Saturday, July 18, 2015

MIRLN --- 28 June - 18 July 2015 (v18.10) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


Study: Cyber risks overshadow corporate board security confidence (Networkworld, 23 June 2015) - Directors of U.S. businesses are pretty confident they can understand corporate security risks, but corporate security pros are not so sure their boards really get it, according to a survey of both board members and C-level security executives. While 70% of board members say they understand the risks, only 43% of hired corporate security professionals agree, according to a Ponemon Institute study polling 245 board members and 409 IT security pros that was sponsored by Fidelis Cybersecurity. Based on this finding the study concludes that, "more communication between the board and the IT function is sorely needed." There are other gaps between what board members think and what CIOs, CSOs and CISOs think. For example, 59% of board members say they believe their governance of cybersecurity practices is effective; only 18% of IT pros agree. In ranking that effectiveness, boards, on average, give themselves an 8.1 on a scale of 10 while the IT pros give them a 6.2, the study says. IT pros should brief their boards regularly on attacks and breaches the company has suffered, the report recommends. Doing so may actually protect companies from falling afoul of regulations and laws that oversee corporate cyber security. Asked whether their organizations suffered data breaches that resulted in lost or stolen records, 59% of board members said yes vs. 71% of security pros, which may reveal a lack of effective reporting to the boards by their hired IT pros. The gap is even larger for breaches involving the theft of intellectual property where 23% of board members thought their firm's intellectual property had been breached while 54% of IT respondents thought so.

Encryption conniption (ABA Journal, July 2015) - In 1999, ABA Formal Opinion 99-413 approved the use of unencrypted email for the transmission of confidential information with the caveat that under circumstances where the information to be communicated is highly sensitive the lawyer should forgo email, just as he would forgo making a phone call or sending a fax, and consult with the client about the best way to transmit the information. * * * The ever-developing nature of technology presents a moving target for those charged with setting ethics standards of competence and confidentiality. Changes in the form and manner of transmission of electronic communications force constant re-evaluation of the security of the exchange. Shared email accounts, shared passwords, shared computers, email accounts associated with an employer where the employee has no expectation of privacy (see, e.g., ABA Formal Opinion 11-459 (2011)), public computers, the idea of cloud computing, the prevalence of wi-fi connections at coffee shops and other public locations and the subsequent use of unsecured networks, the increase in hacking of institutions and individuals and information harvesting by government agencies such as the NSA all suggest that the expectation of privacy is open to question. The potential for unauthorized receipt of electronic data has caused some experts to revisit the topic and issue opinions suggesting that in some circumstances, encryption or other safeguards for certain email communications may be required. A discussion on recent developments in confidentiality at this year's ABA Center for Professional Responsibility's National Conference on Professional Responsibility featured one speaker who highlighted a pendulum-swinging trend among ethics committees that are revisiting the question of whether lawyers should be required to use encryption when emailing clients. As reported in the Lawyers' Manual: * * *

Americans' Internet Access: 2000-2015 (Pew Research Center, 26 June 2015) - The Pew Research Center's unit studying the internet and society began systematically measuring internet adoption among Americans in 2000. Since then, Pew Research has conducted 97 national surveys of adults that have documented how the internet has become an integral part of everyday life across diverse parts of society. A new analysis of 15 years' worth of data highlights several key trends: For some groups, especially young adults, those with high levels of education, and those in more affluent households, internet penetration is at full saturation levels. For other groups, such as older adults, those with less educational attainment, and those living in lower-income households, adoption has historically been lower but rising steadily, especially in recent years. At the same time, digital gaps still persist. In this report, we cover some of the major demographic trends that lie beneath the topline adoption numbers and highlight: * * * [Polley: Pretty interesting top-level stuff - e.g., I was impressed to see that seniors are up to 58% internet penetration, from 14% in 2000.]

New case highlights deep hole in cyber insurance policies (Farella Braun, 29 June 2015) - Insurance policies covering data breach liability began appearing roughly ten years ago. We noted then a troublesome provision in some forms that seemed to exclude coverage for the insured's failure to maintain data security - in other words, the very risk the insured was seeking to insure. We'll call it the "Mistake Exclusion." One AIG form from 2006, for example, excluded coverage arising out of "your failure to take reasonable steps to use, design, maintain and upgrade your security." A 2009 Darwin form excluded coverage for any claim arising out of "any failure of an Insured to continuously implement the procedures and risk controls identified in the Application for this insurance." But isn't liability insurance supposed to do just that - protect against the insured's mistakes, innocent or negligent? We hoped and expected that as the market for these policies matured, savvy brokers and risk managers would insist that these Mistake Exclusions be removed or substantially narrowed. But that has not happened. We now have the first case we are aware of by an insurer seeking to enforce a Mistake Exclusion. In Columbia Casualty Company v. Cottage Health Systems, filed May 7, 2015 in the U.S. District Court in Los Angeles, Columbia seeks to enforce an exclusion barring coverage for a data breach claim arising out of any "failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing." * * * Columbia's and other insurers' Mistake Exclusions underscore just how immature the cyber insurance market still is. They reflect insurers' lack of confidence in their ability to underwrite cyber risks, motivating them to try to shift that very risk back onto their insured. A similar dynamic took place in the nascent market for technology errors and omissions policies. Eventually, though, insurers realized that they could rely on their insureds' own competitive need for quality control and claim mitigation procedures to control the risk of claims for defective products. The same is now becoming true regarding cyber security.

Feds: App secretly hijacked phones to mine digital money (Nextgov, 29 June 2015) - A smartphone app secretly hijacked its users' devices to mine for digital currencies for its developer, federal and state regulators alleged Monday. The process drained batteries and used up mobile data, potentially causing users to incur fees by going over their monthly data limits, the Federal Trade Commission and the New Jersey Attorney General's office said. The "Prized" app advertised that consumers could earn points playing games that they could then use on rewards, such as clothes or gift cards. The company also promised it was free from any malware or viruses, according to the government's complaint. But instead, the app took control of the user's computing power to secretly mine for virtual currencies, including DogeCoin, LiteCoin, and QuarkCoin, the regulators said. The government's complaint doesn't mention Bitcoin, the most popular virtual currency.

Second Circuit grants rehearing in Ganias computer search and seizure case (Orin Kerr, 29 June 2015) - Big news in the field of computer search and seizure today: The Second Circuit has granted rehearing in the full case of United States v. Ganias, the blockbuster case from last year on access to overseized files. I blogged about Ganias here and here when it came down, and I have been finishing up an article draft - which I was planning to post on SSRN later in the week - that focuses extensively on how courts should interpret and build on Ganias. Time to rewrite the draft, as the entire case will now go before the en banc court for a September argument.

Notably, the DOJ's petition for rehearing in the case was limited to the remedy question of whether the exclusionary rule applied. In contrast, the Second Circuit granted rehearing on the whole case - 4th Amendment violation and remedy.

Survey finds [only] 66 percent of Netflix subscribers using pay TV (Telecompetitor, 1 July 2015) - Greater numbers of Netflix subscribers are "cutting the cord" on pay-TV providers. Surveying 829 Netflix subscribers, Cut Cable Today found that two-thirds maintain pay-TV service subscriptions - cable or satellite. But nearly one in 10 of those (9 percent) said they intend to cancel their pay-TV subscriptions sometime over the next year. Furthermore, 16 percent said they are unsure if they will keep their pay-TV subscriptions.

Crowdsourcing legal research website adds writing tool that 'could be a game-changer' (ABA Journal, 2 July 2015) - The free legal research website Casetext, which uses crowdsourcing to annotate cases, has launched a new writing tool that publishes lawyers' articles and links them to cases they cite. The new LegalPad application "could be a game-changer in how lawyers publish and share articles about the law," according to LawSites by Robert Ambrogi. Users can write articles that are shared with like-minded Casetext community groups based on practice areas and interests. There are links to cases discussed in the articles, and the cases will in turn link to articles. Casetext founder Jake Heller tells LawSites that his goal is for Casetext to become a place to build legal commentary as well as a tool for legal research. A Casetext press release points out that lawyers who publish articles on the website can build reputations in their specialty areas. LegalPad also serves as a legal writing tool. When an article writer types in a case name, it is supplied in correct Bluebook form with a hyperlink to the case. A writer can select text from the case, and it will be inserted in the article. Writers will be able to choose the Casetext communities where their articles will appear. LegalTech News, the Legal Insider and Inside Counsel also have stories on LegalPad. "Legal writing is exceptionally hard. You feel constantly buried in dozens of sources, trying to keep quotes and citations straight," Heller said in the press release. "We crafted technology to help writers focus on what matters most: developing their message."

- and -

Striking a blow against legalese: Adobe's legal department open sources its plain-English style guide (Robert Ambrogi, 15 July 2015) - Adobe's legal department is striking a blow against legalese today. It is releasing to the legal community at large the style guide it developed to help its own in-house staff write legal documents in plain English and avoid legalese. Adobe is releasing The Adobe Legal Department Style Guide (embedded below) under a Creative Commons Attribution-NonCommercial-Share Alike 4.0 International License so that others in the legal industry can use and adapt it for their own legal departments and law firms. "We want to release this under a Creative Commons attribution and let others take our work product and make it their own in the hope that as a profession we'll change the way we communicate," Michael Dillon, Adobe's senior vice president, general counsel and corporate secretary, told me in an interview last week. "When you write a blog, you write to be engaging and accessible, but we don't write our legal documents that way," said Dillon, who was one of the first GCs in the U.S. to have his own blog and who still writes both for his personal blog and an Adobe blog. "So we've tried to rethink the way we're writing everything." To accomplish this, Dillon assembled a global team of a half-dozen "very passionate people" within his legal department. He also brought in outside experts such as Bryan Garner, often considered the leading authority on clear and effective legal writing. The result, not surprisingly, is a succinct, accessible guide of just 30 pages - a sort of Strunk and White for the legal profession. It is a guide not only to language but also to layout, with a section detailing basic design principles to enhance the readability of documents such as contracts.

Sony data breach suit to proceed (Steptoe, 2 July 2015) - The U.S. District Court for the Central District of California ruled, in Corona v. Sony Pictures Entertainment, Inc., that former Sony employees may proceed with their negligence and other claims against the company for failing to prevent the theft of their financial, medical, and other personal information. The theft was part of a cyberattack by North Korea on Sony's databases and the release of embarrassing emails from Sony executives and other information on the Internet. Bucking the trend in similar data breach cases, the court found that the threat of future harm resulting from the theft was sufficient to meet the "certainly impending" harm standard established by the Supreme Court in Clapper v. Amnesty International USA. The court also held that costs incurred by the plaintiffs to protect against identity theft constituted cognizable injury sufficient to state a negligence claim. And it held that the "economic loss" doctrine did not bar the suit because plaintiffs had adequately alleged a "special relationship" with Sony based in part on the foreseeability of the breach in light of Sony's past data breaches and its alleged failure to take adequate preventative steps.

FTC releases new data security guide: 50 mistakes to avoid in 10 lessons (Cooley, 2 July 2015) - The Federal Trade Commission (FTC) has brought over 50 cases against companies that put consumer data at unreasonable risk. On June 30, 2015, the FTC released a guide titled Start with Security that summarizes 10 lessons the FTC has culled over the course of these cases. These lessons can help your business protect consumer data, confidential data, and other proprietary information (together "sensitive information"). These lessons can also help you avoid FTC investigation. Data breaches and other consumer information issues are serious public relations problems, and the FTC has enforcement authority that includes the ability to obtain civil penalties for violations of FTC orders. This alert first explains the general principles underlying the lessons. Then, it lists the 10 lessons, explains them, and points you to additional resources the FTC has made available. Finally, it provides information about ways to follow up if you still have questions or concerns. * * *

CCBE wins case against the Dutch State on surveillance of lawyers (Global Legal Post, 3 July 2015) - The District Court of The Hague has ruled that surveillance of lawyers by intelligence agencies constitutes an infringement of fundamental rights and orders the State to stop all surveillance of lawyers' communications. The Court was questioned on the legality of eavesdropping on lawyers' calls and communications by domestic intelligence agencies in a challenge brought against the Dutch State by the law firm Prakken d'Oliveira, the Dutch Association of Criminal Defence Lawyers (NVSA), and the Council of Bars and Law Societies of Europe (CCBE). In its verdict, the Court recognised that the ability to communicate confidentially with a lawyer is a fundamental right which is currently being breached by Dutch surveillance policy. The Court ordered the Dutch government to stop all interception of communications between clients and their lawyers under the current regime within six months. The Dutch State has six months to adjust the policy of its security agencies regarding the surveillance of lawyers and ensure that an independent body exercises effective prior control in order to prevent or stop tapping of lawyer-client conversations. Under the existing policy, only a government minister may give the authorisation to conduct surveillance, while monitoring by a Supervisory Committee (CTIVD) only takes place after the fact. This is judged insufficient by the court.

Think your firm is HIPAA-compliant? Steps to make sure (Attorney at Work, 6 July 2015) - If any of your clients are involved with health care, you know how highly regulated the field is. You may think you are complying with all the regulations and have lock-tight security measures in place at your firm. But you could be wrong. When you work with PHI, you need to keep your firm steps ahead of hackers and away from accidental data breaches - and be aware of your responsibilities. As a law firm "business associate" handling PHI, you need to understand what the government expects of you, and where you may be vulnerable. Security for PHI is governed under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Omnibus Rule and the Health Information Technology for Economic and Clinical Health Act (HITECH). Under these rules, "covered entities" such as health plans, health care clearinghouses and medical providers can share PHI with their business associates, including law firms. If your firm receives any personal health information from a client who is a covered entity, you become a business associate. When that happens, you need to execute a business associate agreement (BAA) that guarantees your firm will keep the information safe and only use it for the purposes for which you were engaged. BAAs carry very high expectations and severe penalties for failure to comply. * * *

'Hackers' give orders to German missile battery (The Local, 7 July 2015) - German-owned Patriot missiles stationed in Turkey were briefly taken over by hackers, according to media reports on Tuesday. The attack took place on anti-aircraft 'Patriot' missiles on the Syrian border. The American-made weapons had been stationed there by the Bundeswehr (German army) to protect Nato ally Turkey. According to the civil service magazine, the missile system carried out "unexplained" orders. It was not immediately clear when these orders were carried out and what they were.

- and -

Software bug prompts Range Rover recall (BBC, 13 July 2015) - Land Rover is recalling more than 65,000 cars to fix a software bug that can "unlatch" the vehicles' doors. Drivers would get no dashboard warning that the doors of their car had been unlocked, the firm said. Land Rover said the recall was not related to widely-reported problems with keyless ignition and locking systems on some luxury cars that had made them favourites with car thieves. Last year car thieves were found to be targeting some models of Range Rovers and BMW X5s because they found it easy to unlock the vehicles. It is believed that a handheld "black box" was being used by some gangs to unlock and start cars that had keyless ignition systems. Some newspapers reported that insurers were unwilling to extend cover to Range Rover owners unless they could park in secure, off-street car parks. Other insurance firms insisted on the use of tracking systems that could help find a car if it was stolen. "It's been known for over a year that keyless entry and ignition systems possess certain vulnerabilities," said a spokesman for Thatcham Research which gathers data on car crime.

Lawyer is disbarred for 'social media blitz' intended to influence custody case and top state court (ABA Journal, 8 July 2015) - A divided Louisiana Supreme Court has disbarred a lawyer who used Twitter and an online petition to urge readers to contact two judges she accused of being unwilling to consider the evidence in two custody cases involving allegations of child sexual abuse. The supreme court disbarred 52-year-old lawyer Joyce Nanine McCool in a June 30 opinion (PDF), noted by the Legal Profession Blog. A hearing board and the disciplinary board had recommended a suspension of a year and a day, but the four-justice majority on the state supreme court said disbarment was warranted. Three dissenters would have imposed lesser discipline. The majority opinion said McCool displayed an "utter lack of remorse" and a "defiant attitude" by asserting her actions had First Amendment protection. According to the court, McCool's social media postings contained many "false, misleading and inflammatory statements" about the way two judges were handling the cases. Among the untrue statements were assertions that judges had refused to admit audio recordings of children talking about alleged abuse, although the recordings were not offered into evidence at that time. The court also said McCool had solicited others to make ex parte contact with the judges, and with the state supreme court, to express their feelings about the cases, which were sealed domestic proceedings.

Hackers of Apple, Facebook seen as independent group seeking money (NYT, 8 July 2015) - A hacking group best known for breaking into top-tier technology companies Apple Inc, Facebook Inc and Twitter Inc more than two years ago is now believed to be one of a handful of highly skilled independent gangs pursuing corporate secrets for profit. According to new research from the largest U.S. security software vendor, Symantec Corp, the group appears to be among the few that display significant talent without backing from a national government. The group stays below the radar with a small number of carefully targeted attacks. "They are very focused, wanting everything valuable from the top companies of the world," said Vikram Thakur, a Symantec senior manager. "The only way they could use it, in our opinion, is through some financial market or by selling it." Thakur said Symantec and other security companies such as FireEye Inc were tracking less than a half dozen such groups, including one called FIN4. FIN4 has less technical skill but uses knowledge of the investment banking world and strong social engineering, or trickery, to harvest email credentials and discover material financial information. The U.S. Securities and Exchange Commission is investigating some FIN4 breaches at large, publicly traded companies. Symantec said its group, which it calls Morpho, dropped out of sight for months after press accounts of the Silicon Valley breaches in early 2013 shone a light on their techniques, which included use of a previously unknown "zero-day" flaw in Oracle's Java platform. In a paper being released Wednesday, Symantec said Morpho came back from its absence to breach a small number of additional technology companies. It has also gone after the pharmaceutical industry and airlines, typically hitting multiple competitors in a sector and infecting a very few machines, usually in the research departments. Morpho has breached about 49 organizations that Symantec knows about since 2012, with the number penetrated each year rising to 14 by 2015.

- and -

Symantec report suggests hackers' motives are blurring (NYT, 8 July 2015) - A group of financially motivated hackers has been infiltrating major corporations and stealing valuable intellectual property, a sign that the motives and techniques of different types of online criminals are starting to blur, researchers at a computer security company will announce in a report on Wednesday. Typically, criminal hackers steal passwords and personal data from companies with poor security so that they can break into more valuable sites, or simply sell those passwords and Social Security numbers on the black market. But the report, by Symantec, the computer security company, suggests that a group it calls Morpho is after intellectual property, possibly to sell it to competitors or nation states. Symantec said the group had attacked multibillion-dollar companies in the Internet, software, pharmaceutical, legal and commodities fields. * * * Researchers found evidence that the group's hackers did careful reconnaissance before grabbing valuable trade secrets. In some cases, the researchers had indications that they had succeeded in intercepting company emails, and business databases containing legal and policy documents, financial records, product descriptions and training documents. In one case, researchers found that the group managed to compromise a physical security system that monitors employee and visitor movements around some corporate buildings. [Polley: the emphasis is mine. A related story is more precise: "one of [Morpho's] latest attacks took place in June 2015 in the Central Asian offices of a global law firm."]

FFIEC releases cybersecurity assessment tool (Steptoe, 16 July 2015) - The Federal Financial Institutions Examination Council has released a Cybersecurity Assessment Tool to help financial institutions identify cybersecurity risks and evaluate their preparedness to address them. The Assessment is designed to inform and enhance financial institutions' risk management strategies, and will be updated as financial institutions' vulnerabilities and cyber threats evolve over time. Along with the Assessment Tool itself, the FFIEC released a companion "Overview for Chief Executive Officers and Boards of Directors" and explanatory guides to ease the process of using the Tool. Institutions will be able to provide comments on the Assessment Tool after a notice is published in the Federal Register. [Polley: FFIEC's tool is here.]

CRS report - The Dark Web (BeSpacific, 16 July 2015) - Dark Web, Kristin Finklea, Specialist in Domestic Security. July 7, 2015: "The layers of the Internet go far beyond the surface content that many can easily access in their daily searches. The other content is that of the Deep Web, content that has not been indexed by traditional search engines such as Google. The furthest corners of the Deep Web, segments known as the Dark Web, contain content that has been intentionally concealed. The Dark Web may be used for legitimate purposes as well as to conceal criminal or otherwise malicious activities. It is the exploitation of the Dark Web for illegal practices that has garnered the interest of officials and policy makers. Individuals can access the Dark Web by using special software such as Tor (short for The Onion Router). Tor relies upon a network of volunteer computers to route users' web traffic through a series of other users' computers such that the traffic cannot be traced to the original user. Some developers have created tools, such as Tor2web, that may allow individuals access to Tor-hosted content without downloading and installing the Tor software, though accessing the Dark Web through these means does not anonymize activity. Once on the Dark Web, users often navigate it through directories such as the "Hidden Wiki," which organizes sites by category, similar to Wikipedia. Individuals can also search the Dark Web with search engines, which may be broad, searching across the Deep Web, or more specific, searching for contraband like illicit drugs, guns, or counterfeit money. While on the Dark Web, individuals may communicate through means such as secure email, web chats, or personal messaging hosted on Tor. Though tools such as Tor aim to anonymize content and activity, researchers and security experts are constantly developing means by which certain hidden services or individuals could be identified or deanonymized."

The Washington Post tests new 'Knowledge Map' feature (WaPo, 16 July 2015) - Today, The Post began testing a new feature called Knowledge Map, which can be seen in "Why the Islamic State leaves tech companies torn between free speech and security" . Knowledge Map gives readers an easier way to catch up on ongoing stories by quickly and seamlessly providing relevant background, additional information or answers to frequently asked questions, when the reader wants it. As readers will see in today's story, Knowledge Map appears as a series of highlighted links embedded throughout the body of the article. When clicked or tapped, these links instantly surface more information. This additional content offers background and contextual information, as well as related links to other Post content on that subject, allowing users to get up to speed quickly, or dive deeper into a subject. "We're excited to see how readers react to Knowledge Map," said Dr. Sam Han (PhD), Engineering Director for Data Science at The Post. "This iteration sets us up to use data mining techniques to identify and surface contextual content for our readers. We are also working on parallel applications to drive engagement with our native advertising content. Our ultimate goal is to mine big data to surface highly personalized and contextual data for both journalistic and native content. We continue to push the technical boundaries of applied Data Science at The Washington Post."

NOTED PODCASTS/MOOCS

Technology in International Arbitration (11 June 2015; 46 minutes) - This multi-location conference - the first of its kind - will examine the feasibility of virtual, or remote, arbitration proceedings, where arbitrators, counsel and witnesses are in far-flung locations. The program will begin with a mock cross-examination before an arbitral tribunal, with arbitrators, counsel and witness spread across 13 time zones. It will continue with a panel discussion, again with participants in several different locations, on the technological, practical, and ethical considerations involved in conducting remote arbitrations. Among the issues to be tested and discussed are: * * * For both younger arbitration practitioners and "old hands," this conference will highlight some of the key issues that will likely confront arbitration's stakeholders over the next decades. Attendees (wherever they are) will come away with a substantially greater appreciation for the particulars involved in remote arbitration, the technologies available to them, and the suppliers of that technology. This will also be an historic opportunity to participate in the first multi-location arbitration conference ever. Faculty list is here. Videos are here and here.

Internet Giants: The Law and Economics of Media Platforms (Coursera, taught by Randy Picker at Chicago; July 2015) - This will be offered as an On-Demand Course beginning July 13, 2015: This seven-week course will explore the relationship between law and technology with a strong focus on the law of the United States with some comparisons to laws around the world, especially in Europe. Tech progress is an important source of economic growth and raises broader questions about the human condition, including how culture evolves and who controls that evolution. Technology also matters in countless other ways as it often establishes the framework in which governments interact with their citizens, both in allowing speech and blocking it and in establishing exactly what the boundaries are between private life and the government. And technology itself is powerfully shaped by the laws that apply in areas as diverse as copyright, antitrust, patents, privacy, speech law and the regulation of networks. You can see the course syllabus at https://www.coursera.org/course/internetgiants and play the trailer there. The MOOC is free and includes 20 hours of video. One of the virtues of Coursera's new on-demand approach is that people can jump in and just engage with what they want to. [Polley: Spotted by MIRLN reader Ross Blair]

RESOURCES

The Fair Use App - An Interactive Guide for Filmmakers and Video Creators (New Media Rights, 16 July 2015) - This guide is intended to help you navigate fair use. The guide will walk you through some of the questions you should ask yourself about your video project if you intend to reuse existing content such as images, audio, or video. However, this guide will not be able to give you a simple yes or no answer. Instead, the guide is intended to help you analyze fair use questions; learn what questions to ask; and how to identify possible problems. If you have any specific questions, we encourage you to contact New Media Rights or get specific legal advice from a lawyer.

The Law and Ethics of Experiments on Social Media Users (TAP by James Grimmelmann, 20 May 2015) - I have a new paper out in the Colorado Technology Law Journal, The Law and Ethics of Experiments on Social Media Users. It's the scholarly version of my work from last summer on the Facebook and OkCupid experiments. The basic argument should be familiar: running scientific experiments on users without their consent or institutional oversight raises serious ethical and legal concerns. But, thanks to the CTLJ and Paul Ohm's December conference at the University of Colorado, When Companies Study Their Customers, I have taken the opportunity to revise and extend my remarks. It's long for a symposium essay - 23,000 words - and I hope that it can also serve as a reference on last summer's controversy.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

SUN sets open-source course for Solaris - software giant changing to keep up with competition (San Francisco Chronicle, 26 Jan 2005) -- Sun Microsystems said Tuesday that its Solaris 10 operating system would soon be available on an open-source basis, a move the company hopes will help counter the perception that its technology is too proprietary and pricier than the competition. The decision means the software will be free and that programmers outside Sun will be able to customize and improve it. John Loiacono, executive vice president of software at Sun, said the decision to offer a free version of Solaris is intended to help Sun expand the market for its other programs and its servers. "The more people use Solaris, the more opportunities we have to sell other technologies," he said. Sun chief executive Scott McNealy said the company's technology had never been as closed as its competitors had tried to portray. Still, McNealy said, with many government agencies and corporations demanding open-source alternatives, the company felt it had to open up even further to compete.

Texas bill would benefit graduates of online law schools (Chronicle of Higher Education, 11 March 2005) -- A bill working its way through the Texas legislature could give graduates of online law schools more opportunities to practice law. The American Bar Association (ABA) has so far refused to accredit online law schools, saying that they do not train students adequately to practice law. Although the ABA continues to refuse accreditation to online law schools, the organization does accredit institutions that offer some courses online. Currently in Texas, a graduate of an online law school can only take the state's bar exam if he or she has practiced law in another state for at least five years. The proposed law would allow online graduates to take the Texas bar exam if they simply had passed the bar in another state. A small number of other states have similar statutes. California is currently the only state that allows individuals to take the bar exam without having passed another state's bar exam. The bill was prompted by the situation of Julie Drenner, daughter of a state legislator, who graduated from Oak Brook College of Law and Government in California, passed that state's bar exam, and now wants to practice law in Texas. (sub. req'd)

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, June 27, 2015

MIRLN --- 7-27 June 2015 (v18.09)

MIRLN --- 7-27 June 2015 (v18.09) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

NEWS | PODCASTS | RESOURCES | FUN | LOOKING BACK | NOTES

Lawyers may need to encrypt e-mail in especially risky or sensitive scenarios (Bloomberg, 20 May 2015) - Attorneys who handle divorce, employment and criminal defense matters may in some circumstances have a duty "to consider whether it is prudent to use encrypted email" to communicate with clients, the Texas bar's ethics committee concluded in April. The opinion addresses an issue that many experts have urged bar authorities to look at anew: whether technological changes and escalating concerns over computer hacking have made it necessary to revisit existing guidance on using e-mail to communicate with clients. "Having read reports about email accounts being hacked and the National Security Agency obtaining email communications without a search warrant, [inquiring] lawyers are concerned about whether it is proper for them to continue using email to communicate confidential information," the opinion states. The panel said that although it "has not addressed the propriety of communicating confidential information by email, many other ethics committees have [concluded that] except in special circumstances, the use of email, including unencrypted email, is a proper method of communicating confidential information." * * *

Protecting directors and officers from derivative liability arising from data breaches (Proskauer, 1 June 2015) - With data breaches affecting companies across virtually every industry, cyber security has remained front page news. Lawsuits brought by aggrieved consumers and financial institutions against companies that have suffered data breaches are not uncommon. Increasingly, companies are also being subjected to shareholder derivative suits against directors and officers alleging breach of fiduciary duty relating to a data breach. As a result, corporate boards should expect closer scrutiny of their actions regarding cybersecurity and data breaches. A proactive approach to risk management and insurance coverage may make the difference in minimizing exposure. * * * With data breaches showing no signs of slowing down, the attendant litigation can also be expected to continue. Following the data breach suffered by Target, a 2014 shareholder derivative action was filed against the company's board for failing to adequately attend to its cybersecurity. The lawsuit against Target alleges that the board's conduct caused the data breach, and challenges the board's subsequent containment, disclosure and analysis. In addition to the derivative action, a prominent proxy adviser also called for the ouster of Target's directors due to their perceived "failure…to ensure appropriate management of [the] risks" of Target's December 2013 cyber-attack (reported by the Wall Street Journal). As the available precedent confirms, perfect data security is not the standard. Instead, courts will look to verify that boards are taking steps to understand and protect against this very real threat. However, there are practical steps that companies can take, including: * * *

Russian billboard advertising contraband hides when it recognises cops (Naked Security, 1 June 2015) - Moscow's Don Giulio Salumeria promises "small islands of warm and sunny Italy," offering authentic Italian prosciutto, ricotta, mozzarella and tiramisu for sale in the cold lands of Russia. Fat lot of good any of it will do Muscovites, given that Russia has banned food imports from the European Union and the US. It's not that Don Giulio can't figure out how to import it, but the shop sure can't advertise those delicious imported foods. So what's a well-stocked salumeria to do? Pay an ad company to rig billboards with facial recognition that's been tweaked to spot the official symbols and logos on the uniforms worn by Russian police, that's what. As Adweek reports, an ad agency called The 23 created an outdoor ad that could apparently spot police uniforms. As police approached the ad, as you can see in this YouTube video, the billboard would switch from advertising a nice, fat wedge of Don Giulio Salumeria's imported cheese, rolling over instead to an ad for a nice, completely non-contraband Matryoshka doll shop. An ad that hides itself from the law is a clever stunt, albeit not too effective, as you can see from the police in the video, who had time to spot the ad for imported food before it scurried behind Matryoshka dolls. But what's more interesting than the effectiveness of this particular ad is the idea that billboards can use facial recognition to this degree as they tailor offerings. Gizmodo suggested that it's not much of a leap to imagine having your jacket's sports team logo recognized as you wait at the bus stop, so you can be target-marketed for your team's next big game...or to have your car make and model recognised and your daily commute crunched so that the ad makers could pitch getaway vacations at you...or how about a beverage vending machine that takes photos of people nearby, superimposes wigs on their heads and exhorts them to buy a drink, or even guesses those people's names and genders - the better to target-market at them.

Does a data breach cost an average of 58 cents a record -- or $154? (Network World, 5 June 2015) - Does a data breach cost an average of 58 cents a record -- or $154? That's a significant difference for companies preparing incident response plans, as well as for insurance companies, regulators, auditors and others looking to ensure that companies are adequately prepared or covered for such an event. Ponemon Institute's $154 number is based on an analysis of 350 companies that suffered breaches in 2014, and uses an analytical model based on the real costs of a breach that the company has been refining for a decade. Verizon's 58 cents calculation is based on 191 insurance claims filed in 2014, and this is the first year that Verizon has run these numbers. In addition to different data sources, Ponemon also includes indirect costs, while Verizon's does not. But Verizon's estimate seems unreasonably low, said Caleb Barlow, vice president at IBM Security. IBM sponsored this year's Ponemon report. At a minimum, a company with a data breach has to send out letters notifying customers that they were breached and pay for credit monitoring, he said. "Normally, Verizon does some great work," he said, "But we had to discount this because 58 cents doesn't even cover the cost of the postage and printing the letter." Companies usually don't have enough insurance coverage to cover the total cost of a breach, said Larry Ponemon, chairman and founder of the Ponemon Institute, and the insurance doesn't cover indirect costs or loss of business. For example, he said, Target's latest breach is estimated to cost the company over $1 billion, but it was only insured for $100 million. In general, he said, companies buy enough insurance to cover 50 percent of the value of their fixed assets -- but only 12 percent of the value of their digital assets, according to a study released last month by Ponemon and sponsored by Aon Plc, a global insurance brokerage.

The data that's collected from you when you're routed to a call center (Quartz, 5 June 2015) - "This call may be recorded for quality and training purposes." It's a familiar phrase, and one that people likely don't even notice anymore when they phone a call center. But companies are listening carefully to these recordings, trying to glean insights that can help them run their businesses more effectively. Sifting through hours upon hours of audio recordings is a laborious task. One company that helps automate the process is Santa Barbara, California-based Invoca. With its technology, the marketing firm has analyzed more than 100 million calls since 2008 and provides its clients with a trove of data. One of Invoca's clients, an unnamed satellite TV company, listens carefully for certain keywords. When someone calls in and mentions "sports package," for example, the company makes a note in the customer's file and tailors its marketing for that person accordingly. "Because it's said in a call, it's a huge buying signal you can capitalize on," says Christensen. Prospective customers who pick up the phone generally have higher purchasing intent. According to the company's data, 30% to 50% of phone calls lead to sales, compared with 2% for online leads. When sales reps lose a deal, they usually just chalk it up to the price and move on. "You never get insight into why people aren't buying," he says. But by scanning audio recordings, companies can track how often a competitor is mentioned in calls, and amend their strategies accordingly. Christensen says some companies are using Invoca to listen for specific keywords, such as confirmation number or email receipt, mentioned by the caller. The system can then tie in purchasing data, so customer service representatives don't have to wait for other departments to pull this information for them.

HackerOne connects hackers with companies, and hopes for a win-win (NYT, 7 June 2015) - In 2011, two Dutch hackers in their early 20s made a target list of 100 high-tech companies they would try to hack. Soon, they had found security vulnerabilities in Facebook, Google, Apple, Microsoft, Twitter and 95 other companies' systems. They called their list the Hack 100. When they alerted executives of those companies, about a third ignored them. Another third thanked them, curtly, but never fixed the flaws, while the rest raced to solve their issues. Thankfully for the young hackers, no one called the police. Now the duo, Michiel Prins and Jobert Abma, are among the four co-founders of a San Francisco tech start-up that aims to become a mediator between companies with cybersecurity issues and hackers like them who are looking to solve problems rather than cause them. They hope their outfit, called HackerOne, can persuade other hackers to responsibly report security flaws, rather than exploit them, and connect those "white hats" with companies willing to pay a bounty for their finds. In the last year, the start-up has persuaded some of the biggest names in tech - including Yahoo, Square and Twitter - and companies you might never expect, like banks and oil companies, to work with their service. They have also convinced venture capitalists that, with billions more devices moving online and flaws inevitable in each, HackerOne has the potential to be very lucrative. HackerOne gets a 20 percent commission on top of each bounty paid through its service.

Hacker can send fatal dose to hospital drug pumps (Wired, 8 June 2015) - When security researcher Billy Rios reported earlier this year that he'd found vulnerabilities in a popular drug infusion pump that would allow a hacker to raise the dosage limit on medication delivered to patients, there was little cause for concern. Altering the allowable limits of a particular drug simply meant that if a caregiver accidentally instructed the pump to give too high or too low a dosage, the pump wouldn't issue an alert. This seemed much less alarming than if the pumps had vulnerabilities that would allow a hacker to actually alter the dosage itself. Now Rios says he's found the more serious vulnerabilities in several models of pumps made by the same manufacturer, which would allow a hacker to surreptitiously and remotely change the amount of drugs administered to a patient. The vulnerabilities are known to affect at least five models of drug infusion pumps made by Hospira, an Illinois firm with more than 400,000 intravenous drug pumps installed in hospitals around the world.

US Justice Department selects Box for file sharing (Robert Ambrogi, 8 June 2015) - When it comes to identifying a group of lawyers who are particularly fussy about file security, it is hard to imagine a better example than the U.S. Department of Justice. These, after all, are the lawyers who handle the nation's most sensitive criminal and civil matters. For that reason, it is notable that the DOJ has awarded a contract to Box to serve as its platform for file sharing and information management, according to a recent announcement by Box. Box also received a DOJ authority to operate, which is essentially an IT certification of the security of a cloud-based product.

Surveillance Law and Surveillance Studies (Bruce Schneier, 8 June 2015) - Interesting paper by Julie Cohen: Abstract: The dialogue between law and Surveillance Studies has been complicated by a mutual misrecognition that is both theoretical and temperamental. Legal scholars are inclined to consider surveillance simply as the (potential) subject of regulation, while scholarship in Surveillance Studies often seems not to grapple with the ways in which legal processes and doctrines are sites of contestation over both the modalities and the limits of surveillance. Put differently, Surveillance Studies takes notice of what law does not -- the relationship between surveillance and social shaping -- but glosses over what legal scholarship rightly recognizes as essential -- the processes of definition and compromise that regulators and other interested parties must navigate, and the ways that legal doctrines and constructs shape those processes. This article explores the fault lines between law and Surveillance Studies and considers the potential for more productive confrontation and dialogue in ways that leverage the strengths of each tradition.

22 years after Verizon fiber promise, millions have only DSL or wireless (Ars Technica, 9 June 2015) - A 22-year-old Verizon promise to bring fiber Internet or "comparable technology" to its entire service area in Pennsylvania has instead left more than two million homes with nothing but slower DSL or wireless service. In 1993, Verizon predecessor Bell signed an agreement with state regulators in which it committed "to deploy the technologies necessary to provide universal broadband availability in 2015. In order to meet this commitment, Bell plans to deploy a broadband network using fiber optics or other comparable technology that is capable of supporting services requiring bandwidth of at least 45 megabits per second or its equivalent." In exchange, Verizon was allowed to charge higher phone rates. (More specifically, the company was freed from the restrictions of rate-of-return regulation.) But today, at least 2.1 million Pennsylvania households in Verizon's phone territory do not have access to the company's fiber network. "The fiber network is available to approximately 2.1 million premises (which includes residential and business). The vast majority of the remaining households have either DSL or wireless LTE broadband options available to them," a Verizon spokesperson told Ars this week. [see also, NYC possible lawsuit: Verizon ordered to finish fiber build that it promised but didn't deliver (Ars Technica, 18 June 2015)]

House passes extension of Internet tax ban (The Hill, 9 June 2015) - The House on Tuesday passed a bill that would permanently extend a ban on state and local taxes on Internet access. Lawmakers approved the legislation on a voice vote, which would also ban discriminatory taxes on e-commerce. The ban, first passed in 1998, has required a series of extensions over nearly two decades. But Tuesday's proposal would put the law in place for the long term, removing any sunset date. The long-term extension is largely noncontroversial. The House bill sponsored by Judiciary Committee Chairman Bob Goodlatte (R-Va.) had 188 co-sponsors, and 50 senators are backing a similar bill in the Senate. The House easily passed the proposal last Congress, but it stalled in the Senate after some members attempted to tie the measure to a more controversial online sales tax bill, which would give states the power to collect a sales tax from businesses that don't have a physical presence in their boundaries. [Polley: normally I don't post about pending legislation, but was impressed by this bill's permanent extension of the tax ban.]

One of the biggest security firms in the world admits it was hacked (Business Insider, 10 June 2015) - Russia-based Kaspersky Lab, one of the biggest and most well-known cybersecurity research firms in the world, has admitted to being hacked. In a blog post published earlier today, Kaspersky Lab CEO and founder Eugene Kaspersky wrote, "We discovered an advanced attack on our own internal networks. It was complex, stealthy, it exploited several zero-day vulnerabilities, and we're quite confident that there's a nation state behind it."

Airbus transport crash caused by "wipe" of critical engine control data (Ars Technica, 10 June 2015) - Airbus had already revealed that the fatal crash of an Airbus A400M military transport was caused by what was described as a "quality issue in the final assembly" of the electronic control units (ECU), a fault in software configuration that led to a loss of control of the aircraft and resulted in the death of four crew members. Reuters reported additional details today provided by individuals familiar with the investigation into the crash, stating that a critical part of the configuration data in three of the aircraft's four ECUs, a file storing torque calibration parameters for each engine, was somehow "accidentally wiped" when the software was being installed. As a result, three of the aircraft's engines automatically shut down in flight. Citing a safety document shown to Reuters, Tim Hepher reported that the pilot of the A400M would not have gotten an alert about the missing data until the aircraft was already at an altitude of 400 feet. No cockpit alert about the data fault would appear while the aircraft was on the ground. According to Hepher's sources, the lack of a ground warning was an issue raised during a safety review last year, but "regulators approved it on the basis that the chances of failure were small and the installation procedure included extra checks," people familiar with the matter said.

Facial recognition technology is everywhere. It may not be legal. (WaPo, 11 June 2015) - Being anonymous in public might be a thing of the past. Facial recognition technology is already being deployed to let brick-and-mortar stores scan the face of every shopper, identify returning customers and offer them individualized pricing - or find "pre-identified shoplifters" and "known litigious individuals." Microsoft has patented a billboard that identifies you as you walk by and serves ads personalized to your purchase history. An app called NameTag claims it can identify people on the street just by looking at them through Google Glass. Privacy advocates and representatives from companies like Facebook and Google are meeting in Washington on Thursday to try to set rules for how companies should use this powerful technology. They may be forgetting that a good deal of it could already be illegal. There are no federal laws that specifically govern the use of facial recognition technology. But while few people know it, and even fewer are talking about it, both Illinois and Texas have laws against using such technology to identify people without their informed consent. That means that one out of every eight Americans currently has a legal right to biometric privacy. The Illinois law is facing the most public test to date of what its protections mean for facial recognition technology. A lawsuit filed in Illinois trial court in April alleges Facebook violates the state's Biometric Information Privacy Act by taking users' faceprints "without even informing its users - let alone obtaining their informed written consent." This suit, Licata v. Facebook, could reshape Facebook's practices for getting user consent, and may even influence the expansion of facial recognition technology. * * * Companies like Facebook and Google routinely collect facial recognition data from their users, too. Google's FaceNet algorithm can identify faces with 99.63 percent accuracy. Facebook's algorithm, DeepFace, gets a 97.25 percent rating. The FBI, on the other hand, has roughly 85 percent accuracy in identifying potential matches, though, admittedly, the photographs it handles may be harder to analyze than those used by the social networks.

FTC announces first consent order on misrepresentation in crowdsourcing (Covington, 11 June 2015) - The Federal Trade Commission ("FTC") announced today that it has entered into a proposed consent order against the founder of a failed Kickstarter project, marking the first time that the agency has taken a consumer protection action in the rapidly-emerging field of crowdsourcing. According to the complaint, the defendant, Erik Chevalier, misused money raised through Kickstarter for personal expenses despite promises to use this money to develop a board game, or otherwise to return the contributions. While State Attorneys General have brought similar enforcement actions in the past against misrepresentations in crowdsourcing campaigns, this action breaks new ground for the FTC as part of its self-described efforts to "protect consumers taking advantage of new and emerging financial technology." Mr. Chevalier's campaign began in May 2012 when he pitched the idea of a Monopoly-like board game taking place in Atlantic City, where players take the role of H.P. Lovecraft's Great Old Ones laying waste to the city. The idea quickly garnered attention from the internet, raising $122,874, almost four times the original funding goal. Backers were promised a copy of the completed board game, and those who pledged more were promised exclusive pewter figurines that could be used as game pieces. However, the project quickly ran into significant delays, and in June 2013, Mr. Chevalier announced that the project had been cancelled because the majority of the money had already been spent on game development with no end in sight. He also posted on Kickstarter that: "My hope is [...] to eventually refund everyone in full." Yet according to the FTC complaint, Erik Chevalier had actually used these funds for "miscellaneous personal equipment, rent for a personal residence, and licenses for a separate project," contrary to his representations to consumers. While the proposed consent order does not admit fault, Mr. Chevalier agreed to a judgment of $111,794 (suspended due to an inability to pay); a prohibition against using, disclosing, or benefiting from customer information obtained through the fundraising campaign; a promise to refrain from making misrepresentations to consumers in future projects, and an ongoing duty for compliance reporting and record keeping for the next 18 years.

Feds tighten restrictions on 3-D printed gun files online (Wired, 11 June 2015) - The notion of a 3-D printable gun has become the perfect flashpoint in a new conflict between digital arms control and free speech. Should Americans be allowed to say and share whatever they want online, even if that "speech" is a blueprint for a gun? The State Department has now answered that question with a resounding "no." In the last few days, the State Department has issued two new statements confirming its intention to act as gatekeeper for when Americans can legally publish online data that could allow someone to digitally fabricate a gun. And those statements outline how it plans to restrict those publications as a controlled "foreign export" of munitions. Earlier this week, the State Department sent a letter to the controversial gun access group Defense Distributed, confirming that it will require the group to get specific permission from the government before publishing its 3-D printable gun files online. That warning comes more than two years after the State Department sent Defense Distributed an initial letter telling it to take its gun files off its website pending a decision about their legality. And in a separate filing to the federal register last week, the State Department also wrote that it intends to require prior approval for the online publication of any "technical data" that, vaguely defined, would allow for the creation of weapons, an even broader swathe of files. The agency's statement warns that publishing those weapon files to the Internet, with its global connections, could amount to violating the International Trade in Arms Regulations (ITAR) by exporting controlled weapons data to a foreign country, hardly different, by its definition, from sending missile schematics to Iran.

Where cyber insurance underwriting stands today (Insurance Journal, 12 June 2015) - "You would think the first question to ask would be: Do insured parties understand the elements and limitations of coverage?" said Kevin Kalinich, speaking on cyber risk. "The real first question is: Do the insurance companies understand?" Kalinich, global practice leader for cyber/network risk, at consulting firm Aon Risk Services, was a panelist at the Standard & Poor's Ratings Services 2015 Insurance Conference this week in New York where experts stressed the importance of underwriters working together to gain a better understanding of the market so they can properly assess and price cyber risk. Demand for insurance covering cyber attacks is mounting and the risk is evolving rapidly, panelists noted. A number of U.S. insurers are testing the waters but panelists said that even the insurers with larger market shares have thus far been cautious due to the lack of actuarial data available in this nascent market. They have been writing policies with low limits and a slew of exclusions such as excluding damages resulting from data handled by an external contractor. Right now, a handful of players - American International Group Inc., ACE Ltd., Chubb Corp., Zurich Insurance Co. Ltd., and Beazley Group Ltd. - dominate the market for cyber insurance, but panelists said clients are looking to buy more coverage than insurers are willing to offer. As the market develops, providers will need some time to model risk sufficiently and to set premiums accordingly. This will remain difficult, Kalinich said, because the threat is evolving fast. He said two decades of reliable data are needed to feed models. "We're much farther along than we were two years ago; we have much better information now," he said. "But it's not a static model. It changes over time, and in two years it will be much better." Regulators have taken steps to guide insurers toward a consistent approach to the market. The National Association of Insurance Commissioners (NAIC) recently adopted guiding principles for insurers underwriting cyber risk. The NAIC is also developing a set of best practices for insurance company examiners to test protocols and processes, as well as a consumer bill of rights so that consumers know when data has been hacked. [Polley: So far, the insurance industry has failed to provide the de facto best-practice development many had hoped would guide cyber-risk management (compare, insurance-led development of fire safety codes in the early 20th century). Looks like it's going to take much longer.]

Cyberattacks are exploding and investors are cashing in (Business Insider, 15 June 2015) - The amount of sensitive data stored online has increased exponentially in recent years, and so has the number of attempts to steal that information. While this is a huge problem to both the government and private companies, for some it is an opportunity. "In May 2015, the Goldman Sachs Chief Information Security Officers (CISOs) survey found that almost 60% of respondents expected to boost security spending by at least 5%, with 20% budgeting increases greater than 15%," Goldman Sachs' David Kostin said in a note to clients. The value of good cybersecurity, and the bottom lines of companies offering it, has exploded. Goldman's ISE Cyber Security Index, a collection of 30 publicly traded cybersecurity companies, has grown 19% faster than the S&P 500 year-to-date, following a trend established the last few years. Companies in the index include FireEye, CyberArk Software, Infoblox, Palo Alto Networks, Fortinet, and AVG Technologies. "Since 2011, the total return of the index is 123pp higher than the S&P 500 (207% vs. 84%)," Kostin said. As you can see in the chart, the amount the stocks are outperforming the S&P coincides with the number of files exposed through cyberattacks. And sales for cybersecurity companies are expected to continue their meteoric rise.

Catching up on the OPM breach (Brian Krebs, 15 June 2015) - I heard from many readers last week who were curious why I had not weighed in on the massive (and apparently still unfolding) data breach at the U.S. Office of Personnel Management (OPM). Turns out, the easiest way for a reporter to make sure everything hits the fan from a cybersecurity perspective is to take a two week vacation to the other end of the world. What follows is a timeline that helped me get my head on straight about the events that preceded this breach, followed by some analysis and links to other perspectives on the matter.

Ethical responsibilities and information security (InsideCounsel, 16 June 2015) - The elephant in the room is: You will be hacked. This is the opinion of Mark Sangster, vice president of marketing at eSentire, who was speaking at the Mid-year Cybersecurity and Data Protection Legal Summit. He, along with Vince Polley, principal at KnowConnect, spoke during the panel "Protect Your Ethics - Infosec Responsibilities in the Attorney-Client Relationship." It's no surprise that cybercrime is big business. According to Sangster, estimates show that somewhere north of $500 billion is lost every year due to cybercrime. Hackers have easy access to cyber-weapons, need few skills, are highly motivated and face few consequences. These days, many threats come in the form of "spear-phishing," where criminals do research on you to send you personally specific messages that, when opened, unleash havoc on your network. Polley was a co-author of the ABA cybersecurity handbook, and stated flatly to the audience that "you've all been hacked." Though there has not yet been a single law firm that has admitted to being hacked, the fact of the matter is, hackers are targeting law firms, in real life and on "The Good Wife." Even some of the biggest security firms in the world themselves have been hacked. So the question is, what to do about it? Law firms are targets, Polley says, because they are soft and attractive targets with lots of confidential client information and little technological sophistication, representing a back door into client systems. Clients in highly regulated and vulnerable industries - such as the medical, insurance and financial sectors - are going to law firms and auditing their security measures. In terms of ethics, the ABA Model Rules of Professional Conduct lay out several rules that apply - competence, confidentiality and supervision (1.1, 1.6 and 5) - and there are common law requirements as well.
Rule 1.1, comment 6, says that lawyers must remain up-to-date with the benefits and risks of technology. As Polley puts it, they must acquire it or hire it. State bars have been saying the same thing for years. [Polley: I'm not sure the quotes are precise, but the essence of the story is accurate. Email me if you'd like an annotated copy of the PPT I delivered there.]

EFF's 2015 data privacy report lauds Apple, Dropbox, slams Verizon (TechCrunch, 18 June 2015) - Digital rights organization the Electronic Frontier Foundation (EFF) has published its fifth annual Who Has Your Back? report into online service providers' transparency and privacy practices when it comes to government requests for accessing user data. The organization notes a general transformation among major Internet players to be more transparent with users about data requests over the past four years. But for its latest report it has tightened its evaluation criteria, arguing that "it's time to expect more from Silicon Valley". The report awards companies up to a maximum of five stars for performance in various areas, such as following what the EFF judges as "industry-accepted best practices"; telling users about government data demands; disclosing policies on data retention; disclosing government content removal requests; and taking what it dubs a "pro-user" public policy position and specifically opposing government-mandated backdoors in digital services.

Can liberal musicians stop Republicans from using their songs? (WaPo, 18 June 2015) - Neil Young's song "Rockin' In The Free World" was played Tuesday at Donald Trump's campaign announcement, and as has become standard operating procedure, Young's manager released a statement saying Trump wasn't authorized to use the song and that Young doesn't support Trump's candidacy. It's all very predictable, something we see played out over and over again in politics (mostly among Republican politicians and liberal musicians). What if a politician X was like, "You know what, I don't care what musician Y thinks; we're going to keep playing that song. Louder, even. We're going to blast it, on repeat, from Iowa to New Hampshire until I'm elected President of these United States!?" Despite the fact that politicians usually stop playing songs when asked, they could fight it if they really wanted to. According to the ASCAP guidelines on using music in political campaigns, if campaigns obtain a public performance license from ASCAP or other performing rights organizations like BMI, they're in compliance with copyright law, which is why campaigns always first respond to statements from angry musicians by saying they were following the rules. But being in compliance with copyright rules doesn't mean musicians can't complain and even take legal action -- which is why ASCAP advises campaigns to get permission from artists' management and songwriters as well, to avoid all this. Per ASCAP, musicians could seek recourse through their right of publicity (which public figures have for their image in some states), false endorsement (an argument that their work is being used to incorrectly imply support for something) or the Lanham Act (dealing with unauthorized use of a trademark leading to confusion). So there are legal grounds for them to fight the song's use. But there's not much precedent for that happening, because campaigns generally give in to musicians' demands so quickly.

Secretive surveillance court skips talking to privacy advocates (National Journal, 19 June 2015) - The secretive court that oversees U.S. spying programs opted not to consult a panel of privacy advocates in its first decision made since the enactment earlier this month of major surveillance reform, according to an opinion declassified Friday. The Foreign Intelligence Surveillance Court chose to forgo appointing a so-called "amicus" of privacy advocates as it considered whether the USA Freedom Act could reinstate spying provisions of the Patriot Act even though they expired on June 1 amid an impasse in the Senate. The Court ruled that the Freedom Act's language, which will restore the National Security Agency's bulk collection of U.S. call data for six months before transitioning to a more limited program, could revive those lapsed provisions, but in assessing that narrow legal question, Judge Dennis Saylor concluded that the Court did not first need to confer with a privacy panel as prescribed under the reform law. "The statute provides some limited guidance, in that it clearly contemplates that there will be circumstances where an amicus curiae is unnecessary (that is, 'not appropriate')," Saylor wrote. "At a minimum, it seems likely that those circumstances would include situations where the court concludes that it does not need the assistance or advice of amicus curiae because the legal question is relatively simple, or is capable of only a single reasonable or rational outcome." [Polley: uh-oh… I think I'd prefer an amicus even when it's "simple" or there's only a "single reasonable or rational outcome." Think: Dick Cheney.]

Google Earth's digital tack, used to show location, wasn't hearsay, 9th Circuit rules (ABA Journal, 22 June 2015) - A "digital tack" on Google Earth used to pinpoint the location of an arrest isn't an inadmissible statement governed by hearsay rules, a federal appeals court has ruled. The San Francisco-based 9th U.S. Circuit Court of Appeals ruled in the case of a defendant, Paciano Lizarraga-Tirado, who claimed he was on the Mexican side of the border when he was arrested by Border Patrol agents for illegal re-entry into the United States, report the Wall Street Journal Law Blog and IDG News Service. An arresting agent recorded the coordinates of the arrest with a GPS device. At trial, prosecutors introduced evidence of the location by entering the GPS coordinates into Google Earth, creating a digital tack on Google Earth's satellite image. The tack was clearly north of the border. The appeals court considered Lizarraga-Tirado's objection under the hearsay rule, which generally bars out-of-court statements offered to prove the truth of the matter asserted. The rule defines a statement as a person's oral assertion, written assertion, or nonverbal conduct, if the person intended it as an assertion. A satellite image, absent any markers, makes no assertion and isn't hearsay, the court said in an opinion (PDF) by Judge Alex Kozinski. Because the tack was computer-generated rather than placed manually and labeled, it isn't an assertion made by a person and isn't hearsay, the court said. "Though a person types in the GPS coordinates," Kozinski wrote, "he has no role in figuring out where the tack will be placed. The real work is done by the computer program itself." Machine statements do raise evidentiary concerns, Kozinski said, but they should be addressed by the rules of authentication, not hearsay.
A litigant seeking admission of Google Earth evidence over an objection would have to establish its reliability and accuracy, perhaps by testimony from a Google Earth programmer or perhaps by judicial notice, Kozinski said. The defendant in the case before the court had not raised an authentication objection.

ABA President pushes online models for civil disputes (DailyNews, 22 June 2015) - The president of the American Bar Association says the traditional method of providing pro bono legal services in civil matters to those who can't afford to pay for an attorney isn't working despite best efforts. And William C. Hubbard wants those in the legal system to work more with tech companies that are finding a demand for online dispute resolution programs. "Despite all of our best efforts, we have not closed this justice gap despite more pro bono work and more support," Hubbard told a group of 200 attorneys and judges Thursday, June 18, at the Tennessee Bar Association's annual meeting, held this year in Memphis. Hubbard cites a report from Modria.com, the online dispute resolution company that spun off from eBay and PayPal in 2011. Of 60 million annual disputes on eBay, 90 percent are resolved using software with no human intervention and the results are "almost never" appealed in court, according to Modria. While Modria's efforts and pitch are aimed at business disputes, Hubbard has already begun talking with the company and similar online companies. Modria cites property tax disputes in Nashville that are settled online, among other uses, and concludes "the next justice system will look more like ODR than the courts."

SEC hunts hackers who stole corporate emails to trade stock (Reuters/ReCode, 23 June 2015) - U.S. securities regulators are investigating a group of hackers suspected of breaking into corporate email accounts to steal information to trade on, such as confidential details about mergers, according to people familiar with the matter. The Securities and Exchange Commission has asked at least eight listed companies to provide details of their data breaches, one of the people said. The unusual move by the agency reflects increasing concerns about cyber attacks on U.S. companies and government agencies. It is an "absolute first" for the SEC to approach companies about possible breaches in connection with an insider trading probe, said John Reed Stark, a former head of Internet enforcement at the SEC. "The SEC is interested because failures in cyber security have prompted a dangerous, new method of unlawful insider trading," said Stark, now a private cyber security consultant. According to people familiar with the matter, the SEC's inquiry and a parallel probe by the U.S. Secret Service - which investigates cyber crimes and financial fraud - were spurred by a December report by security company FireEye about a sophisticated hacking group that it dubbed "FIN4." Since mid-2013, FIN4 has tried to hack into email accounts at more than 100 companies, looking for confidential information on mergers and other market-moving events. The targets include more than 60 listed companies in biotechnology and other healthcare-related fields, such as medical instruments, hospital equipment and drugs, according to the FireEye report. The SEC has asked companies for data on cyber intrusions or attempted intrusions, as well as information on the tactics that the unknown hackers used to lure employees into giving up email passwords, known as "spear phishing" or "credential harvesting," people familiar with the investigation said. 
As concerns about cyber security grew, the SEC in 2011 issued guidance for public companies on disclosing breaches. Companies are not required to disclose any breaches unless they are deemed to be "material" under federal securities laws. The probe is unusual for the SEC, which has typically searched for questionable trading activity in stocks and options when investigating insider trading cases, said Stark. The SEC only has the power to bring civil cases, so any possible criminal cases resulting from the probe would be brought by a federal prosecutor.

GCHQ asked court to let it infringe on anti-virus copyrights... for national security (TechDirt, 24 June 2015) - National security apparently means "securing" the nation at the expense of citizens' security. New Snowden documents published by The Intercept show massive amounts of dicking around in the coding of popular anti-virus software by the NSA and GCHQ. The list of antivirus products not affected would be much, much shorter than a list of those that have been. The GCHQ obtained a warrant to reverse engineer Kaspersky products because it felt the company's software was "obstructing" its hacking attempts. Not only did the GCHQ seek permission to tear apart a legitimate security product for its own ends, but it also asked for an exception to UK copyright law in order to do so: "GCHQ's success as an intelligence agency is founded on technical knowledge and creativity. In particular this may involve modifying commercially available software to enable interception, decryption and other related tasks, or 'reverse engineering' software (this means to convert it from machine readable code into the original format, which is then comprehensible to a person). These actions, and others necessary to understand how the software works, may represent an infringement of copyright. The interference may also be contrary to, or inconsistent with, the provisions of any licensing agreement between GCHQ and the owners of the rights in the software." Recognizing this could potentially cause a problem if its efforts were discovered, GCHQ explicitly asked that it be granted permission to engage in copyright infringement in the name of national security. [Polley: How far can a court go in "authorizing" otherwise unlawful activity? Transcend copyright law? Break into computers? Defraud? Steal? Torture?]

NOTED PODCASTS

Distributed and digital disaster response (Willow Brugh at Berkman, 10 March 2015; 59mins) - The citizen response to 2012's Hurricane Sandy was in many important ways more effective than the response from established disaster response institutions like FEMA. New York-based response efforts like Occupy Sandy leveraged existing community networks and digital tools to find missing people; provide food, shelter, and medical assistance; and offer a hub for volunteers and donors. In this talk Willow Brugh -- Berkman fellow and Professor of Practice at Brown University -- demonstrates examples ranging from Oklahoma to Tanzania where such distributed and digital disaster response has proved successful, and empowered citizens to respond in ways traditional institutions cannot. Find Willow's presentation deck here. [Polley: Lots of stuff here on KM and knowledge sharing across time and across events/communities. This also implicates the question of meta-KM - i.e., knowledge sharing outside an "enterprise" and among/between ad hoc virtual teams.]

RESOURCES

Irving Younger's 10 Commandments Of Cross Examination (Lawyerist, 24 June 2015) - If you will put these suggestions to use, if you will cross-examine in accordance with these suggestions, I can virtually guarantee - not that you will be a brilliant cross-examiner, but that you won't be ashamed of yourself, you won't be a buffoon in that courtroom. Whenever you do not comply with them, you will regret it. Instantly. [Polley: This is the classic; guaranteed to educate and entertain. Highly recommended.]

Privacy and Security Training Requirements (web compendium maintained by Prof. Dan Solove) - Many laws, regulations, and industry codes require privacy awareness training and/or data security awareness training. Here is a list of a number of these requirements: * * * Below is a brief description of each requirement with excerpts of the relevant provisions: * * *

The Legal Impact of Technology on M&A Transactions (Kaye Scholer white paper; undated) - Across the hundreds of M&A transactions that our firm has worked on in recent years, we and our clients have together explored and analyzed a relatively consistent set of diligence concerns. Increasingly, however, a new subject is beginning to interest dealmakers: the underlying technologies at each acquisition candidate and their related obligations and risk implications. This report, The Legal Impact of Technology on M&A, explores this important and still-evolving area of interest.

FUN

The Influence Of Immanuel Kant On Evidentiary Approaches In 18th-Century Bulgaria (Orin Kerr, June 2015) - Chief Justice Roberts has drawn attention to the influence of Immanuel Kant on evidentiary approaches in 18th-century Bulgaria. [fn omitted] No scholarship has analyzed Kant's influence in that context. This Article fills the gap in the literature by exploring Kant's influence on evidentiary approaches in 18th-century Bulgaria. It concludes that Kant's influence, in all likelihood, was none. [Kerr's explication of this tongue-in-cheek article is here.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Plan to put company reports on the web (Reuters, 30 Nov 2005) -- Corporations would be allowed to post proxy statements and annual reports on Web sites, instead of sending them through the mail, under a plan proposed Tuesday by federal regulators. The Securities and Exchange Commission voted 5 to 0 to submit the plan to a 60-day public comment period, with a final vote by the commission expected later. Aimed at saving postage and printing costs, the so-called e-proxy measure is also seen as a way to cut the costs to shareholders of waging proxy contests. Under the proposed rule, investors would receive a postcard notice in the mail telling them that a proxy statement and annual report was available online. Investors wishing to continue receiving printed matter could request it. "Studies show that today 75 percent of Americans now have access to the Internet and this percentage is rising steadily," Christopher Cox, the S.E.C. chairman, said at a meeting. "The percentage of investors with Internet access is even higher." The proposal, if adopted early next year, would probably not be enacted in time for the 2006 proxy season but would come into play in 2007, said Alan L. Beller, director of the S.E.C.'s corporate finance division.

Sony's anti-file-sharing CD causes a firestorm of anger (Houston Chronicle, 8 Nov 2005) -- Since the dawn of file-sharing in the late 1990s, the music industry has struggled with keeping its wares from being traded freely. Recording labels have tried all kinds of approaches, from suing their own customers to draconian copy protection to changing formats. The one that has worked the best - surprise! - has been to offer a low-cost way to buy music that allows users to do pretty much what they want to do with the tunes they purchase. It's almost as though there's a Good Side and a Dark Side to the musical force. Over time, you'd think the business would get that the Good Side will win more converts. That is, until you see something like the strange case of the Sony rootkit. On Halloween, a developer with an Austin-based software company posted on his blog a detailed report on a troubling discovery - a CD from Sony BMG had installed software on his PC that uses the same technique for hiding itself as the most pernicious type of spyware. Mark Russinovich of Sysinternals also discovered that the software, known as a rootkit, could then be used by the creators of viruses and worms to hide their own malicious payloads. A rootkit works at the very lowest levels of the Windows operating system to cloak files. Spyware purveyors use the technique to hide their code from programs designed to find and remove it. In Sony's case, the rootkit was part of a media player designed to restrict how a CD's tunes are played, stored to a computer's hard drive or copied, and was used to hide those files, making it difficult to get around the protection. The software was installed when the CD's buyers - in Russinovich's case, of Van Zant's Get Right with the Man - first tried to play the disc on a PC. The disc can't be used in a PC without Sony's player. The rootkit hid the software by looking for a particular sequence of characters in the name.
Any files that included the sequence were cloaked. Russinovich had to jump through hoops to find the software, trace its source and remove it. When he did, he found the process disabled his CD drives, which were no longer visible in Windows Explorer. His report, at www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html, concluded: "The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files ... will cripple their computer if they attempt the obvious step of deleting the cloaked files." http://www.chron.com/cs/CDA/ssistory.mpl/business/3445666
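The article describes the cloaking mechanism (a hook at the directory-listing layer that drops every name containing a marker sequence) and the way it was found: comparing what the hooked API reports against a lower-level enumeration. The following added example, which is not code from the article, from Sysinternals or from Sony, simulates that cross-view check in Python. The marker string, the file names and the "hooked" listing function are all constructed for the demonstration; the real marker used by the Sony software is deliberately not reproduced.

```python
"""Cross-view detection of name-cloaked files (added example, constructed data).

A name-filtering rootkit hides every directory entry whose name contains a
marker sequence from the high-level listing API. A defender can still find
the hidden entries by enumerating the directory through a lower-level path
and diffing the two views: anything present in the raw view but missing from
the API view has been cloaked.
"""
from __future__ import annotations

# Constructed placeholder marker for the demo (not the real Sony sequence).
CLOAK_MARKER = "$demo$"

# Constructed raw enumeration of one directory, as a disk-level scan would see it.
RAW_LISTING = [
    "notepad.exe",
    "$demo$player.dll",
    "$demo$cfg.dat",
    "readme.txt",
    "music.wma",
]


def hooked_listdir(raw_names: list[str], marker: str = CLOAK_MARKER) -> list[str]:
    """Stand-in for the hooked listing API: silently drops marker-bearing names.

    This models the rootkit's behaviour so the detection below has something
    to detect; it is not a real OS call.
    """
    return [name for name in raw_names if marker not in name]


def cross_view_diff(api_view: list[str], raw_view: list[str]) -> list[str]:
    """Return the names visible in the raw view but absent from the API view.

    This is the cross-view discrepancy check: the hook can lie to the listing
    API, but it cannot make the on-disk entries disappear from a raw scan.
    """
    return sorted(set(raw_view) - set(api_view))


def detect_cloaked(raw_names: list[str] = RAW_LISTING) -> list[str]:
    """Run the hooked listing over the raw names and report what it hid."""
    return cross_view_diff(hooked_listdir(raw_names), raw_names)


def marker_probe(marker: str, listdir_fn=hooked_listdir, raw_names: list[str] = RAW_LISTING) -> bool:
    """Canary check: add a harmless name carrying the marker and see if it vanishes.

    Returns True when the listing path suppresses marker-bearing names, i.e.
    the cloaking hook is active for that marker.
    """
    canary = f"{marker}canary.txt"
    probed = raw_names + [canary]
    return canary not in listdir_fn(probed)


if __name__ == "__main__":
    for name in detect_cloaked():
        print("cloaked entry:", name)
    print("hook active for marker:", marker_probe(CLOAK_MARKER))
```

The cross-view diff is the defender's side of the story the article tells: it does not require knowing the marker in advance, only two independent ways of enumerating the same directory. The `marker_probe` helper is the cheaper follow-up once a candidate sequence is suspected.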

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.