Saturday, February 23, 2013

MIRLN --- 3-23 February 2013 (v16.03)

MIRLN --- 3-23 February 2013 (v16.03) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

ANNOUNCEMENT

ABA Cybersecurity Legal Task Force. ABA President Laurel Bellows launched this task force last August, and it's beginning to bear fruit. Three teams are addressing: (1) lawyers'/lawfirms' cybersecurity vulnerabilities and best-practices; (2) Critical Infrastructure legal issues; and (3) International law vis a vis cyberaggression. With Jill Rhodes, I'm co-chairing the team looking at lawyers/lawfirms - we have twenty-one other ABA leaders helping build a guidebook on: (a) cyber basics; (b) the impact on attorneys and lawfirms (small firms, medium sized firms, large lawfirms, in-house environments, government attorneys, and public-interest entities); (c) the client impact (e.g., ethical obligations, disclosure of breach, etc.); and (d) incident response and insurance issues. The guidebook will be published in August; look for collateral materials also to emerge (e.g., CLE programming). See related MIRLN story below.

NEWS

International eDiscovery: The IT/Legal Disconnect (IDG Connect, 31 Jan 2013) - Multinational corporations and cloud storage across the globe mean that eDiscovery (or eDisclosure depending on your jurisdiction) is a problem that is not going anywhere anytime soon. Governance and eDiscovery experts will be needed to help corporations deal with ever-increasing data volumes that are moving rapidly throughout global networks in the perfect storm of a compliance or eDiscovery nightmare. Of course, while we know there is a problem generally speaking, the larger challenge is to deconstruct the problem into a few discrete pieces. The following is in no way exhaustive of the challenges, but are a few of the ones I see as being the biggest culprits. In my mind, the greatest challenge associated with international eDiscovery and data governance issues stems from a very basic push-pull between globalization and balkanization when it comes to data. Globalization is a factor from the standpoint that data is moving around the world, quite rapidly I would add, in furtherance of global commerce and information exchanges. Truly the world has never been smaller at any point in human history. But at the same time, there is virtually no consensus internationally when it comes to data privacy issues, regulations regarding retention and destruction of data, and the like. Further complicating matters is the lack of any real international standards of conduct for retrieval of data in one country for use in legal proceedings in another country. Although there is something approaching consensus for EU member nations, the rules are still far from standardized. The most obvious implication for corporations is the tremendous financial pressures this creates when the issue becomes the focus of a legal investigation or request.
Companies can quite literally find themselves between a rock and a hard place when a request for production in the United States can force them to have to process data that resides in another country. When this happens, the obligations to comply with discovery requests can be in direct conflict with the other country's rules concerning privacy. Of course, the issue is compounded because of the rapid proliferation of cloud storage. We can store data anywhere in the world for easy on demand access; however, with that convenience there is the appurtenant tradeoff that different countries, with different legal and regulatory regimes will require compliance with multiple obligations. That is a challenge that is fraught with peril. Of course, these are precisely some of the issues the Working Group 6 of the Sedona Conference tried to address in the International Principles Discovery, Disclosure & Data Protection (December 2011). Although it is focused "principally on the relationship between U.S. preservation and discovery obligations and the EU Data Protection Directive . . . [the principles are] intended to apply broadly wherever Data Protection Laws, regardless of national origin, conflict with U.S. preservation and discovery obligations." This is a vital primer for any company or law firm that deals with such issues. * * * [Polley: Spotted by MIRLN reader Claude Baudoin of Cebe/IT & Knowledge Management.]

Your Employer May Share Your Salary, and Equifax Might Sell that Data (NBC, 1 Feb 2013) - The Equifax credit reporting agency, with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans' personal information ever created, containing 190 million employment and salary records covering more than one-third of U.S. adults. Some of the information in the little-known database, created through an Equifax-owned company called The Work Number, is sold to debt collectors, financial service companies and other entities. "It's the biggest privacy breach in our time, and it's legal and no one knows it's going on," said Robert Mather, who runs a small employment background company named Pre-Employ.com. "It's like a secret CIA." Despite all the information Americans now share on social media and websites, and all the data we know companies collect on us, one piece of information is still sacred to most people: their salaries. After all, who would post their salary as a status update on Facebook or in a tweet? But salary information is also for sale by Equifax through The Work Number. Its database is so detailed that it contains week-by-week paystub information dating back years for many individuals, as well as other kinds of human resources-related information, such as health care provider, whether someone has dental insurance and if they've ever filed an unemployment claim. In 2009, Equifax said the data covered 30 percent of the U.S. working population, and it now says The Work Number is adding 12 million records annually.

Big Firms and Contingency Fee Struggles: Parallel Networks v. Jenner & Block (Patently-O, 4 Feb 2013) - Joff Wild at IAM has posted some interesting reading in the ongoing dispute between the patent assertion entity, Parallel Networks and its former litigation counsel at Jenner & Block. According to the pleadings filed by Parallel Networks in Texas state court [link below], Jenner withdrew from its contingency-fee representation of Parallel Networks against Oracle after losing on summary judgment and determining that it was unlikely to win a large award. Parallel Networks then found new counsel and eventually settled the case for about $20 million. Once that case ended, Jenner returned asking for more than $10 million in attorney fees based upon its hourly rates through summary judgment. Under the representation agreement, both parties had agreed to arbitrate any dispute over fees and an arbitrator awarded Jenner with a $3 million fee. Parallel Networks has now asked the court to set aside the arbitration award - arguing that under Texas law, a contingent fee attorney cannot drop its client simply for economic reasons and then expect to receive any further compensation. The suit also alleges a host of other problems with Jenner & Block representation in both the Oracle litigation and the parallel case against QuinStreet. The bulk of those allegations stem from various internal communications at Jenner involving the risk and potential of the cases that were never communicated to Parallel Networks. The lawsuit will be interesting to follow because it offers a rare public glimpse inside big-firm contingency fee structures and the associated political struggle raised by many risk-averse firm leaders. Here, that attempted risk aversion may well cost the firm several million dollars in fees. I should note that Professor David Hricik testified on behalf of Parallel Networks in the Arbitration.
Hricik is on leave from his Patently-O writing as he clerks at the Federal Circuit. I have not spoken with him about this case.

FBI Again Warns Law Firms About the Threat From Hackers (Ride The Lightning, 4 Feb 2013) - The FBI began warning law firms that they were being targeted by hackers back in 2009. That warning was repeated at LegalTech last week by the FBI's Mary Galligan, the special agent in charge of cyber and special operations for the FBI's New York Office. As Law Technology News reported, Galligan was blunt, saying, "We have hundreds of law firms that we see increasingly being targeted by hackers." The word "hundreds" should give law firms pause. Too many seem complacent even when faced with the unpleasant truth that their information security is sorely short of the mark. It might allay the fears of law firms to learn that the FBI does not tell people they've come to your firm and they don't come in raid jackets. There's no SWAT team and they don't unplug your servers. As Galligan noted, "You need to run your business."

- and -

Law Firms, "the Soft Underbelly of American Cyber Security" (Lawyerist.com, 6 Feb 2013) - At Above the Law, Joe Patrice calls law firms "the soft underbelly of American cyber security." And he is right. If you consider the sensitive nature of the information on most lawyers' computers, plus the proud Luddites making technology decisions at most law firms, this should come as no surprise. I know plenty of lawyers who can barely set up their email, much less encrypt their hard drives. More than a few law firms continue to fall for lame 419 scams. I wouldn't be surprised to find a few partners using their CD tray for a cup holder. Compromising the systems of lawyers like this is child's play for hackers who can remotely compromise a mobile phone with a single misplaced click. Lawyers need to get their acts together, and soon. Think of the information you have about your clients, stored on your computers. For starters, you almost certainly have everything necessary to steal all your clients' identities and empty their financial accounts. If you represent businesses, you may have trade secrets. You definitely have volumes of confidential information that would make excellent extortion ammunition.

Florida Bar Issues Ethics Opinion On Cloud Computing (Future Lawyer, 4 Feb 2013) - Florida Bar Ethics Opinion 12-3. The Florida Bar has released a proposed Advisory Opinion on cloud computing. In summary, the opinion says that Florida lawyers may use cloud computing if they take "reasonable" precautions to ensure that confidentiality of client information is maintained. The lawyer should research the service provider to be used, should ensure that the service provider maintains adequate security, should ensure that the lawyer has adequate access to the information stored remotely, and should consider backing up the data elsewhere as a precaution. The reasonableness standard is pretty vague, and it almost sounds like the lawyer is a guarantor of the security of the data. Whether lawyers will be comfortable enough with the language of the opinion to use cloud services for confidential data remains to be seen.

Why Google's Settlement with French Publishers is Bad for the Web (GigaOM, 4 Feb 2013) - After much diplomatic maneuvering and a series of face-saving gestures on both sides, Google finally signed an agreement with French newspaper publishers late Friday that puts to rest a long-standing legal battle over Google's behavior in excerpting stories on Google News, which the French have argued is copyright infringement. But while the search giant may be relieved to put the whole kerfuffle behind it, there's an argument to be made that it has actually done more harm than good - not only to its own interests, but to the interests of the open web as well. Veteran tech blogger Lauren Weinstein describes this risk well in a recent blog post, in which he calls what the government of France is doing "extortion," and warns of the long-term risk of Google acceding to such demands that it pay for the simple act of linking and excerpting content.

Menu of [fedRAMP] Safety-Approved Cloud Products Grows to Three (NextGov, 4 Feb 2013) - Federal agencies soon will have more options when shopping for certified cloud facilities that don't need security tests. Following the first-ever low-risk guarantee, which was granted to Autonomic Resources in late December 2012, the Web services supplier on Friday said private networks soon will be available for instant installation. And on Thursday, the government endorsed the safety of a second company's services - cloud rentals from CGI Federal. The offerings received seals of approval from the Federal Risk and Authorization Management Program after independent, government-approved auditors checked that the companies' data centers, staff and other support services met federal security standards. The CGI nod marks the second accreditation out of a pool of roughly 80 FedRAMP applicants. After a product passes a one-time inspection, any agency can subscribe to the vendor's services without expending time and money on an agency-specific assessment. Officials with Autonomic Resources, a North Carolina-based small business, said their first sanctioned service "has gained wide interest and acceptance" since the General Services Administration, which manages FedRAMP, signed off.

E-Discovery: 10 Strategic Steps for Defensible Search (BullsEye blog, 5 Feb 2013) - E-Discovery in litigation today presents a number of challenges in creating a defensible, efficient, and iterative search protocol. A defensible keyword search protocol should contain, at a minimum, the following ten strategic steps * * *

"Privacy Policies in the United States" Presentation Slides (Eric Goldman, 6 Feb 2013) - I recently guest lectured on drafting privacy policies in the United States. My presentation slides . One of my big-picture takeaway points is that privacy laws and associated industry self-regulation have gotten so extensive that drafting privacy policies is strictly for privacy experts. Unlike the good ol' days, the average competent lawyer--and even the sophisticated cyberlawyer who dabbles with privacy issues--may be unintentionally treading towards the malpractice line given the number and complexity of the applicable laws and technology. As a result, in all likelihood, I've already drafted the last privacy policy of my career.

Yelp Defeats Legal Challenge to Its User Review Filter (Forbes, 6 Feb 2013) - Yelp uses an automated review filter to suppress some user reviews of businesses. The review filter's criteria aren't publicly disclosed, and some businesses feel that legitimate positive reviews from happy customers are unfairly hidden. One business owner, an operator of three restaurants in Mammoth Lakes, California and a Yelp advertiser, got so frustrated with the review filter that he challenged Yelp's review filter in court. Recently, the court ruled decisively in favor of Yelp, confirming that Yelp isn't legally liable for filtering users' reviews as it sees fit. The restaurant owner didn't attack the review filter directly. Instead, he complained about Yelp's marketing descriptions of its review filter, claiming that Yelp falsely advertises its trustworthiness when it uses characterizations such as "remarkable filtering process" and "most trustworthy." Yelp responded that the lawsuit was a "SLAPP" - a lawsuit designed to suppress socially beneficial speech - and therefore should be dismissed per California's anti-SLAPP law. (See this post for more discussion about anti-SLAPP laws). The court agreed with Yelp, finding that "statements regarding the filtering of reviews on a social media site such as yelp.com are matters of public interest." The court also concluded that Yelp's laudatory statements about its review filter were "puffery," not factual representations. Cf. Seaton v. TripAdvisor. As a result, if the anti-SLAPP dismissal survives a likely appeal, the restaurant owner will have to pay Yelp's legal defense costs. Case is Demetriades v. Yelp, Case No.: BC484055 (Cal. Superior Ct. Jan. 25, 2013).

Privatized Lawmaking (Volokh Conspiracy, 6 Feb 2013) - You might want to check out a new article by Dru Stevenson at South Texas Law called Costs of Codification. Dru writes the Privatization Blog - don't confuse it with the Reason Foundation's Privatization Blog; I think either Dru or Reason should choose a catchier blog name. Here's the abstract to Dru's article, from SSRN: "Between the Civil War and World War II, every state and the federal government shifted toward codified versions of their statutes. Academia has so far ignored the systemic effects of this dramatic change. For example, the consensus view in the academic literature about rules and standards has been that precise rules present higher enactment costs for legislatures than would general standards, while vague standards present higher information costs for courts and citizens than do rules. Systematic codification - featuring hierarchical format and numbering, topical arrangement, and cross-references - inverts this relationship, lowering transaction costs for legislatures and increasing information costs for courts and citizens, as statutes proliferate. This Article takes a first look at this problem. On the legislative side, codification makes it easier for special interest groups to obtain their desired legislation. It facilitates Coasean bargaining between legislators, and encourages legislative borrowing, which diminishes the "laboratories of democracy" phenomenon. For the courts, codification changes how judges interpret statutes, prompting them to focus more on the meaning of individual words than on the overall policy goals of enactment, and to rely more on external sources, such as legislative history. For both legislators and courts, codification functions as a Hartian rule of recognition, signaling legality for enacted rules.
For the citizenry, the reduced legislative costs mean increased legislative output, yielding rapid proliferation of statutes and unmanageable legal information costs. More disturbingly, codification also fosters overcriminalization. While it may not be appropriate to revert to the pre-codified regime now, reexamining the unintended effects of codification can inform present and future choices for our legal system."

Coursera Classes for College Credit? Five Online Courses Approved for Credit Equivalency (GigaOM, 6 Feb 2013) - Massive open online classes are moving ever closer to legitimacy. Last month, Udacity announced a partnership with San Jose State University to pilot three online classes for college credit. And on Wednesday, Coursera is set to announce that five of its courses have won approval from the American Council on Education (ACE) for credit equivalency. That doesn't mean students of those courses will be guaranteed credit by traditional universities - institutions have the option to accept or decline the credit - but it indicates that the courses meet ACE's standards. And, importantly, it creates the opportunity for Coursera students to not just use online classes to burnish a resume, but to potentially earn a degree.

Docracy Tracks Changes In Terms of Service and Privacy Policies So You Don't Have To (Lifehacker, 7 Feb 2013) - Few people bother to read an entire privacy policy or terms of service for every service they use. Even fewer bother with the changes services make to those terms over time. Docracy Terms of Service Tracker is a webapp that tracks when words change so you can keep up to date without reading the whole thing. Docracy uses a document change analysis to track when terms of service and privacy policies are updated, so anytime a site changes their terms, Docracy knows. In most cases, it's just a couple edits to change the language, but sometimes they're a lot more comprehensive. Terms of Service change all the time, and while companies usually notify you of the changes, you probably don't actually bother reading through them. This is an easy way to track what has changed so you can see if it matters to you. Of course, you'll need to have at least skimmed the Terms of Service to begin with. [Polley: Spotted by MIRLN reader Mike McGuire of Littler.]

We're Getting There! (InsideHigherEd, 7 Feb 2013) - Did anyone outside of New York City happen to catch this story about Baruch College? In the scope of international Internet policy it is a proverbial drop in the bucket. But for higher education information technology policy it is an important story. And a good step that administrators there made in how they handled a challenge that in the past has stymied administrators and angered students. Here is the story in a nutshell. Some students come up with a software program for course registration. They do not run it by anyone in IT or Student Services, but they also do not intend for it to be destructive or shy away from identification with it. Some of the student founders authenticated openly to it. Nonetheless, the program places a considerable load burden on servers, and possibly on bandwidth, as it pings over a million times to maintain current status of courses and selections. IT professionals register the spike, investigate and administrators contact the students. But instead of reading them the riot act (in the form of Responsible Use Policy), it would appear as if they educate … each other! The students to whom we will give the benefit of the doubt may not have appreciated the adverse impact that the program would have on the servers and network. The administrators to whom we will give credit did not throw the book at them. Together they learned more about students' needs, the complexity of technological operation of a network and IT policy. [Polley: EXACTLY! Policy promulgation in a vacuum is bad - instead, entities need to engage in dialogue with users to educate each other (users, of risk; regulators, of new practices; both, of opportunities for collaboration).]

It Will Be Hard To Stop The Rise Of Revenge Porn (Business Insider, 8 Feb 2013) - There is a seedy underbelly of the internet where people post nude or otherwise compromising photos of their ex-girlfriends or boyfriends for anyone to see, sometimes to get back at a lover who jilted them. These so-called "revenge porn" sites bring up a number of questions. Why aren't they illegal? How big is the "revenge porn" business? And what does the existence of these sites say about our culture in general? One of the more notorious of these sites in operation today is PinkMeth. The premise is pretty much identical to that of IsAnyoneUp -- users submit nude photographs of people to the site and they're posted for anyone to see. But PinkMeth seems to take this concept a step further, disclosing loads of personal data on the subjects in the photographs -- their names, their birth dates, their email addresses, and even links to their social networking profiles like Twitter and Facebook. Can PinkMeth do this and still operate within the bounds of the law? However intuitively wrong revenge porn might seem, sites operate in a legal gray area due to Section 230 of the Communications Decency Act, which states websites can't be held responsible for content submitted by a third party. We reached out to founder Robert Leshner and policy director Samantha Leland at privacy company Safe Shepherd to learn more. "Most of these sites rely exclusively on third party submissions," they told us, "and most of those submissions are at least nominally anonymous. The sites make money by posting these images, and thus have no incentive to create policies that make it easy for victims to remove the submitted photos ... Congress could try to narrowly define an exception that would protect victims of things like revenge porn and non-consensual pornography, but they'll likely get pushback from companies and organizations that want to keep content restrictions on the internet as minimal as possible. 
Striking that balance is important." But on the other hand, some see it as unambiguously illegal. We spoke to Jason van Dyke, a Texas attorney who has handled several revenge porn cases, and he says there's no doubt that "it's completely illegal" when published without accompanying documentation verifying the ages of the people in the photos.

Demise of the Trial by Jury - Is Social Media to Blame? (BullsEye blog, 8 Feb 2013) - Social media and the increasingly mobile nature of electronic technology may be upsetting the delicate balance found in the U.S. jury system. As in nature, introduction of an invasive species can threaten an ecosystem, forcing it to adapt or risk extinction. As an alien species, social media is no exception. Its growing presence in the legal system is reshaping modern litigation. To what extent is social media threatening the U.S. jury process? This topic has been the subject of intense scrutiny in recent months. Last June the ABA released Proposed Model Jury Instructions to address the growing concern over jurors' use of electronic technology to communicate about or research a case during trial. A prefatory note recommends that the instructions be provided to jurors at the end of each day prior to jurors returning home (in addition to the beginning and close of a case), perhaps underscoring increasing tension over what transpires once jurors walk out of the courtroom. The legal community may have to come to grips with the fact that completely eliminating and regulating jurors' use of social media may not be entirely possible. The reason is simple - sharing everything via social media and electronic technology, which is increasingly mobile and sophisticated, has become a way of life for many. * * * Two recent articles, one appearing in JD Supra Law News and another academic piece published in the University of Illinois Law Review, have questioned the practical difficulties in preventing social media in the courtroom, pointing out how a juror's use of social media during trial can detrimentally affect the constitutional right to a jury trial.

Feds Update Cybersecurity Compliance Handbook (InformationWeek, 8 Feb 2013) - The federal government has nearly finalized its first major overhaul to the primary handbook to federal cybersecurity standards in nearly four years, and its most significant update since the initial release of that handbook in 2005. The National Institute of Standards and Technology (NIST) on Wednesday released the 455-page final public draft of NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, and announced that it was seeking comments on the document. Special Publication 800-53 is the definitive catalog of security controls necessary to meet the federal government's internal cybersecurity requirements such as the Federal Information Security Management Act (FISMA), and has begun to be adopted even by state and local governments and some private companies. Special Publication 800-53 is the product of a collaboration among NIST, the Department of Defense and the U.S. Intelligence Community, as well as the input of thousands of comments received from the general public after release of the first public draft of Revision 4 in February 2012.

DHS Watchdog OKs 'Suspicionless' Seizure of Electronic Devices Along Border (Wired, 8 Feb 2013) - The Department of Homeland Security's civil rights watchdog has concluded that travelers along the nation's borders may have their electronics seized and the contents of those devices examined for any reason whatsoever - all in the name of national security. The DHS, which secures the nation's border, in 2009 announced that it would conduct a "Civil Liberties Impact Assessment" of its suspicionless search-and-seizure policy pertaining to electronic devices "within 120 days." More than three years later, the DHS office of Civil Rights and Civil Liberties published a two-page executive summary of its findings. "We also conclude that imposing a requirement that officers have reasonable suspicion in order to conduct a border search of an electronic device would be operationally harmful without concomitant civil rights/civil liberties benefits," the executive summary said. The DHS watchdog's conclusion isn't surprising, as the DHS is taking that position in litigation in which the ACLU is challenging the suspicionless, electronic-device searches and seizures along the nation's borders. But that conclusion nevertheless is alarming considering it came from the DHS civil rights watchdog, which maintains its mission is "promoting respect for civil rights and civil liberties." * * * The ACLU on Friday filed a Freedom of Information Act request demanding to see the full report that the executive summary discusses. Meantime, a lawsuit the ACLU brought on the issue concerns a New York man whose laptop was seized along the Canadian border in 2010 and returned 11 days later after his attorney complained.

Speak Out and Get Sued (InsideHigherEd, 10 Feb 2013) - In 2010 Dale Askey, a librarian at McMaster University in Canada, posted an essay on his personal blog referring to Edwin Mellen Press as a "vanity press." In due time Mr. Askey and McMaster University were sued by Edwin Mellen Press and the press founder, Herbert Richardson, for more than $3 million. The suits allege libel. The "offending" blog was removed from the web. Not too long ago, International Higher Education, a publication I edit, was threatened with a lawsuit by the owner of an institution that, by every measure is a degree mill, when said institution was referenced in an International Higher Education article critical of degree mills. On advice of the university's lawyers who were fearful of being entangled in a legal case (however questionable) in a British court where the suit was threatened, we removed the article from our website. The matter was soon forgotten. Perhaps a few anecdotes do not seem worth much attention but there are aspects of these examples that should be cause for concern. We are teetering on a very fine line between the right of scholars to express informed opinion and the right of enterprises to be protected from libel. Yet the increasing threats of lawsuits inhibit expression as scholars weigh risks before voicing opinions. There are serious consequences for academic freedom. There are some (emphasis on some) for-profit enterprises that are involved in questionable academic endeavors. In the case of degree mills, this qualifies as fraud. In other cases, services are of substandard quality. In both cases these enterprises are "selling" a product or service in an academic marketplace where they will be judged by a range of constituents who have a vested interest in protecting the integrity of the academic enterprise. Yet the entrepreneurs who have found profit in higher education are often very touchy about any criticism at all.
Sadly, they have found that threatening legal action can silence their critics who have neither the deep pockets for legal counsel to defend themselves nor the inclination to become immersed in a lengthy legal proceeding. As the threat of lawsuits becomes more frequent, individuals and organizations may be more inclined to self-censor. This will detract from important public debate that is fundamental in a free society. In the Askey case, his comments about the Edwin Mellen Press reflected his extensive experience reviewing academic journals. The observation was not capricious. Online petitions are circulating to defend his right to express this opinion. The matter has raised the question of whether the Edwin Mellen suit violates Askey's academic freedom.

Addressing The Problem: Keep Your Email Address Up To Date (Simple Justice blog, 10 Feb 2013) - Amid the hoopla surrounding every new shiny must-have toy in the lawyer's arsenal lurks a time bomb waiting to go off. Your email address. Most of us have a few of them, born of necessity from sources like Google, which demand the creation of an in-house email if you want to enjoy its functions. Then there are the new websites everyone has purchased because somebody, whether marketeer or youth, informed you that it's no longer cool to have an AOL email address and marks you as a social media dinosaur. So people switch emails with abandon, keeping up with the skirt height or tie width of the internet. It's all good fun, right? Not according to Judge Lewis Kaplan's opinion on appeal in the Worldcom bankruptcy case : "The rulings were entered on the electronic docket, and notice was automatically emailed to CNI's sole counsel of record, W. Mark Mullineaux, at the email address which he previously had registered with the clerk's office for the purpose of receiving such notifications. But that was an old email address. Mullineaux's new email address was listed in his motion to appear pro hac vice in the case, but he hadn't updated his profile in the electronic case files (ECF) system. As a result, Mullineaux didn't receive the court's notification and failed to file a timely notice of appeal." The district court wasn't overly concerned, and granted an extension of time to appeal, based upon the failure to get timely notice and lack of prejudice. The 2d Circuit, however, wasn't nearly as sympathetic. District Judge Lewis Kaplan, sitting by designation, wrote, "There is nothing in the history of the rules ... 
to suggest that the drafters sought to provide relief when the fault lies with the litigants themselves" and that "CNI's failure to receive Civil Rule 77(d) notice was entirely and indefensibly a problem of its counsel's making, and Rule 4(a)(6) was not designed to reward such negligence." Judge Kaplan makes plain that keeping transmittal information up to date is the lawyer's responsibility, and the client will pay a heavy price for our failure. The ABA says lawyers are ethically required to stay abreast of technology, and even I agree .

They Really Don't Know Clouds At All (Volokh Conspiracy, Stewart Baker, 11 Feb 2013) - Every new computing technology seems to bring with it a privacy flap. Cloud computing is going through that phase right now, at least outside the United States. Canadian and European elites fear that putting data in the cloud will somehow let the US government paw through it at will, a fear that usually centers on Section 215 of the USA PATRIOT Act. The debate has been fed by interest groups worried about their future in a world of cloud computing. It was first raised as part of a campaign by the British Columbia Government Employees Union against the outsourcing of British Columbia's health insurance data processing. (Full disclosure: I worked on the issue for clients both at the time and more recently.) After years of remission, the issue has recently returned even more virulently, when Europe's small cloud providers began using the Patriot Act as a marketing tool. In November of 2011, two European companies announced the creation of a European cloud offering that they advertised as providing a "safe haven from the reaches of the U.S. Patriot Act" in a press release that goes on to say, "Under the Patriot Act, data from EU users of U.S.-owned cloud-based services can currently be shared with U.S. law enforcement agencies without the need to tell the user." This is pretty clearly a reference to section 215 of the Patriot Act, which once allowed the FBI to "gag" recipients of 215 orders. (That authority was substantially cut back by Congress in 2005; now recipients may challenge gag orders in court annually until they are revoked. See 50 USC 1861(f)(2)(A).) As a competitive strategy, this line of attack has some problems. It assumes that, while US-owned companies can be compelled to produce data from around the world, European companies can safely refuse to comply. 
The argument that the US can compel global compliance is grounded in a line of cases ordering banks to produce records from foreign branches. Unfortunately for the European companies making this pitch, the line of cases is named after the unsuccessful party - the Bank of, uh, Nova Scotia - which is rather plainly not a US company and thus hardly the best case to cite if you're arguing that people can defeat American discovery orders by giving their records to companies headquartered outside the US. Nonetheless, the argument is still shaking up customers and officials in Europe, who are understandably not comforted by the response that even European cloud companies can be compelled to produce records. I think for several reasons that this risk has been severely hyped - there are only a couple of hundred section 215 orders a year, compared to tens of thousands of criminal subpoenas, and the Justice Department discourages foreign fishing expeditions. But those reasons have been discussed by others. Instead of digging into them, I'd like to explore a point that hasn't been discussed as widely: the utter uselessness of serving a section 215 order on a cloud computing company * * *

National Security Experts Discuss Options for 'Active' Cyber Defense (ABA, 11 Feb 2013) - If a cybercriminal hacks into your network and steals your files, what legal right do you have to track down the thief and perhaps hack into his network and recover or destroy the files? National security experts discussed the legality of varying degrees of such "active" cyber defense, as opposed to passive efforts to lock down information through conventional cybersecurity measures, during an ABA Midyear Meeting panel discussion Feb. 10 sponsored by the ABA Standing Committee on Law and National Security. The risk of cyber theft is faced not only by companies with valuable intellectual property and strategy documents, but also by the law firms that service such clients. Panelists agreed that while private-sector cybersecurity is as strong as ever, systems that are designed merely to keep out thieves are bound to be breached by those determined to steal information. "We have tried to defend our way out of this problem. It has failed," said Stewart Baker, a partner with Steptoe & Johnson in Washington, D.C., and former general counsel of the National Security Agency. This realization is why some companies are exploring the legality of more active security measures, whose legality is in question and may call for coordination between government and the private sector. As articulated by Stephen Chabinsky, chief risk officer at security firm CrowdStrike, the private sector has the technology and reach, but not the legal authority, to take an active role on cyber defense, whereas the government has the authority but not the technology or reach. Panelists agreed that such problems point to the value of the ABA Cybersecurity Legal Task Force, created by ABA President Laurel Bellows. The panelists noted that cybercrime raises a host of legal issues that the organized bar must help figure out and address. [Polley: video excerpts from the program here.]

Survey of GCs Sees Cybersecurity Risk, Anxiety (Corporate Counsel, 13 Feb 2013) - Despite the growing threat of computer security breaches, some 30 percent of general counsel in a recent survey said their companies were not prepared to deal with such a crisis. And experts say more GCs need to overcome their technophobia and help their firms face the increasing risk. "Among the most fearsome threats facing corporations in 2012 was an increasing proliferation of cybersecurity breaches of various orders of complexity and impact," according to the "2012 General Counsel Survey," by global consultants Consero Group. The survey, produced in partnership with Applied Discovery Inc., is based on responses from 48 general counsel in December 2012. Some 28 percent of the GCs surveyed indicated that their companies had experienced a cybersecurity breach over the last 12 months. And that figure may be low. "It's safe to assume that a breach is a source of great anxiety and embarrassment for large companies. So there is a natural disinclination to report it," explained attorney Paul Mandell, founder and chief executive of Consero. The group is located in Bethesda, Maryland. "But cybersecurity was clearly a very hot topic and a source of concern for the general counsel," Mandell added. The theft of company data by employees is also a growing concern, Mandell said, and "there was quite a bit of discussion [among general counsel] about employees bringing their own devices [BYOD] to work. It's a huge issue." So far there is very little understanding of what the best practices are in the BYOD area, he said. Mandell explained that much of the anxiety about cybersecurity stems from "lawyers not generally being tech savvy by nature," and the fact that no one has found a perfect solution for protecting data. 
The report explained that a company's GC also must be aware of international regulatory requirements regarding digital security, while ensuring compliance and addressing breaches when they result in litigation or government action. The trend Mandell sees is for general counsel to increasingly explore the addition of tech-savvy attorneys, like those who handle intellectual property.

- and -

Serious Data Breaches Take Months to Spot, Analysis Finds (Network World, 13 Feb 2013) - More than six out of ten organisations hit by data breaches take longer than three months to notice what has happened with a few not uncovering attacks for years, a comprehensive analysis of global incidents by security firm Trustwave has found. During 2012, this meant that the average time to discover a data breach for the 450 attacks looked at was 210 days, 35 more than for 2011, the company reported in its 2013 Global Security Report (publicly released on 20 February). Incredibly, 14 percent of attacks aren't detected for up to two years, with one in twenty taking even longer than that. Almost half - 45 percent - of breaches happened in retailers with cardholder data the main target. The food and beverage sector accounted for another 24 percent, hospitality 9 percent, and financial services 7 percent. Trustwave also puts its finger on a seeming paradox; investigators seem able to spot breaches that admins didn't. Why? The part-answer seems to be that too many organisations rely on automated protection such as antivirus or a firewall that don't fail gracefully. If attackers beat that security layer there is no other system to notice that something unusual has happened. Seventy percent of all client-side attacks were connected to the Blackhole Exploit Kit, the leviathan of the cybercrime world. Six in ten attacks targeted software flaws in Adobe's PDF Reader. Seeing what's leaving the networks isn't necessarily going to be easy as a quarter of data is exfiltrated (i.e. stolen) using an encrypted channel designed to hide activity.

Live Stream of Special Event for Terry Fisher's Copyright Course: IP Protection for Fashion (Berkman, 13 Feb 2013) - Join us this evening and throughout the Spring 2013 semester for a series of special webcasts featuring discussions from Professor Terry Fisher's Copyright course, hosted on the edX online learning platform. HLS1x Copyright , an experimental course offered on edX, explores in depth the law, theory, and practice of copyright. Tonight's webcast will feature Jeannie Suk & Chris Sprigman on the issue of IP protection for fashion and will begin at 7PM ET. The public stream of the webcast for each event will be available at the date and time listed below and on the course website . Each of the events features a guest expert and examines a difficult issue growing out of, or adjacent to, copyright law. In the courses overall, and in the special events in particular, considerable attention is devoted to the relationship between copyright law and creative expression in a variety of fields: literature; music; film; photography; graphic art; software; comedy; fashion; and architecture.

You can read more about the course here.

Is a Twitter Handle a 'Must-Have' for Today's Lawyer? Not Yet (Law.com Legal Blog Watch, 15 Feb 2013) - Kevin O'Keefe kicked off an interesting discussion about Twitter this week in a post on his blog, Real Lawyers Have Blogs. O'Keefe argued that "your identity of record for now is your Twitter handle," and gave numerous examples of how he uses people's Twitter handles to identify them in his own blog posts, give credit to authors and otherwise acknowledge them online. O'Keefe says that this is important to him because he is trying to build relationships with people, not just have a "one-way street" where he is doing only the talking or only the listening. O'Keefe specifically urged lawyers to "get your Twitter handle out there. It's how I and many others will identify you when we want to cite you, on or off Twitter. It's also how your target audience can get to know you and begin to trust you.... You've got to have one." I am a fan of Twitter, and I definitely agree with Kevin that it is important to have a Twitter handle if you want to be identified, acknowledged or engaged by others online. But I think the Futurelawyer post pushes the argument too far, as the benefit of a Twitter handle today is a far cry from the benefit of being a lawyer in the 1980s who can actually communicate by telephone with his or her actual clients, colleagues, courts, etc. Particularly with respect to the "big law firm" world that I used to work in and that I still interact with daily, I just don't believe that having (or not having) a Twitter handle really has much of an impact yet. It may be different in the world of the solo practitioner, which I'm not very familiar with, but I seriously doubt even the "best" individual lawyer-Twitterers from big law firms would suffer too much if they walked away from Twitter tomorrow.

Miami Herald Ends Anonymous Comments (USA Today, 15 Feb 2013) - It's something that editors at The Miami Herald heard often, far too often. Readers would say that they'd like to comment on an article they had read on miamiherald.com. But they didn't want to face the abuse and the name-calling they were likely to encounter from anonymous commenters who disagreed with them. "People would say, 'I don't want to stand up in front of people who throw eggs,' " says Rick Hirsch, the Herald's managing editor, adding, "We had a big group of trolls who would do nasty things." And so the Herald became the latest news outlet to ban anonymous comments. Starting Feb. 11, visitors to miamiherald.com have to sign in through their Facebook accounts before they can weigh in on the news of the day. It's a dilemma that has plagued America's newsrooms for quite a while. To use the popular buzzword, news organizations everywhere want to strengthen "engagement" with their readers. Many are making extensive use of social media to deepen the relationship. And they very much want feedback on and conversation about the content they post. Trouble is, the dialogue on many sites has been poisoned from the get-go by the ugly, mean-spirited verbiage of a small but often prolific band of anonymous posters. It's a lot easier to call names and pick fights when nobody knows who you are. "The debate quickly devolves into rants," says Steve Doig, the Knight Chair in Journalism at the Walter Cronkite School of Journalism and Mass Communication at Arizona State University. "It spirals down the drain." Newspapers have long required those writing letters to the editor to provide their names and addresses - for good reason. If you are going to take a stand, you should take responsibility for it. And while anonymous sources are used too often in news stories, many outlets have policies forbidding these ghosts from making personal attacks without attaching their names to them.

With Its Australian Court Victory, Google Moves Closer to Legitimizing Keyword Advertising Globally (Eric Goldman, 19 Feb 2013) - Google's keyword advertising program, AdWords, has been subject to constant legal challenges for the past decade. After an initial period of legal uncertainty, AdWords' legal fortunes recently have brightened in the United States and Europe. Earlier this month, AdWords notched another strong win in court, this time in Australia. Considering these developments as a whole, Google has effectively gotten a clean legal bill of health for its AdWords service around the globe. Google's impressive accomplishment also provides a useful cautionary tale about overregulating technological innovations. [Polley: good, thorough analysis - read the entire post if this area is of interest.]

Europe Issues Its Own Cybersecurity Plan (Steptoe, 21 Feb 2013) - The European Commission has published a proposed Directive on network and information security (NIS) that aims to enhance the EU's policies and framework for dealing with cyberattacks, and has also published a cybersecurity strategy. The Directive sets out measures that affect both Member States and critical infrastructure operators, while the strategy presents an overview of how the EU plans to prevent and deal with cyberattacks in the long-term. The Directive's measures would require certain companies that have activities or systems in the EU to manage risks and report significant cyberattacks to national authorities, even if not headquartered in the EU. The Directive's broad language will significantly affect global companies that do not have to comply with such strict disclosure requirements in their home countries. Along with Executive Order 13636 on cybersecurity in the U.S., the EC's action underscores the significant attention governments are finally giving to cybersecurity and the prospect for eventual security mandates on critical industries.

What (Legally) Happens to Our Social Media Accounts When We Die? (Volokh Conspiracy, 21 Feb 2013) - Not all legal scholarship is irrelevant twaddle; some of it addresses emerging legal questions that will indeed require answers in the real world. This student Comment, "What Happens to Our Facebook Accounts When We Die?: Probate Versus Policy and the Fate of Social-Media Assets Postmortem," by Kristina Sherry, appears in the December 2012 Pepperdine Law Review (40 Pepp. L. Rev. 185 (2012)). Given how much commerce now takes place through social media - Facebook, LinkedIn, Twitter, etc. - the legal questions are not just about dear old Mom or Dad and their photos of the grandkids (though those personal accounts also raise issues). Here is the abstract (HT @GregoryMcNeal, via ... Twitter): "More than 580,000 Facebook users in the U.S. will die this year, raising numerous legal questions as to the disposition of their Facebook pages and similar "digital assets" left in a state of legal limbo. While access to and ownership of decedents' email accounts has been philosophized for nearly a decade, this Comment focuses on the additional legal uncertainties posed by "digital death" in the more amorphous realm of "social media." Part II explores the implications of digital death by conceptualizing digital assets and surveying the underlying legal principles of contractual policies, probate, property, and privacy concerns. Part III surveys current law surrounding digital death, emphasizing a 2010 Oklahoma statute granting executors and administrators power over decedents' "social networking" accounts. Parts III and IV consider what the current state of the law means for individuals facing death (i.e. everyone) as social media interacts with both (1) probate law and (2) social-media services' policies as reflected in their terms of service. 
Part V explores how the law and proposed solutions may address the salient policy goals of honoring decedents' postmortem wishes while meanwhile respecting privacy; preserving digital assets; and minimizing probate, litigation and other paperwork-type hassles. Ultimately this Comment suggests while state or even federal legislation may call attention to the importance of digital estate planning, a better solution likely lies between the two extremes of the probate-versus-policy power struggle, and that social-media services themselves may be in the better position to quell the perfect storm of legal uncertainty that looms."

More US Lawyers Move into the Boardroom (FT, 21 Feb 2013) - Are lawyers taking over the world? That is a question many investors and bankers might ponder these days. After all, the 2008 financial crisis and ensuing mess has created a deluge of work for the legal profession. And regulatory reform is likely to keep lawyers busy for many years to come. But aside from the financial sphere, there is another, less-noticed, area where lawyers are increasingly in evidence: corporate boards. In recent months, a group of American law and finance professors have conducted the first comprehensive analysis of how American companies performed between 2000 and 2009 - depending on whether they had lawyers on their boards or not. The results make interesting reading. Most notably, the analysis found that lawyers have become increasingly prevalent on boards; though only 24 per cent of US companies had lawyer directors in 2000, 43 per cent did so in 2009. Moreover, having a lawyer on board apparently goes hand in hand with differences in corporate performance. Companies with lawyer directors seemed to pay their chief executives more, but have less volatility in pay, due to lower levels of corporate risk-taking and default. Litigation risk declines too: stock option backdating litigation, for example, was 94 per cent lower at companies with legal directors. Conversely, when there were no lawyers on the board, there was "a 308 per cent increase in the effect of accounting malpractice litigation on firm value". As a result, the authors calculate that corporate value (measured by Tobin's Q, the ratio of market value to replacement value of assets), is typically 9.5 per cent higher when a lawyer is on the board. This could potentially force a rethink of some cherished business school ideas, they argue. Until now, "the accepted wisdom has been that lawyers should steer clear of public company boards", in case that creates value-destroying conflicts. 
And while regulators and investors increasingly demand that boards have external directors, they have not previously seemed to care where those directors hail from. They should pay more attention to this factor, the report argues, particularly with regard to lawyers. For getting lawyers on board both helps diminish external legal risks and improves internal governance. [Polley: Spotted by MIRLN reader Roland Trope of Trope & Schramm LLP.]

RESOURCES

Harvard-Berkman's Cybersecurity Wiki (February 2013) - This Cybersecurity wiki provides a set of evolving resources on cybersecurity, broadly defined, and includes an annotated list of relevant articles and literature, which can be searched in a number of ways. Please see below. It is intended as a tool/resource for researchers, technologists, students, policy-makers and others who are interested in cybersecurity issues more broadly. For more information about this first phase of the project, including the team, methodology, and opportunities to contribute, please see About the Project. If you have feedback, comments, or suggested additional readings/resources, please contact: cybersecurity-feedback@cyber.law.harvard.edu.

FUN

The Google Store Experience (Tapastic cartoon, 21 Feb 2013) [Polley: Spotted by MIRLN reader Corinne Cooper of Professional Presence.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

STUDY: MANY COMPANIES LACK DISASTER, CONTINUITY PLANS (ComputerWorld, 4 March 2003) -- A U.S.-led war in Iraq that could spawn new terrorist attacks in the U.S. could be less than two weeks away, but that hasn't prompted many companies in the U.S. to invest adequately in disaster recovery, according to a new study released today by Dataquest Inc. The study, "Investment Decisions: Preparing for Organizational Disasters," warns that unless companies invest immediately in disaster preparedness planning, as many as one in three could lose critical data or operational capability if a disaster occurred. IT managers from 205 end-user companies representing eight vertical industries in the U.S., including government, aren't investing appropriately in disaster plans because they don't have the money to reach their required readiness levels, said Tony Adams, principal analyst in Dataquest's IT services group. "Budget constraints are forcing an average of 40% of respondents to rely on a best guess to determine potential risk rather than obtaining formal assessments, which would be too costly," he said. Still, 53% of the respondents have implemented crisis management plans, and another 30% that do not yet have plans are considering developing them, according to the Dataquest study. The remaining 17% said they aren't developing crisis management plans. http://www.idg.net/ic_1192210_9677_1-5046.html

BLOGGING GOES CORPORATE (EcommerceTimes, 12 March 2003) -- Weblogs, which enable multiple users to post text easily to a Web site, with the most recent post appearing on top, have been around for years but have gained rampant popularity only recently. This immense interest in Weblogs -- "blogs" for short -- now is carrying over to the corporate world. A few companies already are deploying blogs for internal and external communications. Though the trend has been tentative so far -- only a handful of companies are putting out public blogs authored by their employees -- it seems likely that the number of corporate blogs will skyrocket in the near future. Are enterprises ready for this new technology? One of the first companies to embrace blogging was Macromedia. Tom Hale, senior vice president of business strategy, said blogs are part of the company's overall enterprise plan. "Macromedia is very customer-focused, and we have our collective corporate 'ear to the ground' in many different ways," he told NewsFactor. "Blogs seem like another channel for what we already do and for what our customers already value about us." Technology research firm Gartner also has begun to dabble in Weblogs. French Caldwell, vice president and research director at the firm, said Gartner's "Emerging Storm" Weblog is "an experiment." However, he added, the company "sees a lot of future in blogs." In fact, Searls told NewsFactor that blogs might be a better way for companies to tell customers about their products. http://www.ecommercetimes.com/perl/story/20975.html

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, February 02, 2013

MIRLN --- 13 January – 2 February 2013 (v16.02)

MIRLN --- 13 January - 2 February 2013 (v16.02) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

NEWS | RESOURCES | LOOKING BACK | NOTES

The SEC Will Require Greater Disclosure Related to Data Security Risks and Breaches (Mintz Levin, 3 Jan 2013) - The amount of personal and confidential information maintained electronically by public companies increases every day. As a consequence of this increase, the likelihood that a given public company will suffer a data breach and that such breach will have a material adverse effect on the company's business also increases. In response to this ever-increasing risk, the Securities and Exchange Commission (the "SEC") is requiring greater disclosure related to data security and this trend will likely increase in 2013. The SEC issued guidance relating to public company disclosure of data security in the end of 2011. Soon after the SEC issued this guidance, Facebook, Inc. (NASDAQ: FB) filed its Form S-1 Registration Statement and became one of the pioneers in data security and privacy disclosure. Since then, public and soon-to-be public companies have followed suit and more companies are including disclosure related to data security risks and breaches. The disclosure does not only affect companies dependent on technology as a core part of its business. Two recent examples of this increased disclosure can be found in the risk factors of a prospectus filed by Michaels Stores, Inc. and that filed by . Specifically, Michaels Stores, Inc., a craft specialty retailer, included the following risk factor: "Failure to adequately maintain security and prevent unauthorized access to electronic and other confidential information and data breaches could materially adversely affect our financial condition and operating results." This type of risk factor is becoming more and more common among public company filings, both in registration statements and annual and quarterly filings. Interestingly, Michaels was the victim of a large-scale hack attack on its POS system in 2011 and given that, and the resulting class action suits, we might have expected to see expanded disclosure. 
SeaWorld, the owner/operator of SeaWorld, Busch Gardens, Sesame Place , and other theme parks, filed its registration statement just after Christmas and includes the following risk factor * * *

Cyber-Insurance: Not One-Size-Fits-All (InfoRisk, 10 Jan 2013) - Despite headline-grabbing data breaches that have proven costly to organizations in many sectors, the purchase of cyber-insurance to cover potential costs remains relatively rare. Cyber-insurance policies vary widely, but they often cover notification expenses, credit-monitoring services, and, in many cases, legal defense costs and even government penalties. "Cyber-insurance is viewed as much more of a discretionary purchase, and risk managers really have to be educated on the need to purchase the coverage and what the coverage actually provides," says David Bradford , who published a 2012 survey that addresses cyber-insurance for RIMS, the risk information management society (see Coming of Age of Cyber Insurance ). A 2012 survey of more than 100 global Forbes 2000 corporations by Carnegie Mellon CyLab shows that many board members and executives incorrectly believe that other types of corporate liability insurance cover losses due to data breaches, says lab official Jody Westby. "That's pretty stunning because most corporations, especially large global corporations, should understand that cyber-risks generally are not within property and general corporate liability policies," Westby says. Bradford estimates that 40 insurers offer cyberliability coverage. By comparison, about 5,000 companies provide property and casualty insurance in the United States. Because the cyber-insurance industry continues to mature, its offerings aren't as consistent from provider to provider as they are with other types of insurance. "There are so many material differences between the coverages available that there is no real one-size-fits-all approach," says Richard Bortnick, an attorney at the law firm Cozen O'Connor.


- and -

Concerns Over Cyber Risks Grow, Says Zurich (Insurance Age, 24 Jan 2013) - More than three in four (76%) organisations say they have become more concerned about information security and privacy over the past three years - but only 19% have purchased insurance designed to cover these exposures, according to new research commissioned by Zurich. The provider noted that only 16% of companies surveyed had designated a chief information security officer to oversee cyber risk and fewer than half (44%) had increased their budget to tackle the problem. The findings came in 'Meeting the Cyber Risk Challenge', a survey by Harvard Business Review Analytic Services of 152 respondents across Europe involved in risk management. [Polley: see also this WSJ posting - WSJ BLOG: Cybercrime Insurance Takes Off As Providers Target Smaller Businesses]


Spy Agency ASIO Wants Powers to Hack into Personal Computers (NewsAU, 13 Jan 2013) - The [Australian] Attorney-General's Department is pushing for new powers for the Australian Security Intelligence Organisation to hijack the computers of suspected terrorists. But privacy groups are attacking the "police state" plan as "extraordinarily broad and intrusive". A spokesman for the Attorney-General's Department said it was proposing that ASIO be authorised to "use a third party computer for the specific purpose of gaining access to a target computer". "The purpose of this power is to allow ASIO to access the computer of suspected terrorists and other security interests," he told News Limited.


- and -

Singapore Beefs Up Cybersecurity Law to Allow Preemptive Measures (ZDnet, 14 Jan 2013) - Singapore's Parliament has passed the amended Computer Misuse Act, which enables the government to thwart potential cyberattacks on critical infrastructure. According to a statement by The Ministry of Home Affairs (MHA) on Monday, the government organization is now allowed to order a person or organization to act against any cyberattack before it has begun. The law has also been renamed as the "Computer Misuse and Cybersecurity Act". However, due to the severity of the threat cyberattacks can pose to the country, non-compliance with this direction, or obstructing a person from complying with the Minister's directions to him, will be made an offense which may result in a jail term of up to 10 years and a fine of S$50,000 (US$40,753). "The proposed legislative amendments will provide the government with greater ability to work with our stakeholders to take timely actions against cyber threats to our critical information infrastructure (CII)," the statement read. It adds these enhanced powers come with important safeguards to ensure they are used in an effective and responsible manner to protect our national interests.


Chicago Mayor Appoints First Ever Diversity Tech Council (Gov't Technology, 16 Jan 2013) - To help integrate Chicago minorities into the city's technology economy, Mayor Rahm Emanuel has appointed Chicago's first-ever technology industry diversity council. The 12-member council will be responsible for helping to increase the percentage of minority employees for technology firms, increase the percentage of minority-owned and -operated technology firms, and helping find ways to transition students who attend Chicago public schools and city colleges into the technology economy, according to the mayor's office. Everyone on the council is a member of a minority group and has demonstrated leadership in promoting diversity in Chicago's technology community. The council has been given an initial four-month period to create recommendations, after which Emanuel will develop policies based on those recommendations. CTO John Tolva said the individuals on the council represent the African American and Latino communities, and some representatives are women, since women are often a minority in the technology industry, though their working in tech startups is becoming more common. Tolva also said one of the driving factors for emphasizing the importance of diversity in technology is that public schools and colleges are currently going through a transformation -- they're integrating more science, technology, engineering and math (STEM) fields into education to better prepare students for the modern workforce.


Measuring the Success of Online Education (NYT, 17 Jan 2013) - One of the dirty secrets about MOOCs - massive open online courses - is that they are not very effective, at least if you measure effectiveness in terms of completion rates. If as few as 20 percent of students finishing an online course is considered a wild success and 10 percent and lower is standard, then it would appear that MOOCs are still more of a hobby than a viable alternative to traditional classroom education. Backers reason that the law of large numbers argues in favor of the online courses that have rapidly come to be seen as the vehicle for the Internet's next big disruption - colleges. If 100,000 students take a free online course and only 5,000 complete it, that is still a significant number. Udacity, along with other MOOC designers, is moving rapidly away from the video lecture model of teaching toward an approach that is highly interactive and based on frequent quizzes and human "mentors" to provide active online support for students. Moreover, there are early indications that the high interactivity and personalized feedback of online education might ultimately offer a learning structure that can't be matched by the traditional classroom. Duolingo, a free Web-based language learning system that grew out of a Carnegie Mellon University research project, is not an example of a traditional MOOC. However, the system, which now teaches German, French, Portuguese, Italian, Spanish and English, has roughly one million users and about 100,000 people spend time on the site daily. The firm's business is based on the possibility of using students to translate documents in a crowd-sourced fashion. Seventy-five percent of the students are outside of the United States, and Carnegie Mellon computer scientist Luis von Ahn notes that the foreign students are significantly more motivated and have a higher completion rate than their American counterparts.


"Social Media and Trademarks" Presentation at AALS (Eric Goldman, 17 Jan 2013) - Earlier this month, I spoke at the AALS IP Section meeting in New Orleans on the topic of "trademarks and social media." My slides. Though I've written in this area (see, e.g., my Online Word of Mouth paper from 2007), I didn't have any new academic research to report. As a result, I decided to take an anthropological approach to the subject material by recounting some of the interesting things I see in social media from a trademark perspective:

  • Instabrands. Brands that, like the mayfly, are born, live and die within a matter of days. I gave the example of the @FiredBigBird Twitter account. Trademark law isn't well-equipped to deal with such evanescent brands.
  • Large-scale non-commercial activity. Trademark law tries to distingtuish [sic] between commercial and non-commercial activity (like many other areas of law), but it doesn't really contemplate that non-commercial defendants can be using third-party brands at a commercial scale. I gave the example of @BPGlobalPR Twitter account as an example of massive non-commercial activity where the investment and distribution costs are zero and the labor is provided on a purely voluntary basis--although this isn't an ideal example as the BPGlobalPR operators do sell T-shirts, and trademark law does know how to deal with that.
  • Brand Self-Sabotage. Brand managers are so used to having their conversation filtered through third party editors and gatekeepers that they can make embarrassing gaffes when they actually talk directly to their consumers. I gave the infamous Kenneth Cole/Arab Spring tweet as an example, but there are many in this genre.
  • Bashtags. Brands also aren't used to having their consumers able to talk to each other directly. Brands are even less prepared for the fact that they can't steer those conversations. Bashtags are an example, where malcontents and vandals can coopt a conversation between brands and their loyal customers. I gave the #McDStories hashtag as the example. * * *

Should a Judge Recuse Due to Facebook Friendship with Prosecutor? Florida Supremes Asked to Decide (ABA Journal, 17 Jan 2013) - A Florida appeals court wants guidance on an ethics issue: Should judges recuse from cases when they are Facebook friends with the prosecutor? The 4th District Court of Appeal said on Wednesday that the matter is of great importance, and the Florida Supreme Court should decide the issue, the Palm Beach Post reports. The appeals court removed Judge Andrew Siegel of Broward County from a case in September because he was Facebook friends with the prosecutor. Its decision (PDF) cited a judicial ethics opinion that judges should not friend lawyers who appear before them. According to the appeals court, the ethics opinion recognized that friending could undermine confidence in a judge's neutrality.


3rd Circuit: Covenant not to Sue is a License and therefore Not Dischargeable in Bankruptcy (Patently-O, 18 Jan 2013) - A recent Third Circuit decision focuses on the impact that a bankruptcy has on a patent license. In 2009, Spansion and Apple settled a patent dispute with Spansion agreeing to end its case at the ITC and to refrain from suing in district court. The agreement stated: "Provided that neither Spansion nor any successor in interest to any of the patents being asserted in the referenced ITC action do not bring an action of any nature asserting any such patent before any legal, judicial, arbitral, administrative, executive or other type of body or tribunal that has, or claims to have, authority to adjudicate such action in whole or in part against Apple or any Apple product, Apple agrees Spansion will not be disbarred as an Apple supplier as a result of the referenced ITC action." Later that year, Spansion filed for bankruptcy and the trustee moved to reject the settlement as an executory contract. The normal rule in bankruptcy (under 11 U.S.C. § 365(a)) is that the debtor (here Spansion) can unilaterally reject executory contracts if it so chooses. Any resulting contract damages will be unsecured debts that are unlikely to receive any payout. IP law has a special exception codified in 11 U.S.C. § 365(n). Under that rule, a licensee can elect to retain its license rights despite a debtor's rejection. On appeal, the question is whether the contract between Spansion and Apple is a license or instead merely a promise not to sue. The bankruptcy court initially held that Apple's § 365(n) election did not apply because the agreement was not a license. Reviewing that decision, the Delaware District Court found that the agreement was a license "because it was a promise not to sue." Now, the Third Circuit has affirmed the District Court with quotation from the Supreme Court's 1927 decision in De Forest Radio.


EFF Urges Court to Protect Transformative Uses and Permit News Search Engine (EFF, 18 Jan 2013) - The Electronic Frontier Foundation (EFF) urged a federal judge today to protect fair use of news coverage and reject the Associated Press' (AP's) dangerously narrow view of what is "transformative" in a copyright court battle over a news-tracking service. In Associated Press v. Meltwater, AP claims its copyrights are infringed when Meltwater, an electronic news clipping service, includes excerpts of AP stories in search results for its clients seeking reports of news coverage based on particular keywords. In its argument, AP asks the court to accept an extraordinarily narrow view of fair use - the doctrine that allows for the use of copyrighted material for purposes of commentary, criticism, or other transformative uses - by claiming that Meltwater's use of copyrighted excerpts cannot be "transformative" fair use unless they are also "expressive." In an amicus brief filed today, EFF argues that AP's theory would restrict the use and development of services that allow users to find, organize, and share public information. "There are lots of examples of important fair uses that wouldn't fit under AP's cramped definition of a 'transformative' use," said EFF Senior Staff Attorney Kurt Opsahl. "Time-shifting - like what you do when you record something on your DVR to watch later - isn't 'expressive,' but courts have found it a clear fair use. Because fair use plays such an essential role in facilitating online innovation and expression, we're asking the court to follow the law and reject this flawed theory from AP." For the full amicus brief:
 https://www.eff.org/document/amicus-brief-14


Red October Espionage Platform Unplugged Hours After Its Discovery (ArsTechnica, 18 Jan 2013) - Key parts of the infrastructure supporting an espionage campaign that targeted governments around the world reportedly have been shut down in the days since the five-year operation was exposed. The so-called Red October campaign came to light on Monday in a report from researchers from antivirus provider Kaspersky Lab. It reported that the then-ongoing operation was targeting embassies as well as governmental and scientific research organizations in a wide variety of countries. The research uncovered more than 60 Internet domain names used to run the sprawling command and control network that funneled malware and received stolen data to and from infected machines. In the hours following the report, many of those domains and servers began shutting down, according to an article posted Friday by Kaspersky news service Threatpost. "It's clear that the infrastructure is being shut down," Kaspersky Lab researcher Costin Raiu told the service. "Not only the registers killing the domains and the hosting providers killing the command-and-control servers but perhaps the attackers shutting down the whole operation." One of Red October's innovations is a command infrastructure that uses multiple layers of servers and domains that act as proxies to camouflage the core functions in the operation. Mashable reporter Lorenzo Franceschi-Bicchierai quoted Raiu as describing the design as an "onion with multiple skins" with a mothership at its center that collects all the stolen data. Raiu said most of the unplugged domains and disconnected servers seen so far represent first-level proxies. He speculated the operation may go dormant for a while and then come back using different servers or domains, or even different malware altogether. Raiu said the full extent of the infrastructure likely hasn't been uncovered yet. He estimated the campaign may use several dozen more servers. If correct, the total number would rival the command infrastructure used by Flame, the state-sponsored malware campaign that targeted sensitive networks in Iran.


Law of Armed Conflict Applied to Autonomous Weapon Systems (Lawfare, 19 Jan 2013) - The American Society of International Law has released a new "ASIL Insight" on law applicable to autonomous weapon systems. (ASIL Insights are short, descriptive pieces on topical issues meant as non-technical "backgrounders" for journalists, the general public, and anyone looking for a quick path into an international law topic; they represent solely the author's views, but are written to give an understanding of the background legal issues.) "The Law That Applies to Autonomous Weapon Systems" is written by Jeffrey S. Thurnher, a JAG officer on faculty at the Naval War College; it is short, crisp, and a useful guide to understanding the legal issues raised by the possibility of increasingly automated weapon systems that might one day be fully autonomous. (Also recommended is Major Thurnher's more detailed October 2012 article in Joint Force Quarterly (National Defense University, Washington DC, Vol. 67, No. 4, Oct. 2012), "No One at the Controls: Legal Implications of Fully Autonomous Targeting.")


Even if It Enrages Your Boss, Social Net Speech Is Protected (NYT, 21 Jan 2013) - As Facebook and Twitter become as central to workplace conversation as the company cafeteria, federal regulators are ordering employers to scale back policies that limit what workers can say online. Employers often seek to discourage comments that paint them in a negative light. Don't discuss company matters publicly, a typical social media policy will say, and don't disparage managers, co-workers or the company itself. Violations can be a firing offense. But in a series of recent rulings and advisories, labor regulators have declared many such blanket restrictions illegal. The National Labor Relations Board says workers have a right to discuss work conditions freely and without fear of retribution, whether the discussion takes place at the office or on Facebook. In addition to ordering the reinstatement of various workers fired for their posts on social networks, the agency has pushed companies nationwide, including giants like General Motors, Target and Costco, to rewrite their social media rules. "Many view social media as the new water cooler," said Mark G. Pearce, the board's chairman, noting that federal law has long protected the right of employees to discuss work-related matters. "All we're doing is applying traditional rules to a new technology." The decisions come amid a broader debate over what constitutes appropriate discussion on Facebook and other social networks. Schools and universities are wrestling with online bullying and student disclosures about drug use. Governments worry about what police officers and teachers say and do online on their own time. Even corporate chieftains are finding that their online comments can run afoul of securities regulators. 
The labor board's rulings, which apply to virtually all private sector employers, generally tell companies that it is illegal to adopt broad social media policies - like bans on "disrespectful" comments or posts that criticize the employer - if those policies discourage workers from exercising their right to communicate with one another with the aim of improving wages, benefits or working conditions. But the agency has also found that it is permissible for employers to act against a lone worker ranting on the Internet. Several cases illustrate the differing standards. * * * As part of the labor board's stepped-up role, its general counsel has issued three reports concluding that many companies' social media policies illegally hinder workers' exercise of their rights. The general counsel's office gave high marks to Wal-Mart's social policy, which had been revised after consultations with the agency. It approved Wal-Mart's prohibition of "inappropriate postings that may include discriminatory remarks, harassment and threats of violence or similar inappropriate or unlawful conduct." But in assessing General Motors's policy, the office wrote, "We found unlawful the instruction that 'offensive, demeaning, abusive or inappropriate remarks are as out of place online as they are offline.' " It added, "This provision proscribes a broad spectrum of communications that would include protected criticisms of the employer's labor policies or treatment of employees." A G.M. official said the company has asked the board to reconsider. In a ruling last September, the board also rejected as overly broad Costco's blanket prohibition against employees' posting things that "damage the company" or "any person's reputation." Costco declined to comment.


Social Media Coverage of Conferences a Windfall for Legal Associations (Kevin O'Keefe, 22 Jan 2013) - Defense lawyers used to kid me that I would go to my state trial lawyer's association and the American Association of Trial Lawyers conferences to get religion. Their point being that I learned new ideas, networked with other plaintiff's trial lawyers and came back all enthused. I didn't disagree. Those conferences, and what I gained by attending them, were the single biggest reason I joined the associations and continued to pay the substantial dues and conference fees. I came back telling other lawyers about the conferences and what they could gain by becoming a member. Associations no longer have to rely on members like me spreading the word about their conferences and the benefits of membership. Social media has become a powerful medium to not only make conferences more meaningful to attendees, but to also broaden a conference's reach beyond the conference walls. Social media such as video, audio (soundcloud), blogging, Twitter, and Facebook engage an association's target audience in real time and in a very cost effective fashion. The outcome: membership retention; more attendees at upcoming conferences; and happy exhibitors and sponsors.


The HIPAA-HITECH Regulation, the Cloud, and Beyond (Daniel Solove, 23 Jan 2013) - The new HIPAA-HITECH regulation is here. Officially titled "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules," this new regulation modifies HIPAA in accordance with the changes mandated by the HITECH Act of 2009. After years of waiting and many false alarms that the regulation was going to be released imminently, prompting joking references to Samuel Beckett's play Waiting for Godot, HHS unleashed 563 pages upon the world. According to Office for Civil Rights (OCR) director Leon Rodriguez, the rule "marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented." I agree with his dramatic characterization of the regulation, for it makes some very big changes and very important ones too. The most important changes involve expanding HIPAA's scope of coverage, to regulate business associates (BAs) and subcontractors of BAs. The regulation applies the HIPAA Security Rule and parts of the Privacy Rule to BAs, which are now directly subject to HIPAA enforcement. Subcontractors of BAs are also deemed to be BAs, and there must be a business associate agreement (BAA) between a BA and a subcontractor. In this post, I will discuss these particular changes and their implications for a wide array of businesses and cloud computing in healthcare. Before I focus on the issue of scope, I want to point out some other key changes that the regulation makes. The regulation strengthens people's rights to receive electronic copies of their protected health information (PHI). The Breach Notification Rule is changed to presume that any impermissible access, use, or disclosure of PHI is a breach unless a covered entity or business associate can demonstrate a low probability PHI has been compromised. Instead of focusing on harm to the individual, the focus is on the likelihood PHI has been improperly accessed or exposed. Decedent PHI is protected for 50 years after death. Previously, HIPAA protected PHI after death without any time limitation. For patients who pay for treatment out-of-pocket, patients have a right to restrict insurance companies from accessing the PHI. And as directed by the HITECH Act, the regulations provide for much stronger penalties for violations. There are many other changes too - I'm only hitting a few highlights. [Polley: Hogan Lovells also has a good analysis here.]


Lawyer Advertising and Marketing Ethics Today (Attorney At Work, 23 Jan 2013) - At the start of the new year, we asked Will Hornsby, Staff Counsel at the American Bar Association, what lawyers need to know about changes made in ethics rules regarding marketing in 2012 - and what to expect in 2013. The following feature article is excerpted from Attorney at Work's new e-guide, Really Good Marketing Ideas: How to (Really) Get More Clients This Year. The legal profession constantly struggles to set advertising policies that strike the balance between consumer protection and access to justice. What are the boundaries we impose on ourselves to make certain that people are not subject to over-reaching when lawyers are seeking clients, yet still enable people to get the information needed to make decisions about representation? We all agree on the objective, but we don't often agree on the means to get there. In the past year, rule-makers, committees drafting ethics opinions and disciplinary agencies have all weighed in, but frequently not with the same results. Here's an overview.


FFIEC Proposes Social Media Guidance (BankInfoSecurity, 24 Jan 2013) - The Federal Financial Institutions Examination Council has issued proposed risk management guidance for the use of social media. "Social Media: Consumer Compliance Risk Management Guidance," was posted on the Federal Register Jan. 23. It provides an overview of the impact social media sites have on compliance with consumer protection and other applicable laws, especially when interactions between institutions and consumers take place on social media sites such as Facebook and Twitter. George Tubin, a financial fraud and security expert at anti-malware vendor Trusteer, says the guidance will likely be welcomed by security and privacy officers, who have struggled to keep social media risks in check. "Employees could be using social media from different devices or from home at night," Tubin says. "If their accounts are taken over, then a criminal could be posting on that site, giving advice to steer customers to do something they shouldn't, or posting a link that leads them to a malicious site. There certainly are a lot of risks banks need to think about when they start to use social media." The FFIEC will accept comments on the proposed guidance through March 25. It will publish a final version once it reviews comments received.


Yahoo, Like Google, Demands Warrants for User E-Mail (Wired, 25 Jan 2013) - Yahoo demands probable-cause, court-issued warrants to divulge the content of messages inside its popular consumer e-mail brands - Yahoo and Ymail, the web giant said Friday. The Sunnyvale, California-based internet concern's exclusive comments came two days after Google revealed to Wired that it demands probable-cause warrants to turn over consumer content stored in its popular Gmail and cloud-storage Google Drive services - despite the Electronic Communications Privacy Act not always requiring warrants. "Yes, we require a probable cause warrant for e-mail content," said Yahoo spokeswoman Lauren Armstrong, in an e-mail interview. "That is more than ECPA requires." The nation's other major consumer-facing e-mail provider - Microsoft - which markets the Hotmail and Outlook brands, declined comment for this story. In short, Yahoo and Google are granting their customers more privacy than the four corners of the ECPA. There's been a string of conflicting court opinions on whether warrants are required for data stored on third-party servers longer than 180 days. The Supreme Court has never ruled on the issue. Federal and state law enforcement officials are seemingly abiding by Yahoo's and Google's own rules to avoid a showdown before the Supreme Court. "No, we don't get any pushback from authorities," Armstrong said, adding that Yahoo began the practice in "early 2011." [Polley: Twitter also requires probable-cause warrants.]


Will Virginia Law Blogger's Challenge to Discipline Deprive Other Blogs of First Amendment Protection? (MyShingle.com, 28 Jan 2013) - In October 2011, I blogged about Virginia lawyer Horace Hunter's challenge to a disciplinary charge for failing to include a disclaimer on his blog stating that results in past cases handled by the firm (and reported on the blog) are unique to the facts and do not guarantee a similar outcome in other cases. Hunter refused, arguing that his blog constituted First Amendment protected speech and therefore, a disclaimer limiting his speech rights was unconstitutional. I felt compelled to support Hunter's fight, though I was skeptical: to me, his blog, which was nothing more than a cherry-picked newsfeed of his firm's highlights, seemed much more like advertising than protected speech. But I feared that if Hunter's blog was classified as advertising, the door would open to increased regulation even for legitimate, information-rich or opinion-based law blogs. Hunter won his case before a three-judge panel which overturned the Virginia disciplinary committee's ruling. Now, via Ben Glass and John Cord, I've learned that the case has made its way up to the Virginia Supreme Court. Hunter's failure to include the disclaimer is still at issue, but as Ben Glass notes in his summary, the Virginia regulators also seek sanction because Hunter's publication of case summaries revealed information embarrassing to his clients, without their consent. Hunter's brief argues that his blog was First Amendment protected speech. Trouble is, there's little that Hunter's lawyer could do to back up that claim. Hunter's so-called blog was basically a newsfeed (later supplemented with a few opinion pieces when the regulators came calling) of his victories; there's no opinion or in depth analysis on the order of these criminal defense bloggers or even basic information or FAQs or how-tos to educate readers about their rights. I fear that based on the record in the case, the Virginia Supreme Court will find, as a matter of law, that blogs are commercial speech (read advertising) or at best, a hybrid of protected and commercial speech, instead of being pure First Amendment content. I'm also fully not comfortable with lawyers posting about any matters - even those of public record - without client consent. I don't think that Hunter ought to be sanctioned (particularly when the prohibition is far from clear) or that writing about matters of public record ought to be a disciplinary offense. Rather, this is one of those types of matters where lawyers need to exert some self-control and keep in mind their obligation to protect client privacy.


Who Owns, Controls Social Media Activity? (TVNewsCheck, 29 Jan 2013) - Now that the use of social media is part of the TV newsroom norm, the industry is wrestling with the next wave of issues associated with the medium - hashing out matters ranging from who owns on-air personalities' Facebook accounts to delineating between professional and personal tweets. Individuals on all sides of the equation, from station group owners to newsroom staffers, are pushing to add more structure to the use of social media both on and off the job, primarily so the practice doesn't come back to bite them, industry watchers say. The lack of industrywide standards regulating social media practices also is starting to create unexpected problems, particularly for anchors and reporters who, to some degree, are winging it. Just last week, for example, Rachel Barnhart, a reporter at WHAM Rochester, N.Y. (DMA 79) who spent years building a robust Facebook following on a personally created page, publicly raised one such issue when she told fans that she would start using new social media accounts during work hours in keeping with new station owner Sinclair Broadcasting's policy of "owning" such accounts of its on-air personalities. "This raises a lot of questions for journalists about who owns your online presence and identity," Barnhart says. Barnhart says she understands Sinclair's rationale for requiring talent to have station-related social media accounts, as well as owning the content that's on them. (Sinclair's attorney was not available to discuss the matter.) But having invested countless hours in personal Facebook and Twitter accounts, which together have about 20,000 followers, Barnhart says she is concerned that stations will ultimately be able to "own" their talents' followers as well, much like a company owns a salesperson's rolodex. Barnhart says she could see the day when those sorts of questions will be hammered out in contract talks.

Audit Concerns Over Cybersecurity Threats (FT, 29 Jan 2013) - Company audit committee members are concerned about the quality of information that they receive on cybersecurity and believe risk management programmes need to become more "dynamic", according to a KPMG survey. The survey, based on the results of a survey of some 1,800 audit committee members in 21 countries undertaken by KPMG's Audit Committee Institute, asked whether they were satisfied with the quality of information they receive from their company on a range of issues. Only 26 per cent of respondents said they were fully satisfied with information on cybersecurity. In the UK, just one in five respondents said they were satisfied, compared to satisfaction levels of more than 70 per cent on legal and regulatory compliance issues. The results echo those of other studies that have suggested many companies and their boards remain complacent about cybersecurity or lack detailed understanding of the threats they face. It could also help fuel demands that cybersecurity risk assessment should be part of the formal audit procedure or addressed specifically in company annual reports. Nearly half of survey respondents said their company's risk management programme requires "substantial work", and only a third of UK-based audit committee members said they are fully satisfied that their company's risk management process is dynamic enough to cope with a rapidly changing environment including new technology and social media risks.

So, What is the Deal with Copyright and 3D Printing? (Public Knowledge, 30 Jan 2013) - Today Public Knowledge is happy to announce a new whitepaper: What's the Deal with Copyright and 3D Printing? This paper is something of a follow up to our previous 3D printing whitepaper It Will Be Awesome if They Don't Screw It Up: 3D Printing, Intellectual Property, and the Fight Over the Next Great Disruptive Technology. Unlike It Will Be Awesome, which focused on the broad connection between intellectual property law and 3D printing, What's the Deal? takes a deeper dive into the relationship between copyright and 3D printing. A lot has changed since we released It Will Be Awesome. News outlets have discovered 3D printing. Rightsholders are issuing takedown notices. And Congress has started to take a look. At the same time, a lot has stayed the same. People are continuing to innovate to make home 3D printers better. Creators are pushing the limits as they design even more intricate 3D printed objects. And we are beginning to see the beginnings of physical remix artists. But throughout this, people seem to keep coming back to copyright. As we note in the paper, part of this is a result of years of conditioning. Years of creating music, movies, and articles on computers have trained us all to automatically associate "digital" with "copyright," and "disruptive digital" with "potential copyright problem." But one of the gifts of 3D printing is that it brings digital into the physical world, where its connection to copyright is weaker. While this fraying may very well lead us to a new age of innovation, first we will need to retrain ourselves to stop assuming that everything is protected by copyright. Of course, the first step in understanding what is not protected by copyright is recognizing what is protected by copyright. What's the Deal? is designed to help mark those boundaries and draw focus to the hard - and easy - questions that the boundaries raise.
Like It Will Be Awesome, What's the Deal? is intended more as a conversation starter than a final word. Hopefully it will be a useful resource to the rapidly growing 3D printing community.

Publication Agreements (MLPB, 30 Jan 2013) - Harold Anthony Lloyd, Wake Forest University School of Law, has published Publish and Perish? Handling the Unreasonable Publication Agreement. Here is the abstract: "Using hypothetical publication agreement drafts, this article explores copyright, warranty, representation, indemnity and other traps awaiting unwary authors. Exploring legitimate concerns of both authors and publishers, this article outlines parameters of reasonable agreements." Article here.

How Secure Are Your Skype Calls? (RideTheLightning, 30 Jan 2013) - Lawyers, especially solo and small firm lawyers, have flocked to Skype as a great way to save money. But how secure are your Skype calls? The BBC recently reported that Reporters Without Borders, the Electronic Frontier Foundation and 43 other groups have signed a letter asking Microsoft (which owns Skype) to reveal details about what information is stored and government efforts to access it. Google and Twitter have been fairly transparent on this subject, but not Microsoft - which is considering the request. Skype last referenced privacy issues last July saying that calls between two parties did not flow through its datacenters meaning it would not have access to the video or audio. Those calls are also encrypted which would make it hard for anyone listening to make sense of the data. But Microsoft did say that group calls using more than two computers do pass through its servers (to aggregate the media streams) and that text-based messages were also stored on its computers for up to 30 days in order to make sure they were synchronized across users' devices. Based on what we KNOW today, most experts have signed off on one-to-one calls via Skype. But I would be wary of group calls - once data is stored on a company's servers, I am leery of statements about when it is removed (and whether it might be shared at the legal request of a government). Lawyers in particular should avoid group calls involving client information.

Standards for Technology-Enabled Learning (ITU, 30 Jan 2013) - Education is a prerequisite to using information and communication technologies (ICT) - and in return, these same technologies can facilitate learning processes, taking education beyond classrooms as we know them. A Technology Watch report "Standards for technology-enabled learning," published by ITU in September 2012, surveys emerging technologies, which, if applied in an educational context, will contribute to more efficient and more affordable education and training for all. For a number of years now, standardization bodies have been defining standards and guidelines for ICT-enhanced distance-learning. Their output is taken up in this report with a view to exploring and identifying new applications and directions for this work.

Whose Law Governs Communication Intercepts? (Steptoe, 31 Jan 2013) - The law governing the interception of customer or employee communications is only getting more muddled. Not only do different states have different laws, but courts are applying different tests to decide which state's law should apply when there's a conflict. A federal court in Arizona has ruled, in Xcentric Ventures, LLC v. Borodkin, that Arizona's wiretap law, not California's, governs a lawsuit brought by a California resident against an Arizona corporation that recorded his phone call without his consent. While California law prohibits such recordings unless all parties to the communication consent, Arizona courts have allowed interceptions where only one party consents. The ruling conflicts with an earlier decision by the California Supreme Court under similar facts, further clouding the legal picture for communications companies, websites, and employers that monitor consumer or employee communications or Internet activity.

CRS Report on Domestic Drones (Lawfare, 1 Feb 2013) - Over at Secrecy News, Steve Aftergood has posted a new Congressional Research Service report entitled, "Integration of Drones into Domestic Airspace: Selected Legal Issues." The summary of the report, by Alissa M. Dolan and Richard M. Thompson II, reads: "Under the FAA Modernization and Reform Act of 2012, P.L. 112-95, Congress has tasked the Federal Aviation Administration (FAA) with integrating unmanned aircraft systems (UASs), sometimes referred to as unmanned aerial vehicles (UAVs) or drones, into the national airspace system by September 2015. Although the text of this act places safety as a predominant concern, it fails to establish how the FAA should resolve significant, and up to this point, largely unanswered legal questions. For instance, several legal interests are implicated by drone flight over or near private property. Might such a flight constitute a trespass? A nuisance? If conducted by the government, a constitutional taking? In the past, the Latin maxim cujus est solum ejus est usque ad coelum (for whoever owns the soil owns to the heavens) was sufficient to resolve many of these types of questions, but the proliferation of air flight in the 20th century has made this proposition untenable. Instead, modern jurisprudence concerning air travel is significantly more nuanced, and often more confusing. Some courts have relied on the federal definition of "navigable airspace" to determine which flights could constitute a trespass. Others employ a nuisance theory to ask whether an overhead flight causes a substantial impairment of the use and enjoyment of one's property. Additionally, courts have struggled to determine when an overhead flight constitutes a government taking under the Fifth and Fourteenth Amendments."

It's Google, But is it Art? Museums Wonder Whether they Should Open their Galleries to Digitizing (ABA Journal, 1 Feb 2013) - Google's mission to digitize artwork from around the world is testing the bounds of copyright protection and the fairness of licensing contracts. Launched in February 2011, the Google Art Project provides access to more than 30,000 high-resolution images of paintings, sculptures and photographs from more than 180 museums and institutions in 40 countries, including the Metropolitan Museum of Art in New York City, the Uffizi Gallery in Florence, the de Young Museum in San Francisco and the Van Gogh Museum in Amsterdam. With the ability to zoom in to see precision details up close, the Google Art Project was designed to make artwork more widely available and to promote popular interest. But museums, while appreciating the attention, are wary about which art they share. And their lawyers are treading carefully. Troy Klyber, intellectual property manager at the Art Institute of Chicago, saw participating in the Google Art Project as a way to fulfill the museum's mission, which is to share its works with the public. But because ownership of an art object doesn't necessarily include ownership of the object's copyright, the Art Institute could only include works for which it had been assigned the copyright through gift or contract, or works by artists dead for more than 70 years. As a result, the Google Art Project features fewer examples of modern and contemporary art. Protecting the Art Institute's nonpermissioned works was labor-intensive, particularly when it came to the project's "museum view," in which cameras panned full galleries. In those cases, nonpermissioned artworks had to be blurred. "It was someone's job to go through and blur the other works from every angle. In all, we had more than 6,000 blurs," Klyber says. 
According to Adrienne Fields, associate counsel of the Artists Rights Society - which represents the IP rights of more than 50,000 artists and artists' estates, including those of Picasso, Matisse and Rothko - Google has also been unwilling to enter into a working agreement with the ARS on behalf of its members. Instead, Google has placed the administrative and financial burdens on individual museums, requiring them to obtain rights from the ARS.

RESOURCES

Copyright for Librarians - the Essential Handbook (Berkman, 11 Jan 2013) - "Copyright for Librarians" (CFL) is an online open curriculum on copyright law that was developed jointly with Harvard's Berkman Center for Internet and Society. Re-designed as a brand new textbook, "Copyright for Librarians: the essential handbook" can be used as a stand-alone resource or as a companion to the online version which contains additional links and references for students who wish to pursue any topic in greater depth. Delve into copyright theory, understand the public domain or explore enforcement. With a new index and a handy Glossary, the Handbook is concise reading for librarians who want to hone their skills in 2013, and for anyone learning about or teaching copyright law in the information field. Free download here.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Court Rejects FCC Cable Ruling (CNET, 6 Oct 2003) -- A federal appeals court has rejected the Federal Communications Commission's opinion that cable broadband services should not be regulated like phone companies, according to a court filing released Monday. The 9th U.S. Circuit Court of Appeals said the FCC incorrectly ruled in March 2002 that cable broadband networks are an "information service" rather than a "telecommunications service." This is an important distinction because telecommunications services can be forced by governments to open their broadband lines to third parties. Information services, however, are not subject to regulations that force them to resell their lines to outsiders. In a statement released late Monday, FCC Chairman Michael Powell said he plans to appeal the ruling, adding that he was "disappointed" that the court stuck to its original opinion. He then tried to turn the court's ruling on its head. "Unfortunately, as noted by (9th Circuit) Judge O'Scannlain, the ruling 'effectively stops a vitally important policy debate in its tracks,' producing 'a strange result' which will throw a monkey wrench into the FCC's efforts to develop a vitally important national broadband policy," Powell said in his statement. It is unclear whether the court's ruling would add judicial pressure for cable companies to open their lines to third parties. Cable companies such as Comcast and Time Warner Cable currently run broadband services without needing to offer part of their network to third-party services. Decision at http://caselaw.findlaw.com/data2/circs/9th/0270518P.pdf

NSA Proposes Backdoor Detection Center (SecurityFocus, 8 August 2003) -- Declaring hidden malware to be "a growing threat," the National Security Agency's cybersecurity chief is calling on Congress to fund a new National Software Assurance Center dedicated to developing advanced techniques for detecting backdoors and logic bombs in large software applications. In prepared testimony before the House Select Committee on Homeland Security's cybersecurity subcommittee last month, NSA information assurance director Daniel Wolf bemoaned an absence of tools capable of scouring program source code and executables for evidence of tampering. "Beyond the matter of simply eliminating coding errors, this capability must find malicious software routines that are designed to morph and burrow into critical applications in an attempt to hide," said Wolf. The proposed solution: a federally funded think-tank that would include representatives from academia, industry, government, national laboratories and "the national security community," said Wolf, "all working together and sharing techniques." While accidental security holes dominate the work-a-day security world, government spooks periodically fret over more exotic danger of corrupt software engineers, saboteurs and spies slipping malicious code into commercial software applications used in critical infrastructures and sensitive governmental functions. In 1999, then-FBI cybercop Michael Vatis warned that cyberterrorists posing as law-abiding programmers could be planting logic bombs in U.S. software while performing Y2K remediation -- a theory that never panned out. More recently, U.S. programmers have raised similar security concerns over American companies outsourcing programming work to India, China and other countries. Cybersecurity thinkers express reserved support for Wolf's proposed national center. "It's not a bad idea," says John Pescatore, research director for Internet security at Gartner. 
"It would not take a lot of funding to do. I think the more complicated issue is what do they do with the information. Are they just providing it to the vendors of that software, do they make it public?"

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.