Saturday, March 04, 2006

MIRLN -- Misc. IT Related Legal News [13 February – 4 March 2006; v9.03]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.buslaw.org/cgi-bin/controlpanel.cgi?committee=CL320000 (click on “Settings” beside Members-Only Listserve Discussion). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and in the public materials section of the Cyberspace Committee’s collaboration space at http://lawplace.metadot.com.

**************End of Introductory Note***************

**** PROGRAM ANNOUNCEMENT ****
ABA Cyberspace Law Committee spring meeting (April 6-9, 2006, in Tampa, Florida). Details at http://www.abanet.org/buslaw/2006spring/index.html; Cyberspace committee activities will be blogged at http://aba-cyberspace.blogspot.com/

US GROUP IMPLANTS ELECTRONIC TAGS IN WORKERS (Financial Times, 12 Feb 2006) -- An Ohio company has embedded silicon chips in two of its employees - the first known case in which US workers have been “tagged” electronically as a way of identifying them. CityWatcher.com, a private video surveillance company, said it was testing the technology as a way of controlling access to a room where it holds security video footage for government agencies and the police. Embedding slivers of silicon in workers is likely to add to the controversy over RFID technology, widely seen as one of the next big growth industries. Sean Darks, chief executive of CityWatcher, said the glass-encased chips were like identity cards. They are planted in the upper right arm of the recipient, and “read” by a device similar to a cardreader. http://news.ft.com/cms/s/ec414700-9bf4-11da-8baa-0000779e2340.html

MORGAN STANLEY OFFERS $15M FINE FOR E-MAIL VIOLATIONS (Computerworld, 14 Feb 2006) -- U.S. investment bank Morgan Stanley has offered to pay $15 million to resolve an investigation by U.S. regulators into its failure to retain e-mail messages, according to a regulatory filing. The Wall Street firm said it had reached “an agreement in principle” with the U.S. Securities and Exchange Commission’s Division of Enforcement to resolve an investigation into its preservation of e-mails. The fine would be one of the largest penalties ever imposed on a Wall Street firm for failing to preserve records. Morgan Stanley said the proposal has yet to be presented to the SEC, and no assurance can be given that it will be accepted. The investigation has been ongoing, with Morgan Stanley last April saying that SEC staff had recommended actions against the firm for failing to comply with a 2002 order relating to retention of e-mails. E-mail played a central role in a $1.58 billion judgment against Morgan Stanley and in favor of Ronald Perelman, the billionaire investor who said he was defrauded by the Wall Street company over the sale of a business and focused on the firm’s inability to produce documents. The judge in that case, frustrated by Morgan Stanley’s inability to produce e-mail documents demanded by Perelman’s lawyers -- the firm said backup tapes had been overwritten -- took the unusual step of switching the burden of proof so that Morgan Stanley had to prove its innocence. http://www.computerworld.com/printthis/2006/0,4814,108687,00.html

UTAH SUP CT RULES STATE CAN’T REGULATE OUT-OF-STATE SPAMMERS (BNA’s Internet Law News, 14 Feb 2006) -- The Utah Supreme Court on Friday dealt a parting blow to a defunct anti-spam statute, reinstating a lower court’s finding that Utah never had jurisdiction over out-of-state violators. The Legislature had repealed the Unsolicited Commercial and Sexually Explicit Email Act in February 2004, just one month after Brittney Fenn sued Arizona-based MLeads Enterprises Inc. Decision at http://www.utcourts.gov/opinions/supopin/Fenn021006.pdf

JUDGE: FIRM NOT NEGLIGENT IN FAILURE TO ENCRYPT DATA (CNET, 14 Feb 2006) -- A federal court has thrown out a lawsuit that accused a student-loan provider of negligence in failing to encrypt a customer database that was subsequently stolen. Stacy Lawton Guin, a customer of Brazos Higher Education Service, sued the corporation on the grounds that encryption should be used as a routine security precaution. But U.S. District Judge Richard Kyle in Minnesota dismissed the case last week, saying Brazos had a written security policy and other “proper safeguards” for customers’ information and that it acted “with reasonable care” even without encrypting the database. http://news.com.com/2100-1030_3-6039645.html But, also see STRICT LIABILITY FOR DATA BREACHES? (SecurityFocus, 20 Feb 2006; article by Mark Rasch) -- http://www.securityfocus.com/columnists/387/1

MIT MEDIA LAB CO-FOUNDER STEPS DOWN (ZDNet, 15 Feb 2006) -- Nicholas Negroponte has stepped down as chairman of the Massachusetts Institute of Technology’s Media Lab to pursue his $100 computer initiative, and entrepreneur Frank Moss has been named the lab’s new director, the university said Wednesday. Negroponte left the Media Lab, which he co-founded in 1985, to devote his time to a nonprofit called One Laptop Per Child that is working to develop the low-cost laptops. In September, Negroponte detailed the specifications for a $100 windup-powered laptop, meant to improve the education of children in developing countries. That plan has gained the endorsement of the United Nations. Lab director Walter Bender is also taking a two-year leave of absence from MIT to serve as president for software and content development at One Laptop Per Child. Moss, who will replace Bender, founded Tivoli Systems and Bowstreet, two software companies that were acquired by IBM. He also worked for a few years at Boston-area biotechnology companies. http://news.zdnet.com/2100-9584_22-6039808.html

YAHOO ON NSA SURVEILLANCE: NO COMMENT (CNET, 15 Feb 2006) -- Under cross-examination during a congressional hearing, Yahoo’s top lawyer refused on Wednesday to say whether the company opens its records for government surveillance without a court order. Michael Callahan, Yahoo’s senior vice president and general counsel, declined five times to answer that question from Rep. Brad Sherman, a California Democrat who was probing whether the Internet company had cooperated with the National Security Agency’s domestic surveillance efforts. “It wouldn’t be appropriate for me to comment,” said Callahan, who was testifying under oath. He added that Yahoo would “only turn over information if it’s required by law.” But Callahan refused to say whether a demand from the NSA--not backed by a court order--qualifies as required by law. No law or regulation prohibits Yahoo from answering the question. In a survey published last week by CNET News.com, companies as varied as BellSouth, Comcast, EarthLink and T-Mobile answered in the negative. Rep. John Conyers, a Michigan Democrat, has posed similar questions to those companies, and AT&T has been sued for allegedly turning information over to the NSA in violation of privacy laws. http://news.com.com/2100-1030_3-6040129.html

FBI WANTS BUSINESSES’ HELP TO FIGHT CYBERCRIME (CNET, 16 Feb 2006) -- The FBI needs more help from private businesses to stay ahead of the curve in the fight on cybercrime, said FBI Director Robert Mueller. “Those of you in the private sector are our first line of defense,” Mueller said Wednesday, during a speech to attendees of the RSA Conference 2006 here. “We recognize that in certain areas we lack the expertise that you possess. We lack the specific knowledge of threats that affect individual businesses every day.” The advent of the information age has made the world smaller and smarter, but the threats have become equally more diverse and dangerous, Mueller said. “We need your help, and we continue to ask for your cooperation,” he said. Information technology has become a “force multiplier for criminals,” with threats including online fraud, identity theft and botnets, Mueller said. “It is not easy for law enforcement and private industry alike to stay ahead of the curve when it comes to these ever-evolving threats.” The FBI has taken steps to improve its own abilities to investigate cybercrime. Four years ago, it created its own Cyber Division, and the agency has set up specially trained cybersquads across the U.S. The bureau has several initiatives to work with private businesses, such as its InfraGard program, which has about 3,000 members. These efforts have helped identify new attacks and track down attackers, Mueller said. For example, in collaboration with Microsoft, the FBI found the alleged creators of the Mytob and Zotob worms. Still, there has been some apprehension in working with law enforcement, especially when it comes to reporting cybercrime. “Most companies that experience computer intrusions or breaches of security do not report the incidents to law enforcement,” Mueller said. That may be because they fear negative publicity or the loss of a competitive advantage, he said. http://news.com.com/2100-7348_3-6040521.html

FUR FLIES OVER GOOGLE DESKTOP PRIVACY (CNET, 16 Feb 2006) -- Google Desktop’s new search-across-computers feature could put sensitive data at risk and violate federal data-privacy regulations, say IT administrators at a public university and a large manufacturing company. Both are banning it from their networks. Last week, Google unveiled Google Desktop 3, a free, downloadable program that includes an option to let users search across multiple computers for files. To do that, the application automatically stores copies of files, for up to a month, on Google servers. From there, copies are transferred to the user’s other computers for archiving. The data is encrypted in transmission and while stored on Google servers. The Electronic Privacy Foundation urged consumers to boycott the software, warning that Google could be forced to turn over the data to the government if subpoenaed, even if the data is stored on Google servers only temporarily. Any amount of time that data is stored on an outside server is too long for institutions that must comply with US laws such as the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA), which provide strict guidelines for protecting student and medical data, respectively, said Michael Holstein, security administrator at Cleveland State University. “We have to be careful about where our data ends up,” he said on Tuesday. “There is no effective way to manage [Google Desktop 3] from a technology policy standpoint, so we have resorted to instituting a policy that it is not to be installed on any university computers.” http://www.zdnet.co.uk/print/?TYPE=story&AT=39252738-39020375t-10000007c

STAKES RISE, AS ANOTHER DATA SECURITY BREACH LEADS TO CLASS ACTION (Steptoe & Johnson’s E-Commerce Law Week, 18 Feb 2006) -- No good deed goes unpunished, the old saying goes. That’s what the lawyers at Providence Health System must be thinking. After discovering the theft of 365,000 unencrypted patient records from an employee’s car in the Portland, Oregon, area in early January, the health-care provider apparently decided to do the right thing and notified affected patients and employees on its own, since Oregon does not (yet) have a security breach notification law. But now Providence finds itself the subject of an investigation by the Oregon State Attorney General into whether it violated consumer protection laws by failing to take reasonable measures to protect medical records. And as if that weren’t enough to worry about, on January 30, a former Providence patient filed a class action complaint against the company in the Oregon Circuit Court, Multnomah County, alleging that Providence was negligent in failing to safeguard health information. So now it’s not just the Federal Trade Commission and State AGs companies need to worry about, but private plaintiffs and the plaintiffs’ bar, too. And if they want to minimize their legal risks, companies need to have an effective plan to prevent and, if necessary, respond to a security breach, and ensure that relevant employees are trained to carry it out. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=11837&siteId=547

IS YOUR COMPANY DOING ENOUGH TO PROTECT ITSELF... AND YOU? (Silicon.com, 20 Feb 2006) -- Conflicting reports out today on the subject of IT security agree on at least one fact - that companies are failing to get a handle on the issue. Figures from Computer Economics suggest some of the world’s largest companies are among the worst offenders, while a report from MessageLabs offers some consolation in suggesting the companies with the most to lose are at least doing better than others in securing their data. The past week has seen a number of stories about companies failing to address security issues - for example, training staff in basic best practice and understanding the threats of emerging technologies such as wi-fi and removable storage units such as iPods. The Computer Economics report suggests 65 per cent of companies do not provide even basic periodic security training for staff while 67 per cent of companies fail to carry out regular software audits of desktops to ascertain whether unauthorised programs - such as peer-to-peer software - are being used within the enterprise. The Computer Economics report also suggested larger companies are actually lagging behind their smaller counterparts in terms of security-specific spending and staffing. http://software.silicon.com/security/0,39024655,39156605,00.htm

EU APPROVES LANDMARK DATA RETENTION LAW (UPI, 21 Feb 2006) -- European Union justice ministers Tuesday approved a controversial new law requiring telecom operators to store phone and Internet data to help fight terrorism. The so-called data retention directive has been the subject of a heated political debate in Brussels for over a year, with supporters saying it is needed to track down terrorists, pedophiles and criminal gangs, and civil liberties campaigners arguing it is an intrusion on basic rights. Under the directive, telecom operators in all 25 EU states will be required to keep records of all phone calls and Internet communications for a period of six months to two years. The measure already has the backing of the European Parliament, which succeeded in watering down the original proposal. http://www.upi.com/SecurityTerrorism/view.php?StoryID=20060221-104633-9768r The latest version of the directive is available here: http://register.consilium.eu.int/pdf/en/05/st03/st03677.en05.pdf.

ARE USENET FANS VULNERABLE TO COPYRIGHT LAWSUITS? (CNET, 26 Feb 2006) -- In a new series of lawsuits, Hollywood studios for the first time are targeting companies that provide access to Usenet newsgroups. This corner of the Internet, largely a leftover from the days before the Web exploded into the mainstream, rarely gets much attention. It’s still primarily a forum for text discussions (and overwhelming amounts of spam), where techies help one another with Windows and driver problems, and animal lovers share cat stories. But in the last few years, a handful of technologies have emerged that have made newsgroups a much more fertile place for downloading copies of movies, music and software. Here’s a quick primer on what happens there and what the Motion Picture Association of America has done… http://news.com.com/Are+Usenet+fans+vulnerable+to+copyright+lawsuits/2100-1025_3-6043057.html?tag=html.alert

CORPORATIONS FAIL TO ENFORCE INTERNET ACCEPTABLE USAGE POLICIES (Business Wire, 27 Feb 2006) -- Employees are ignoring Internet Acceptable Usage Policies (AUPs) according to a survey published today by network security provider SmoothWall. Despite the recognition by seven out of 10 companies that a AUP is crucial to the security of IT systems, 38 percent of employees that are governed by a policy are unaware of its contents. Personal email (such as Hotmail and Gmail) is used by more than 61 percent of respondents at work, while 41 percent admit to using instant messaging applications such as Microsoft Messenger and Yahoo! Messenger to communicate with friends and family. The rapidly growing popularity of Skype is highlighted by that fact that 23 percent of respondents use Skype at work and presumably have loaded the Skype client on to their employers’ computers. http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20060227005778&newsLang=en [Editor: see e.g., “Employee Use of the Internet and E-Mail: A Model Corporate Policy”, by ABA press (August 2002) at http://abastore.abanet.org/abastore/index.cfm?section=main&fm=Product.AddToCart&pid=5070395)

ONLINE COLLEGES RECEIVE A BOOST FROM CONGRESS (New York Times, 1 March 2006) -- It took just a few paragraphs in a budget bill for Congress to open a new frontier in education: Colleges will no longer be required to deliver at least half their courses on a campus instead of online to qualify for federal student aid. That change is expected to be of enormous value to the commercial education industry. Although both for-profit colleges and traditional ones have expanded their Internet and online offerings in recent years, only a few dozen universities are fully Internet-based, and most of them are for-profit ones. http://www.nytimes.com/2006/03/01/national/01educ.html?ex=1298869200&en=4a6bc48fbe560ce0&ei=5090&partner=rssuserland&emc=rss

**** RESOURCES ****
TOP CYBERSPACE IP CASES OF 2005 (TechLawAdvisor blog, 26 Feb 2006; compiled by John Ottaviani) -- http://techlawadvisor.com/2006/02/26/top_cyberspace_ip_cases_of_2005.html

SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://www.ggtech.com
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

No comments: