Saturday, April 14, 2007

MIRLN -- Misc. IT Related Legal News [25 March – 14 April 2007; v10.05]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee and Dickinson Wright PLLC. Dickinson Wright’s IT & Security Law practice group is described at

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at and blogged at

**************End of Introductory Note***************

CALIFORNIA MOVES TO SAFEGUARD PEOPLE FROM BECOMING IDENTITY THEFT VICTIMS (Gov’t Technology, 26 March 2007) -- California Secretary of State Debra Bowen announced last Thursday the implementation of several new security measures that will protect the privacy of Californians and help them avoid becoming identity theft victims. The Secretary of State serves as the central filing office for certain financing statements and lien documents as required under the Uniform Commercial Code (UCC). Under the law, those documents are public records, meaning they’re available to anyone who requests and pays for a copy of them. Bowen, who took office in January, moved quickly to shut off Web-based access to the UCC filings after learning that many of the documents contain people’s Social Security numbers -- a key piece of information sought by identity thieves. Colorado Secretary of State follows suit:

NAPSTER LAWSUITS NEAR RESOLUTION (LA Times, 27 March 2007) -- Bertelsmann said Monday that it had settled the last lawsuit filed by a record company over the German media conglomerate’s role in funding the original Napster electronic file-swapping service that was once the scourge of the music industry. The deal all but ends years of effort to settle scores over the program that brought file-swapping to the masses, letting more than 40 million users download music without paying for it. Bertelsmann didn’t disclose the terms of its deal with EMI Group of London, but people familiar with the arrangement said Bertelsmann was to pay $50 million to $150 million. Bertelsmann last year agreed to pay Universal Music Group $60 million to end the record company’s copyright claims. It still faces a suit by songwriters and music publishers, but people involved in the case said they doubted that group would want to continue the expensive, 4-year-old legal fight by itself. Bertelsmann infuriated its peers in the recording industry by lending the beleaguered Napster $85 million, allowing users to continue trading MP3 song files for free. After the courts effectively forced Napster to shut down in 2001 and file for Bankruptcy Court protection, labels including EMI and Universal trained their legal guns on Bertelsmann. The record companies argued that Bertelsmann had directly helped Napster users infringe their copyrights because the German media giant had effective control of the operation in its latter days. Bertelsmann had the right to convert its loan to Napster into an equity stake, and a former Bertelsmann executive was installed as the company’s chief executive.

ITT FINED $100M FOR ILLEGAL TECH EXPORTS (Washington Post, 27 March 2007) -- ITT Corp. has agreed to pay a $100 million penalty for illegally sending classified night-vision technology used in military operations to China and other countries, U.S. Attorney John Brownlee announced Tuesday. ITT, the leading manufacturer of night-vision equipment for U.S. armed forces, will plead guilty in U.S. District Court on Wednesday to two felony charges, Brownlee said at a news conference. One count is export of defense articles without a license and the other is omission of statements of material facts in arms exports reports. ITT defense-related technical data was given to contractors in China, Singapore and the United Kingdom in order to cut costs, government investigators said. ITT, which Brownlee said is the U.S. military’s 12th largest systems supplier, is the first major defense contractor convicted of a criminal violation under the Arms Export Control Act that a Brownlee spokesman said was passed in 1976. The fine will be suspended for five years and the White Plains, N.Y.-based company can reduce it dollar-for-dollar by investing in the development and production of more advanced night-vision technology so the U.S. military maintains battlefield advantage. The government will maintain the rights to any technologies ITT develops and can share them with rival defense firms bidding on future contracts, Brownlee said.

TOUGHER STANDARDS COULD END E-VOTING (, 28 March 2007) – California’s elections chief is proposing the toughest standards for voting systems in the country, so tough that they could banish ATM-like touch-screen voting machines from the state. For the first time, California is demanding the right to try hacking every voting machine with red teams of computer experts and to study the software inside the machines, line-by-line, for security holes. The proposals are the first step toward fulfilling a promise that Secretary of State Debra Bowen made during her 2006 election campaign to perform a top-to-bottom review of all voting machinery used in California. County elections officials balked at the proposed standards in a letter Monday to Bowen and hinted broadly at the same conclusion reached by several computer scientists: If enforced rigidly, the standards could send many voting machines, especially touch-screens, back for major upgrades. Local elections officials argued that there isn’t enough time to fix any deficiencies before the February presidential primary. “When they moved that election up 119 days, I think the door closed on any significant changes to election systems for the presidential cycle in 2008,” said Steve Weir, president of the California Association of Clerks and Elections Officials, and chief elections officer in Contra Costa County. Advocates for stronger security in voting machinery applauded Bowen’s standards and said it marked a refreshing change from regulating voting systems based heavily on what manufacturers were willing to sell. “Debra Bowen is holding up voting machines to the standards they deserve,” said Avi Rubin, a computer science professor at Johns Hopkins University who published one of the first technical critiques of e-voting software. “I don’t know of any other state in the country that requires red team testing of voting machines, and I’ve long maintained that this is the only reasonable way to test security.” Stanford computer science professor David Dill, the founder of, endorsed Bowen’s standards as “quite good.”

ITALIAN DATA PROTECTION AUTHORITY SEVERELY RESTRICTS EMPLOYER MONITORING OF EMAIL (Steptoe & Johnson’s E-Commerce Law Week, 29 March 2007) -- Italy’s national data protection authority, the Garante, on March 6 issued a Decree entitled “Employment: Garante Guidelines for Email and Internet” (the “Guidelines”), which sets out strict limitations on routine employer monitoring of workplace email accounts (even where employees implicitly or explicitly consent to monitoring), as well as preserving existing restrictions on monitoring of employee activities on the Internet. The Guidelines, which were issued to clarify restrictions under the Italian Data Protection Code, provide that it is “prohibited for private and public employers … to undertake treatment of personal data using hardware and software systems that implement remote controls over workers, in particular through ... the reading and systematic recording of email messages, in particular in relation to external data, except to the extent necessary to provide email service.” There are, however, certain exceptions to this prohibition. The language of this prohibition itself exempts actions “necessary to provide email service.” The Guidelines also include a separate exception for “unanticipated and prolonged absence” of an employee, in which case emails may be examined where necessary for work-related purposes. Finally, although the Guidelines do not explicitly say so, Italian case law reportedly permits monitoring of specific employees suspected of wrongdoing.

-- and --

EMAIL MONITORING MAY CONTRAVENE EUROPEAN LAWS (ZDnet, 11 April 2007) -- Monitoring employees’ internet and telephone use at work may contravene human rights laws, after a landmark case in the European Court of Human Rights last week. The case involved a public-sector employee, who won €3,000 in damages and €6,000 in court costs and expenses, after her communications were intercepted by her employer, Carmarthenshire College, based in South Wales. Lynette Copland successfully took the UK government to court after her personal internet usage and telephone calls were monitored by one of her bosses in 1999. The ruling means that the private use of company telecoms equipment and internet access may be protected under European human rights legislation, if the company has an acceptable personal-use policy and fails to inform the employee that their communications may be monitored. Employee communications are also covered by human rights legislation if the organisation has no explicit acceptable use policy and fails to inform the employee of the monitoring of personal email. Privacy experts at law firm Pinsent Masons said that although businesses now have clear guidance for monitoring work communications under the Regulation of Investigatory Powers Act (RIPA) 2000, personal communications at work may be protected by the European Convention on Human Rights, and the Human Rights Act 1998. “The lawful business practice regulations allow an employer to monitor and intercept business communications, so the court is implying that private use of a telecommunications system, assuming it is authorised via an acceptable-use policy, can be protected [by human rights legislation],” said Dr Chris Pounder, a privacy specialist. “The ruling is important in that it reinforces the need for a statutory basis for any interference with respect to private use of a telecommunications system by an employee,” Pounder added.

TJX DATA BREACH: AT 45.6M CARD NUMBERS, IT’S THE BIGGEST EVER (Computerworld, 29 March 2007) -- After more than two months of refusing to reveal the size and scope of its data breach, TJX Companies Inc. is finally offering more details about the extent of the compromise. In filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipses the 40 million records compromised in the mid-2005 breach at CardSystems Solutions and makes the TJX compromise the worst ever involving the loss of personal data. In addition, personal data provided in connection with the return of merchandise without receipts by about 451,000 individuals in 2003 was also stolen. The company is in the process of contacting individuals affected by the breach, TJX said in its filings. “Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed,” the company said. Framingham, Mass.-based TJX is the owner of a number of retail brands, including T.J.Maxx, Marshalls and Bob’s Stores. In January, the company announced that someone had illegally accessed one of its payment systems and made off with card data belonging to an unspecified number of customers in the U.S., Canada, Puerto Rico and potentially the U.K. and Ireland.

WHITE HOUSE USE OF OUTSIDE E-MAIL RAISES RED FLAGS (Computer World, 29 March 2007) -- For official government business, staff members in the Bush White House use government-issued e-mail accounts where all communications are then stored, archived and preserved for eventual inclusion in the National Archives. But for several years, some high-ranking Bush staff members have also apparently been using outside e-mail accounts for nongovernmental, political communications. Those accounts, through the Republican National Committee (RNC) and the 2004 Bush-Cheney re-election campaign, allowed the officials to keep up with both their official and political responsibilities while not violating the Hatch Act. That law forbids many government officials from engaging in political activities from their workplaces. While the focus of those particular incidents is on the White House, the issue is one that should be getting close scrutiny from businesses across the nation, experts said. The concern is that if company communications are being conducted outside official corporate e-mail systems, there’s no way to control their security, preservation or use, something that can leave companies vulnerable to a wide variety of legal problems and regulatory compliance issues. In the White House case this week, the House Committee on Oversight and Government Reform sent letters Monday to the chairmen of the RNC and the former Bush-Cheney 2004 campaign committee, asking them to explain more about the use of the outside e-mail accounts. In the letters, Oversight Committee Chairman Henry Waxman (D-Calif.) said his group wants to know what’s been done to preserve the contents of the outside e-mail accounts used by government officials for possible review and to assure that “no e-mails involving official White House business have been destroyed or altered.”

-- and then --

MISSING E-MAIL MAY BE RELATED TO PROSECUTORS (New York Times, 13 April 2007) -- The White House said Thursday that missing e-mail messages sent on Republican Party accounts may include some relating to the firing of eight United States attorneys. The disclosure became a fresh political problem for the White House, as Democrats stepped up their inquiry into whether Karl Rove and other top aides to President Bush used the e-mail accounts maintained by the Republican National Committee to circumvent record-keeping requirements. It also exposed the dual electronic lives led by Mr. Rove and 21 other White House officials who maintain separate e-mail accounts for government business and work on political campaigns — and raised serious questions, in the eyes of Democrats, about whether political accounts were used to conduct official work without leaving a paper trail. The clash also seemed to push the White House and Democrats closer to a serious confrontation over executive privilege, with the White House counsel, Fred F. Fielding, asserting that the administration has control over countless other e-mail messages that the Republican National Committee has archived. Democrats are insisting that they are entitled to get the e-mail messages directly from the national committee. Representative Henry A. Waxman, the California Democrat who is chairman of a House committee looking into the use of political e-mail accounts, wrote a letter to the attorney general on Thursday saying he had “particular concerns about Karl Rove” after a briefing his aides received from Rob Kelner, a lawyer for the Republican National Committee. Mr. Rove uses several e-mail accounts, including one with the Republican National Committee, one with the White House and a private domain account that is registered to the political consulting company he once owned.

ALBERTO GONZALES AND E-MAILS: IS SILENCE GOLDEN? (ABA Journal, 30 March 2007) -- Earlier this month, the U.S. Department of Justice released more than 3,000 pages of internal e-mails related to the firing of eight U.S. attorneys. And not one was from Attorney General Alberto Gonzales. That’s because the nation’s top lawyer doesn’t communicate through e-mail, according to a Justice Department spokesman. Other senior administration officials also avoid the “send” button. President Bush has acknowledged he does not use e-mail, and media reports say several of his cabinet members, including Secretary of State Condoleezza Rice and former Secretary of Defense Donald Rumsfeld, follow that practice. They are not the only top government and corporate officials who have sworn off e-mail, according to lawyers. The desire to avoid leaving a digital trail for investigators—like those on congressional staffs now looking into the dismissals of the U.S. attorneys, or DOJ’s own lawyers handling countless criminal probes nationwide—is one reason for preferring conversations or paper over pixels. “Because of e-mail-driven prosecutions, some [senior managers] have lifted their fingers entirely from the keyboard,” says Jacob S. Frenkel, a Rockville, Md., lawyer. A former senior counsel with the Securities and Exchange Commission, he chairs Shulman, Rogers, Gandal, Pordy & Ecker’s securities enforcement and white-collar crime practice group. If a top manager does not use e-mail, Frenkel says, assistants often keep their boss abreast of what’s going on, and the executive may dictate how his or her assistant responds to e-mails. “There absolutely are CEOs whose names never appear as the sender or receiver on e-mail, but all the e-mails are read to them,” Frenkel says. That may make it harder for investigators to learn what a corporate or government leader knew and when he or she knew it, but it doesn’t make it impossible. 
“If there was any notion that not being the name on the ‘to’ or ‘from’ line somehow provides insulation from knowledge, that’s a grave mistake,” Frenkel says. Alternatively, some leaders may not use e-mail because they have better things to do, says Peter J. Henning, a professor at Wayne State University Law School in Detroit. He previously worked for the Justice Department’s fraud section. “I think CEOs do limit what they put in writing because writing e-mails takes time,” Henning says. “A good CEO should be at the top of the pyramid, dealing with larger issues, and be the organization’s public face. That’s certainly true with Gonzales.” The nondigital corporate or government leader remains the exception. Attorneys say they continue to see clients writing about things in e-mail that can come back to haunt them.

BRITISH HACKER LOSES U.S. EXTRADITION APPEAL (Wired, 3 April 2007) -- A British computer expert accused by Washington of the “biggest military hack of all time” lost an appeal on Tuesday against plans to extradite him to the United States to stand trial. Gary McKinnon was arrested in 2002 following charges by U.S. prosecutors that he illegally accessed 97 government computers--including Pentagon, U.S. army, navy and NASA systems--causing $700,000 worth of damage. Two of Britain’s leading judges rejected a High Court challenge by McKinnon to an earlier court order backed by Britain’s Home Secretary that he should be extradited. “We do not find any grounds of appeal against the decision,” said one of the judges, Lord Justice Maurice Kay. “Mr McKinnon’s conduct was intentional and calculated to influence and affect the U.S. government by intimidation and coercion.” “As a result of his conduct, damage was caused to computers by impairing their integrity, availability and operation of programs, systems, information and data on the computers, rendering them unreliable,” Kay said. McKinnon’s lawyers had argued that sending him to the United States would breach his human rights and should not be allowed on the basis that his extradition was sought “for the purpose of prosecuting him on account of his nationality or political opinions.” McKinnon, whose hacking name was “Solo,” has admitted gaining access to U.S. government computers but denies causing any damage. At the time of his indictment, Paul McNulty, U.S. Attorney for the Eastern District of Virginia, said “Mr McKinnon is charged with the biggest military computer hack of all time.” If found guilty in the U.S., McKinnon could face up to 70 years in jail and fines of up to $1.75 million.

FLORIDA BAR’S BOARD FAVORS WEB AD REGULATION (Orlando Business Journal, 30 March 2007) -- The board for the Florida Bar has approved a proposed Web site advertisement rule, and it plans to soon take it to the Florida Supreme Court. Website Rule 4-7.6 would allow lawyers to advertise their past results and statements characterizing the quality of legal services through testimonials on Web pages that are just one click past the homepage, says Elizabeth Tarbert, who serves as the ethics counsel for the Florida Bar. Still, the lawyers’ homepages must comply with traditional advertisement rules applied to print, radio and elsewhere. If the Supreme Court approves the proposed rule, it would make Florida the first state to address lawyer advertisements via the Internet. The Florida Bar is the third largest in the United States with 80,000 members, 15,000 of whom practice outside the state.

FCC ADOPTS TOUGHER PHONE RECORD PRIVACY RULES (Information Week, 3 April 2007) -- The U.S. Federal Communications Commission issued an order Monday aimed at toughening up protections for consumers’ personal phone records after revelations last year of leaks. The FCC said carriers such as AT&T Inc. and Verizon Communications Inc., the two biggest telephone carriers, are prohibited from releasing customers’ phone records when a customer calls the carrier except when a password is provided. If a customer does not provide a password, carriers may not release the customer’s phone call records except by sending them to the address of record or by the carrier calling the customer at the telephone number on record, the agency said. The order, which was approved with varying levels of support from the five commissioners who vote on agency rules, would also require companies to get permission from a customer before sharing their data with a third party, such as a marketing partner. “Compliance with our consumer protection regulations is not optional for any telephone service provider,” FCC Chairman Kevin Martin said in a statement. “We need to take whatever actions are necessary to enforce these requirements to secure the privacy of personal and confidential information of American customers,” he said. The move follows the high-profile case in which Hewlett-Packard Co. admitted last year that investigators it hired used false identities to obtain telephone records of directors, employees and journalists. The FCC action angered the telecom industry, which said the agency’s heavy regulatory hand will impede competition. FCC’s order is here:

SETTING BOUNDARIES AT BORDERS: RECONCILING LAPTOP SEARCHES AND PRIVACY (IEEE Security & Privacy, 4 April 2007) -- If you’ve traveled internationally on business, the odds are that you’ve taken your laptop with you. Like most business travelers, you need these ubiquitous devices to do work, make presentations, and communicate with coworkers, family, and friends via the Internet. In a previous department, we explored the notion that laptops deserve special consideration because of the increasingly blurred line between home and office, the entrusting of intimate, private information to storage on laptops, and the resulting need to rethink the rules surrounding reasonable expectations of privacy. This time, we examine the nexus between laptops, a government’s search and seizure powers, and a traveler’s transit through an international border checkpoint where customs officials have enhanced powers to search travelers and their belongings. [More, with case analysis.]

FBI CHECKS GAMBLING IN SECOND LIFE VIRTUAL WORLD (Fox News, 4 April 2007) -- FBI investigators have visited Second Life’s Internet casinos at the invitation of the virtual world’s creator Linden Lab, but the U.S. government has not decided on the legality of virtual gambling. “We have invited the FBI several times to take a look around in Second Life and raise any concerns they would like, and we know of at least one instance that federal agents did look around in a virtual casino,” said Ginsu Yoon, until recently Linden Lab’s general counsel and currently vice president for business affairs. Second Life is a popular online virtual world with millions of registered users and its own economy and currency, known as the Linden dollar, which can be exchanged for U.S. dollars. Yoon said the company was seeking guidance on virtual gaming activity in Second Life but had not yet received clear rules from U.S. authorities. The FBI and the U.S. Attorney’s Office for Northern California declined comment. Hundreds of casinos offering poker, slot machines and blackjack can easily be found in Second Life. While it is difficult to estimate the total size of the gambling economy in Second Life, the three largest poker casinos are earning profits of a modest $1,500 each per month, according to casino owners and people familiar with the industry.

BLOGGER MAKES DEAL, IS RELEASED FROM JAIL (Washington Post, 4 April 2007) -- A San Francisco blogger who spent nearly eight months in jail for refusing to testify about an anarchists’ demonstration was released yesterday after turning over a videotape of the protest and posting it on his Web site. Josh Wolf, 24, also answered two questions from prosecutors, after striking a deal that ends the longest contempt-of-court term ever served by someone in the U.S. media. “I’m completely satisfied with the resolution,” Wolf said by phone from California one hour after being released. “There’s a very large problem with forcing a reporter to act as an investigator for a government prosecution. . . . It’s absolutely a victory.” Since the video captured no violent incidents, he said, “it wasn’t worth being a martyr for no purpose.” Martin Garbus, Wolf’s attorney, said he had offered prosecutors a similar compromise in November. “The question is, why did it take this long to persuade the U.S. attorney?” Garbus said. “They were getting embarrassed.” The U.S. attorney’s office in San Francisco, which agreed to drop the contempt charge after a mediation session Monday, declined to comment. The case sparked a First Amendment debate over whether Wolf is a journalist and whether he deserved protection for the video he shot of the 2005 protest against a G-8 summit meeting in Scotland, since he made no explicit promises of confidentiality. Wolf sold other parts of the tape to local television stations and posted those portions online. In reaching the agreement with prosecutors, Wolf backed off his original position that he would not turn over the footage. A viewing of the video leaves unclear why Wolf fought so hard to protect it. Three protesters in hooded sweat shirts and kerchiefs partly hiding their faces are seen talking to bystanders, followed by a handful of protesters who make no effort to hide their identity. 
Demonstrators are seen marching with such banners as “Destroy the War Machine,” and in one case dragging newspaper boxes into the street to block traffic. At one point they surround a fallen colleague on the sidewalk, and a police officer walks over and tells everyone to stand back. Asked if he was worried about identifying protesters, Wolf said: “I could not answer that question before the grand jury. There were various promises made, both directly and indirectly.” He declined to elaborate.

PAPERLESS PROXIES (, 5 April 2007) -- The long-anticipated “eProxy” ruling from the Securities and Exchange Commission will go into effect on July 1, to the relief of companies and their investor-relations departments. The new rule may allow companies to almost entirely bypass the costly process of printing and shipping proxy statements by providing the information via the Web. “It’s definitely a step in the right direction,” says John Stantial, director of financial reporting for United Technologies Corp. With the new rules, UTC is likely to save about $1 million in shipping, graphics, and printing costs, not to mention what Stantial describes as “hundreds of man hours.” Thomas Murphy, a partner with McDermott Will & Emery, says the benefits of the eProxy rules go beyond savings. They should also speed up voting and increase participation because most investors and shareholders are already comfortable using the Internet. According to the SEC, 10.7 million shareholders agreed to receive their proxy materials electronically last year and about 88 percent of shares voted were voted electronically or by phone during the 2006 proxy season. There is one possible downside, says Jason Simon, an attorney at Greenberg Traurig: companies could see more shareholder fights because shareholders can now use eProxies to more cost-effectively pitch their own board candidates or bring other matters to a vote.

CT RULES CLICKWRAP CONTRACT ENFORCEABLE EVEN IF UNREAD (BNA’s Internet Law News, 5 April 2007) -- BNA’s Electronic Commerce & Law Report reports that a federal court in Pennsylvania has ruled that so long as a forum selection clause in an online contract’s terms is readily accessible and clear, requiring users to scroll down or print the contract to see it and other terms is acceptable, and will not absolve a party who clicks “I Agree” without taking the time to view the whole agreement. The court determined that Google’s AdWords contract, a “clickwrap” contract, was enforceable in its entirety. Case name is Feldman v. Google Inc.

POLICE BLOTTER: NO PRIVACY IN HOME PC BROUGHT TO WORK (CNET, 5 April 2007) -- What: City treasurer in Oklahoma protests warrantless search of his personally owned computer after a police inspection allegedly discovered child pornography. When: 10th Circuit Court of Appeals rules on April 3. Outcome: Appeals court rules in favor of police search of computer brought into the office, and the treasurer is sentenced to more than six years in federal prison. What happened, according to court documents: [more]

UCSF BREAK-IN PUTS INFO ON 46,000 AT RISK (Information Week, 5 April 2007) -- Personal information for 46,000 students, faculty, and staff at the University of California at San Francisco is at risk after a hacker broke into the network, campus officials said this week. The university has sent out advisories that there was a security breach in a server on the school’s network, and a hacker may have accessed their names, Social Security numbers, and bank account numbers. The university hasn’t released any details about how the hacker accessed the server, which was located in the school’s system-wide data center. An advisory on the university’s Web site noted that the compromised server was taken offline once the break-in was discovered in late March.

YOUR GUIDE TO GOOD-ENOUGH COMPLIANCE (, 6 April 2007) -- In November 2005, Jason Spaltro, executive director of information security at Sony Pictures Entertainment, sat down in a conference room with an auditor who had just completed a review of his security practices. The auditor told Spaltro that Sony had several security weaknesses, including insufficiently strong access controls, which is a key Sarbanes-Oxley requirement. Furthermore, the auditor told Spaltro, the passwords Sony employees were using did not meet best practice standards that called for combinations of random letters, numbers and symbols. Sony employees were using proper nouns. (Sox does not dictate how secure passwords need to be, but it does insist that public companies protect and monitor access to networks, which many auditors and consultants interpret as requiring complex password-naming conventions.) Summing up, the auditor told Spaltro, “If you were a bank, you’d be out of business.” Frustrated, Spaltro responded, “If a bank was a Hollywood studio, it would be out of business.” Spaltro argued that if his people had to remember those nonintuitive passwords, they’d most likely write them down on sticky notes and post them on their monitors. And how secure would that be? After some debate, the auditor agreed not to note “weak passwords” as a Sox failure. Spaltro’s experience illuminates a transaction that’s rarely discussed outside corporate walls. Compliance with federal, state, and international privacy and security laws and regulations often is more an interpretive art than an empirical science—and it is frequently a matter for negotiation. How to (or, for some CIOs, even whether to) follow regulations is neither a simple question with a simple answer nor a straightforward issue of following instructions. This makes it more an exercise in risk management than governance. Often, doing the right thing means doing what’s right for the bottom line, not necessarily what’s right in terms of the regulation or even what’s right for the customer.

DIGITAL SIGNATURES GET A BIG BREAK (CIO Update, 6 April 2007) -- If you’re outside the pharmaceutical industry something happened last September that you probably didn’t hear about and may not seem like a big deal, but it is. For the first time ever a big pharmaceutical company, in this case AstraZeneca, filed a new drug application (NDA) with the Food & Drug Administration (FDA) all electronically — including the signature pages. Big deal, you say? Maybe so, but the implications for business contracts everywhere are huge. If the government and big pharma can work together electronically on something as important as a new drug, the door opens wide for all businesses to do the same. “What we see as significant about it, is now that you’ve got something like AstraZeneca saying, ‘Okay, the FDA is willing to do this with us, we’re ready to go’, other companies are going to say, ‘Okay, if they can do it we can take the plunge too,’” said Sally Hudson, research director for Identity and Access Management at IDC. What differentiates this event from, say, the EDI that banks use to exchange funds electronically, is that there were no source contracts used ahead of time. Astra’s entire filing was based on a digital signature standard called SAFE, short for Signatures and Authentication for Everyone. Right now, SAFE is designed specifically for the bio-pharma industry, but the idea is no different from the federation standards being developed and deployed by OASIS or the Liberty Alliance around web services. There is also IdenTrust, a provider of digital identity authentication being used in the financial services industry. “What SAFE has done is it’s created that same multilateral contract framework but independent of what the transactions are,” said Paul Donfried, VP of Identity and Access Solutions for Science Applications International Corp., a systems, solutions and technical services company. Donfried was also a founding member of IdenTrust. Aside from the ease-of-use issue, there are a couple of other important aspects to this filing: security, version control and synchronization, and money.

DEFINING STUDENT PRIVACY — AND ITS LIMITS (Inside Higher Ed, 9 April 2007) -- A student in a public university dormitory room had a “reasonable expectation of privacy” for his personal computer and its hard drive, a federal appeals court ruled on Thursday. The decision also found that despite that right to privacy, an administrator in the case under review had the right to conduct a remote search of the computer — without a warrant — because of the circumstances involved. The decision — by the U.S. Court of Appeals for the Ninth Circuit — is among the highest level court rulings to date on a set of legal questions pitting privacy vs. security that are increasingly present in academe. While experts cautioned that the decision involved a specific set of facts, several also said it provided guidance for students on their privacy rights and for administrators at public colleges and universities on setting computer policies that give them the flexibility they feel they need to prevent security breaches. The ruling dates back to an incident in 1999, and the actions of administrators at the University of Wisconsin at Madison, when they were notified by Qualcomm Corporation, a San Diego company that produces wireless computing devices, that someone on Madison’s network was hacking into the company’s network. Ultimately, a then-student at Madison whose computer was found to be used in the hacking entered into an agreement with prosecutors in which he agreed to admit guilt, received a sentence of time served on federal charges arising from the hacking, and was released after eight months in prison. But Jerome T. Heckenkamp, the then-student, also won the right to appeal the case in the hope of clearing his name, and his appeal focused on information gathered by Madison officials. Decision at$file/0510322.pdf?openelement

JUDGE TOSSES DATE-DISSING WEB SUIT OVER JURISDICTION QUESTION (, 10 April 2007) -- A Florida-based Web site that invites women to warn others about men they’ve dated cannot be sued in a Pennsylvania court by an attorney who said its postings falsely claimed he was unfaithful and had sexually transmitted diseases. Allegheny County Common Pleas Judge R. Stanton Wettick Jr. said he had no jurisdiction over the lawsuit Todd Hollis filed last June against and its creator, Tasha C. Cunningham, 34, of Miami. Hollis, of Pittsburgh, claimed Cunningham’s site is liable because it solicits negative comments but does not screen them for truthfulness. Hollis also is suing those who posted comments that questioned his sexuality and claimed he tried to dodge paying child support. Cunningham and her attorneys say a 1996 federal law shields Web sites from such lawsuits when they merely transmit user postings. Wettick did not address that issue and ruled simply that Pennsylvania’s court system has no jurisdiction over a Florida Web site, even though Pennsylvanians post messages on it.

HOW MUCH WOULD DATA THEFT COST YOU? CALCULATE IT ONLINE (Information Week, 11 April 2007) -- Worried about how much a network security breach or data theft might cost? There’s a new way to figure it out. Darwin Professional Underwriters, a specialty insurance company and provider of technology liability insurance, has posted an online calculator to help IT managers calculate how much their company stands to lose from data theft. The Tech//404 Data Loss Cost Calculator is a free, interactive tool designed to assess the impact of a data breach or identity theft data loss incident, according to a release. Analysts at the Farmington, Conn.-based company studied data from media reports, as well as several industry analyst reports, to develop the tool’s proprietary algorithms. “Until now, organizations have struggled to assess the scope of their financial risk should they be hit with a data loss incident,” said Adam Sills, a lead underwriter with Darwin, in a written statement. “Meanwhile, the explosion of corporate data collection and storage is putting nearly every organization at risk.” He added that it’s becoming increasingly important for companies to calculate -- and prepare for -- their own risk. “Major data losses in health care, financial services, and retail industries are reported almost weekly, and the financial consequences can be severe,” Sills added. “Affected companies can be hit with very substantial costs both from regulatory compliance and from liability issues. We believe it’s imperative that organizations have a clear understanding of the bottom-line impact of data theft. The quantification of business risk -- even a best estimate -- is often the quickest path to building awareness for CEOs and CFOs alike.” On Wednesday, Forrester Research Inc. released its own calculations, noting that the average security breach can cost a company between $90 and $305 per lost record. Forrester Senior Analyst Khalid Kark said in the report that it’s important to be able to make an educated estimate of the cost of a data loss. Calculator at

INCONSISTENT ENFORCEMENT OF EMAIL POLICIES: THE EMPLOYER’S HOBGOBLIN? (Steptoe & Johnson’s E-Commerce Law Week, 12 April 2007) -- Ralph Waldo Emerson famously wrote that “a foolish consistency is the hobgoblin of little minds.” But, as a recent Fourth Circuit decision suggests, consistency is a good idea when it comes to enforcement of email use policies. In Media General Operations, Inc. v. National Labor Relations Board, the Fourth Circuit upheld the NLRB’s finding that the Richmond Times-Dispatch, a newspaper owned by Media General, had wrongly interfered with employees’ union communications. Although Media General had a policy prohibiting personal use of the company email system, the court noted that the company’s enforcement of the policy was uneven, allowing a “wide variety of messages unrelated to company business” while prohibiting “union messages.” Although this decision dealt with the narrow issue of labor relations, its reasoning could affect how courts treat claims by or against employees where employer monitoring of employees’ communications or workers’ violations of company computer policies are at issue. The lesson for employers: without uniform enforcement, an email use policy might not be very useful.

**** RESOURCES ****
DoJ FOIA GUIDE (Department of Justice, 6 April 2007) -- “The Office of Information and Privacy has completed the latest revision of the Freedom of Information Act Guide, a comprehensive reference volume covering all aspects of the Freedom of Information Act (FOIA). The March 2007 edition of the FOIA Guide contains a newly updated and revised discussion of the procedural requirements of the FOIA, the contours of the FOIA’s nine exemptions and three exclusions, as well as the considerations applicable to FOIA litigation. This latest edition of the FOIA Guide also contains an overview of Executive Order 13,392, entitled “Improving Agency Disclosure of Information.” This Executive Order was signed by the President on December 14, 2005, and calls upon all agencies to improve their FOIA operations by ensuring that they are “both results-oriented and produce results.” Guide at

HOMES, NOT JUST HOMEPAGES (Google, 5 April 2007) -- More than ever, home buyers are starting their search online, and we want to make it easier for every one of you to find the home of your dreams. Searching on Google for Seattle real estate or homes for sale in San Diego prompts you to enter a location and choose whether you want to buy or rent.* After clicking “Go,” you can see the individual homes that Google has indexed, provided by our partners and culled from the web. When you want more information on a particular home, you can click straight through to the source of the listing—no detail pages or sign-up forms get in the way. And when Google gets the same listing from multiple sources, we show links to all the data providers and websites, ranked according to many factors including, but not limited to, the quality and comprehensiveness of the data.

AALL STATE-BY-STATE REPORT ON AUTHENTICATION OF ONLINE LEGAL RESOURCES (American Assn of Law Libraries, March 2007) -- How trustworthy are state-level primary legal resources on the Web? The American Association of Law Libraries is pleased to announce the publication of the State-by-State Report on Authentication of Online Legal Resources that answers this very important and timely question. The comprehensive report examines the results of a state survey that investigated whether government-hosted legal resources on the Web are official and capable of being considered authentic. Report at

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. Internet Law & Policy Forum,
6. BNA’s Internet Law News,
7. Crypto-Gram,
8. McGuire Wood’s Technology & Business Articles of Note,
9. Steptoe & Johnson’s E-Commerce Law Week,
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

Michael Fleming said...

I think that story about CIOs who are making subjective decisions on the bottom line value of 'compliance' is a very important practice point. As attorneys and lawmakers, we have largely deferred to non-lawyers the job of determining standards for compliance with certain laws. That has many consequences, and one of them is that those non-legal types are usually ill-equipped to understand the concept of subjective legal standards. It's their nature to look for the checklist and then demand absolute fealty to it. Maybe we need to rethink our whole concept of putting off for others to think of the standards, and get those legal compliance concerns back into the fold of the practice of law where it belongs.