Saturday, May 16, 2015

MIRLN --- 26 April – 16 May 2015 (v18.07)

MIRLN --- 26 April - 16 May 2015 (v18.07) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Addressing cyber attacks and data breaches in supplier contracts (Pillsbury, 17 April 2015) - Ten years ago, most "buyers/customers" expected their suppliers to absorb unlimited contractual liability if the supplier was responsible for a breach affecting the customer's data. Today, while customers may continue to insist upon such a position at the beginning of negotiations, they frequently expect that market-leading suppliers will ask for some sort of limit to the supplier's potential liability for data breaches. When customers are forced to negotiate a liability cap applicable to breaches of data (including PII and PHI), they usually insist that such liability cap be an amount that is greater than the "standard" limit of liability under the Agreement (i.e., greater than the standard financial cap applicable to other contract breaches). In negotiating what that "higher cap" should be for data breaches, customers should not necessarily tie that higher cap to the total fees (or total annual fees) payable under the Agreement (for example, a liability cap for data breaches equal to 3 times the annual fees under the Agreement), unless those total fees (or total annual fees) will be so large that having a cap equal to a multiple of the contractual fees will provide adequate protection to the customer for a data breach. Instead, customers should focus on the question of "What is the potential amount of damages that I could suffer, if my supplier's actions (or inactions) lead to a data breach?" The customer then bases the higher liability cap for data breaches on that potential damage amount. In other words, customers should insist that the higher financial cap for data breaches BE A DISCRETE AMOUNT OF MONEY (such as, for example, $5 million or $10 million or $50 million or $75 million). This should not impact the "standard" limit of liability for other breaches of the agreement, which generally continues to be a multiple of the annual fees (such as 12 months' trailing fees, or 18 months or 24 months depending on the transaction). * * *

The FCC's $365 million man (National Journal, 26 April 2015) - There's a new sheriff in town at the Federal Communications Commission. And he's got corporations reaching for their checkbooks. In his first year on the job as chief of the FCC's Enforcement Bureau, Travis LeBlanc has issued some of the largest fines in the agency's history. AT&T agreed to pay $105 million for placing unwanted charges on consumers' phone bills. T-Mobile had to pay $90 million over similar allegations. Marriott Hotels paid $600,000 for blocking its customers' Wi-Fi hotspots. And CenturyLink and Verizon got fined $16 million and $3.4 million, respectively, for a software glitch that blocked 911 calls for six hours. In total, the FCC, working with other agencies, has collected more than $365 million in fines, settlements, and refunds for consumers since LeBlanc took office last March, according to a National Journal review of agency records. LeBlanc is a new kind of enforcement chief for the FCC. Previous heads of the bureau have usually been career FCC lawyers, with extensive experience in telecommunications issues in other parts of the agency. They were used to working closely with companies, often negotiating with them as the FCC crafted regulations. But LeBlanc is a prosecutor, who has little interest in playing nice. He has already helped the FCC earn a tougher reputation on enforcement, and his role will only grow under the agency's controversial net-neutrality rules, which will empower him to review complaints and launch investigations into a range of disputes over Internet access.

Boards are on high alert over security threats (CSO Online, 27 April 2015) - Fear of cyberattacks has corporate directors on edge. CIOs must paint a realistic view of the company's security posture and steer the conversation toward managing business risk. When Anthem revealed in early February that hackers had breached a database containing the personal information on 80 million of its customers and employees, the news hit a little too close to home for Gary Scholten, executive vice president and CIO of Principal Financial Group. His first order of business that day was to gather all the information he could to reassure his board of directors that the financial services provider did not have similar vulnerabilities. He contacted the industry's Financial Services Information Sharing and Analysis Center to get detailed intelligence on the exact nature of what Anthem publicly called a "very sophisticated external cyber attack" and was able to assure his board members that Principal's customer and employee data was not at risk from the type of attack launched against Anthem. Anthem is one of the nation's largest health insurers. Because of the size of its breach, the industry in which it occurred and the media attention it received, Scholten wanted to get ahead of the questions that Principal's directors might ask. "Cybersecurity is a huge priority for them because the service we provide is so reputation-based," says Scholten. "It's a top-of-mind board issue."

Texas admonishes judge for posting Facebook updates about her trials (Ars Technica, 27 April 2015) - A Texas judge is challenging a state panel's decision reprimanding her for posting Facebook updates about trials she was presiding over. The State Commission on Judicial Conduct ordered Michelle Slaughter, a Galveston County judge, to enroll in a four-hour class on the "proper and ethical use of social media by judges." The panel concluded that the judge's posts cast "reasonable doubt" on her impartiality. At the beginning of a high-profile trial last year in which a father was accused of keeping his nine-year-old son in a six-foot by eight-foot wooden box, the judge instructed jurors not to discuss the case against defendant David Wieseckel with "anyone." "Again, this is by any means of communication. So no texting, e-mailing, talking person to person or on the phone or on Facebook. Any of that is absolutely forbidden," the judge told jurors. But Slaughter didn't take her own advice, leading to her removal from the case and a mistrial. The defendant was eventually acquitted of unlawful-restraint-of-a-child charges. The judge told local media Friday that her Facebook posts about the "Boy in the Box" case and others were unbiased. "I will always conduct my proceedings in a fair and impartial way. The Commission's opinion appears to unduly restrict transparency and openness in government and in our judiciary," she told the Houston Chronicle. "Everything I posted was publicly available information." The commission didn't agree in its ruling last week: * * *

Apple makes ethics board approval mandatory for all medical research apps (The Verge, 29 April 2015) - Getting approval from an independent ethics board is now mandatory for all apps made using Apple's ResearchKit, an open-source software platform meant to help scientists run clinical trials through apps available in the Apple App Store. The additional guidelines, spotted by 9to5Mac, come two weeks after Apple opened up the platform to developers and medical researchers around the world. Apple announced ResearchKit in early March to great fanfare. At the time, only a handful of institutions had been given access to the platform. Almost immediately, questions were raised about the ethics of running clinical trials exclusively through mobile phones. When The Verge reported on the story in March, it was unclear whether IRB approval would become mandatory for apps that made it to the App Store. The five apps that were released through the App Store on the day of the announcement had all been approved by an independent ethics review board, but the App Store guidelines lacked specific wording about the need for Institutional Review Board (IRB) approval for these apps. Now, two weeks after making ResearchKit available to all developers, Apple has added another set of guidelines that make IRB approval mandatory. "Apps conducting health-related human subject research must secure approval from an independent ethics review board," the new guidelines read. "Proof of such approval must be provided upon request." It's unclear what might have prompted the addition.

SEC releases cybersecurity guidance for RIAs (Think Advisor, 29 April 2015) - The Securities and Exchange Commission's Division of Investment Management has released cybersecurity guidance to help advisors and funds address their cyber risks.

The IM Division's April cyber guidance recommends that advisors and funds conduct periodic assessments, have a cybersecurity strategy as well as written policies and procedures to mitigate cyberattacks. Cipperman Compliance Services warns that if advisors and funds have a data breach and have not implemented the measures described in the IM guidance, the SEC "may take regulatory action because your cybersecurity internal controls and policies and procedures were not sufficient." * * *

- and -

Department of Justice issues best practices guidance on cyber incidents (WilmerHale, 1 May 2015) - On Wednesday, April 29, the US Department of Justice released guidance titled "Best Practices for Victim Response and Reporting of Cyber Incidents." The guidance outlines steps companies should take before, during, and after an incident, and includes a summary checklist. The guidance also states the Justice Department's positions on the legal permissibility of a number of monitoring techniques and the impermissibility of many forms of so-called "hacking back." * * * [Polley: guidelines are here.]

Unhappy anniversary, Google (InsideHigherEd, 30 April 2015) - On April 30 a year ago, Google announced: "Today, we're taking additional steps to enhance the educational experience for Apps for Education customers: (o) We've permanently removed the "enable/disable" toggle for ads in the Apps for Education Administrator console. This means ads in Apps for Education services are turned off and administrators no longer have the option or ability to turn ads in these services on. (o) We've permanently removed all ads scanning in Gmail for Apps for Education, which means Google cannot collect or use student data in Apps for Education services for advertising purposes." This announcement presumably came about to forestall attention from the May 1, 2014, publication of the White House Big Data Report, which warned of potential abuses of student data privacy. For some years, and then with momentum in the recent months, Congress held hearings on the subject, parents were raising critical questions of how school districts were managing their children's privacy, and research was coming out to suggest significant gaps between the Family Education Rights Privacy Act and practices of technological companies in the education space. I did not then nor do I now feel assuaged by Google's promise. First, their "don't ask permission, beg forgiveness" approach had already become hackneyed observing how they navigated F.T.C. investigations for Street View, Buzz, and Safari By-Pass. Second, their "clever by half" approach to the issue of talking about ads when the most pressing issues are data-mining and profiling fell flat on this audience of one. Finally, Google still has not presented any verification that on that day, or any time since, they stopped data-mining and profiling in Google Apps in Education (GAFE). Consequently, I have written a formal paper on this subject entitled, "Student Data and Blurred Lines: A Closer Look at Google's Aim to Organize U.S. Youth and Student Information." I will present it at a Berkman Center Forum on Student Data Privacy on May 20, and eventually work it into a book on the culture, law and politics of the Internet in higher education that I am publishing through Cornell University Press.

How to conduct free legal research using Google Scholar in 2015 (part 2) (Nicole Black on LLRX, 30 April 2015) - Legal research is something lawyers do nearly every day. That's why convenient, affordable access to legal research materials is so important. The advent of computer-based legal research was the first step toward leveling the playing field and providing solos and small firms with access to the incredible depth of materials once only available in academic or government law libraries or in the law libraries of large law firms. But it was web-based legal research that truly gave solos and small firms the tools they needed to compete, and at a price they could afford. Google Scholar is a prime example of this: it provides free access to a wide range of legal materials, all of which are accessible and searchable via a user-friendly interface. The trick is to set aside time to learn the ins and outs of conducting legal research on Google Scholar. To make this process even easier for you, I'm writing this 2-part blog post series. Last week, in Part 1, I explained the basics of using Google Scholar for legal research. In today's post I'll delve into the more advanced search features and will also cover ways to sort and organize your research. * * *

Enterprises overlook legal issues in breach preparedness (CSO Online, 1 May 2015) - Companies preparing for data breaches and cyber security incidents too often focus on the technology and overlook the legal aspects. In a recent study by Hanover Research, for example, about 54 percent of companies conducted a cyber threat audit, but only 33 percent involved their legal departments in the process. "Companies are more likely to involve lawyers as a reactive measure, after an incident has occurred, rather than as a proactive measure," researchers said in their report, which was based on a survey of corporate law departments conducted on behalf of Indiana University's Maurer School of Law. This is a problem, because IT or security staff typically focus on physical and electronic security, not necessarily the legal, compliance, or privacy issues of a data breach, said Scott Vernick, the head of the data protection and privacy practice at the law firm of Fox Rothschild LLP, in Philadelphia. "They won't necessarily be sensitive to or be able to spot the issues that the lawyers are thinking about," he said. Corporations should bring in legal counsel early in the process, he said.

ACLU app lets you automatically send videos of police encounters (Mashable, 2 May 2015) - In a time when nearly everyone, regardless of income, seems to have a smartphone, the ACLU has come up with something that could help during your next encounter with an overzealous law enforcement officer: an instant reporting app. Mobile Justice CA was created by the Southern California branch of the American Civil Liberties Union as a way to "keep law enforcement accountable and protect your rights." Available for iOS and for Android, the free app allows users to instantly record and send a video of a police encounter to the ACLU. The app also allows you to turn on GPS tracking so that you can be notified if anyone else using the app near your location reports an incident. In light of recent demonstrations against police brutality, the app could be seen as essential equipment for some engaging in peaceful protests. The app also includes a list of U.S. rights, giving the user an additional tool in potentially touchy situations involving police encounters, as well as free speech and student rights demonstrations.

- and -

Witness's live-streaming app is a panic button for the smartphone age (TechCrunch, 3 May 2015) - What if live streaming, like those streams that run today on apps like Periscope or Meerkat, could be used to save lives? That's the premise behind an app called Witness, which made its debut today at the TechCrunch Disrupt NY Hackathon. Built over the course of the weekend, developer Marinos Bernitsas demoed an app that immediately begins recording live audio and video as soon as you tap the app's icon, but doesn't actually display the video stream being recorded on the smartphone's screen. Meanwhile, instead of having the stream sent out to the public via social networks like Twitter, only designated contacts you've previously configured in the app's settings are alerted to the incident via phone calls and text messages.

Effective social media practices and good online teaching (InsideHigherEd, 4 May 2015) - I have this theory that if you are effective on social media then you stand a good chance of being effective in online teaching. How do these two activities go together? Two words: presence and community. The people who seem to get the most out of social media are those who dedicate themselves to being present on their platform of choice. Presence does not necessarily mean contribution. You can be present in the IHE community if you show up daily to read the articles and opinion pieces. You can also be present if you regularly provide your opinions in a comment, even if your commenting is on every 1-in-50 articles. The power of IHE is that we are a community that is informed by both a common set of interests, and a common pool of content. We are all reading, thinking about, and commenting on the same articles and opinion pieces. On Twitter, being present means actively (on a daily basis) committing to interact with the platform. This may mean writing your own tweets, using Twitter to link to other things that you've read or seen on the Web, or simply using Twitter to filter what you consume. Presence on Twitter means that the people who follow you will reliably learn things from you. You build a community around the people you follow. We should always be suspicious of anyone who follows too many Twitter feeds, as above a certain number (maybe 500 follows at most), Twitter moves from a community to a promotional platform. The goals of investing in presence and achieving community are also the two hallmarks of effective online teaching. If you teach online you need to be present. This does not mean answering every single discussion thread, or constantly putting up just-in-time videos to explain concepts. Rather, presence can take the form of active listening. Of knowing when it is time to contribute, when it is time to guide, and when it makes more sense to step back and let the conversation play out.

Why workers want self-service IT (MSP Hub, 4 May 2015) - The pendulum is in full swing toward employees empowered to make tech choices at work and away from traditional IT departments. A new survey found that workers are seeking self-service IT, driven in large part by cool consumer tech, "freemium" cloud services and an autocratic IT department whose slow, conservative ways aren't able to keep up with the urgent demand of business technology. "We're seeing a huge shift in the way enterprises define and enable 'efficiency,'" says CEO Adriaan van Wyk at K2, a business applications vendor that commissioned Harris Poll to survey more than 700 U.S. office workers. "It's no longer about deploying uniform business solutions across departments, but rather letting go of the reins and allowing employees to discover and use independent solutions on their own." Here are some of the more alarming findings: Seven out of 10 office employees use online tools outside of those licensed by their IT department for work purposes. More than half admitted they'd look for a free cloud service, such as Google Hangouts, Google Docs, DropBox, Evernote and Skype, before going through formal IT channels to procure a solution. Separately, a recent CompTIA study found that one out of three business units procures its own cloud applications, often leading to security breaches or system failures down the line.

With boxing match, video piracy battle enters latest round: mobile apps (NYT, 4 May 2015) - The method used by thousands of people to watch unauthorized broadcasts of Saturday night's big boxing match might have been new, but to longtime media executives, who have led one battle against piracy after another, it was the same old story. Technology and its acolytes always find a way to make their content free. In the latest case, the tools used to watch the welterweight boxer Floyd Mayweather Jr. defeat Manny Pacquiao included mobile apps, from Meerkat and Twitter's Periscope, that let people live-stream the pay-per-view bout by capturing their TV screens with the cameras on their smartphones. But live streaming from mobile apps is just one of the new piracy headaches facing media companies. Executives are stepping up efforts to fight Popcorn Time, an app with a slick user interface that makes using the years-old BitTorrent file-sharing technology as easy as Netflix. And they are scrambling to take down websites that illegally broadcast sports and other live events. "The challenge is technology is far outpacing the rules and regulations around media usage," said Rich Greenfield, an analyst at BTIG Research. "Media contracts never anticipated Periscope." Mr. Greenfield watched the boxing match himself on Periscope, and at one point posted a screenshot of his phone on Twitter showing nearly 10,000 people logged on to a single broadcast of the match.

How the NSA converts spoken words into searchable text (The Intercept, 5 May 2015) - Most people realize that emails and other digital communications they once considered private can now become part of their permanent record. But even as they increasingly use apps that understand what they say, most people don't realize that the words they speak are not so private anymore, either. Top-secret documents from the archive of former NSA contractor Edward Snowden show the National Security Agency can now automatically recognize the content within phone calls by creating rough transcripts and phonetic representations that can be easily searched and stored. The documents show NSA analysts celebrating the development of what they called "Google for Voice" nearly a decade ago. Though perfect transcription of natural conversation apparently remains the Intelligence Community's "holy grail," the Snowden documents describe extensive use of keyword searching as well as computer programs designed to analyze and "extract" the content of voice conversations, and even use sophisticated algorithms to flag conversations of interest. The documents include vivid examples of the use of speech recognition in war zones like Iraq and Afghanistan, as well as in Latin America. But they leave unclear exactly how widely the spy agency uses this ability, particularly in programs that pick up considerable amounts of conversations that include people who live in or are citizens of the United States. Spying on international telephone calls has always been a staple of NSA surveillance, but the requirement that an actual person do the listening meant it was effectively limited to a tiny percentage of the total traffic. By leveraging advances in automated speech recognition, the NSA has entered the era of bulk listening. And this has happened with no apparent public oversight, hearings or legislative action. Congress hasn't shown signs of even knowing that it's going on.

Eleventh Circuit rules for the feds on cell-site records - but then overreaches (Orin Kerr on Volokh Conspiracy, 5 May 2015) - The en banc Eleventh Circuit has ruled that historical cell-site records are not protected by the Fourth Amendment under the third-party doctrine. The case, United States v. Davis, also adds an alternative holding that is even more important: Even if cell-site records were protected, the en banc court holds, accessing them would trigger only minimal Fourth Amendment concerns and would not require a warrant or probable cause. My bottom line: I agree with the court's ruling that the third-party doctrine applies and there was no search, but I think the alternative holding is puzzling, inconsistent with precedent, and unnecessary. But stay tuned. It's a long shot, but that second alternative holding might end up drawing Supreme Court review of both holdings. This post will go through the majority's reasoning and then offer my thoughts. There's also lots of interesting stuff in the concurring and dissenting opinions, but in the interests of space and time I'll stick with the majority opinion. * * *

Google relieved of duty to search for relevant evidence in executing search warrant (Orin Kerr on Volokh Conspiracy, 6 May 2015) - I'm working on a new law review article about the internal procedures that Internet providers follow when executing search warrants for content. Given that, I was particularly interested in this new decision from a magistrate judge in Alaska relieving Google of a duty to execute a warrant by combing through stored files for relevant content. The case involves a search for evidence in e-mail accounts that were used to respond to a Craigslist advertisement about underage sexual activity. The warrant wasn't well-drafted, but it could be read as giving Google the job of searching through the e-mail accounts and identifying which e-mails were relevant to the case before handing them over to the government. The warrant was served on Google, which then challenged the warrant. From the opinion: Google asks the Court to amend the first warrant, relieving it from any requirement to inspect the content of email correspondence for relevance and evidentiary value. Google asserts that such content review of email is a law-enforcement function that cannot properly be delegated to service providers. Google also notes that it is "not steeped in the investigation," and does not have the background, expertise, or resources to sift through email correspondence for content to determine relevancy and evidentiary value under the warrant. For these reasons, Google asserts that the first warrant is unduly burdensome. It illustrates the burden by pointing out that over the twelve month period between July 2013 and June 2014, Google received 23,113 pieces of legal process from law enforcement agencies seeking information on 39,830 accounts. These legal process requests ran "the gamut from fraud cases, kidnapping and other emergencies, to routine civil and criminal demands for records." To respond to the myriad requests for assistance from law enforcement, Google maintains a "dedicated team" exclusively devoted to responding to legal process requests from law enforcement. Notwithstanding its policy of cooperation, Google asserts that the first warrant goes too far and imposes an undue burden on it because it does not have the resources necessary to review email content for relevance and for evidentiary value in a particular case. Moreover, even if it did have the resources, Google contends that the review of email content for investigative value should remain with law enforcement, and should not be delegated to service providers. These arguments are persuasive.

LinkedIn serves up resumes of 27,000 US intelligence personnel (ZDNet, 6 May 2015) - The resumes of over 27,000 people working in the US intelligence community were revealed today in a searchable database created by mining LinkedIn. Transparency Toolkit said the database, called ICWatch, includes the public resumes of people working for intelligence contractors, the military and intelligence agencies. The group said the resumes frequently mention secret codewords and surveillance programs. "These resumes include many details about the names and functions of secret surveillance programs, including previously unknown secret codewords," Transparency Toolkit said. "We are releasing these resumes in searchable form with the hopes that people can use them to better understand mass surveillance programs and research trends in the intelligence community." The data was collected from LinkedIn public profiles using search terms like known codewords, intelligence agencies and departments, intelligence contractors, and industry terms, the group said. To create the database, Transparency Toolkit built search software, called LookingGlass, to make it easy to browse the data. Both LookingGlass and the ICWatch data have been released on GitHub.

Legal threat against security researcher claims he violated lock's copyright (BoingBoing, 6 May 2015) - Mike Davis from IOActive found serious flaws in the high-security Cyberlock locks used by hospitals, airports and critical infrastructure, but when he announced his findings, he got a legal threat that cited the Digital Millennium Copyright Act. Jeff Rabkin, a partner at the "elite international law firm" Jones Day, sent the thinly veiled threat on April 29, asking IOActive to help him discover whether "intellectual property laws such as the anticircumvention provision of the Digital Millennium Copyright Act" had been violated in the course of Davis's research. The 1998 DMCA prohibits actions that assist in bypassing "effective means of access control" to copyrighted works. It's the statute that lets Apple prevent competitors from launching rival App Stores, and stops companies from selling DVD-ripping software. Rabkin and Jones Day are quite possibly barking up the wrong tree here. Two early DMCA cases, Skylink and Lexmark, tested whether the law stretched to preventing competitors from reverse-engineering devices in order to make interoperable spares and consumables (garage door openers and printer cartridges), and in both cases the Federal Circuit found that the DMCA could not be used to prevent this sort of activity. Disclosing vulnerabilities isn't exactly parallel to Lexmark/Skylink. In those cases, an original manufacturer sued a commercial rival, and the judges took offense at the use of copyright law for such a nakedly anti-competitive purpose. To me, it's clear that disclosing the drastic defects that a manufacturer made in its products is of the same character as making competing products: a legitimate and socially vital process that is obviously out of copyright's scope.

- and -

Copyright as censorship? Katz v. Chevaldina (David Post on Volokh Conspiracy, 11 May 2015) - Briefs have now been filed in the very interesting Katz v. Chevaldina case, now on appeal in the 11th Circuit. Eugene blogged about this here on the VC almost a year ago, when the case was before the district court, and it remains a pretty interesting case about the limits of copyright law and copyright protection. [Full disclosure: I worked with defendant Chevaldina's attorney in the appeal - Michael Rosman at the Center for Individual Rights - so I won't pretend to be neutral and/or disinterested.] The facts are pretty simple. Katz is a wealthy Miami real estate developer (and part owner of the NBA's Miami Heat franchise). While he was visiting Israel, a photograph of Katz - described as "unflattering" by the lower court and "ugly and embarrassing" by Katz himself [you can see the photo itself in Eugene's original posting] - was published in the Israeli paper Haaretz, accompanying a story about his purported interest in purchasing a stake in an Israeli basketball team. Chevaldina, who has a number of ongoing disputes with Katz and who operates several blogs which are highly critical of him and of his business practices, republished the photograph numerous times, "in its original state, sometimes accompanied by sharply worded captions, or cropped and pasted into derisive cartoons." Katz obtained an assignment of the copyright in the photograph from the Israeli photographer, and then sued Chevaldina for infringing his copyright. The district court found that Chevaldina was not infringing Katz's copyright because she was making "fair use" of the photographs, and Katz appealed to the 11th Circuit. There's some really interesting copyright law, and some really interesting copyright policy, in all this. The Copyright Act requires a court to consider "the effect" of Chevaldina's use on "the potential market for or value of the copyrighted work," in deciding whether or not her use is "fair." The district court found - correctly, in my view (but see disclosure above!) - that there was no "harm" to the market for the work because there was, for all intents and purposes, no market for the work at all, now that Katz had purchased the copyright (and clearly was not interested in having it distributed further by anybody) * * *


2015 Data Breach Class Action Report (Bryan Cave, May 2015) - We are pleased to announce the 5th edition of our whitepaper discussing trends in data breach class action litigation. The 2015 report provides the most comprehensive analysis of trends in complaint filings by industry, court, legal theory, and type of data breach * * *


Canadian law firms warned to encrypt client data or risk surveillance threat (Global Legal Post, 8 May 2015) - The Canadian Anti-Terrorism Act, now passing through parliament, could mean that law firms which do not encrypt data will imperil the confidentiality of clients - as the security forces will find it easier to get warrants that breach privacy. The Act paves the way for greater powers for the Canadian Security Intelligence Service to undertake mass transfers of data from government departments. David Fraser, technology and privacy specialist at McInnes Cooper, said: 'There's all kinds of mischief that can take place under the provisions.' He continued: 'Could a judge theoretically override solicitor-client privilege in one of these scenarios? Yes. Would it take place in secret? Absolutely.' The obvious solution is encrypting data so that the security forces cannot access it. For firms on the cloud this would mean that the service provider itself could not decrypt data that it holds even when warrants are issued.
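The last two sentences describe the arrangement that actually keeps data out of a provider's reach: the firm generates and keeps the key, and the provider stores only ciphertext. The following Go program is an added illustration of that arrangement, not code from the article or from any product it mentions. The provider is modelled as an in-memory blob store, and the object name, the sample memo and the "warrant" step are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Provider stands in for the cloud service: a plain blob store. Under a
// warrant it can produce everything in here, and nothing else (constructed
// for this example).
type Provider struct {
	blobs map[string][]byte
}

func NewProvider() *Provider { return &Provider{blobs: map[string][]byte{}} }

func (p *Provider) Put(name string, blob []byte) {
	p.blobs[name] = append([]byte(nil), blob...)
}

func (p *Provider) Get(name string) ([]byte, bool) {
	b, ok := p.blobs[name]
	return b, ok
}

// NewFirmKey makes a 256-bit key on the firm's own machine. In practice it
// would sit in the firm's key store or HSM; what matters is that it is never
// uploaded alongside the data.
func NewFirmKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM and binds the object name as additional
// authenticated data, so a blob cannot be quietly re-filed under another
// name. Output layout: nonce || ciphertext+tag.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. It fails closed on the wrong key, a modified blob, or a
// mismatched name; GCM releases no partial plaintext in any of those cases.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(name))
}

// Scenario runs the end-to-end case and reports (providerCanRead, firmCanRead).
func Scenario() (bool, bool, error) {
	const name = "matter-1234/settlement-memo.txt"                  // constructed object name
	memo := []byte("Privileged: authority to settle up to $2.4M") // constructed sample

	firmKey, err := NewFirmKey()
	if err != nil {
		return false, false, err
	}
	blob, err := Seal(firmKey, name, memo)
	if err != nil {
		return false, false, err
	}
	prov := NewProvider()
	prov.Put(name, blob)

	// Warrant served on the provider: it produces the stored blob but holds
	// no key. Any key it could supply is no better than a random one.
	produced, _ := prov.Get(name)
	guess, _ := NewFirmKey()
	_, errProv := Open(guess, name, produced)

	// The firm decrypts the same blob with its own key.
	back, errFirm := Open(firmKey, name, produced)

	return errProv == nil, errFirm == nil && bytes.Equal(back, memo), nil
}

func main() {
	providerCanRead, firmCanRead, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("provider can read under warrant:", providerCanRead)
	fmt.Println("firm can read:", firmCanRead)
}
```

Two caveats a firm should check before relying on this. First, the guarantee holds only while the key stays on the firm's side: a provider-managed key service, or a provider-supplied client that handles keys for you, puts the provider back in a position to comply with a warrant by decrypting. Second, the provider still sees what the firm does not encrypt, here the object name, size and access times, so a warrant can still reveal which matters exist and when they were worked on.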


Can you touch an electron? The weird metaphysics when states try to tax digital goods (Washington Post, 8 May 2015) - Are you in the mood for some House of Cards? Cue up an episode. Here's what will happen. A faraway computer will start spewing electronic information toward you. These pulses of energy might travel by copper wire, by optical fiber, or by radio before they reach your laptop, reassembling into closeups of Robin Wright giving a masterclass in side-eye. Once, not so long ago, people got their entertainment on discs engraved with microscopic bumps, a computer version of braille. Stores like Blockbuster rented these plastic pucks, which people referred to as "DVDs." Music, too, traveled around on platters of polycarbonate called "CDs." These days, your Britney albums are more likely to live on your computer's hard drive as a collection of magnetic stripes. You can still cuddle this hard drive, but it's really not the same thing. Right? Some state governments would argue yes. Some state governments are confused. Some state governments are still grappling with the idea of goods that have transcended the material plane. How do you regulate them? How do you tax them? Though it's been over a decade since Apple sold its first song on iTunes, there's still a lot of murkiness concerning the metaphysics of, say, Miley Cyrus's latest digital exclusive. Alabama is the latest example of a state trying to reconcile reality with its behind-the-times tax code. In March, its Department of Revenue announced it would start taxing streaming services like Netflix and Spotify the same way it taxes rental stores that deal in physical discs. The actual law, which hasn't changed, says that the state will levy a 4 percent tax on rentals of "tangible personal property." So in order to tax a Netflix subscription, Alabama's tax collectors have been forced to argue that streaming movies are somehow exactly that - tangible. 
But the law in Alabama (and several other states) provides a much looser definition. It's anything "which may be seen, weighed, measured, felt, or touched, or is in any other manner perceptible to the senses." * * * Many states have chosen to define digital downloads (like movies or MP3s) as a third kind of property, neither tangible nor intangible. That's the position laid out in the Streamlined Sales and Use Tax Agreement, which about half of states have passed laws to participate in. The goal of this agreement is for states to coordinate on how to tax commerce between states, an issue that has become increasingly complicated with Internet sellers conducting business from thousands of miles away. In Louisiana, administrators from Jefferson Parish recently lost a lawsuit over whether they could tax streaming video-on-demand and pay-per-view services. Like Alabama, Jefferson Parish levies a tax when people rent "tangible personal property." Much of the argument went back to the definition of "tangible." Lawyers from cable company Cox argued that video streams aren't really tangible property because they're not stored permanently; the data is thrown out after it hits the screen, so there is not even temporary transfer of ownership. In December, an appeals court agreed with Cox, ruling that streaming video was an untaxable service, not a taxable rental transaction.


Brick by brick (InsideHigherEd, 11 May 2015) - The next-generation learning management system shouldn't be a system at all, but a "digital learning environment" where individual components -- from grade books to analytics to support for competency-based education -- fit together like Lego bricks, a new white paper recommends. "The Next Generation Digital Learning Environment: A Report on Research," released last month, advances Educause's initiative to examine how faculty members and students feel about their learning management systems and what they want from them in the future. The effort, which is funded by the Bill & Melinda Gates Foundation, is known as the Next Generation Digital Learning Environment Initiative. Even though virtually all colleges and universities run some form of learning management system, many faculty members have a "love-hate relationship" with the software, Malcolm Brown, director of the Educause Learning Initiative, said in an interview. On the one hand, he pointed out, it's technology "you can't live without," but on the other, it's a source of frustration and impatience for many. Educause hoped to consider whether existing learning management systems can support higher education at a time when many colleges and universities are experimenting with new forms of delivering courses and awarding credit. Instead of focusing on "incremental change," the researchers decided to articulate what a re-envisioning of the market would look like, Brown said. The white paper combines Educause's own research with input from learning management system providers, accessibility and universal design experts, IT officials, university leaders, and others. 
Authors Malcolm Brown, Joanne Dehoney and Nancy Millichap then synthesized those opinions into one overarching recommendation: that commercial providers, open-source communities and individual developers settle on a set of specifications to make different software work together -- in other words, the studs and cylinders that make Lego bricks interlock.


New PacerPro service automatically retrieves and delivers federal 'free look' documents (Robert Ambrogi, 11 May 2015) - If I were to tell you that a new service could help you avoid a $40 million mistake in litigation, would you be interested? The mistake to which I refer was Sidley Austin's failure to timely read orders referenced in a notice of electronic filing (NEF). The orders denied Sidley's post-trial motions filed on behalf of AT&T after it was hit with a $40 million verdict in a patent infringement case. Because Sidley did not read the orders in time, it missed the deadline to file an appeal. Claiming that the NEFs were misleadingly labeled, Sidley sought to reopen the appeal period. In a March 19, 2015, decision, the Federal Circuit shot down Sidley's request, agreeing with the trial judge that it was "inexcusable for AT&T's multiple counsel to fail to read all of the underlying orders they received, or - at minimum - to monitor the docket for any corrections or additional rulings." A new service being launched this week by PacerPro could have helped avoid this outcome. On top of that, it solves a problem that vexes many law firms - the retrieval of electronically filed documents in federal district and bankruptcy courts. The new service automatically retrieves the documents referenced in NEFs from PACER and sends them to you by email. Whether the NEF references a single document or a dozen, you get them all in your inbox, available on your computer or mobile device.


Every computer border search requires case-by-case reasonableness, DC court holds (Orin Kerr on Volokh Conspiracy, 12 May 2015) - Imagine you're flying from the United States to a foreign country and you're carrying a laptop. Federal agents stop you on the jetway as you're about to board your flight. They want to take your computer and search it. Can they? And if they can do that, what are the limits on how much they can search, for how long, and where? Lower courts have divided on the question. Some courts have concluded that the "border search exception" that the Supreme Court has applied for searches of physical objects should also apply equally to computers. Under that approach, agents can seize and search computers at the border (or at its "functional equivalent," such as at international airports where passengers are boarding international flights) apparently without limit. The Ninth Circuit has adopted a different approach, ruling that agents need "reasonable suspicion" to seize and search a computer at the border if the search is a "forensic" search but not if it is a "manual" search. Last Friday, Judge Amy Berman Jackson of the D.C. District Court adopted a third approach in a new case called United States v. Kim. The opinion holds that every computer search at the border must be justified as reasonable under the totality of the circumstances. After concluding that the search in this case was not reasonable under that test, she suppressed the evidence. I think Judge Jackson's decision is highly problematic. I won't be surprised if DOJ appeals it, as it raises a really important set of questions and answers them in some unusual ways. Will the Court of Appeals agree with Judge Jackson? Time will tell. But we'll probably hear more about this case either way, so here's a detailed rundown of the new decision together with my thoughts. * * *


Vast majority of companies significantly under-insured for cyber risk (Insurance Business, 12 May 2015) - About 80% of companies are likely to suffer a data breach within 12 months, and while most of the associated costs will total less than $1 million, there's a 5% chance the breach will cost the company $20 million or more. Despite these frightening statistics, however, the vast majority of companies are significantly under-insured for cyber risk. In fact, companies are likelier to buy fire insurance than they are to buy a cyber policy, according to a new report from the research firm Ponemon Institute. Researchers surveyed 2,243 company representatives in 37 countries on cyber risk and security. Of those, just one in five have a current cyber liability policy in place. Much of that lack of market penetration has to do with ignorance surrounding cyber coverage. Many companies believe their general liability policies will cover cyber risk, while others mistakenly believe their companies are too small to be at risk of a data breach. However, one other significant reason companies aren't buying coverage is a lack of market capacity. According to Kevin Kalinich, leader of the global cyber risk practice for Aon Risk Solutions - which sponsored the Ponemon study - it is difficult to find policies with adequate limits. "We are working with alternative markets because the traditional cyberinsurance markets run out of capacity between $200 million and $300 million," Kalinich said.


Polygraph.com owner pleads guilty to training customers to beat polygraph (Ars Technica, 14 May 2015) - A 69-year-old former Oklahoma police officer has pleaded guilty to five obstruction of justice and mail fraud charges in connection with an indictment accusing him of teaching people to successfully cheat on lie detector tests. According to last year's indictment (PDF), Douglas Williams charged customers for instruction on how to beat lie detector tests given during national security, federal, state, and local employment suitability assessments and for internal federal investigations. "Lying, deception and fraud cannot be allowed to influence the hiring of national security and law enforcement officials, particularly when it might affect the security of our borders," Assistant Attorney General Leslie Caldwell said. "Today's conviction sends a message that we pursue those who attempt to corrupt law enforcement wherever and however they may try to do so."


NOTED PODCASTS

The iGEM Revolution (Drew Endy at the Long Now Foundation, Sept 2014; 90 minutes) - Natural genomes are nearly impossible to figure out, Endy began, because they were evolved, not designed. Everything is context dependent, tangled, and often unique. So most biotech efforts become herculean. It cost $25 million to develop a way to biosynthesize the malaria drug artemisinin, for example. Yet the field has so much promise that most of what biotechnology can do hasn't even been imagined yet. How could the nearly-impossible be made easy? Could biology become programmable? Endy asked Lynn Conway, the legendary inventor of efficient chip design and manufacturing, how to proceed. She said, "Go meta." If the recrafting of DNA is viewed from a meta perspective, the standard engineering cycle - Design, Build, Test, Design better, etc. - requires a framework of DNA Synthesis, using Standards, understood with Abstraction, leading to better Synthesis, etc. "In 2003 at MIT," Endy said, "we didn't know how to teach it, but we thought that maybe working with students we could figure out how to learn it." It would be learning-by-building. So began a student project to engineer a biological oscillator - a genetic blinker - which led next year to several teams creating new life forms, which led to the burgeoning iGEM phenomenon. Tom Knight came up with the idea of standard genetic parts, like Lego blocks, now called BioBricks. Randy Rettberg declared that cooperation had to be the essence of the work, both within teams (which would compete) and among all the participants to develop the vast collaborative enterprise that became the iGEM universe - students creating new BioBricks (now 10,000+) and meeting at the annual Jamboree in Boston (this year there are 2,500 competitors from 32 countries). "iGEM" stands for International Genetically Engineered Machine. [Polley: absolutely fascinating; I'd completely missed that distributed genetics "programming" has replaced nanotech. The confluences of serendipity & intention, cooperation & collaboration, knowledge management & sharing, all drive this process. For lawyers, around 60m45s this gets into ownership issues (genetic programming languages, DNA widgets/parts/tools/gizmos), applicability of DMCA (and the like) to ownership claims, and Creative Commons like approaches. Cites to the alluring BioBrick Public Agreement (BPA) 63m23s.]


RESOURCES

New draft article, "Norms of Computer Trespass" (Orin Kerr on Volokh Conspiracy, 4 May 2015) - I have posted a draft of a new article, Norms of Computer Trespass, forthcoming in the Columbia Law Review. The article addresses a recurring problem in computer crime law: What is unauthorized access? The article tries to answer that question at a conceptual level, and along the way resolves a lot of the hard cases courts have encountered in applying the Computer Fraud and Abuse Act. Here's the abstract: Federal and state laws prohibit computer trespass, codified as a ban on unauthorized access to a computer. In the last decade, however, courts have divided sharply on what makes access unauthorized. Some courts have interpreted computer trespass laws broadly to prohibit trivial wrongs such as violating Terms of Service to a website. Other courts have limited the laws to harmful examples of hacking into a computer. Courts have struggled to interpret authorization because they lack an underlying theory of how to distinguish authorized from unauthorized access. This Essay offers such a theory. It contends that authorization is inherently contingent on social norms. Starting with trespass in physical space, it shows how concepts of authorization necessarily rest on shared understandings of what technologies and their users are allowed to do. Norms classify the nature of each space, the permitted means of access, and the permitted context of access. This idea, applied to the Internet, readily answers a wide range of difficult questions of authorization under computer trespass laws such as the Computer Fraud and Abuse Act. It shows that the open norms of the web authorize most kinds of web use. On the other hand, the closed norms of authentication limit use of canceled or shared accounts. Properly understood, the norms-based nature of trespass does not render unauthorized access laws uncertain. To the contrary, the lines to be drawn become surprisingly clear once you identify the correct norms of computer usage.


Congress, the courts, and the development of copyright law (MLPB, 28 April 2015) - Christopher S. Yoo, University of Pennsylvania Law School; University of Pennsylvania Annenberg School for Communication; University of Pennsylvania School of Engineering and Applied Science, is publishing The Impact of Codification on the Judicial Development of Copyright in Intellectual Property and the Common Law (Shyamkrishna Balganesh, ed., 2014). Here is the abstract: Despite the Supreme Court's rejection of common law copyright in Wheaton v. Peters and the more specific codification by the Copyright Act of 1976, courts have continued to play an active role in determining the scope of copyright. Four areas of continuing judicial innovation include fair use, misuse, third-party liability, and the first sale doctrine. Some commentators have advocated broad judicial power to revise and overturn statutes. Such sweeping judicial power is hard to reconcile with the democratic commitment to legislative supremacy. At the other extreme are those who view codification as completely displacing courts' authority to develop legal principles. The problem with this position is that not all codifications are intended to be comprehensive or to displace all preexisting law. One way to reconcile democratic legitimacy with current practice would be to adopt a less categorical approach that recognizes that the proper scope for judicial development is itself a question of legislative intent. In some cases, Congress has affirmatively delegated to the courts the explicit authority to continue to develop the law. In others, Congress modeled certain provisions of the copyright statutes on patent or other areas of law, which provides leeway for judicial development. Neither approach would conflict with the democratic commitments reflected in legislative supremacy. 
Applying this framework to the four areas of law of judicial development identified above reveals that the courts' record in applying these principles consistently is mixed. With respect to fair use and misuse, the courts have adopted readings that either follow or are consistent with legislative intent. With respect to third-party liability and the first sale doctrine, the courts have invoked broad analogies between copyright and patent law or canons of construction without analyzing directly whether such approaches were consistent with legislative intent.


LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

New York Times to charge for archives, editorials (Reuters, 16 May 2005) -- The New York Times Co. on Monday said it plans to charge for some of its editorial columns and its archive of stories online to boost subscription sales, even as it invests in its free service. The New York-based publisher of the namesake newspaper and The Boston Globe said the new product, TimeSelect, will debut in September and cost $49.95 for an annual subscription. The company said most of its stories will still be available online for free. TimeSelect underscores the paper's push to create more Web products, both free and for a fee, to offset an uncertain advertising market for its print newspapers. The New York Times purchased Web site About.com for about $410 million earlier this year to increase its online advertising inventory. The paper's print subscribers will have free access to the paper's columnists online, including those written by Times staffers and International Herald Tribune writers. TimeSelect will also give subscribers access to its archives dating back initially to 1980. The company plans to eventually extend its archives back to the 1850s, a spokesman said.


L.A. Times suspends 'wikitorials' (AP, 21 June 2005) -- A bold Los Angeles Times experiment in letting readers rewrite the paper's editorials lasted all of three days. The newspaper suspended its "Wikitorial" Web feature after some users flooded the site over the weekend with foul language and pornographic photos. The paper had posted on its Web site Friday an editorial urging a better-defined plan to withdraw troops from Iraq. Readers were invited to add their thoughts. Dozens did, with some adding hyperlinks and others adding opposing views. One reader split the long editorial in two, something that pleased Michael Kinsley, the Times' editorial and opinion editor. But the number of "inappropriate" posts soon began to overwhelm the editors' ability to monitor the site. On Sunday, editors decided to remove the feature. The newspaper's Web page was to show the original editorial and interim versions along with the readers' final product. "The result is a constantly evolving collaboration among readers in a communal search for truth," the paper said in its Friday edition. "Or that's the theory." The Times said it might be creating a new form of opinion journalism - or an embarrassing failure. In a statement Monday, the Times said the feature would stay offline indefinitely while it looked at what happened and how to fix it. "We thank the thousands of people who logged onto the Wikitorial in the right spirit," the paper said.


NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, April 25, 2015

MIRLN --- 5-25 April 2015 (v18.06)

MIRLN --- 5-25 April 2015 (v18.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


NEWS | LOOKING BACK | NOTES

Cyber attacks upend attorney-client privilege (Bloomberg, 19 March 2015) - "Dear Clients," began the letter that law firm Ziprick & Cramer sent out in late February. "It is almost a daily occurrence that we read about cyber attacks in the news. Unfortunately, on or around January 25, 2015, our firm was the victim of a single cyber attack, by a relatively new variant of a Cryptolocker-type virus." Cryptolocker is a kind of ransomware used to encrypt files so they're unreadable; hackers then demand money to restore the data. A security breach is one of the last things a lawyer wants to admit to a client. But the small firm in Redlands, Calif., faced it head-on, reporting the attack to the FBI and calling on its IT specialist to assess the damage and install safeguards to thwart future attacks. Partner Robert Ziprick says clients have been sympathetic and understand hacking is a problem for lots of businesses. "A lot of them are trying to figure it out, too," he says. Law firms of all sizes are vulnerable. Cybersecurity firm Mandiant says at least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011. In 2012, Bloomberg reported that the large Washington firm Wiley Rein was targeted by hackers linked to China's military in connection with a trade dispute it was handling for a maker of solar panels. McKenna Long & Aldridge lost Social Security numbers and other employee data last year when one of its vendors was targeted, the firm reported. Since at least 2009, the FBI, the U.S. Secret Service, and other law enforcement agencies have warned the managing partners of big U.S. firms that their computer files are targets for cyberspies and thieves in China, Russia, and other countries, including the U.S., looking for valuable information about potential corporate mergers, patent and trade secrets, litigation plans, and more. 
"If you're a major law firm, it's safe to say that you've either already been a victim, currently are a victim, or will be a victim," says Chad Pinson, a managing director at Stroz Friedberg, a New York-based cybersecurity firm. "The question is, what are you doing to mitigate it?"


- and -

Wall St. is told to tighten digital security of partners (NYT, 8 April 2015) - Wall Street's oversight of cybersecurity measures at outside firms it does business with remains a work in progress, according to a review by New York State's top financial regulator. A survey of 40 banks found that only about a third require their outside vendors to notify them of any breach to their own networks, which could in turn compromise confidential information of the bank and its customers. Fewer than half the banks surveyed said they conducted regular on-site inspections to make sure the vendors they hire - like data providers, check-processing firms, accounting firms, law firms and even janitorial companies - are using adequate security measures. About half require vendors to provide a warranty that their products and data streams are secure and virus-free. One particular area of concern on Wall Street is the security of large law firms, which not only do regulatory work for banks but also advise on corporate transactions. This year, a cybersecurity team at Citigroup issued an internal report that said law firms were a logical target for hackers because they are rich repositories for confidential data. The report also cautioned bank employees that digital security at many law firms, despite improvements, generally remains below the standards of other industries.


- and -

Miscreants rummage in lawyers' silky drawers at will, despite warnings (The Register, 16 April 2015) - A total of 187 incidents were recorded last year, with 173 firms investigated for a variety of DPA-related incidents, of which 29 per cent related to "security" and a similar 26 per cent related to incorrect disclosure of data. The figures come from a Freedom of Information request by encryption services firm Egress Software Technologies. Hackers target solicitors in order to get their hands on the confidential data of their clients for identity fraud or other reasons. Accountants and other professional services firms are also on the front line of attacks, with cyber-spies as well as profit-motivated criminals all having a pop. Information Commissioner Christopher Graham issued a warning to law firms last August, following a string of data breaches, Computing reports. In addition, professional body the Law Society issued a practice note 12 months ago, warning that the use of cloud computing services in law firms could break the Data Protection Act. Evidently this advice was not put into practice by scores of law offices up and down the UK, and the issue of insecure practices in law firms is far from restricted to Blighty. Recently published US research by incident response outfit Mandiant uncovered that at least 80 per cent of the country's 100 biggest firms had been involved in a breach since 2011. Separate US research revealed that 89 per cent of US law firms use unencrypted email as a primary means of communication. Almost half of American law firms use free, cloud-based file-sharing services like Dropbox for "privileged information", according to LexisNexis Legal & Professional.


- and -

Law firm cyber security and privacy risks (Dan Solove, 23 April 2015) - Law firms are facing grave privacy and security risks. Although a number of firms are taking steps to address these risks, the industry as a whole needs to grasp the severity of the risk. For firms, privacy and security risks can be significantly higher than for other organizations. Incidents can be catastrophic. On a scale of 1 to 10, the risks law firms are facing are an 11. This is not time for firms to keep calm and carry on. The proper response is to freak out. In 2009, the FBI issued an advisory that hackers were targeting law firms. In 2011, the FBI began organizing meetings with the managing partners of top law firms to highlight the risks. In 2013, the FBI repeated its warning: "We have hundreds of law firms that we see increasingly being targeted by hackers." As attorney Simone McCormick notes, recent incidents in the past few years have included ones where "hackers stole all client files of a New York law firm, attacked Canadian law firms for industrial espionage and launched a sophisticated phishing attack against a California firm." Law firms are great targets. For fraudsters, law firms offer a gourmet data feast. Law firms have lots of personal data on employees and clients; they often have health data and protected health information (PHI) under HIPAA; they have tons of financial data; and they have very sensitive information about the corporate strategies, trade secrets, and business transactions of their clients. Law firms have information that could be deeply embarrassing to clients, as well as an array of data that could be used for corporate espionage, or for gaining secret insights into litigation and deals that can be used to buy and sell securities. * * * Law firms have lagged behind other industries when it comes to data protection. 
Although a number of firms have developed great programs, other law firm privacy and security programs lack all the elements of the programs that many companies in other industries have. A few years ago, the head of the cyber division in the New York City office of the FBI stated: "As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it's a much, much easier quarry." Also as cybersecurity law expert Vincent Polley has noted, many law firms might not even realize that they've been hacked.

Do employers own LinkedIn groups created by employees? (Venkat Balasubramani, 4 April 2015) - Simms worked for plaintiff CDM Media but switched jobs to work for Box, allegedly one of plaintiff's larger customers. Plaintiff alleges that Simms violated a non-compete and misappropriated its trade secrets. Among other issues, plaintiff sought control of a "LinkedIn group" because both the group's membership and the communications' contents were allegedly its trade secrets. The court declines to grant the motion to dismiss: * * *

Online test-takers feel anti-cheating software's uneasy glare (NYT, 5 April 2015) - Before Betsy Chao, a senior here at Rutgers University, could take midterm exams in her online courses this semester, her instructors sent emails directing students to download Proctortrack, a new anti-cheating technology. "You have to put your face up to it and you put your knuckles up to it," Ms. Chao said recently, explaining how the program uses webcams to scan students' features and verify their identities before the test. Once her exam started, Ms. Chao said, a red warning band appeared on the computer screen indicating that Proctortrack was monitoring her computer and recording video of her. To constantly remind her that she was being watched, the program also showed a live image of her in miniature on her screen. As universities and colleges around the country expand their online course offerings, many administrators are introducing new technologies to deter cheating. The oversight, administrators say, is crucial to demonstrating the legitimacy of an online degree to students and their prospective employers. Some schools use software that prevents students from opening apps or web browsers during online exams. Others employ services with live exam proctors who monitor students remotely over webcams. But the rise of Proctortrack and other automated student analysis services like it has raised questions about where to draw the line, and whether the new systems are fair and accurate.

Government keeps its eyes on the road with invasive license plate reader program (CDT, 6 April 2015) - On April 2, the Department of Homeland Security (DHS) released a Privacy Impact Assessment (PIA) that describes how the DHS Immigration and Customs Enforcement (ICE) - including ICE's primary investigative offices, Enforcement and Removal Operations and Homeland Security Investigations - will find the present and past location of drivers by accessing a massive private database of vehicle location information. The program raises serious privacy concerns, with the specter of individuals' location data being collected on a mass scale, stored for a prolonged period, and used without effective restrictions. According to the PIA, both fixed and mobile license plate readers record license plate number, a digital image of the license plate, the vehicle's make, model, and state of registration, GPS location, a time stamp, and sometimes "the environment surrounding a vehicle, which may include drivers and passengers." A private company (probably Vigilant Solutions, which has amassed a database of 2.5 billion license plate location records) will hold the data. ICE can then use license plate numbers to query a database, and provide a "hot list" of license plate numbers under surveillance to the private company so that when there is a hit on one of those numbers, ICE will receive immediate notice of the location of the license plate. Queries can uncover all recorded sightings of a license plate for the previous five years, or as far back as the statute of limitations for the crime being investigated. The program raises alarming privacy concerns. For years, CDT, other civil society groups, and a broad range of companies in the private sector have worked in the Digital Due Process coalition to establish a warrant requirement for location information generated by cell phone use.
As CDT noted last November in its brief to the 11th Circuit arguing that the government must obtain a warrant to gain access to cell-site location information, location data can be highly revealing of sensitive, personal information. Location data can be used to determine one's political and religious affiliation, medical conditions, work activities, and romantic interactions, as well as map a pattern of one's movements and associations. The program also appears to circumvent an important developing legal norm regarding location privacy. As a result of court rulings and legislative action, 12 states now require a warrant for police to demand location data generated in connection with use of a wireless communication device. This rapid trend as well as the Supreme Court's landmark ruling in U.S. v. Jones indicates the entire country may soon follow this rule. The government's response to such an expansion of Fourth Amendment rights cannot be to evade the requirement of independent review by mining license plate location information maintained by a third party; it should have to obtain a warrant or other judicial authorization in order to do so.

Lawyer can use client's Facebook account to serve husband with divorce summons, judge says (ABA Journal, 6 April 2015) - A New York lawyer can use a client's Facebook account to serve her elusive husband with a divorce summons, a judge has ruled. "This transmittal shall be repeated by plaintiff's attorney to defendant once a week for three consecutive weeks or until acknowledged," wrote Manhattan Supreme Court Justice Matthew Cooper. The target of the court paperwork, Victor Sena Blood-Dzraku, lives separately from his wife. Although he is in touch with Ellanora Baidoo by Facebook and telephone, he has refused to provide her with his home or work location or make himself available for service voluntarily, reports the New York Daily News.

NY cops used 'Stingray' spy tool 46 times without warrant (Wired, 7 April 2015) - The police department in Erie County, New York fought hard to prevent the New York Civil Liberties Union from obtaining records about its use of a controversial surveillance tool known as a stingray. The reason why may be because of what the records show: that cops in that county, which includes the city of Buffalo, used the devices 47 times since 2010 but only once sought and obtained a court order to do so. That revelation contradicts what the county sheriff said last year when he asserted that the department only used the devices under "judicial review." In the single case in which police sought permission from a court, they asked for a court order rather than a warrant, which carries a higher burden of proof. And in their request, they mischaracterized the true nature of the tool. The records, which the NYCLU published in a blog post today, also show that the county sheriff's office signed a stringent gag order with the FBI to maintain secrecy about their stingray records. The department was told to withhold information about the devices in any documents filed with courts, such as affidavits and other documents describing how they obtained evidence in criminal cases. The department was even told that the FBI maintained the right to intervene in county prosecutions to request criminal cases be dismissed if there was a chance that a case might result in the disclosure of information about law enforcement's use of stingrays.

DEA sued for snooping on international phone calls (Computerworld, 8 April 2015) - The U.S. Drug Enforcement Administration's logging of international phone calls made from the U.S. was illegal, advocacy group Human Rights Watch has alleged in a lawsuit filed late Tuesday. The DEA and the U.S. Department of Justice ran the secret snooping program for decades without judicial oversight, logging "virtually all telephone calls" from the U.S. to as many as 116 countries linked to drug trafficking, according to a USA Today report. The program did not record the content of the calls and was used to fight drug trafficking. This is yet another government bulk surveillance program used for untargeted and suspicionless surveillance of U.S. citizens, affecting millions of innocent people, said the Electronic Frontier Foundation (EFF), which represents Human Rights Watch in the legal action. The program, said to have been run by the DEA's special operations division, reportedly began logging phone calls in bulk in 1992 but was suspended in September 2013 after the outrage over the U.S. National Security Agency's surveillance programs. This lawsuit, filed with the U.S. District Court of the Central District of California, seeks to ensure the program is permanently terminated, that it cannot restart, and that all of Human Rights Watch's illegally collected records have been purged from all government systems, the EFF said. According to the suit, the DEA disclosed the existence of the program in January when a federal judge ordered the government to reveal more information about it as part of a criminal case against a man accused of violating export restrictions on goods to Iran. The DEA's disclosure showed that it relied on administrative subpoenas to amass the database of call records, the EFF said, adding that the records were obtained without judicial oversight or approval.

Knowledge Management in mergers and acquisitions (KnoCo, 10 April 2015) - Knowledge management delivers maximum value when applied to high value knowledge, to support high value decisions, and in areas where that knowledge is otherwise at risk of being lost. A typical high value area where major decisions will be made is Mergers and Acquisitions. Mergers and Acquisitions are high cost, complex operations, where crucial decisions need to be made very well, and yet which happen relatively rarely, so it is easy for tacit knowledge to be lost. People caught up in the high pressure activity can easily forget the detail of how the decisions were made, and fail to pass the knowledge on to future mergers and acquisitions teams. This combination of high value decisions made relatively infrequently, so that human memory alone cannot be relied on as a knowledge store, means that there is great value on documenting the learning for use in future mergers and acquisitions. In addition, many mergers and acquisitions are conducted for knowledge reasons, in order to acquire competence and capability. The approach to KM for Mergers, Acquisitions and Divestments would be as follows: * * *

Neutrality groups diss government web 'blocking' (Multichannel, 10 April 2015) - The U.S. International Trade Commission has asserted the authority to block Internet transmissions, according to some net-neutrality advocates who are crying foul over the decision. In a letter Friday (April 10) to the ITC, 28 organizations and individuals took issue with a decision by the commission last fall concluding that the ITC's authority to prevent the importation of infringing products extended to digital models, data and treatment plans for dental appliances. The groups were a Who's Who of net-neutrality fans including the ACLU, Free Press, Fight for the Future and Public Knowledge. They said they were concerned about the precedent of finding that transmission of digital data was an importation of articles subject to the ITC's authority to block. Preventing the blocking of content by ISPs was one of the FCC's chief arguments for imposing its new Open Internet rules, but here it is a federal agency that is asserting the authority to block.

For art's sake! Photoing neighbors with zoom lens not a privacy invasion (Ars Technica, 13 April 2015) - An artist who hid in his apartment's shadows and deployed a telephoto lens to photograph his neighbors through their glass-walled apartment is not liable for invading their privacy, a New York state appellate court has ruled. The appeals court called it a "technological home invasion" but said the defendant used the pictures for art's sake. Because of that, the First Department of the New York Appellate Division ruled Thursday in favor of artist Arne Svenson, who snapped the pics from his lower Manhattan residence as part of an art exhibit called "The Neighbors." * * * The appeals court said that beginning in 2012, Svenson, whose works have appeared in museums and galleries in the United States and Europe, began "hiding himself in the shadows of his darkened apartment" to snap the pictures of his neighbors. Svenson's exhibit was displayed in galleries in Los Angeles and New York. Some of the subjects' faces were obscured, but some of the children's faces were not. The promotional materials on Svenson's website said that for his subjects, "there is no question of privacy; they are performing behind a transparent scrim on a stage of their own creation with the curtain raised high."

Social media arbitration clauses and fairness (MLPB, 14 April 2015) - Thomas H. Koenig, Northeastern University and Michael L Rustad, Suffolk University Law School, have published Fundamentally Unfair: An Empirical Analysis of Social Media Arbitration Clauses at 65 Case Western Reserve Law Review 341 (2014). Here is the abstract: Our systematic examination of 329 of the world's largest social media providers reveals that 29 percent of these providers require users to submit to predispute mandatory arbitration as a condition of using their services. Forced consumer arbitration clauses are principally a U.S. phenomenon. Forty-two percent of the 188 U.S.-based social media providers contain forced arbitration clauses -- in sharp contrast to only 13 percent of the 141 providers headquartered in foreign nations. Forty of the social networking websites (SNS) specify the American Arbitration Association (AAA) as the provider and nineteen specify JAMS, the two largest arbitration companies. We compare the fifty-nine social media terms of use (TOU) against the due process fairness tests that have been adopted by these two providers to mitigate the inevitable power imbalance in consumer arbitration proceedings. Our central finding is that the arbitration clauses of providers that specify the AAA and JAMS clearly fail the majority of the provisions of these two arbitral providers' consumer due process fairness tests. Arbitration clauses employed by social media have numerous "gotcha" provisions such as hard damage caps that place an absolute dollar limit on recovery that is significantly below the cost of filing an arbitral claim with either the AAA or JAMS. Our secondary analysis of AAA and JAMS arbitration reports establishes that consumer arbitration agreements have a deterrent effect, blocking all but a handful of social media users from filing claims. In effect, social media providers, encouraged by the U.S. Supreme Court's endorsement of mandatory consumer arbitration, have constructed a liability-free zone where social media users have rights without remedies if social media providers breach their TOU, invade their privacy, or infringe their intellectual property rights. These aggressive arbitration clauses are unlikely to be enforced in the European Union, or even accepted by the most commonly specified arbitral providers, so social networking sites need to draft more balanced TOU that pass due process fundamental fairness rules.

Court shoots down carpet cleaner's demand to unmask Yelp reviewers (Ars Technica, 16 April 2015) - Can users of review sites like Yelp bash a business but remain anonymous? Unless a business can show a court from the outset that they have strong evidence the statements are false and defamatory, the user's identity will usually be protected. Yelp says it gets about six subpoenas a month seeking user identities, often from businesses who want to sue anonymous reviewers. One closely watched Virginia case about reviewer anonymity has now been resolved. The anonymous reviewers won, although not on the grounds free speech advocates had hoped for. In 2012, Joe Hadeed, who runs a carpet-cleaning business in Springfield, Virginia, filed a lawsuit over a set of reviews he believes were fraudulent, perhaps posted by his competitors. Last year, he told The Wall Street Journal he couldn't match the reviews to records he had regarding his actual customers. Hadeed sued three Yelp users, identifying them only as "John Does" and sending Yelp a subpoena asking for the reviewers' identities. Yelp refused and fought it out in court. Both a state circuit court and an appeals court ordered Yelp to hand over the users' information, finding the site in contempt. Last year, Yelp appealed to the state's supreme court, and well-known First Amendment lawyer Paul Levy took the company on as a client. Today, the Virginia Supreme Court issued its ruling (PDF) in favor of Yelp, finding that the company doesn't have to disclose any user information, because the lawsuit shouldn't have been filed in Virginia in the first place. The court's decision to focus solely on the issue of jurisdiction means that the more important public policy argument (whether the Yelp reviewers have a right to anonymous speech in this case) goes unaddressed.

With judge analytics, Ravel Law starts to judge the judges (Tech Crunch, 16 April 2015) - From murder and terrorism to patent conflicts and sexual discrimination lawsuits, courtrooms are home to some of the most important dramas in our society. While our top retailers can identify people who are pregnant weeks before even the consumer has realized it themselves, lawyers continue to argue cases before judges with data based on a handful of anecdotes from other attorneys. Ravel Law hopes to bring some big data magic to the courtroom, and perhaps improve our justice system along the way. The startup launched their Judge Analytics platform today. The idea is to provide comprehensive insights on every judge in the country, allowing lawyers to research the best strategies for their client before they file a lawsuit or argue a motion before a judge. Armed with better insights, lawyers can then provide their clients with better services, and at a cheaper cost too. While judges are often popularly conceived as objective arbiters of the truth, the reality is that every judge is a human being, a product of their own experiences and biases. "No two judges are exactly alike," Nicholas Reed, a co-founder and CEE (Chief of Everything Else) of Ravel Law, says. The specific judge and even the specific timing of a trial can have a disproportionate effect on the outcome of a trial. Some general insights are already well-known in the industry. For instance, patent trolls often file their lawsuits in East Texas, since those courts have proven to be quite amenable to those sorts of cases. As another example, a study of Israeli parole hearings found that cases held earlier in the day had a massive advantage of receiving a favorable ruling compared to cases held right before lunch. But these sorts of insights are often too general purpose, and don't provide the kind of granular insights that can really aid in a case.
Daniel Lewis, the other co-founder and CEO of Ravel Law, explains that the day-to-day job of a lawyer is often much more focused. "Should we bother to apply to a judge for a particular motion? When would a judge make a favorable decision for people in our shoes?"

Cybersecurity: another Verizon report & more (CorporateCounsel.net, 17 April 2015) - Like last year, Verizon has put out a new "2015 Data Breach Investigations Report." This year's Verizon report is 69 pages, with a host of useful information as it relies on over 80,000 incidents from 70 organizations for its analysis. Also check out our checklists related to incident response planning, disclosure practices and risk management - as well as a chart of state laws related to security breaches.

FBI can't cut Internet and pose as cable guy to search property, judge says (Ars Technica, 18 April 2015) - A federal judge issued a stern rebuke Friday to the Federal Bureau of Investigation's method for breaking up an illegal online betting ring. The Las Vegas court frowned on the FBI's ruse of disconnecting Internet access to $25,000-per-night villas at Caesar's Palace Hotel and Casino. FBI agents posed as the cable guy and secretly searched the premises. The government claimed the search was legal because the suspects invited the agents into the room to fix the Internet. US District Judge Andrew P. Gordon wasn't buying it. He ruled that if the government could get away with tactics like those they used to nab gambling kingpin Paul Phua and some of his associates, then the government would have carte blanche power to search just about any property. "Permitting the government to create the need for the occupant to invite a third party into his or her home would effectively allow the government to conduct warrantless searches of the vast majority of residents and hotel rooms in America," Gordon wrote in throwing out evidence the agents collected. "Authorities would need only to disrupt phone, Internet, cable, or other 'non-essential' service and then pose as technicians to gain warrantless entry to the vast majority of homes, hotel rooms, and similarly protected premises across America." The government had urged the court to uphold the search, arguing that it employs "ruses every day in its undercover operations." (PDF) The government noted that US judges have previously upheld government ruses to gain access into dwellings. In 1966, the Supreme Court authorized an agent to pose as a drug buyer to get consent to go inside a house. In 1980, an agent posing as a drug dealer's chauffeur was upheld. Seven years later, agents posed as real estate investors to access a bedroom and closet of a suspect.
And in 1989, an agent posed as a UPS delivery man to get inside a drug house, the government argued. But operatives posing as gas company or water district workers seeking permission to enter the premises to check for leaks were deemed illegal searches. That's because the occupants provided "involuntary" consent to enter because they were duped into believing a life-threatening emergency was afoot, Phua's defense pointed out.

'Nonmedia' speakers don't get full First Amendment protection, rules a Texas Court of Appeals panel (Eugene Volokh, 20 April 2015) - Do First Amendment protections - for instance, the various rules that protect libel defendants - apply to all speakers? Or are some of them limited to members of "the media," however that might be defined? As I've explained before, the great majority of precedents say that "the freedom of the press" extends to all who use mass communications, and that freedom of speech offers the same protection to speakers who use non-mass communications. The freedom of the press is the freedom for all who use the printing press and its technological descendants - not just a freedom for a specific industry or profession, such as the media or professional journalists. This was the nearly unanimous view until about 1970; and even since then, it has been the view of the great majority of lower court precedents, and no Supreme Court precedent takes the contrary view. Indeed, the Citizens United decision expressly stresses that "We have consistently rejected the proposition that the institutional press has any constitutional privilege beyond that of other speakers." This having been said, the Supreme Court did flag the question as unresolved in several libel cases from the late 1970s to 1990, and a few lower court precedents do conclude that the Supreme Court's case law protecting libel defendants applies (in whole or in part) only to media defendants. I'm sorry to say that a Texas Court of Appeals panel just joined this small minority, in the April 9 Cummins v. Bat World Sanctuary decision. * * * [Polley: the rest of the post is quite interesting.]

Whose number is this? Facebook launches a new app to combat the mysterious incoming call (Re/code, 22 April 2015) - Facebook probably knows a lot about you - and it probably knows a lot about the mystery people ringing your phone, too. The company launched a new app on Wednesday intended to solve the case of the mysterious incoming call. The app, which is called Hello and is only available on Android, uses data from Facebook to tell you who's blowing up your phone. Of course, the feature will only work if the caller has shared his number with Facebook, and if you would normally be able to see that information. For example, if you share your number publicly, people with Hello downloaded will know it's you calling even if they don't have you as a contact. Conversely, if you only share your number with Friends, those are the only people who will see that it's you when you call. You can also block numbers easily, so if there's a reason you've never shared your phone number with old Facebook Friends from high school, you can still keep them from calling.

Man is jailed for refusing to turn over Facebook and Twitter passwords in business bankruptcy case (ABA Journal, 22 April 2015) - Jeremy Alcede personally maintained the Facebook and Twitter accounts for his former Texas gun store and shooting range. He thought of them as his own, and didn't hesitate to inject his political views as he publicized Tactical Firearms in Katy. But a federal bankruptcy judge disagreed, and ordered Alcede to turn over the passwords to the new operator of the gun store, finding the social media accounts to be business assets even though Alcede has removed the Tactical Firearms moniker and substituted his own, according to the Houston Chronicle. Alcede refused and was jailed for contempt. He has been held since April 9 in solitary confinement. "He holds the key to his jail cell," said Chief U.S. Bankruptcy Judge Jeff Bohm during a Friday hearing in the Houston case, noting that Alcede will be released when he tells U.S. Marshals that he will turn over the passwords. "I don't think I'm doing my job as a judge if I don't enforce my own orders." Attorney Leif Olson represents Alcede and says the ruling that the accounts are business assets is mistaken, an earlier Houston Chronicle article reports. Olson also says his client was willing to go to jail to prevent the government from silencing the views that Alcede has been presenting to some 11,000 followers via the Internet. "If Steve Jobs posted on Twitter or would have put on Facebook his political observations, his statements about the state of the world and occasional mentions about things going on at Apple, that would be personal, not corporate," said Olson. The unusual case is one of the first in which a bankruptcy court has classified social media accounts as property of a business, the Chronicle says.

The digital future: How museums measure up (NYT, 23 April 2015) - The digital future continues to unfold at American art museums. The best recent innovations have been gathered in a new report, "Next Practices in Digital and Technology," that the Association of Art Museum Directors is set to release on Friday. The report describes 41 museum projects that use digital technology to engage visitors, make collections more accessible and understandable or improve museum operations like ticketing and collections management. The projects cover a wide range. The Nasher Sculpture Center in Dallas is compiling a digital census of French sculpture in the United States that will be available as an internet portal. Working with 280 museums, the center has compiled records of 7,000 works made between 1500 and 1960 that can be found in public collections, museums, historic homes, and public spaces. The center estimates that it will add another 8,000 to 13,000 works before the project is completed in 2019. The Worcester Art Museum in Massachusetts has replaced the traditional wall labels in its renovated Baroque galleries with iPads that present not only traditional curatorial information but also alternative labels written by area college students, religious leaders and educators, with an invitation for visitors to write their own labels. More whimsically, the Peabody Essex Museum in Salem, Mass., designed an interactive web app for its 2014 exhibition "Turner and the Sea." Called "Turner's Apothecary Mood-o-Meter," the app quizzes visitors to gauge their mood, using concepts out of a 19th-century apothecary, and then "prescribes" a specific Turner painting to look at.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Really open source (Inside Higher Ed, 29 July 2005) -- Few projects in academe have attracted the attention and praise in recent years of OpenCourseWare, a program in which the Massachusetts Institute of Technology is making all of its course materials available online - free - for anyone to use. In the four years since MIT launched the effort, use of the courseware has skyrocketed, and several other universities have created similar programs, assembling material from their own courses. With less fanfare than MIT, Rice University has also been promoting a model for free, shared information that could be used by faculty members and students anywhere in the world. But the Rice program - Connexions - is different in key respects. It is assembling material from professors (and high school teachers) from anywhere, it is offering free software tools in addition to course materials, and it is trying to reshape the way academe uses both peer review and publishing. The project also has hopes of becoming a major curricular tool at community colleges.

Lloyd's taking on open source IP risk (Register, 12 August 2005) -- Lloyd's of London is close to offering independent insurance protection worldwide against potential IP litigation involving Linux and open source software. The financial services giant has agreed to take on the risk associated with open source, and is finalizing arrangements to work through Open Source Risk Management (OSRM) who will become Lloyd's sole US representative. OSRM will assess both the risk of the software in use and the individual company, before passing on the risk to the appropriate insurance company on the Lloyd's market. OSRM expects to announce the first customers this Fall, and will initially charge organizations $60 per server. The partnership between OSRM and Lloyd's will be vendor independent, differing from many of the existing intellectual property (IP) protection programs that are primarily designed to ward off attack from the litigious SCO Group. Red Hat, Hewlett Packard and Novell in January 2004 all announced separate protection for customers using their Linux products. JBoss in April this year announced indemnification for its middleware, including JBoss application server, Cache and Hibernate object relational mapping technology.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.