Saturday, January 09, 2010

MIRLN --- 20 December – 9 January 2010 (v13.01)

• Surveillance Shocker: Sprint Received 8 MILLION Law Enforcement Requests for GPS Location Data in the Past Year
• Lawyers Can Post Clients’ Files on Web
• Heartland pays Amex $3.6M over 2008 data breach
o Massachusetts’s Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift
o Even Extortion of Breached Company Doesn’t Help Plaintiff Show Concrete Injury, Court Finds
• Should a Case Go Webwide?
• Ghostnet and the Unclassified Crisis
• Copyright Claim Based on Taping Fashion Show
• Background Checks For All With BeenVerified’s iPhone App
• Drunk Drivers in Texas to Be Named on Twitter
• No Private Right of Action to Enforce Connecticut Electronic Monitoring Statute
• Long arm of law reaches into World of Warcraft
• Court’s Ruling Holds One Shiny Gift and One Lump of Coal for Employers
• Harnessing Free-Flowing Competitive Intelligence Through Social Media Sites
• Whatever happened to Second Life?
• FTC set to examine cloud computing
• Calif. Federal Judge OKs Posting of Prop 8 Trial to YouTube
• Ohio Court Gives Criminals Another Reason to Love Their Smart (and Not-So-Smart) Phones
• Internet pirates find ‘bulletproof’ havens for illegal file sharing


Surveillance Shocker: Sprint Received 8 MILLION Law Enforcement Requests for GPS Location Data in the Past Year (EFF, 1 Dec 2009) - This October, Chris Soghoian — computer security researcher, oft-times journalist, and current technical consultant for the FTC’s privacy protection office — attended a closed-door conference called “ISS World”. ISS World — the “ISS” is for “Intelligence Support Systems for Lawful Interception, Criminal Investigations and Intelligence Gathering” — is where law enforcement and intelligence agencies consult with telco representatives and surveillance equipment manufacturers about the state of electronic surveillance technology and practice. Armed with a tape recorder, Soghoian went to the conference looking for information about the scope of the government’s surveillance practices in the US. What Soghoian uncovered, as he reported on his blog this morning, is more shocking and frightening than anyone could have ever expected. At the ISS conference, Soghoian taped astonishing comments by Paul Taylor, Sprint/Nextel’s Manager of Electronic Surveillance. In complaining about the volume of requests that Sprint receives from law enforcement, Taylor noted a shocking number of requests that Sprint had received in the past year for precise GPS (Global Positioning System) location data revealing the location and movements of Sprint’s customers. That number? EIGHT MILLION. Sprint received over 8 million requests for its customers’ information in the past 13 months. That doesn’t count requests for basic identification and billing information, or wiretapping requests, or requests to monitor who is calling who, or even requests for less-precise location data based on which cell phone towers a cell phone was in contact with. That’s just GPS. And, that’s not including legal requests from civil litigants, or from foreign intelligence investigators. That’s just law enforcement. 
And, that’s not counting the few other major cell phone carriers like AT&T, Verizon and T-Mobile. That’s just Sprint. Here’s what Taylor had to say; the audio clip is here and we are also mirroring a zip file from Soghoian containing other related mp3 recordings and documents.

Lawyers Can Post Clients’ Files on Web (Arizona Central, 17 Dec 2009) - Lawyers can make their clients’ files available to them on the World Wide Web but only if they take proper safety precautions, the Ethics Committee of the State Bar of Arizona concluded. In a formal written opinion, the panel gave the go-ahead to a lawyer to let clients view and retrieve their own files. Committee members said the plan, as sketched out for them in an inquiry from the attorney, did not run afoul of existing ethics rules about what lawyers must do to safeguard client information. But the committee cautioned that their approval was based on the kind of security the lawyer promised to set up, both in encrypting the files and taking other methods to preclude unauthorized hacking. And the panel also said that the attorney has to conduct periodic reviews to ensure that security precautions in place remain reasonable as technology progresses. This does not mean lawyers have to offer an absolute guarantee that a computer system will be invulnerable to unauthorized access, the committee said. Lawyers are just required to exercise sound professional judgment on what steps are necessary to secure against “foreseeable attempts at unauthorized access.” But the panel said what constitutes “sound professional judgment” is not necessarily based on a judgment that an attorney would reach about what is and is not secure. “It is also important that lawyers recognize their own competence limitations regarding computer security measures,” the opinion states. That requires them to take the necessary time and energy to become competent or to consult available experts in the field.

Heartland pays Amex $3.6M over 2008 data breach (Computerworld, 17 Dec 2009) - Heartland Payment Systems will pay American Express $3.6 million to settle charges relating to the 2008 hacking of its payment system network. This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year. The U.S. Department of Justice has charged Albert Gonzalez and several other accomplices with the hack, saying that Heartland was one of several companies that the hackers managed to break into using SQL injection attacks. Other alleged victims include 7-Eleven and Hannaford Brothers. In total, the gang managed to steal more than 130 million credit card numbers from Heartland and about 4.2 million from Hannaford, prosecutors allege. Card-issuing banks such as American Express have had to pay the costs of re-issuing credit cards, following the breach, and many banks have sued Heartland to recover these costs. American Express operates its own credit card brand as well, and the settlement may also cover fines incurred there. Heartland has also had to pay out fines assessed by other brands such as Visa and MasterCard. Typically, these card brands levy fines against those responsible for data breaches. In May, Heartland CEO Bob Carr said that his company had set aside $12.6 million to handle charges related to the hack. More than half of that money was to handle fines levied by MasterCard, he said.

- but -

Massachusetts’s Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift (InfoLawGroup, 23 Dec 2009) - While the proverbial jury is still out concerning retailers’ sales success this 2009 holiday season, Massachusetts’s highest court (the Supreme Judicial Court or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out of a retailer’s payment card data breach. The Cumis Insurance Society, Inc. v. B.J. Wholesale Club, Inc. decision (“Supreme Court Decision”) analyzed and ruled upon most of the mainstream legal theories issuing banks have used to attempt to recover card reissuance costs, including breach of contract under a third party beneficiary theory, fraud, negligence, negligent misrepresentation and breach of unfair/deceptive practices laws (in this case M.G.L. Chapter 93A, section 11). We have previously commented on multiple decisions involving retailer payment card breaches similar to the BJ Wholesale breach and PCI liability in general, including a 3rd Circuit federal appellate decision that allowed issuing banks to proceed forward with a third party beneficiary breach of contract theory. This blog post dives into and analyzes the Supreme Court Decision, and looks at it in context against similar decisions. Overall, in terms of issuing banks recovering for payment card breaches, the game does not appear to be litigation in the courts, but rather in the backroom contracts and recovery processes contained in the card brand operating regulations that most retailers agree to comply with.

- and -

Even Extortion of Breached Company Doesn’t Help Plaintiff Show Concrete Injury, Court Finds (Steptoe & Johnson’s E-Commerce Law Week, 31 Dec 2009) - A federal court in Missouri has ruled in Amburgy v. Express Scripts, Inc., that a mere fear of identity theft following a data breach, even after the breached company received an extortion letter threatening public release of the confidential information, is insufficient to establish Article III standing and to state a negligence claim. The plaintiff filed a putative class action suit against a pharmacy benefit management company that suffered a breach of customers’ personal information and then received a letter threatening the public release of the information if the company did not pay the persons responsible for the breach. The plaintiff himself was not named in the extortion letter. Nor did he even allege that his personal information had been breached. Nevertheless, the plaintiff claimed that he and fellow class members feared an “increased risk of future injury” following the extortion threat and had to spend money monitoring their credit. The court found that the plaintiff still had not demonstrated a sufficiently concrete injury to satisfy standing requirements or to state a negligence claim, and strongly suggested that this would doom the plaintiff’s contract claims.

Should a Case Go Webwide? (ABA Journal, 21 Dec 2009) - Shortly after oral arguments before the Philadelphia-based 3rd U.S. Circuit Court of Appeals, a marketer for the defense attorney launched a website dedicated to the wrongful-conviction appeal that included everything from court filings to information about the lawyer. The site has received more than 3,400 visitors since April, showing how a case-specific website can help raise the profile of smaller firms, according to Richard Lavinthal, owner of PRforLaw, a Morrisville, Pa.-based legal media relations consulting firm. He developed the site for New York City solo attorney Timothy J. McInnis. But such webpages raise concern among some legal ethicists and marketers, who say the sites could violate rules of professional conduct. Some also argue the marketing tool is inappropriate for a lawyer.

Ghostnet and the Unclassified Crisis (excerpt from coming book by Stewart Baker, 21 Dec 2009) – [Editor: description of the introduction and workings of the surveillance botnet called GhostNet; this excerpt fails to mention that at least one law firm was fully penetrated, resulting in the apparent compromise of all clients’ files.] [Editor: some of this was alluded to in MIRLN 12.05; the seminal researcher’s report on GhostNet is here:]

Copyright Claim Based on Taping Fashion Show (THR Esq, 22 Dec 2009) - A women’s clothing company is suing Canadian Broadcasting Company after a reporter for the television station snuck into a New York fashion show without an invitation and taped the event. According to the complaint filed by Nygard International in New York district court late last week, members of the media who attended the show signed an agreement limiting their right to record the event and distribute footage without written approval. A CBC employee identifying himself as David Common and a cameraman allegedly evaded security and made an unauthorized recording. When asked to leave, the cameraman is said to have refused to go. The event was held on private premises, so one of the grounds for this complaint is trespass. More intriguing, perhaps, Nygard is also claiming that CBC violated the company’s copyright. We’re reminded of professional sporting leagues’ restrictions on the kind of audio-video content that news outlets can transmit from inside a sporting event. Some leagues even attempt to limit descriptions of an event. However, these events derive significant revenue from big TV rights licensing deals and broadcasters who show up with their own cameras potentially interfere with these licensing arrangements. In this case, Nygard makes the case that it was potentially damaged “because distribution of images of Plaintiff’s fashions prior to the release of those products in the marketplace could give Plaintiff’s competitors an unfair advantage and cause Plaintiff to lose control over its intellectual property, goodwill, and public image.” Fascinating argument, and leaving aside the hot question over the IP protection on fashion designs, it could be interesting to see what a court has to say in this case. Will companies be more aggressive in making copyright claims to protect public image going forward? [Editor: goes to audience members’ iPhone recording of for-fee CLE events, etc.]

Background Checks For All With BeenVerified’s iPhone App (TechCrunch, 22 Dec 2009) - Back in September, we wrote about a new iPhone app that would allow you to run a background check on a new lover. It’s mildly creepy, but also kind of interesting. Unfortunately, that app, DateCheck, also charged an arm and a leg to run the checks. A new one gives you some background checking ability for free. The aptly named Background Check App does exactly what it says: Using data from the site BeenVerified, it allows you to do background checks on people via name queries or their email addresses. And it even allows you to check your contacts on your iPhone with just one click. Just imagine the fun that will bring. But it’s not all free fun. Unfortunately, you only get three free queries a week. After that, you’re prompted to sign up for a BeenVerified account and pay to get unlimited access. Currently, that will cost you $8-a-month. Beyond looking up things such as age, address history, and relatives, Background Check App gives you access to criminal records, the properties associated with a person (and their values), and even scans the social networks to find data about the person there, such as pictures of them.

Drunk Drivers in Texas to Be Named on Twitter (, 25 Dec 2009) - Drunk driving in Montgomery County, Texas, this holiday season? Expect to see your name in Tweets, as the local district attorney’s office has vowed to name and shame drunk drivers on Twitter. The tactic, hoping to dissuade drunk drivers using the threat of public humiliation, will see DWI (Driving While Intoxicated) arrests documented on the @MontgomeryTXDAO Twitter account, owned by Montgomery County District Attorney, Brett Ligon. The idea was conceived by County Vehicular Crimes Prosecutor Warren Diepraam, and it’s not entirely new: the information is a matter of public record and some newspapers print the names of people charged with such crimes as a deterrent. Moving the practice to Twitter, however, is somewhat controversial: shaming people who have yet to be found guilty is a concept that some law bloggers are rallying against.

No Private Right of Action to Enforce Connecticut Electronic Monitoring Statute (Daniel Schwartz, 29 Dec 2009) - The Connecticut Supreme Court, in a decision that will be officially released on January 5, 2010, has held that employees cannot bring a private right of action against employers that violate the state’s electronic monitoring statute. In Gerardi v. City of Bridgeport, two city fire inspectors were disciplined for improper job performance through the use of GPS devices, allegedly without the employees’ consent. They claimed that the employer violated Conn. Gen. Stat. 31-48d, which prohibits an employer from electronically monitoring an employee’s activities without prior notice, and sought injunctive relief and monetary damages. The employees claimed that even though the statute didn’t contain a private right of action, one should be implied. The Court disagreed.

Long arm of law reaches into World of Warcraft (Kokomo Perspective, 31 Dec 2009) - The virtual world of online gaming seems like the perfect place to hide. There is plenty of anonymity, and it’s almost impossible for someone to trace activity back to its source, right? Wrong. Two weeks ago, Howard County Sheriff’s Department deputy Matt Roberson tracked down a wanted fugitive through one of the most popular games on the Internet — World of Warcraft. And he got his man. “We received information that this guy was a regular player of an online game, which was referred to as ‘some warlock and witches’ game,” said Roberson. “None of that information was sound enough to pursue on its own, but putting everything we had together gave me enough evidence to send a subpoena to Blizzard Entertainment. I knew exactly what he was playing — World of Warcraft. I used to play it. It’s one of the largest online games in the world.” Indeed, World of Warcraft is among the most popular online pastimes today, boasting more than 14 million players in dozens of countries — including Canada. But this is the Internet, and Blizzard is in California. Roberson’s subpoena was nothing more than a politely worded request, considering the limits of his law enforcement jurisdiction and the ambiguity of the online world. Blizzard did more than cooperate. It gave Roberson everything he needed to track down Hightower, including his IP address, his account information and history, his billing address, and even his online screen name and preferred server. From there it was a simple matter to zero in on the suspect’s location. “I did a search off the IP address to locate him,” said Roberson. “I got a longitude and latitude. Then I went to Google Earth. It works wonders. It uses longitude and latitude. Boom! I had an address. I was not able to go streetside at the location, but I had him.” Roberson and Rogers contacted the U.S. Marshals, who immediately notified the Royal Canadian Mounted Police and the Canadian Border Services Agency. According to Rogers, Canadian authorities located Hightower in Ottawa, Ontario, and arranged to have him deported. The marshals picked up the suspect in Minneapolis, and Howard County has until Jan. 5 to bring him back here to face charges.

Court’s Ruling Holds One Shiny Gift and One Lump of Coal for Employers (Steptoe & Johnson’s E-Commerce Law Week, 31 Dec 2009) - A federal district court in Idaho has ruled in Alamar Ranch, LLC, v. County of Boise that an employee waived the attorney-client privilege by communicating with her lawyer over her employer’s email system, where the employer had a clear policy of monitoring employee communications. Other courts have found reasons not to find a waiver under similar circumstances, so this ruling provides support for employers whose monitoring practices come under fire. But the court also found that other people who communicated with the employee and the lawyer simultaneously did not waive their privilege despite the monitoring policy. This part of the ruling could support claims against an employer by non-employees whose communications with an employee were monitored by the employer.

Harnessing Free-Flowing Competitive Intelligence Through Social Media Sites (ABA’s LPM, December 2009) - The Web is a great resource for law firm competitive intelligence (CI). For years, law firm CI analysts have been watching the Web sites of prospective clients and competing firms for any information that can create a competitive advantage for their own firm. This includes monitoring competitor firms’ attorney rosters and tracking trends within other firms based on the publications, press releases and other information posted on their sites. Clients’ and prospective clients’ Web sites are tracked to identify new products, potential litigation issues, and changes within the companies that might enable a firm to capture new work. But for the CI analyst, the disadvantage has been that a lot of the information posted on traditional Web sites is so heavily filtered that it’s ultimately of very little value. The development of Web 2.0 technologies has changed things, however, creating an opportunity to monitor information that doesn’t go through a filter before publication. Resources like social networking sites, “Ning” communities, wikis and blogs encourage the free flow of information, and individuals who were once hidden behind the company’s firewall are conducting all kinds of online conversations outside those walls. For law firm CI analysis, the advent of Web 2.0 has ushered in a whole new era and expanded the abilities to find valuable information that could give the firm a competitive advantage. [Editor: quite interesting.]

Whatever happened to Second Life? (PC Pro, 4 Jan 2010) - It’s desolate, dirty, and sex is outcast to a separate island. Barry Collins returns to Second Life to find out what went wrong, and why it’s raking in more cash than ever before. Three years ago, I underwent one of the most eye-opening experiences of my life – and I barely even left the office. I spent a week virtually living and breathing inside Second Life: the massively multiplayer online world that contains everything from lottery games to libraries, penthouses to pubs, skyscrapers to surrogacy clinics. Oh, and an awful lot of virtual sex. At its peak, the Second Life economy had more money swilling about than several third-world countries. It had even produced its own millionaire, Anshe Chung, who made a very real fortune from buying and selling property that existed only on Second Life servers. Three years on, and the hype has been extinguished. Second Life has seen its status as the web wonderchild supplanted by Facebook and Twitter. The newspapers have forgotten about it, the Reuters correspondent has long since cleared his virtual desk, and you can walk confidently around tech trade shows without a ponytailed “Web 2.0 Consultant” offering to put your company on the Second Life map for the price of a company car.

FTC set to examine cloud computing (The Hill, 4 Jan 2010) - The Federal Trade Commission (FTC) is investigating the privacy and security implications of cloud computing, according to a recent filing with the Federal Communications Commission. The FTC, which shares jurisdiction over broadband issues, says it recognizes the potential cost-savings cloud computing can provide. “However, the storage of data on remote computers may also raise privacy and security concerns for consumers,” wrote David Vladeck, who helms the FTC’s Consumer Protection Bureau.

Calif. Federal Judge OKs Posting of Prop 8 Trial to YouTube (, 7 Jan 2010) - Chief Judge Vaughn Walker made it clear Wednesday that he will forge ahead with televising the federal challenge to Prop 8. But he also signaled he doesn’t want to be the next Lance Ito. The trial, which begins on Monday, will be filmed by court personnel, Walker ruled, but it will not be broadcast live. Instead, the recording will be posted on a YouTube page at some point after the close of the day’s proceedings. Walker declined an offer from In Session (formerly Court TV) to broadcast live, with its own crew.

Ohio Court Gives Criminals Another Reason to Love Their Smart (and Not-So-Smart) Phones (Steptoe & Johnson’s E-Commerce Law Week, 8 Jan 2010) - The Supreme Court of Ohio ruled last month in State v. Smith that the warrantless search of a cell phone seized incident to a lawful arrest is prohibited by the Fourth Amendment. The court refused to extend to cell phones the normal doctrine allowing police to search an arrestee’s person and containers found on or near him without obtaining a search warrant, holding that a cell phone is not a “closed container” because it does not hold other “physical objects.” The court also found that cell phones’ “ability to store large amounts of private data gives their users a reasonable and justifiable expectation of a higher level of privacy in the information they contain,” and that police therefore must “obtain a warrant before intruding into the phone’s contents.”

Internet pirates find ‘bulletproof’ havens for illegal file sharing (The Guardian, 5 Jan 2010) – Internet pirates are moving away from safe havens such as Sweden to new territories that include China and Ukraine, as they try to avoid prosecution for illegal file sharing, according to experts. For several years, piracy groups that run services allowing music, video and software to be illegally shared online have been using legal loopholes across a wide range of countries as a way of escaping prosecution for copyright infringement. In the last year there has been a significant shift, say piracy experts, as the groups have worked to stay beyond the reach of western law enforcement. The change is rooted in the evolution of “bulletproof hosting”, or website provision by companies that make a virtue of being impervious to legal threats and blocks. Not all bulletproof services are linked to illegal activities, but they are popular among criminal groups, spammers and file-sharing services. Not every controversial service has fled beyond traditional jurisdictions, however. Some problematic hosts still exist in the US, such as the infamous host McColo, which was based in San Jose, California, and remained in operation until last year. Pirate Bay, after its brief excursion to Ukraine, is now run out of a Dutch data centre called CyberBunker, which is based in an old nuclear facility of the 1950s, about 120 miles south-west of Amsterdam. Research published last year showed that most bulletproof hosts are located in China, where criminals are able to take advantage of low costs and legal loopholes to avoid prosecution.

The Rewilding: A Metaphor (IT Conversations; by Karl Schroeder; 24 July 2009) - Long ago, when we started using technology, we lacked the collective cognizance to define the limits we wanted to exercise control within, so we tried controlling everything. The notion of technological advancement was about the degree of control exercised over nature. However, the modern trend indicates an inversion of that philosophy. According to sci-fi author Karl Schroeder, the world is now reaching a point where we are learning when to let go, and that, he says, is working well. [Editor: 15 minute podcast, relevant to Web 2.0 debates about employer loss of control and threats from too much sharing (e.g., at 8m45s and the discussion about “organizational rewilding”). Talks about knowing when to control, and knowing when to leave alone. ONE STAR.]

**** RESOURCES ****
An E-Book Buyer’s Guide to Privacy (EFF, 21 Dec 2009) - As we count down to end of 2009, the emerging star of this year’s holiday shopping season is shaping up to be the electronic book reader (or e-reader). From Amazon’s Kindle to Barnes and Noble’s forthcoming Nook, e-readers are starting to transform how we buy and read books in the same way mp3s changed how we buy and listen to music. Unfortunately, e-reader technology also presents significant new threats to reader privacy. E-readers possess the ability to report back substantial information about their users’ reading habits and locations to the corporations that sell them. And yet none of the major e-reader manufacturers have explained to consumers in clear unequivocal language what data is being collected about them and why. As a first step towards addressing these problems, EFF has created a first draft of our Buyer’s Guide to E-Book Privacy. We’ve examined the privacy policies for the major e-readers on the market to determine what information they reserve the right to collect and share.

Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping (Congressional Research Service, 5 Dec 2009) - This report provides an overview of federal law governing wiretapping and electronic eavesdropping. It also appends citations to state law in the area and contains a bibliography of legal commentary as well as the text of the Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA). It is a federal crime to wiretap or to use a machine to capture the communications of others without court approval, unless one of the parties has given their prior consent. It is likewise a federal crime to use or disclose any information acquired by illegal wiretapping or electronic eavesdropping. Violations can result in imprisonment for not more than five years; fines up to $250,000 (up to $500,000 for organizations); in civil liability for damages, attorneys’ fees and possibly punitive damages; in disciplinary action against any attorneys involved; and in suppression of any derivative evidence. Congress has created separate but comparable protective schemes for electronic communications (e.g., e-mail) and against the surreptitious use of telephone call monitoring practices such as pen registers and trap and trace devices. Each of these protective schemes comes with a procedural mechanism to afford limited law enforcement access to private communications and communications records under conditions consistent with the dictates of the Fourth Amendment. The government has been given narrowly confined authority to engage in electronic surveillance, conduct physical searches, install and use pen registers and trap and trace devices for law enforcement purposes under the Electronic Communications Privacy Act and for purposes of foreign intelligence gathering under the Foreign Intelligence Surveillance Act. 
Two FISA provisions, born in the USA PATRIOT Act and dealing with roving wiretaps (section 206) and business records (section 215), are scheduled to expire on December 31, 2009. This report includes a brief summary of the expired Protect America Act, P.L. 110-55 and of the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008, P.L. 110-261 (H.R. 6304). It is available in an abridged form without footnotes, quotations, or appendices as CRS Report 98-327, Privacy: An Abbreviated Outline of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, by Gina Stevens and Charles Doyle.

The Growing Wave of Data Breach Litigation (Risk Management, December 2009) - Data breaches – the theft, loss or unintended exposure of personally identifiable information – have compromised hundreds of millions of personal records in recent years. In 2009, the trend continued with two of the largest breaches in history. In January, as many as 100 million credit card records were exposed when it was discovered that hackers broke into the network of credit card processor Heartland Payment Systems. And in October, the personal information of more than 70 million U.S. military veterans was compromised when an improperly erased hard drive was sent out for repair. These breaches, and others like them, only scratch the surface of the problem. A study by Gartner Inc. found that financial fraud affected 7.5% of all Americans in 2008, and data breaches spawned 19% of that fraud. The Identity Theft Resource Center (ITRC) reported that data breaches in 2008 increased by 47% over the previous year. And by November, the ITRC had reported more than 400 breaches affecting 220 million records in 2009 – an amount of records nearly equal to the previous four years combined. Given the scope of the problem, it should be no surprise that data breaches have led to expensive litigation, including attempted class actions. So far, however, these actions have met with little legal success (as distinguished by sizable costs and settlements). But considering the scope of the risk, it would be wise for companies to be familiar with the important decisions in this area.

**** FUN ****
The Ten Best Viral Videos of the Decade (, 26 Dec 2009) - Long ago — the 90s — the word “viral” applied strictly to illness, and we had only an inkling of how awesome it is to dance at weddings, defy gravity and laugh at the funny things cats and toddlers do. This decade changed that. Though we never want to hear words such as “Miss South Carolina,” “inspirational comedian” or “Numa Numa” again, and while we sometimes wonder if those hours spent engrossed in “Planet Unicorn” were hours squandered, we fully cop to a deep, abiding love for viral video. And what’s not to love? It’s a few moments of the crazy, the joyous and the jaw-dropping plopped into our daily grind, minutes made all the sweeter for their “You have GOT to see this” power to bring people together. These are the ones that made us click Replay again and again. [Editor: my favorite is under Honorable Mentions – “Where the Hell is Matt”]

LEGAL BRIEF: LAWYERS CLAIM CREDIT FOR AVERTING Y2K DISASTER -- The gentle calendar change on 1 January 2000 having dashed the expectation that the legal community would cash in on a flood of liability lawsuits related to the Y2K computer problem, some lawyers are taking a little credit for saving the world from disaster. Ronald N. Weikers, an attorney who coauthored the book, “Litigating Year 2000 Cases,” says: “Nobody is going to believe that lawyers are heroes in this case, but we had something to do with it. It’s clear to me and a lot of attorneys that by raising red flags in advance we helped avoid bigger problems down the road.” But Weikers hasn’t given up all hope for a little new business, and tells people who are smug about surviving January 1st that “they shouldn’t rest so assured. They should wait a few months. There’s going to be a flurry of activity.” (Washington Post 10 Jan 2000) Related blog posting from 8 Jan 2010:

**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC. Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
6. Crypto-Gram,
7. McGuire Wood’s Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Eric Goldman’s Technology and Marketing Law Blog,
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
