack presents, as well as whether there is an available and useful backup of the data/service maintained by, or hosted on, the impacted system. More specifically, how badly does your company need the impacted system or the data stored on that system?For example, if a company cannot access a machine that has critical data for which there is no adequate or available backup, or if the machine is integral to business operation (e.g., a web server or payment service) and there are challenges in replacing the machine in a timely manner, a company may determine that it has little choice but to pay the ransom because the costs of lost access far outweigh the ransom demand. In many scenarios, however, companies have elected not to pay the ransom because they have a sufficient backup of data maintained on the machine or because the lost access to the system does not have a meaningful business impact. For example, from a business continuity perspective, there may be no practical difference between a ransomware attack that locks an employee’s company-issued laptop and the physical theft of that laptop.Significantly, paying does not always result in the hackers making good on their promise. In a recent case, a hacker only provided partial access to a hospital’s encrypted data before asking for more money to complete the deal.  At that point, the hospital refused.2. What Systems Are Subject to the Greatest Risk (And Are They Protected)?The first question highlights the critical, yet obvious, point that the potential impact of a ransomware attack all depends on which machine, system, or device is hit. It also highlights the fact that ransomware is not just an information security issue, but also a business continuity issue (not unlike, for example, natural disasters). On this point, a company should have the advantage over a ransomware attacker.Specifically, a company can assess its systems and dependencies and identify those that present the greatest risk to the company in the event of a ransomware attack. In fact, most companies with business continuity plans will have already gone through this exercise in a more general context.  Regardless, once you have identified systems that are critical to your company’s ongoing operations, you then can consider how those systems are currently protected from the types of malware typically deployed in a ransomware attack and whether additional protections make sense. In addition to having appropriate data backup and recovery plans in place, common information security considerations include:<ol><li>The use of robust endpoint detection and response (EDR) solutions,</li><li>Taking advantage of application white-listing,</li><li>Restricting user permissions and access controls,</li><li>Implementing software restriction policies (SRP),</li><li>Ramping up efforts to detect spear-phishing emails and</li><li>Disabling macros from running in files that are received in email or downloaded from websites.</li></ol>3. Do You Have Sufficient Backups?While the previous question was focused on the extent to which critical systems are protected, this question is focused on contingency planning in the event that a company is the victim of a successful ransomware attack. If critical systems are impacted by ransomware, how will your company respond, and will you be able to continue (somewhat) normal business operations? This is an important question, even if your company would consider paying the ransom. For example, even if a company pays the ransom, there will be a loss of data or availability until the key is received and, hopefully, normal access is restored. As a result, from both a data and a systems perspective, it is important to determine the extent of a company’s backups and alternatives that can support business operations. A company should consider not only the extent of its backups, but how frequently those backups are created and tested and whether the backups themselves are susceptible to being encrypted or deleted by the hacker. This will help determine the scope of the data loss at risk in the event of an attack. Similarly, a company should consider its process for restoring data from backup (or switching to backup systems) and whether that process can be simplified or made more efficient.4. Will You Make The Attack Public?It can be helpful to consider whether, or the circumstances when, your company would make public that it has been the victim of a ransomware attack. Most companies that have gone public with the fact that they were the victim of an attack appeared to do so because the attack significantly impacted their normal business operations and there was a delay in restoring those operations.If normal business operations are impacted, there is a question of how you communicate that fact to customers, vendors, business partners and the public generally. For example, if a company will pay the ransom and expects to restore operations within a relatively short time but feels that it is important to communicate to relevant third parties that certain systems are down, does the communication have to highlight the cause of the issue, or can it simply identify the impact? For example, a company could indicate that it is aware of the problem, it is working to address it and when it expects the issue to be resolved. While the nuance of an attack (e.g., the impact and duration) is incredibly important to answering this question, the answer can be equally nuanced. For example, a company may elect to alert third parties only where there is a contractual requirement to do so, keeping in mind that a ransomware attack typically does not include a data breach. Regardless, it is important for a company to consider its communication strategy in the event of an attack. Some companies may even want to take the next step and prepare standby statements that can be used if needed, for example, in response to a third party or even an employee, revealing the incident.5. Will You Contact Law Enforcement?A question companies frequently consider in the context of a ransomware attack (and cybersecurity incidents generally) is whether to contact law enforcement and, if so, which law enforcement agency. The answer will be company-specific and depend on a number of factors. Nonetheless, it is important for a company to identify and understand the reasons why it would contact law enforcement in the event of an attack. Not surprisingly, the likelihood of achieving the desired objective varies significantly based on the reason for contacting law enforcement.A company may contact law enforcement because it wants the attacker brought to justice or because it hopes that there may be technical assistance that law enforcement can provide to help the company regain control of the relevant machine (and avoid paying the ransom). While the facts are always critical, these may not be the primary reasons to contact law enforcement, because the likelihood of law enforcement catching what is likely a foreign actor may be slim; similarly, law enforcement may not have the capability to crack the encryption, and the facts may not warrant law enforcement investing resources in that effort.A company, however, may contact law enforcement for other reasons. For example, a company may contact law enforcement because, if the attack becomes public, the company can reassure customers, vendors, business partners or even regulators that it did everything possible to respond to the attack. For many types of public cybersecurity incidents, it has become standard for a company to indicate that it has notified law enforcement and is cooperating with the investigation. This also highlights the fact that the company is a victim. In some instances, a company may contact law enforcement because its cyber response policies indicate that law enforcement should be contacted or because it has become standard practice for the company in responding to cyber incidents. A company may also contact law enforcement because the company believes that “it is the right thing to do” as a good corporate citizen. Finally, a company’s cyber insurance policy may require that suspected crimes be reported to law enforcement in order to make a claim for coverage. For each of these reasons, a company may conclude that it is in its best interest to contact law enforcement, even though it believes that the criminal will not ultimately be caught.The question of which law enforcement agency to contact is heavily dependent on the facts, including the type of company impacted, the threat actor, the type of machine impacted and the nature of that impact; a detailed discussion is beyond the scope of this article. For example, if a significant ransomware attack impacts critical infrastructure or a federally regulated entity (e.g., a national bank or an airline), the company should contact federal law enforcement, such as the FBI. If a ransomware attack hits a small hardware store, however, the company should instead consider contacting local law enforcement or using online reporting through the Internet Crime Complaint Center at <a style="font-weight: inherit;font-style: inherit;" href="http://www.ic3.gov/" target="_blank" rel="noopener">www.ic3.gov</a>.Moving ForwardUnfortunately, ransomware is costing businesses hundreds of millions of dollars annually, whether in the form of payments, intrusion response or both.  By definition, you cannot prepare after an event. By asking and answering these five questions early enough, you can arrive at a risk posture that is suitable for your business. Hopefully you will never experience a problem.  However, should a ransomware incident occur, you will have increased options for managing the event and quickly getting back to business.This piece was originally shared on <a href="https://protect-us.mimecast.com/s/K2JZB7UoM3x8Fg">Corporate Compliance Insights</a> and is republished here with permission.

istock_76494821_small-300x200-1.jpg

5 Questions to Help Prepare for a Ransomware Attack

5 Questions to Help Prepare for a Ransomware Attack

The news has been filled this year with reports of ransomware attacks against companies and government agencies, including even law enforcement. Ransomware refe

Our Morrison & Foerster colleague and Socially Aware contributor Miriam Wugmeister has published a thought provoking and insightful op-ed piece in The Hill on how companies that are the targets of cyberattacks are too often treated as suspects, rather than victims, by regulators.In her op-ed, titled Stop Victim Shaming in Cyberattacks, Miriam points out that defending the American people and economy from hostile state or state-sponsored actors is critical for both economic and national security reasons. However, while our state and federal law enforcement agencies vigorously protect people from criminals and assist victims of crimes, companies that publicly disclose that they have been the victim of a cybercrime are not treated like a typical victim by federal and state regulators. Instead, they are investigated by numerous agencies, including the Federal Trade Commission, the State Attorneys General, and the Security and Exchange Commission, while often simultaneously sued by consumers, business customers, and shareholders. In the face of the onslaught of cyber threats, U.S. companies are charged with defending themselves in cyberspace or facing legal liability.

Cybercrime and Victim Shaming

Our Morrison & Foerster colleague and Socially Aware contributor Miriam Wugmeister has published a thought provoking and insightful op-ed piece in The Hill on h

Cybercrime and Victim Shaming

Facebook introduced technology that disables ad blockers used by people who visit the platform via desktop computers, but <a href="http://www.vanityfair.com/news/2016/08/facebook-adblock-plus-work-around" target="_blank" rel="noopener">Adblock Plus has already foiled the platform’s efforts</a>, at least for now.A look at Twitter’s 10-year <a href="https://www.buzzfeed.com/charliewarzel/a-honeypot-for-assholes-inside-twitters-10-year-failure-to-s?utm_term=.fx6KOMDxrL#.ytjwx67GJ4" target="_blank" rel="noopener">failure to stop harassment</a>.Are mobile apps killing the web?<a href="http://www.mediapost.com/publications/article/282274/linkedin-sues-to-shut-down-scrapers.html" target="_blank" rel="noopener">LinkedIn sues</a> to shut down “scrapers.”The FTC is planning to <a href="http://adage.com/article/digital/ftc-cracking-social-influencers-labeling-promotions/305345/" target="_blank" rel="noopener">police social media influencers’ paid endorsements more strictly</a>; hashtags like #ad may not be sufficient to avoid FTC scrutiny. <a href="http://www.ft.com/cms/s/0/d200d8c2-5fef-11e6-b38c-7b39cbb1138a.html" target="_blank" rel="noopener">Officials in the UK</a> are cracking down on paid posts, too.Dan Rather, <a href="http://www.theatlantic.com/technology/archive/2016/08/dan-rather-reporting-for-facebook/495431/" target="_blank" rel="noopener">Facebook anchorman</a>.The U.S. Olympic Committee sent letters to non-sponsoring companies <a href="http://www.espn.com/olympics/story/_/id/17120510/united-states-olympic-committee-battle-athletes-companies-sponsor-not-olympics" target="_blank" rel="noopener">warning them against posting about the games</a> on their corporate social media accounts.How IHOP keeps winning the love & affection of its 3.5 million Facebook fans.A Canadian woman whose home was designated a Pokémon Go “stop” is <a href="http://www.cbsnews.com/news/pokemon-go-canada-class-action-lawsuit-gym-home-torrington-alberta/" target="_blank" rel="noopener">suing the app’s creators</a> for trespass and nuisance. We <a href="http://www.sociallyawareblog.com/2016/07/21/pokemon/" target="_blank" rel="noopener">saw that</a> coming.There’s a website dedicated to helping Snapchat users fool their followers into thinking they’re out on the town.Facebook has been wooing premium content owners, but <a href="http://www.wsj.com/articles/tv-companies-resist-facebook-video-deals-1470823203" target="_blank" rel="noopener">TV companies are reportedly resisting</a>.PETA got a <a href="https://www.techdirt.com/articles/20160805/16593335170/primatologist-tells-court-that-macaque-monkeys-are-like-super-smart-so-they-should-totally-get-copyrights.shtml" target="_blank" rel="noopener">primatologist to submit an amicus curiae brief</a> supporting its suit alleging a monkey who took a selfie is entitled to a copyright for the image.

Social Links: Facebook’s anti-ad-blocking software; LinkedIn’s “scraper” lawsuit; FTC’s upcoming crackdown on social influencers

Facebook introduced technology that disables ad blockers used by people who visit the platform via desktop computers, but Adblock Plus has already foiled the pl

Social Links: Facebook’s anti-ad-blocking software; LinkedIn’s “scraper” lawsuit; FTC’s upcoming crackdown on social influencers

The Internet is abuzz over the Facebook algorithm change. Here are the implications for marketers and publishers and for regular users.U.S. Customs wants to start collecting the social media accounts for foreign travelers.Court: Woman fired for posting to her Facebook page that she would quit her job before doing “something stupid like bash in” her co-worker’s “brains with a baseball bat” is entitled to unemployment benefits.Does artificial intelligence have a “white guy” problem?It appears consumers have an appetite for branded emoji: Harper’s Bazaar’s emoji keyboard was downloaded 30,000 times in 24 hours.Meet YesJulz, Snapchat royalty.And here’s a list of several more impossibly popular social media celebs who you’ve likely never heard of.Seven things everyone should know about cybersecurity and social media.Do anonymity and social mix? An interesting Q&A with the founder of Secret, an anonymous social messaging platform that was valued at $100 million before it shuttered as a result of bullying.Hitting the Tarmac this holiday weekend? Here’s a list of free or cheap travel apps worth downloading.

Social Links: Implications of Facebook’s algorithm change; branded emoji; free travel apps

Social Links: Implications of Facebook’s algorithm change; branded emoji; free travel apps