May 30, 2017 Practice Points

Motions to Seal: Shut Out Social Engineers

By Jean-Marie Crahan

Cybersecurity now makes headlines every day for good reason. Company IT systems serve as repositories for a vast amount of data including sensitive personal information and company trade secrets. Technology assets consist of hardware and software critical to sustaining vital operations. Just as we all rely on our IT assets to keep the business running, we all, including litigators, must shoulder the responsibility for their protection.

Most lawyers will recognize that information about a company's general technology infrastructure, server systems, and security needs protection from public disclosure because disclosure of such information provides cyber criminals and industrial spies a roadmap to hacking company systems. Much less obvious, but just as critical in needing protection from public disclosure, is information that is not technology-related but can nevertheless be used by social engineers to hack company networks. "Social engineering" is a phrase used to describe the efforts of a person who uses a pretext to gain another person's trust when trust is otherwise unwarranted. That trust is then exploited to obtain access to computer networks where the hacker can wreak havoc.

For example, a new employee list does not automatically conjure cybersecurity concerns. This seemingly innocuous information, however, can be used by hackers to "socially engineer" a new employee into voluntarily granting access to an organization's network. Armed with a simple list of new hires, the social engineer uses the information to identify and target a new employee. The social engineer, pretending to be a member of the organization's IT department, calls the new employee requesting access to the employee's computer to set up a user account, fix a security flaw, or install a new program. Understandably, the new employee wants to appear amiable and diligent. Unfamiliar with the organization's personnel and policies, the new employee has no reason to doubt the caller and grants the requested access. Unfortunately, the new employee has just opened the door to the company's network, thereby bypassing and rendering worthless the company's investment in firewalls, anti-virus software, and encryption algorithms.

This example is but one of a myriad of ways social engineers use humans to hack companies. Bypassing technology security by having an employee voluntarily grant access is usually a faster, easier and less expensive way for hackers to achieve their goals. Litigators, therefore, need to:

  • educate themselves about these techniques;
  •  develop a holistic security-centric mindset;
  •  evaluate the potential that seemingly innocuous information, like a list of newly hired employees, made public by a court filing could be used to perpetrate such a scheme, and;
  • take steps to protect this information, when possible, from public disclosure.

In Music Group Macao Commercial Offshore Limited v. Foote, No. 14 CV 03078, 2015 WL 3993147 (N.D. Calif. June 30, 2015), the plaintiff's attorneys used a motion to seal as a tool to protect information presenting such a social engineering risk from public disclosure. The case arose out of a data breach at Music Group. Music Group sued the consultant it alleged was responsible for overseeing its information security systems. Worried that certain information necessary to the litigation would make the company vulnerable to future cyber-attacks, the plaintiff's attorneys brought a motion to seal that information. The attorneys convinced the court that an order to seal was warranted to shield from public disclosure information pertaining not only to vulnerability in the company's systems or software but also the identity of the employees who had knowledge of that vulnerability. The attorneys argued, and the court agreed, that sealing the identity of these employees was justified to protect these employees from future social engineering efforts to hack the company's systems.

Using familiar analyses, the court first found that the prevention of a social engineering attack was a compelling reason to seal certain information from the public record. It then balanced the competing interests of the public's right to know and the party's interest in keeping the information out of the public domain and found in favor of sealing the information.

Although the Music Group matter centered around a data breach, the consideration of whether the information needs protection is not limited to data breach cases. Instead, the key consideration is whether the information under scrutiny could be used by a social engineer to hack the client's systems. The cyber criminal is just as happy to find the information he needs to perpetrate a social engineering scheme in an employment discrimination case as he is in a data breach case. All litigators must keep protection of critical IT systems front of mind by asking themselves whether a hacker could use information in a court filing to hack the client. A motion to seal is one tool a litigator should consider using to address these concerns.

Jean-Marie Crahan is a partner at Gonzalez Law, LLC, in Milwaukee,Wisconsin.