• Heartland, Visa Announce $60 Million Settlement
o Heartland Breach Shows Why Compliance Is Not Enough
o Data Losses to Incur Fines of Up to £500,000
o The 2009 Ponemon Institute 2009 Annual Study: Cost of a Data Breach
• France Ponders Right-To-Forget Law
• 10 Tips for Becoming a Smarter, Social Business Person
• Swiss Court Declares Transfers of Banking Data to U.S. Authorities Illegal
• Court Compares Parties' Clickwrap Contents, Process In Rejecting Unconscionability Claim
• Judge Heaps E-Discovery Costs on Plaintiff
• French Court Strikes Down Another SOX Whistleblower Program
• U.S. Law Firm That Sued China Reports Cyberattack
o US Oil Industry Hit By Cyberattacks: Was China Involved?
• Bar Exam Prep Via an iPhone App
• California CIO: Open Source Officially Welcome Here
• Authenticating Web Pages as Evidence
• Learning To Love That Roommate from Hell
• Blogs, YouTube Prompt Campaign Finance Ruling
• You've Been Served
• Legal Sites Plan Revamps as Rivals Undercut Price
• Courts In Maryland, New Jersey, Florida Declare Mistrials After Juror Internet Research
• Sign of the Times: Clorox Seeks Lawyer for Social Media Issues
o Company Requires 'Tweet' as Part of Law Firms' RFP Response
o Social Networking: A Workplace Policy
• Hitting Pause on Class Videos
• E-Filing: Then and Now
• No Access for the Axis: SourceForge Bows to Government Demands
o Cloud Computing and US Export Control Rules
• A Little ‘i’ to Teach About Online Privacy
• Alaska Superior Court Judge Sides With State, Palin In E-Mail Lawsuit
o Michigan State Court Rules that Government Officials' Personal E-Mails Aren't Subject to FOIA
• S.E.C. Adds Climate Risk to Disclosure List
• Connecticut AG the First to File HIPAA Suit
NEWS | PODCASTS | RESOURCES | FUN | LOOKING BACK | NOTES
Heartland, Visa Announce $60 Million Settlement (BankInfoSecurity, 8 Jan 2010) - Heartland Payment Systems announced today that it will pay Visa-branded credit and debit card issuers up to $60 million to cover losses incurred from the Heartland data breach. It is the largest known settlement amount ever paid to Visa as a result of a breach, eclipsing the TJX settlement of $40.9 million in November 2007. In a statement, Heartland and Visa say the $60 million payment will be subject to certain conditions, including a specified level of participation by Visa issuers. Visa says it will provide issuers details in the coming days. The data breach involved an estimated 130 million credit and debit cards, although not all of them were Visa branded. This settlement with Visa is far larger than Heartland’s $3.6 million settlement with American Express, which was announced in December. http://www.bankinfosecurity.com/articles.php?art_id=2054
- and -
Heartland Breach Shows Why Compliance Is Not Enough (ComputerWorld, 6 Jan 2010) - Nearly a year after Heartland Payment Systems Inc. disclosed what turned out to be the biggest breach involving payment card data, the incident remains a potent example of how compliance with industry standards is no guarantee of security. Princeton, N.J.-based Heartland last Jan. 20 disclosed that intruders had broken into its systems and stolen data on what was later revealed to be a staggering 130 million credit and debit cards. That number easily eclipsed the 94 million cards that were compromised in the massive breach disclosed by TJX Companies Inc. in 2007. However, it wasn’t just the scope of the Heartland breach that made it remarkable, but also the company’s insistence that it was certified as fully compliant with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) when it was compromised. http://www.computerworld.com/s/article/9143158/Update_Heartland_breach_shows_why_compliance_is_not_enough?taxonomyId=142
- and -
Data Losses to Incur Fines of Up to £500,000 (BBC, 12 Jan 2010) - The Information Commissioner’s Office will be able to issue fines of up to £500,000 for serious data security breaches. The new rule is expected to come into force in the UK on 6 April 2010. It has been approved by Jack Straw MP, Secretary of State for Justice. The size of the fine will be determined after an investigation to assess the gravity of the breach. Other factors will include the size and finances of the organisation at fault. Individual cases will also be assessed on whether the breach was accidental or deliberate, and how much distress the leak of information caused. There have been several high profile data losses in recent years from large organisations including the Ministry of Defence and the DVLA (Driver and Vehicle Licensing Agency). In an official press statement, Information Commissioner, Christopher Graham said he hoped the penalty would encourage companies to comply more closely with the Data Protection Act. http://news.bbc.co.uk/2/hi/technology/8455123.stm
- and -
The 2009 Ponemon Institute 2009 Annual Study: Cost of a Data Breach (January 26, 2010) - Understanding Financial Impact, Customer Turnover, and Preventive Solutions examines the costs incurred by 45 organizations after experiencing a data breach. Results were not hypothetical responses; they represent the cost estimates of activities resulting from the actual data loss incidents. This is the fifth annual survey of this issues. Breaches included in the survey included ranged from approximately 5,000 records to more than 101,000 records from 15 different industry sectors.” http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf [Extremely important annual study, this year with some new findings: e.g., companies that notify victims too quickly incur greater costs; using external consultants to help with breach-response lowers costs significantly; first-timers’ breach costs are higher than those who’ve gone thru earlier responses; pharma/medical companies lose more customers because of breaches]
France Ponders Right-To-Forget Law (BBC, 8 January 2010) - From Britney Spears’s musings to the Tiger Woods scandal, information can take a life of its own once it hits the world wide web. B-list celebs and brand-names bustling for public attention can be particularly vulnerable to people with a gripe against them. The impact of all those online revelations has made France consider the length of time that personal information should remain available in the public arena. A proposed law in the country would give net users the option to have old data about themselves deleted. This right-to-forget would force online and mobile firms to dispose of e-mails and text messages after an agreed length of time or on the request of the individual concerned. http://news.bbc.co.uk/2/hi/programmes/click_online/8447742.stm
10 Tips for Becoming a Smarter, Social Business Person (GigaOm, 10 Jan 2010) - The web is filled with social networks: We have Twitter for meeting new people, Facebook for old college buddies, and Bebo for those of us who don’t want to hang out with the mainstream. Those social networks are rarely viewed as corporate services — they’re relaxing at the end of a long workday, not playgrounds for more business activity. But I would argue that social networks provide value to a business person on several levels, whether it be for those furiously working each day in a cubicle or for others closing big deals on the golf course. Social networks can help make you a smarter business person, and there’s a lot of corporate value to be found in them. (Did you know that Dell has made over $6 million from Twitter alone?) It’s time to exploit them for your business, and here’s how * * * http://gigaom.com/2010/01/10/10-tips-for-becoming-a-smarter-social-business-person/
Swiss Court Declares Transfers of Banking Data to U.S. Authorities Illegal (Hunton & Williams, 11 Jan 2010) - On January 8, 2010, the Swiss Federal Administrative Court (“Bundesverwaltungsgericht”) published a decision that declared the transfer of banking data to U.S. law enforcement authorities by the Swiss bank UBS to be illegal. In late 2009, UBS transferred the data of over 300 customers suspected of evading U.S. taxes to the U.S. Department of Justice and Internal Revenue Service following an order issued by the Swiss Financial Market Supervisory Authority (“Finma”) pursuant to an agreement Finma reached with the U.S. authorities. In its decision, dated January 5, the Court found that Finma overstepped its legal authority in ordering the data transfer. Although strictly speaking the Court’s decision was based on Swiss constitutional, administrative and banking secrecy law, rather than data protection law, the decision contains extensive discussion about the fact that the data transfer significantly impaired the customers’ privacy rights as guaranteed by the Swiss constitution and by human rights instruments to which Switzerland is a party. The Swiss government reportedly is considering whether to appeal the decision to the Swiss Supreme Court, and the decision could have important implications for demonstrating the legal difficulties of transferring personal data from Europe to U.S. law enforcement authorities. Lawyers acting for some of the defendants were also reportedly preparing to file criminal charges against UBS executives and Finma employees for transferring the data illegally. http://www.huntonprivacyblog.com/2010/01/articles/information-security/swiss-court-declares-transfers-of-banking-data-to-us-authorities-illegal/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+PrivacyInformationSecurityLawBlog+%28Privacy+%26+Information+Security+Law+Blog%29&utm_content=Google+Reader
Court Compares Parties’ Clickwrap Contents, Process In Rejecting Unconscionability Claim (BNA’s Internet Law News, 14 Jan 2010) – BNA’s Electronic Commerce & Law Report reports that the U.S. District Court for the Southern District of Indiana held Dec. 22 that clickwrap terms of service, which an appliance company employee clicked to accept when signing up for an online advertising program, formed a binding agreement, rejecting a procedural unconscionability challenge. Case name is Appliance Zone LLC v. NexTag Inc.
Judge Heaps E-Discovery Costs on Plaintiff (Law.com, 14 Jan 2010) - In an action that electronic discovery experts say may signal a sea change in how legal costs are apportioned after trial, a federal judge in Atlanta has ordered the losing company in a patent infringement action to pay more than $268,000 in costs to its opponents for the services of a computer consultant hired to fulfill broad discovery demands. In a Dec. 30 order, U.S. District Judge Thomas W. Thrash Jr. derided the patent infringement case that Cordele, Ga.-based software company CBT Flint Partners filed in 2007 against California company Cisco IronPort Systems (part of technology giant Cisco Systems) as well as the tactics of CBT’s counsel at Atlanta’s King & Spalding. Thrash stopped short of awarding legal fees in the case, however. Cisco IronPort had requested legal fees of more than $1.2 million and its co-defendant, Return Path, an international e-mail and internet technology vendor, had requested $590,000. Both prevailed in the litigation. In his order, Thrash called CBT’s patent infringement claims “objectively baseless” but found that, “although CBT and counsel exercised poor legal judgment in pursuing this action, there is not clear and convincing evidence that the pre-filing investigation was so pathetic as [to] justify an inference of bad faith.” http://www.law.com/jsp/article.jsp?id=1202437930333&rss=newswire&hbxlogin=1
French Court Strikes Down Another SOX Whistleblower Program (Steptoe & Johnson’s E-Commerce Law Week, 14 Jan 2010) - France’s highest court of appeals has ruled that multinational company Dassault Systèmes violated the law by instituting a whistleblower system that included uses not authorized by France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), and by not notifying employees of their right to access, correct, and object to data collected about them. Dassault, which is listed on the New York Stock Exchange, had adopted its whistleblowing system to comply with the U.S. Sarbanes-Oxley Act (SOX), but extended the reporting requirements beyond financial issues without gaining CNIL’s explicit authorization. The court also found that the company’s requirement that employees obtain permission before using company information violated employees’ free speech rights. http://www.steptoe.com/publications-6567.html
U.S. Law Firm That Sued China Reports Cyberattack (Law.com 15 Jan 2010) - A Los Angeles law firm that recently filed a $2.2 billion copyright infringement suit against the People’s Republic of China said that it has become the target of cyberattacks originating in China. “I was the first one to get one of these e-mails,” said Gregory Fayer, a lawyer at Gipson Hoffman & Pancione, which began receiving unsolicited e-mails on its firm computers on Monday. “Something about it didn’t seem right. It didn’t seem quite in the manner in which the person who was supposedly sending it to me would put something, and so I called up the other attorney and said: ‘Did you just send me an e-mail?’ That person said, ‘No.’ That’s how we discovered the first one.” Fayer, who is handling the suit, could not say whether the attacks on the firm were related to it but noted, “It is difficult to believe that the timing is merely coincidental.” The e-mails came the same week that Google Inc. declared that it would stop complying with Chinese censorship requirements for the Internet following reports that several of its computer systems had drawn cyberattacks believed to originate in China. Some of the attacks were aimed at Chinese human rights activists’ Gmail accounts. The firm has contacted the FBI and U.S. Rep. Anna Eshoo, D-Calif., a senior member of the House Permanent Select Committee on Intelligence, who on Tuesday urged companies to come forward about suspected cyberattacks in light of the Google revelation. Fayer said that he and his colleagues already were on “high alert” when the firm filed a $2.2 billion copyright infringement suit on Jan. 5 on behalf of a software firm in Santa Barbara, Calif., against the Chinese government, two Chinese software makers and seven major computer manufacturers that helped distribute Green Dam Youth Escort software. http://www.law.com/jsp/article.jsp?id=1202438338267&rss=newswire&hbxlogin=1 [Editor: GhostNet compromised other US law firms’ files—possibly comprehensively—in early 2009; clients apparently were not informed. The FBI finally issued a warning in early November: http://files.knowconnect.com/public/cyber_advisory.pdf]
- and -
US Oil Industry Hit By Cyberattacks: Was China Involved? (Christian Science Monitor, 25 Jan 2010) - At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage. The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show. The companies – Marathon Oil, ExxonMobil, and ConocoPhillips – didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas, a source familiar with the attacks says and documents show. The data included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information, the source says. What these guys [corporate officials] don’t realize, because nobody tells them, is that a major foreign intelligence agency has taken control of major portions of their network,” says the source familiar with the attacks. “You can’t get rid of this attacker very easily. It doesn’t work like a normal virus. We’ve never seen anything this clever, this tenacious.” http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved [I worked in this sector; we saw national governments trying to access oil field reservoir data back in the 1990s.]
Bar Exam Prep Via an iPhone App (LawSites, 18 Jan 2010) - At $999, it is the most expensive app available for the iPhone. But this one may actually be worth it, as TechCrunch reports. Called BarMax CA, it is a full-fledged preparation course for the California bar exam, offered entirely on the iPhone, at a third to a quarter less than the price of a BarBri course. The app was the brainchild of Mike Ghaffary, a graduate of both Harvard Law School and Harvard Business School. He pulled together a team of Harvard law grads to create the app. What does the app offer? A lot, says TechCrunch: “The app is over 1 gigabyte in size, which is the largest application I’ve ever seen. It includes thousands of pages of materials as well as hundreds of hours of audio lectures. It’s all the information you could ever want for the two-month course. And again, it can be done all on your iPhone. That said, if you do want some more tangible paperwork for certain sections, BarMax will send you that electronically as well.” By the end of the year, the company plans to add bar-exam apps for New York and five other states. It may also offer a version for just the multi-state for $500. http://www.legaline.com/2010/01/bar-exam-prep-via-iphone-app.html
California CIO: Open Source Officially Welcome Here (ArsTechnica, 20 Jan 2010) - The Chief Information Officer (CIO) of the state of California has issued an IT policy letter to formally affirm that open source software is acceptable for use by government agencies in California. As the state lies crushed beneath the burden of an unprecedented $20 billion deficit, government officials are looking for ways to cut spending and manage infrastructure more efficiently. Reducing vendor lock-in and giving more consideration to free and open source software could help the state improve its financial health. The same dynamic is also true at the national level. Last year, the national governments of Canada and the UK both began formulating open source IT strategies. The US Department of Defense, which has a history of open source advocacy, issued a memo last year highlighting the advantages of open source adoption. http://arstechnica.com/open-source/news/2010/01/california-cio-issues-it-policy-letter-about-open-source.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss
Authenticating Web Pages as Evidence (Law.com, 21 Jan 2010) - Plaintiff sues your client, claiming that his injuries have significantly affected his lifestyle. He is unable to work, travel or bowl. Not surprisingly, his spouse alleges loss of consortium. On the eve of trial, you discover pictures and other details on a social networking website about plaintiff’s recent trip to the International Bowling Museum & Hall of Fame, including a picture of plaintiff proudly holding a fluorescent orange bowling ball and a four-foot tall gilded trophy dated four days earlier. As you approach the witness with printouts of the web pages, you are stopped in your tracks: “Objection, lack of foundation.” It is now routine for litigators to conduct internet research to work up a case. Indeed, for many litigators, one of the first things they do is see what is available about the opposing party, searching Google, social networking sites like Twitter, MySpace and Facebook, and the party’s personal websites. During the life of any case, there will likely be valuable information obtained from the internet that will be used at deposition or trial. Commonly, the proponent of online evidence will present a screen shot of the web page, which was either downloaded as a .pdf or printed directly from the website. The process is like taking a photograph of the image as it appears on the monitor. In general, this captures not only the look, but also the download date and the URL. If proper steps are not taken to admit the evidence, the value of this information may be lost. [Editor: article continues usefully.] http://www.law.com/jsp/article.jsp?id=1202439301020&rss=newswire
Learning To Love That Roommate from Hell (Steptoe & Johnson’s E-Commerce Law Week, 21 Jan 2010) - Back when it was decided, the Ninth Circuit’s en banc decision in Fair Housing Council of San Fernando Valley v. Roommates.com, LLC struck fear in the hearts of website operators who depend on user-generated content because it seemed to open a gaping hole in the immunity shield provided by section 230 of the Communications Decency Act (47 U.S.C. § 230(c)(1)) (CDA). As we’ve previously reported, the Ninth Circuit held that Roommates.com forfeited its CDA immunity when it “encourag[ed] illegal content” by offering users limited content options via drop-down menus as a precondition for using the service. But since then, most courts have interpreted Roommates.com narrowly, thus assuaging some of the concern that the section 230 aegis would be reduced to tatters. The Fourth Circuit recently continued that trend in Nemet Chevrolet Ltd., et al., v Consumeraffairs.com, Incorporated, rejecting claims that a website acted as an “information content provider” -- and thereby lost its immunity -- by soliciting, revising, and categorizing consumer complaints in order to “attract attention by consumer class action lawyers.” http://www.steptoe.com/publications-6580.html
Blogs, YouTube Prompt Campaign Finance Ruling (CNET, 21 Jan 2010) - The U.S. Supreme Court’s sweeping ruling on Thursday that invalidated large chunks of campaign finance law arose in part from an unlikely source: the emergence of Facebook, YouTube, and blogs, and the decline of traditional media outlets. A 5-4 majority concluded that technological changes have chipped away at the justification for a law that allows individuals to create a blog with opinions about a political candidate--but threatens the ACLU, the National Rifle Association, a labor union, or a corporation with felony charges if they do the same. The now-invalidated law “would seem to ban a blog post expressly advocating the election or defeat of a candidate if that blog were created with corporate funds,” Justice Anthony Kennedy wrote in the majority opinion (PDF). “The First Amendment does not permit Congress to make these categorical distinctions based on the corporate identity of the speaker and the content of the political speech.” Eugene Volokh, a law professor at UCLA, called it the “first appearance” of the word “blog” in a Supreme Court opinion. And Google’s video-sharing site is singled out in the conclusion, with Kennedy writing that “skits on YouTube.com” that cast politicians in an unflattering light could give rise to “felony” charges if a corporation dared to post them. Kennedy added: “Rapid changes in technology--and the creative dynamic inherent in the concept of free expression--counsel against upholding a law that restricts political speech in certain media or by certain speakers. Today, 30-second television ads may be the most effective way to convey a political message. Soon, however, it may be that Internet sources, such as blogs and social-networking Web sites, will provide citizens with significant information about political candidates and issues.” http://news.cnet.com/8301-13578_3-10439023-38.html
You’ve Been Served (Tech Bankruptcy blog, 22 Jan 2010) - BBC News reported a couple of months ago about a British court allowing service of a court order using Twitter. Twitter is, for those who do not yet know, an on-line network allowing users to post short messages that are then broadcast to a list of subscribers. In the particular case, a political blogger named Donal Blarney sought an order enjoining another user of the Twitter service. Because the target of the court injunction had not yet actually been identified, the court allowed the injunction to be served via a posting on Twitter. The posting gave notice of the court order and, because twitter postings are very limited in length, contained a link to the order itself. Apparently, according to a story in The Register, the tactic succeeded. The malefactor did in fact receive the notice of the order and agreed to comply with the order. Would similar tactics work in the U.S. Bankruptcy Court? Perhaps in limited circumstances. Fed. R. Civ. P. 5(b)(2)(D) and Fed. R. Bankr. P. 7005 allow service by “electronic means” when the recipient has previously consented in writing. Service is effective on transmission. This rule was designed to allow service by e-mail through the ECF system, but there really is no reason why other means could not be used as well. The catch is, of course, getting that advance written consent. http://tech-bankruptcy.blogspot.com/2010/01/youve-been-served.html
Legal Sites Plan Revamps as Rivals Undercut Price (New York Times, 24 Jan 2010) - Westlaw and LexisNexis, the dominant services in the market for computerized legal research, will undergo sweeping changes in a bid to make it easier and faster for lawyers to find the documents they need. Lawyers and researchers paying to go online to find court cases and other legal documents should find better-looking interfaces, more relevant search results and new tools for document-sharing and other collaboration. The changes to the research services are a reaction by Westlaw and LexisNexis to lower-priced — sometimes free — rivals and arrive at a time when law firms are working to cut overhead. The two companies also want to cater to a younger generation of lawyers accustomed to slick Web services and the search interfaces presented by companies like Google and Microsoft. Westlaw will introduce its changes on Feb. 1; LexisNexis has yet to specify a date. Because of advances in computing power and computer science, lawyers can now search all the databases in a given jurisdiction, rather than having to hand-select the pools of information they believe might be relevant to a given case. Most important, according to Mr. Dahn, the WestlawNext service has a revamped search system that allows lawyers to type in general requests, as they might on Google, rather than their typical narrow searches. The search system also relies on algorithms to find documents related to a case that the lawyers may not have thought they needed. http://www.nytimes.com/2010/01/25/technology/25westlaw.html?ref=business
Courts In Maryland, New Jersey, Florida Declare Mistrials After Juror Internet Research (Citizen Media Law Project, 25 Jan 2010) - Appeals courts in Maryland and New Jersey appear to be the first to reverse jury verdicts because of social media use by jurors during trial. http://www.citmedialaw.org/blog/2010/courts-maryland-new-jersey-florida-declare-mistrials-after-juror-internet-research?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+CitizenMediaLawProject+(Citizen+Media+Law+Project)
Sign of the Times: Clorox Seeks Lawyer for Social Media Issues (ABA Journal, 25 Jan 2010) - Clorox is hiring an in-house lawyer to focus on legal issues surrounding social media. The company’s ad for a social media legal expert is “rather surprising,” but it’s a sign of the times, Advertising Age reports. Many companies already use social media to promote their products, and Clorox is no exception, Advertising Age says. The company has Facebook fan pages for Clorox and Brita, uses Twitter to solicit product ideas, and solicits reader feedback on its new blog Understanding Bleach. A job description posted at JDHunter.com says the new hire at Clorox will be expected to provide legal counsel on managing and securing advertising content “especially as it relates to social media and other Web 2.0 executions, TV and radio.” Among other things, the new lawyer will be expected to draft celebrity talent contracts that apply across multimedia platforms, advise on music and video licensing across platforms, and advise on the application of privacy laws to the collection of consumers’ information. Advertising Age interviewed Jack Greiner, an attorney with Cincinnati’s Graydon Head & Ritchey who listed social media as a specialty on LinkedIn. He said the in-house lawyer may want to tackle the issue of how Clorox employees talk about the company and its products on social media by writing a policy establishing the ground rules. The new lawyer would also be wise to counsel against unwise moves that could be used by competitors to gain attention, he said. As an example, he cites the infringement suit filed by The North Face against a clothing upstart called The South Butt. In the end, he said, The North Face became the butt of South Butt’s joke. http://www.abajournal.com/mobile/article/sign_of_the_times_clorox_seeks_lawyer_for_social_media_issues [Editor: I gave a presentation on this on 12 January; key lesson: be careful of issuing policies that over-restrict use of social media, and of lawyers’ natural, too-conservative tendencies. PowerPoint presentation here: http://www.knowconnect.com/policies/cat/e_policy_presentations]
- and -
Company Requires ‘Tweet’ as Part of Law Firms’ RFP Response (Law.com, 21 Jan 2010) - In a post yesterday, Larry Bodine’s LawMarketing Blog gave us an update on an interesting RFP issued last year by a company called FMC Technologies. The beauty contest is now down to the final cut. Not only did FMC post the RFP on Legal OnRamp, an online social network for in-house lawyers, it also required interested law firms to “state in a Tweet on Twitter (140 character limit) why FMC should hire the law firm.” Keep in mind that this all occurred in May 2009, when Twitter was even more of a mystery to law firms than it is today. Fifty law firms downloaded the two-page RFP, but as Corporate Counsel reporter Amy Miller wrote last June, BigLaw was generally reluctant to participate. Bodine reports that the following eight firms tweeted and made the final cut:
• Beirne, Maynard & Parsons
• The Law Offices of Tom Fulkerson
• Littler Mendelson
• Seyfarth Shaw
• Summit Law Group
• Sutherland Asbill & Brennan
• Valorem Law Group
• Womble Carlyle Sandridge & Rice
FMC’s general counsel, Jeffrey Carr, is on the board of the Association of Corporate Counsel, and has strong views on the existing model for legal service delivery. He views it as unsustainable and states that it is “antiquated, inefficient and ineffective and it fails to deliver value to the client by avoiding -- indeed by punishing -- those that leverage prior work product, streamline processes and focus on profitability by cost reduction as opposed to top line revenue growth.” Carr says he employed this type of digital/social RFP because he was seeking tech-savvy firms that offered alternative fees and online billing. http://legalblogwatch.typepad.com/legal_blog_watch/2010/01/twitter-required-company-requires-tweet-as-part-of-law-firms-rfp-response.html?utm_source=twitterfeed&utm_medium=twitter
- and -
Social Networking: A Workplace Policy (Law.com, 22 Jan 2010) - The first part of this article addressed issues surrounding the effect of the internet on hiring and firing in the 21st Century. This article discusses the laws that impact social networking in the workplace and provides guidance on developing a social networking and blogging policy. Many states have enacted off-duty conduct statutes, which prohibit an employer from disciplining an employee for engaging in lawful conduct while away from the employer’s premises. These states include, most notably, California, Colorado and New York. However, these statutes also provide exceptions that allow employers to limit otherwise lawful, off-duty conduct where it creates a material conflict of interest for the employer or is reasonably related to the employee’s job. For example, the New York statute allows an employer to discharge an employee for off-duty conduct that creates a material conflict of interest related to trade secrets, proprietary information, or some other business interest. http://www.law.com/jsp/article.jsp?id=1202439369681&rss=newswire [Editor: much more here.]
Hitting Pause on Class Videos (InsideHigherEd, 26 Jan 2010) - In the latest clash of copyright law and instructional technology, the University of California at Los Angeles has stopping allowing faculty members to post copyrighted videos on their course Web sites after coming under fire from an educational media trade group. The policy, enacted earlier this month, has been planned since last fall, when the Association for Information and Media Equipment — a group that protects the copyrights of education media companies — charged the university with violating copyright laws by posting the videos to the password-protected course Web pages without the proper permissions. Copyright law does include exemptions for professors who wish to use audiovisual media “in the course of face-to-face teaching activities of a nonprofit educational institution, in a classroom or similar place devoted to instruction” — so long as the professor is not showing media that he or she knows has been made illegally. The university said streaming the video on a password-protected Web site, where only students who are registered members of the class can access it, satisfies these criteria. But the trade group is arguing that a password-protected space on the Web is not a classroom. “The face-to-face teaching exemption allows a video to be played in class, not streamed to the classroom from a remote location,” Dohra said in an e-mail. “As to the fair use claim, when videos are streamed to students outside the classroom, password protection may limit access to some degree. However, requiring a password doesn’t make an infringement fair use.” http://www.insidehighered.com/news/2010/01/26/copyright
E-Filing: Then and Now (New York Law Journal, 26 Jan 2010) - Over the past decade, we have witnessed a technological revolution that has fundamentally changed our lives. We now routinely check the internet for news updates and shop online, not to mention social networking and tweets. Even in the staid and traditional world of justice, we are affected by this revolution. A little over 10 years ago the New York state Legislature enacted Chapter 367 of the Laws of 1999, which created a pilot program to test electronic filing (“e-filing”) in certain civil cases. When the New York State Courts Electronic Filing System was introduced in 1999, only one case was e-filed all year. Ten years later, e-filing by New York’s legal community has increased exponentially. Since 2002, the number of attorneys registered to e-file their cases has grown from 300 to over 13,000 currently registered. As of the end of 2009, over 200,000 cases and over 500,000 documents have been e-filed with the system. After 10 years of acceptance and growth, electronic filing in the state courts significantly advanced with the enactment of Chapter 416 of the Laws of 2009, effective Sept. 1, 2009. With this new legislation, electronic filing now has a permanent place in New York’s legal system. The legislation makes three important changes to New York’s e-filing program. http://www.law.com/jsp/article.jsp?id=1202439497847&rss=newswire
No Access for the Axis: SourceForge Bows to Government Demands (ReadWriteWeb, 26 Jan 2010) – SourceForge one of the primary distribution hubs of the open source software movement, has shut its doors to visitors from a number of countries, saying that it is working to be in compliance with existing U.S. laws. In a blog post yesterday, the site responded to rumors around the Twittersphere that various users from outside the U.S. were now unable to access the site. The open source movement has always been community based, working outside of standard boundaries and borders, and some see this as going against those basic tenets. Here is the reasoning for the move in SourceForge’s own words: Since 2003, the SourceForge.net Terms and Conditions of Use have prohibited certain persons from receiving services pursuant to U.S. laws, including, without limitations, the Denied Persons List and the Entity List, and other lists issued by the U.S. Department of Commerce, Bureau of Industry and Security. The specific list of sanctions that affect our users concern the transfer and export of certain technology to foreign persons and governments on the sanctions list. The site began using automatic IP blocking last week and users from a number of countries, including Cuba, Iran, North Korea, Sudan, and Syria, are now unable to access the site. While some are calling foul and declaring the premature death of the open source movement, we have to assume that the technologically savvy users accessing the site would know how to get around a simple IP-based filter. Whether using a tool like Tor or a proxy service like HotSpot Shield, it can’t be all that difficult to access the site. http://www.readwriteweb.com/archives/no_access_for_the_axis.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+readwriteweb+(ReadWriteWeb)
- and -
Cloud Computing and US Export Control Rules (Roland Trope, 26 Jan 2010) - Enterprises are giving increasing consideration to the promised benefits of renting storage, processing, and applications hosted beyond their premises on third party servers that can be accessed wirelessly (i.e., “cloud computing”). However, there are growing concerns that companies and professionals (e.g., lawyers, doctors, engineers, accountants) may not understand the inherent risks of entrusting sensitive data to the “cloud.” One risk is that enterprises responsible for export-controlled data (i.e., data subject to the “dual-use” controls of the Export Administration Regulations (EAR), or the defense article controls of the International Traffic in Arms Regulations (ITAR)) will belatedly learn that the data they released to the “cloud” has been transferred by the cloud service provider from servers located in the U.S. to servers located overseas without a license and thus in violation of the EAR and/or the ITAR. One cloud service provider, apparently worried about its own potential liability, obtained back in January 2009 an advisory opinion from the Bureau of Industry and Security on the applicability of the EAR to the service provider’s cross-border transfers of customers’ data. http://www.bis.doc.gov/policiesandregulations/advisoryopinions/jan13_2009_ao_on_cloud_grid_computing.pdf The opinion noted that providing computation capacity via the cloud would not be subject to the EAR, but that if the provider “ships or transmits software that is subject to the EAR, an ‘export’ would occur.” The opinion further noted that an export of data via the “cloud” would be for the benefit of the user, not the provider, and that therefore the user (or customer) would be responsible for compliance with the EAR (and, by implication, potentially liable for any noncompliance). Since the ITAR are more restrictive and are interpreted and enforced not by the BIS, but by the State Department’s Directorate of Defense Trade Controls, enterprises should not rely on the BIS opinion for guidance on their responsibilities for ITAR compliance when using “cloud” services. [Roland Trope is a partner in the New York offices of Trope and Schramm LLP, and can be contacted at firstname.lastname@example.org]
A Little ‘i’ to Teach About Online Privacy (New York Times, 27 Jan 2010) – A little blue symbol is carrying big implications. Trying to ward off regulators, the advertising industry has agreed on a standard icon — a little “i” — that it will add to most online ads that use demographics and behavioral data to tell consumers what is happening. Jules Polonetsky, the co-chairman and director of the Future of Privacy Forum, an advocacy group that helped create the symbol, compared it to the triangle made up of three arrows that tells consumers that something is recyclable. The idea was “to come up with a recycling symbol — people will look at it, and once they know what it is, they’ll get it, and always get it,” Mr. Polonetsky said. Most major companies running online ads are expected to begin adding the icon to their ads by midsummer, along with phrases like “Why did I get this ad?” When consumers click on the icon, a white “i” surrounded by a circle on a blue background, they will be taken to a page explaining how the advertiser uses their Web surfing history and demographic profile to send them certain ads. http://www.nytimes.com/2010/01/27/business/media/27adco.html?scp=1&sq=polonetsky&st=cse
Alaska Superior Court Judge Sides With State, Palin In E-Mail Lawsuit (JuneauEmpire.com, 25 Jan 2010) - An Alaska judge has sided with former Gov. Sarah Palin in a lawsuit over e-mail, finding that state law doesn’t forbid the use of private e-mail accounts to conduct state business. http://juneauempire.com/stories/012510/sta_554316966.shtml?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+StatelineorgRss-Technology+(Stateline.org+RSS+-+Technology)
- and -
Michigan State Court Rules that Government Officials’ Personal E-Mails Aren’t Subject to FOIA (AnnArbor.com, 27 Jan 2010) - A sweeping decision released by the Michigan Court of Appeals today places new limits on the state’s Freedom of Information Act, concluding that personal e-mails exchanged between government officials are not subject to disclosure. The ruling stems from a case out of Livingston County Circuit Court involving the Howell Education Association, the Howell Board of Education and Howell Public Schools. The state appeals court ruled this week that e-mails exchanged between teachers union officials on a school district’s computer system are not subject to FOIA. The three-judge panel reversed a lower court ruling from 2007 that found e-mails stored on the school system’s server were public records. According to the new ruling, only records created to further a public institution’s official duties are subject to FOIA and that “personal communication,” even if related to school issues such as union contract negotiations, are exempt. http://www.annarbor.com/news/state-court-rules-that-government-officials-personal-e-mails-arent-subject-to-foia/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+StatelineorgRss-Technology+(Stateline.org+RSS+-+Technology)
S.E.C. Adds Climate Risk to Disclosure List (New York Times, 28 Jan 2010) - The Securities and Exchange Commission said on Wednesday for the first time that public companies should warn investors of any serious risks that global warming might pose to their businesses. Although the agency has long required companies to reveal possible financial or legal impacts from a variety of environmental challenges, it has never specifically cited climate change as bringing potentially significant business risks or rewards. The S.E.C., on a party-line 3-2 vote, issued “interpretive guidance” to help companies decide when and whether to disclose matters related to climate change. The commission said that companies could be helped or hurt by climate-related lawsuits, business opportunities or legislation and should promptly disclose such potential impacts. Banks or insurance companies that invest in coastal property that could be affected by storms or rising seas, for example, should disclose such risks, the agency said. http://www.nytimes.com/2010/01/28/business/28sec.html?ref=business [Editor: Why is this in MIRLN? Climate-change risk is more speculative than security-breach risk; Y2K risks were disclosed in 1999, and the SEC may turn its sights now to security-breach risk.]
Connecticut AG the First to File HIPAA Suit (Steptoe & Johnson’s E-Commerce Law Week, 28 Jan 2010) - Connecticut Attorney General (and senatorial candidate) Richard Blumenthal has become the first state attorney general to file a complaint for violation of the Health Insurance Portability and Accountability Act (HIPAA). State attorneys general were granted the authority to enforce HIPAA by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended HIPAA as part of the American Recovery and Reinvestment Act of 2009. Blumenthal has sued Health Net of the Northeast, Inc., and affiliated and successor companies in federal court in Connecticut after a portable computer disk drive holding the protected health information and other personal information of 1.5 million customers disappeared from the company’s Connecticut office. Blumenthal has also alleged that Health Net violated Connecticut’s breach notification law by delaying notification of affected individuals for six months. Blumenthal is seeking injunctive relief and damages. http://www.steptoe.com/publications-6595.html
**** NOTED PODCASTS ****
BooksAhead.com (Mitch Ratcliffe, IT Conversations) - Calling from the 2010 CES in Las Vegasi, tech journalist Mitch Ratcliffe joins Phil and Scott to discuss the future of books, reading, and publishing. He talks about how his blog Booksahead.com is a platform to discuss authors and publishing, as well as news about the industry. He also reviews new mobile devices, including E-Book readers and tablet computers, as well as the Sophie Project, open source software for writing and reading. http://itc.conversationsnetwork.org/shows/detail4361.html [Interesting 45 minute discussion about an expansive, evolutionary future for e-books, with crowd-sourced annotations, social-network asynch recommendations and discussions, author-feedback systems, and perpetual cloud-libraries. ONE STAR.]
Data Mining Spurs Innovation, Threatens Privacy (NPR, 18 Dec 2009; 22 minute audio segment) - By analyzing cell phone movements and online search queries, scientists can monitor traffic in real time and track disease outbreaks more efficiently, but at what cost to privacy? Computer scientists Tom Mitchell and Deborah Estrin discuss the pros and cons of crowd sourcing personal data. http://www.npr.org/templates/story/story.php?storyId=121615586 [Story driven by “Mining Our Reality”, from the 18 December 2009 issue of Science Magazine, and available here: http://www.scribd.com/doc/24279809/Mining-our-Reality-by-Tom-Mitchell-Carnegie-Mellon-University]
**** RESOURCES ****
Exclusive First Look: Fastcase iPhone App (Robert Ambrogi’s blog, 25 Jan 2010) - The legal research service Fastcase is preparing to launch an application that will let users research cases and statutes on their iPhones, all for free. The app is awaiting final approval from Apple before it will be available in the App Store. Fastcase granted me an exclusive first look at a pre-release version of the app. Here is what I found. http://www.legaline.com/2010/01/exclusive-first-look-fastcase-iphone.html
Panopticlick (by EFF) - Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies. Panopticlick tests your browser to see how unique it is based on the information it will share with sites it visits. Click below and you will be given a uniqueness score, letting you see how easily identifiable you might be as you surf the web. http://panopticlick.eff.org/
Google Reader Lets You Subscribe to Any Page on the Web (Mashable, 25 Jan 2010) - RSS technology makes it possible for anyone to keep up with fresh content without having to visit the site in question. Now the same holds for webpages without RSS thanks to a new Google Reader feature. Today Google has rolled out a subtle change to Google Reader that lets you create custom feeds to track pages that don’t already have them. So you can subscribe to updates for any webpage simply by typing the URL into the “Add a subscription” text box. Should you put the new feature to work, you’ll start to receive short snippets for any updates made to the pages, and Google asserts that it’s committed to improving the quality of these tiny blurbs over time. On the flip side, webpage owners can choose to opt out by adjusting a few lines of code. http://mashable.com/2010/01/25/google-reader-custom-feeds/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+Mashable+(Mashable)
**** FUN ****
Michael Jackson’s Thriller Inmates, The Sequel: This Is It [VIDEO] (Mashable, 25 Jan 2010) - A new video of hundreds of prison inmates performing a dance routine inspired by the Michael Jackson documentary “This Is It” is something of a sequel to one of the most popular viral videos of all time. Two years ago, a video of 1,500 inmates in the Philippines’ Cebu Provincial Detention and Rehabilitation Center dancing a routine set to Michael Jackson’s “Thriller” was uploaded to YouTube. Since then, it’s reached more than 37 million views. Prison Chief Byron F. Garcia has actually released several videos since “Thriller.” The prison has even become a tourist spot, putting on a monthly performance, selling souvenir shirts and offering visitors chances to have their pictures taken with the dancing inmates. None of the previous videos have come close to the viral success of “Thriller,” though. But now that MJ has sadly passed on, we thought it appropriate to share this performance. It was actually made possible by MJ’s choreographer, Travis Payne. He and two dancers (Daniel Celebre and Dres Reid) taught the inmates all the steps. Go ahead and watch both the dance routine based on “This Is It” (set to “They Don’t Care About Us”) and the classic “Thriller” video below if you like dancing. Hey, we all do — that’s why videos like these are so insanely popular. http://mashable.com/2010/01/25/inmates-this-is-it-michael-jackson/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+Mashable+(Mashable)
**** LOOKING BACK - MIRLN TEN YEARS AGO ****
CIA Says Cyber Threat from Russia and China is Developing (24 February 2000)
The CIA says that there is evidence of “dedicated offensive cyber warfare programs” in China and Russia. Because they know they would lose in conventional warfare confrontation, the countries are focusing on honing their cyber attack capabilities. The US plans to do the same. http://www.computerworld.com/home/print.nsf/all/000224EF6A http://www.zdnet.com/zdnn/stories/news/0,4586,2445516,00.html
**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC. Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (mailto:email@example.com?subject=MIRLN) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, firstname.lastname@example.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuire Wood’s Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/.
10. Readers’ submissions, and the editor’s discoveries.
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.