MIRLN --- 3-23 February 2013 (v16.03) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)
ANNOUNCEMENT | NEWS | RESOURCES | LOOKING BACK | FUN | NOTES
- International eDiscovery: The IT/Legal Disconnect
- Your Employer May Share Your Salary, and Equifax Might Sell that Data
- Big Firms and Contingency Fee Struggles: Parallel Networks v. Jenner & Block
- FBI Again Warns Law Firms About the Threat From Hackers
- Law Firms, "the Soft Underbelly of American Cyber Security"
- Florida Bar Issues Ethics Opinion On Cloud Computing
- Why Google's Settlement with French Publishers is Bad for the Web
- Menu of [fedRAMP] Safety-Approved Cloud Products Grows to Three
- E-Discovery: 10 Strategic Steps for Defensible Search
- "Privacy Policies in the United States" Presentation Slides
- Yelp Defeats Legal Challenge to Its User Review Filter
- Privatized Lawmaking
- Coursera Classes for College Credit? Five Online Courses Approved for Credit Equivalency
- Docracy Tracks Changes In Terms of Service and Privacy Policies So You Don't Have To
- We're Getting There!
- It Will Be Hard To Stop The Rise Of Revenge Porn
- Demise of the Trial by Jury - Is Social Media to Blame?
- Feds Update Cybersecurity Compliance Handbook
- DHS Watchdog OKs 'Suspicionless' Seizure of Electronic Devices Along Border
- Speak Out and Get Sued
- Addressing The Problem: Keep Your Email Address Up To Date
- They Really Don't Know Clouds At All
- National Security Experts Discuss Options for 'Active' Cyber Defense
- Survey of GCs Sees Cybersecurity Risk, Anxiety
- Serious Data Breaches Take Months to Spot, Analysis Finds
- Live Stream of Special Event for Terry Fisher's Copyright Course: IP Protection for Fashion
- Is a Twitter Handle a 'Must-Have' for Today's Lawyer? Not Yet
- Miami Herald Ends Anonymous Comments
- With Its Australian Court Victory, Google Moves Closer to Legitimizing Keyword Advertising Globally
- Europe Issues Its Own Cybersecurity Plan
- What (Legally) Happens to Our Social Media Accounts When We Die?
- More US Lawyers Move into the Boardroom
ANNOUNCEMENT
ABA Cybersecurity Legal Task Force . ABA President Laurel Bellows launched this task force last August, and it's beginning to bear fruit. Three teams are addressing: (1) lawyers'/lawfirms' cybersecurity vulnerabilities and best-practices; (2) Critical Infrastructure legal issues; and (3) International law vis a vis cyberagression. With Jill Rhodes , I'm co-chairing the team looking at lawyers/lawfirms - we have twenty-one other ABA leaders helping build a guidebook on: (a) cyber basics; (b) the impact on attorneys and lawfirms (small firms, medium sized firms, large lawfirms, in-house environments, government attorneys, and public-interest entities); (c) the client impact (e.g., ethical obligations, disclosure of breach, etc.); and (d) incident response and insurance issues. The guidebook will be published in August; look for collateral materials also to emerge (e.g., CLE programming). See related MIRLN story below here .
NEWS
International eDiscovery: The IT/Legal Disconnect (IDG Connect, 31 Jan 2013) - Multinational corporations and cloud storage across the globe mean that eDiscovery (or eDisclosure depending on your jurisdiction) is a problem that is not going anywhere anytime soon. Governance and eDiscovery experts will be needed to help corporations deal with ever-increasing data volumes that are moving rapidly throughout global networks in the perfect storm of a compliance or eDiscovery nightmare. Of course, while we know there is a problem generally speaking, the larger challenge is to deconstruct the problem into a few discreet pieces. The following is in no way exhaustive of the challenges, but are a few of the ones I see as being the biggest culprits. In my mind, the greatest challenge associated with international eDiscovery and data governance issues stems from a very basic push-pull between globalization and balkanization when it comes to data. Globalization is a factor from the standpoint that data is moving around the world, quite rapidly I would add, in furtherance of global commerce and information exchanges. Truly the world has never been smaller at any point in human history. But at the same time, there is virtually no consensus internationally when it comes to data privacy issues, regulations regarding retention and destruction of data, and the like. Further complicating matters is the lack of any real international standards of conduct for retrieval of data in one country for use in legal proceedings in another country. Although there is something approaching consensus for EU member nations, the rules are still far from standardized. The most obvious implication for corporations is the tremendous financial pressures this creates when the issue becomes the focus of a legal investigation or request. Companies can quite literally find themselves between a rock and a hard place when a request for production in the United States can force them to have to process data that resides in another country. When this happens, the obligations to comply with discovery requests can be in direct conflict with the other country's rules concerning privacy. Of course, the issue is compounded because of the rapid proliferation of cloud storage. We can store data anywhere in the world for easy on demand access; however, with that convenience there is the appurtenant tradeoff that different countries, with different legal and regulatory regimes will require compliance with multiple obligations. That is a challenge that is fraught with peril. Of course, these are precisely some of the issues the Working Group 6 of the Sedona Conference tried to address in the International Principles Discovery, Disclosure & Data Protection (December 2011). Although it is focused "principally on the relationship between U.S. preservation and discovery obligations and the EU Data Protection Directive . . . [the principles are] intended to apply broadly wherever Data Protection Laws, regardless of national origin, conflict with U.S. preservation and discovery obligations." This is a vital primer for any company or law firm that deals with such issues. * * * [Polley: Spotted by MIRLN reader Claude Baudoin of Cebe/IT & Knowledge Management .]
Your Employer May Share Your Salary, and Equifax Might Sell that Data (NBC, 1 Feb 2013) - The Equifax credit reporting agency, with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans' personal information ever created, containing 190 million employment and salary records covering more than one-third of U.S. adults. Some of the information in the little-known database, created through an Equifax-owned company called The Work Number, is sold to debt collectors, financial service companies and other entities. "It's the biggest privacy breach in our time, and it's legal and no one knows it's going on," said Robert Mather, who runs a small employment background company named Pre-Employ.com. "It's like a secret CIA." Despite all the information Americans now share on social media and websites, and all the data we know companies collect on us, one piece of information is still sacred to most people: their salaries. After all, who would post their salary as a status update on Facebook or in a tweet? But salary information is also for sale by Equifax through The Work Number. Its database is so detailed that it contains week-by-week paystub information dating back years for many individuals, as well as other kinds of human resources-related information, such as health care provider, whether someone has dental insurance and if they've ever filed an unemployment claim. In 2009, Equifax said the data covered 30 percent of the U.S. working population, and it now says The Work Number is adding 12 million records annually.
Big Firms and Contingency Fee Struggles: Parallel Networks v. Jenner & Block (Patently-O, 4 Feb 2013) - Joff Wild at IAM has posted some interesting reading in the ongoing dispute between the patent assertion entity, Parallel Networks and its former litigation counsel at Jenner & Block . According to the pleadings filed by Parallel Networks in Texas state court[link below], Jenner withdrew from its contingency-fee representation of Parallel Networks against Oracle after losing on summary judgment and determining that it was unlikely to win a large award. Parallel Networks then found new counsel and eventually settled the case for about $20 million. Once that case ended, Jenner returned asking for more than $10 million in attorney fees based upon its hourly rates through summary judgment. Under the representation agreement, both parties had agreed to arbitrate any dispute over fees and an arbitrator awarded Jenner with a $3 million fee. Parallel Networks has now asked the court to set aside the arbitration award - arguing that under Texas law, a contingent fee attorney cannot drop its client simply for economic reasons and then expect to receive any further compensation. The suit also alleges a host of other problems with Jenner & Block representation in both the Oracle litigation and the parallel case against QuinStreet. The bulk of those allegation stem from various internal communications at Jenner involving the risk and potential of the cases that were never communicated to Parallel Networks. The lawsuit will be interesting to follow because it offers a rare public glimpse inside big-firm contingency fee structures and the associated political struggle raised by many risk-averse firm leaders. Here, that attempted risk aversion may well cost the firm several million dollars in fees. I should note that Professor David Hricik testified on behalf of Parallel Networks in the Arbitration. Hricik is on leave from his Patently-O writing as he clerks at the Federal Circuit. I have not spoken with him about this case.
FBI Again Warns Law Firms About the Threat From Hackers (Ride The Lightning, 4 Feb 2013) - The FBI began warning law firms that they were being targeted by hackers back in 2009. That warning was repeated at LegalTech last week by the FBI's Mary Galligan, the special agent in charge of cyber and special operations for the FBI's New York Office. As Law Technology News reported , Galligan was blunt, saying, "We have hundreds of law firms that we see increasingly being targeted by hackers." The word "hundreds" should give law firms pause. Too many seem complacent even when faced with the unpleasant truth that their information security is sorely short of the mark. It might allay the fears of law firms to learn that the FBI does not tell people they've come to your firm and they don't come in raid jackets. There's no SWAT team and they don't unplug your servers. As Galligan noted, "You need to run your business."
- and -
Law Firms, "the Soft Underbelly of American Cyber Security" (Lawyerist.com, 6 Feb 2013) - At Above the Law, Joe Patrice calls law firms "the soft underbelly of American cyber security." And he is right. If you consider the sensitive nature of the information on most lawyers' computers, plus the proud Luddites making technology decisions at most law firms, this should come as no surprise. I know plenty of lawyers who can barely set up their email, much less encrypt their hard drives . More than a few law firms continue to fall for lame 419 scams . I wouldn't be surprised to find a few partners using their CD tray for a cup holder. Compromising the systems of lawyers like this is child's play for hackers who can remotely. compromise a mobile phone with a single misplaced click. Lawyers need to get their acts together, and soon. Think of the information you have about your clients, stored on your computers. For starters, you almost certainly have everything necessary to steal all your clients' identities and empty their financial accounts. If you represent businesses, you may have trade secrets. You definitely have volumes of confidential information that would make excellent extortion ammunition.
Florida Bar Issues Ethics Opinion On Cloud Computing (Future Lawyer, 4 Feb 2013) - Florida Bar Ethics Opinion 12-3 The Florida Bar has released a proposed Advisory Opinion on cloud computing. In summary, the opinion says that Florida lawyers may use cloud computing if they take "reasonable" precautions to ensure that confidentiality of client information is maintained. The lawyer should research the service provider to be used should ensure that the service provider maintains adequate security, should ensure that the lawyer has adequate access to the information stored remotely, and should consider backing up the data elsewhere as a precaution. The reasonableness standard is pretty vague, and it almost sounds like the lawyer is a guarantor of the security of the data. Whether lawyers will be comfortable enough with the language of the opinion to use cloud services for confidential data remains to be seen.
Why Google's Settlement with French Publishers is Bad for the Web (GigaOM, 4 Feb 2013) - After much diplomatic maneuvering and a series of face-saving gestures on both sides, Google finally signed an agreement with French newspaper publishers late Friday that puts to rest a long-standing legal battle over Google's behavior in excerpting stories on Google News, which the French have argued is copyright infringement . But while the search giant may be relieved to put the whole kerfuffle behind it, there's an argument to be made that it has actually done more harm than good - not only to its own interests, but to the interests of the open web as well. Veteran tech blogger Lauren Weinstein describes this risk well in a recent blog post, in which he calls what the government of France is doing "extortion," and warns of the long-term risk of Google acceding to such demands that it pay for the simple act of linking and excerpting content.
Menu of [fedRAMP] Safety-Approved Cloud Products Grows to Three (NextGov, 4 Feb 2013) - Federal agencies soon will have more options when shopping for certified cloud facilities that don't need security tests. Following the first-ever low-risk guarantee, which was granted to Autonomic Resources in late December 2012, the Web services supplier on Friday said private networks soon will be available for instant installation. And on Thursday, the government endorsed the safety of a second company's services - cloud rentals from CGI Federal. The offerings received seals of approval from the Federal Risk and Authorization Management Program after independent, government-approved auditors checked that the companies' data centers, staff and other support services met federal security standards. The CGI nod marks the second accreditation out of a pool of roughly 80 FedRAMP applicants. After a product passes a one-time inspection, any agency can subscribe to the vendor's services without expending time and money on an agency-specific assessment. Officials with Autonomic Resources, a North Carolina-based small business, said their first sanctioned service "has gained wide interest and acceptance" since the General Services Administration, which manages FedRAMP, signed off .
E- Discovery: 10 Strategic Steps for Defensible Search (BullsEye blog, 5 Feb 2013) - E-Discovery in litigation today presents a number of challenges in creating a defensible, efficient, and iterative search protocol. A defensible keyword search protocol should contain, at a minimum, the following ten strategic steps * * *
"Privacy Policies in the United States" Presentation Slides (Eric Goldman, 6 Feb 2013) - I recently guest lectured on drafting privacy policies in the United States. My presentation slides . One of my big-picture takeaway points is that privacy laws and associated industry self-regulation have gotten so extensive that drafting privacy policies is strictly for privacy experts. Unlike the good ol' days, the average competent lawyer--and even the sophisticated cyberlawyer who dabbles with privacy issues--may be unintentionally treading towards the malpractice line given the number and complexity of the applicable laws and technology. As a result, in all likelihood, I've already drafted the last privacy policy of my career.
Yelp Defeats Legal Challenge to Its User Review Filter (Forbes, 6 Feb 2013) - Yelp uses an automated review filter to suppress some user reviews of businesses. The review filter's criteria aren't publicly disclosed, and some businesses feel that legitimate positive reviews from happy customers are unfairly hidden. One business owner, an operator of three restaurants in Mammoth Lakes, California and a Yelp advertiser, got so frustrated with the review filter that he challenged Yelp's review filter in court. Recently, the court ruled decisively in favor of Yelp, confirming that Yelp isn't legally liable for filtering users' reviews as it sees fit. The restaurant owner didn't attack the review filter directly. Instead, he complained about Yelp's marketing descriptions of its review filter, claiming that Yelp falsely advertises its trustworthiness when it uses characterizations such as "remarkable filtering process" and "most trustworthy." Yelp responded that the lawsuit was a "SLAPP"-a lawsuit designed to suppress socially beneficial speech-and therefore should be dismissed per California's anti-SLAPP law. (See this post for more discussion about anti-SLAPP laws). The court agreed with Yelp, finding that "statements regarding the filtering of reviews on a social media site such as yelp.com are matters of public interest." The court also concluded that Yelp's laudatory statements about its review filter were " puffery ," not factual representations. Cf. Seaton v. TripAdvisor . As a result, if the anti-SLAPP dismissal survives a likely appeal, the restaurant owner will have to pay Yelp's legal defense costs. Case is Demetriades v. Yelp , Case No.: BC484055 (Cal. Superior Ct. Jan. 25, 2013).
Privatized Lawmaking (Volokh Conspiracy, 6 Feb 2013) - You might want to check out a new article by Dru Stevenson at South Texas Law called Costs of Codification . Dru writes the Privatization Blog - don't confuse it with the Reason Foundation's Privatization Blog ; I think either Dru or Reason should choose a catchier blog name. Here's the abstract to Dru's article, from SSRN: "Between the Civil War and World War II, every state and the federal government shifted toward codified versions of their statutes. Academia has so far ignored the systemic effects of this dramatic change. For example, the consensus view in the academic literature about rules and standards has been that precise rules present higher enactment costs for legislatures than would general standards, while vague standards present higher information costs for courts and citizens than do rules. Systematic codification - featuring hierarchical format and numbering, topical arrangement, and cross-references - inverts this relationship, lowering transaction costs for legislatures and increasing information costs for courts and citizens, as statutes proliferate. This Article takes a first look at this problem. On the legislative side, codification makes it easier for special interest groups to obtain their desired legislation. It facilitates Coasean bargaining between legislators, and encourages legislative borrowing, which diminishes the "laboratories of democracy" phenomenon. For the courts, codification changes how judges interpret statutes, prompting them to focus more on the meaning of individual words than on the overall policy goals of enactment, and to rely more on external sources, such as legislative history. For both legislators and courts, codification functions as a Hartian rule of recognition, signaling legality for enacted rules. For the citizenry, the reduced legislative costs mean increased legislative output, yielding rapid proliferation of statutes and unmanageable legal information costs. More disturbingly, codification also fosters overcriminalization. While it may not be appropriate to revert to the pre-codified regime now, reexamining the unintended effects of codification can inform present and future choices for our legal system."
Coursera Classes for College Credit? Five Online Courses Approved for Credit Equivalency (GigaOM, 6 Feb 2013) - Massive open online classes are moving ever closer to legitimacy. Last month, Udacity announced a partnership with San Jose State University to pilot three online classes for college credit. And on Wednesday, Coursera is set to announce that five of its courses have won approval from the American Council on Education (ACE) for credit equivalency. That doesn't mean students of those courses will be guaranteed credit by traditional universities - institutions have the option to accept or decline the credit - but it indicates that the courses meet ACE's standards. And, importantly, it creates the opportunity for Coursera students to not just use online classes to burnish a resume, but to potentially earn a degree.
Docracy Tracks Changes In Terms of Service and Privacy Policies So You Don't Have To (Lifehacker, 7 Feb 2013) - Few people bother to read an entire privacy policy or terms of service for every service they use. Even less bother with the changes services make to those terms over time. Docracy Terms of Service Tracker is a webapp that tracks when words change so you can keep up to date without reading the whole thing. Docracy uses a document change analysis to track when terms of service and privacy policies are updated, so anytime a site changes their terms, Docracy knows. In most cases, it's just a couple edits to change the language, but sometimes they're a lot more comprehensive . Terms of Service change all the time, and while companies usually notify you of the changes, you probably don't actually bother reading through them. This is an easy way to track what has changed so you can see if it matters to you. Of course, you'll need to have at least skimmed the Terms of Service to begin with. [Polley: Spotted by MIRLN reader Mike McGuire of Littler .]
We're Getting There! (InsideHigherEd, 7 Feb 2013) - Did anyone outside of New York City happen to catch this story about Baruch College? In the scope of international Internet policy it is a proverbial drop in the bucket. But for higher education information technology policy it is an important story. And a good step that administrators there made in how they handled a challenge that in the past has stymied administrators and angered students. Here is the story in a nutshell. Some students come up with software program for course registration. They do not run it by anyone in IT or Student Services, but they also do not intend for it to be destruction or shy away from identification with it. Some of student founders authenticated openly to it. Nonetheless, the program places a considerable load burden on servers, and possibly on bandwidth, as it pings over a million times to maintain current status of courses and selections. IT professionals register the spike, investigate and administrators contact the students. But instead of reading them the riot act (in the form of Responsible Use Policy), it would appear as if they educate … each other! The students to whom we will give the benefit of the doubt may not have appreciated the adverse impact that the program would have on the servers and network. The administrators to whom we will give credit did not throw the book at them. Together they learned more about students' needs, the complexity of technological operation of a network and IT policy. [Polley: EXACTLY! Policy promulgation in a vacuum is bad - instead, entities need to engage in dialogue with users to educate each other (users, of risk; regulators, of new practices; both, of opportunities for collaboration).]
It Will Be Hard To Stop The Rise Of Revenge Porn (Business Insider, 8 Feb 2013) - There is a seedy underbelly of the internet where people post nude or otherwise compromising photos of their ex-girlfriends or boyfriends for anyone to see, sometimes to get back at a lover who jilted them. These so-called "revenge porn" sites bring up a number of questions. Why aren't they illegal? How big is the "revenge porn" business? And what does the existence of these sites say about our culture in general? One of the more notorious of these sites in operation today is PinkMeth. The premise is pretty much identical to that of IsAnyoneUp -- users submit nude photographs of people to the site and they're posted for anyone to see. But PinkMeth seems to take this concept a step further, disclosing loads of personal data on the subjects in the photographs -- their names, their birth dates, their email addresses, and even links to their social networking profiles like Twitter and Facebook. Can PinkMeth do this and still operate within the bounds of the law? However intuitively wrong revenge porn might seem, sites operate in a legal gray area due to Section 230 of the Communications Decency Act, which states websites can't be held responsible for content submitted by a third party. We reached out to founder Robert Leshner and policy director Samantha Leland at privacy company Safe Shepherd to learn more. "Most of these sites rely exclusively on third party submissions," they told us, "and most of those submissions are at least nominally anonymous. The sites make money by posting these images, and thus have no incentive to create policies that make it easy for victims to remove the submitted photos ... Congress could try to narrowly define an exception that would protect victims of things like revenge porn and non-consensual pornography, but they'll likely get pushback from companies and organizations that want to keep content restrictions on the internet as minimal as possible. Striking that balance is important." But on the other hand, some see it as unambiguously illegal. We spoke to Jason van Dyke, a Texas attorney who has handled several revenge porn cases, and he says there's no doubt that "it's completely illegal" when published without accompanying documentation verifying the ages of the people in the photos.
Demise of the Trial by Jury - Is Social Media to Blame? (BullsEye blog, 8 Feb 2013) - Social media and the increasingly mobile nature of electronic technology may be upsetting the delicate balance found in the U.S. jury system. As in nature, introduction of an invasive species can threaten an ecosystem, forcing it to adapt or risk extinction. As an alien species, social media is no exception. Its growing presence in the legal system is reshaping modern litigation. To what extent is social media threatening the U.S. jury process? This topic has been the subject of intense scrutiny in recent months. Last June the ABA released Proposed Model Jury Instructions to address the growing concern over jurors' use of electronic technology to communicate about or research a case during trial. A prefatory note recommends that the instructions be provided to jurors at the end of each day prior to jurors returning home, (in addition to the beginning and close of a case), perhaps underscoring increasing tension over what transpires once jurors walk out of the courtroom. The legal community may have to come to grips with the fact that completely eliminating and regulating jurors' use of social media may not be entirely possible. The reason is simple - sharing everything via social media and electronic technology, which is increasingly mobile and sophisticated, has become a way of life for many. * * * Two recent articles, one appearing in JD Supra Law News and another academic piece published in the University of Illinois Law Review , have questioned the practical difficulties in preventing social media in the courtroom, pointing out how a juror's use of social media during trial can detrimentally affect the constitutional right to a jury trial.
Feds Update Cybersecurity Compliance Handbook (InformationWeek, 8 Feb 2013) - The federal government has nearly finalized its first major overhaul to the primary handbook to federal cybersecurity standards in nearly four years, and its most significant update since the initial release of that handbook in 2005. The National Institute of Standards and Technology (NIST) on Wednesday released the final public draft of the 455-page final public draft of NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, and announced that it was seeking comments on the document. Special Publication 800-53 is the definitive catalog of security controls necessary to meet the federal government's internal cybersecurity requirements such as the Federal Information Security Management Act (FISMA), and has begun to be adopted even by state and local governments and some private companies. Special Publication 800-53 is the product of a collaboration among NIST, the Department of Defense and the U.S. Intelligence Community, as well as the input of thousands of comments received from the general public after release of the first public draft of Revision 4 in February 2012.
DHS Watchdog OKs 'Suspicionless' Seizure of Electronic Devices Along Border (Wired, 8 Feb 2013) - The Department of Homeland Security's civil rights watchdog has concluded that travelers along the nation's borders may have their electronics seized and the contents of those devices examined for any reason whatsoever - all in the name of national security. The DHS, which secures the nation's border, in 2009 announced that it would conduct a "Civil Liberties Impact Assessment" of its suspicionless search-and-seizure policy pertaining to electronic devices " within 120 days ." More than three years later, the DHS office of Civil Rights and Civil Liberties published a two-page executive summary of its findings. "We also conclude that imposing a requirement that officers have reasonable suspicion in order to conduct a border search of an electronic device would be operationally harmful without concomitant civil rights/civil liberties benefits," the executive summary said . The DHS watchdog's conclusion isn't surprising, as the DHS is taking that position in litigation in which the ACLU is challenging the suspicionless, electronic-device searches and seizures along the nation's borders. But that conclusion nevertheless is alarming considering it came from the DHS civil rights watchdog, which maintains its mission is "promoting respect for civil rights and civil liberties." * * * The ACLU on Friday filed a Freedom of Information Act request demanding to see the full report that the executive summary discusses. Meantime, a lawsuit the ACLU brought on the issue concerns a New York man whose laptop was seized along the Canadian border in 2010 and returned 11 days later after his attorney complained.
Speak Out and Get Sued (InsideHigherEd, 10 Feb 2013) - In 2010 Dale Askey, a librarian at McMaster University in Canada, posted an essay on his personal blog referring to Edwin Mellen Press as a "vanity press." In due time Mr. Askey and McMaster University were sued by Edwin Mellen Press and the press founder, Herbert Richardson, for more than $3 million. The suits allege libel. The "offending" blog was removed from the web. Not too long ago, International Higher Education, a publication I edit, was threatened with a lawsuit by the owner of an institution that, by every measure is a degree mill, when said institution was referenced in an International Higher Education article critical of degree mills. On advice of the university's lawyers who were fearful of being entangled in a legal case (however questionable) in a British court where the suit was threatened, we removed the article from our website. The matter was soon forgotten. Perhaps a few anecdotes do not seem worth much attention but there are aspects of these examples that should be cause for concern. We are teetering on a very fine line between the right of scholars to express informed opinion and the right of enterprises to be protected from libel. Yet the increasing threats of lawsuits inhibit expression as scholars weigh risks before voicing opinions. There are serious consequences for academic freedom. There are some (emphasis on some ) for-profit enterprises that are involved in questionable academic endeavors. In the case of degree mills, this qualifies as fraud. In other cases, services are of substandard quality. In both cases these enterprises are "selling" a product or service in an academic marketplace where they will be judged by a range of constituents who have a vested interest in protecting the integrity of the academic enterprise. Yet the entrepreneurs who have found profit in higher education are often very touchy about any criticism at all. Sadly, they have found that threatening legal action can silence their critics who have neither the deep pockets for legal counsel to defend themselves or the inclination to become immersed in a lengthy legal proceeding. As the threat of lawsuits becomes more frequent, individuals and organizations may be more inclined to self-sensor. This will detract from important public debate that is fundamental in a free society. In the Askey case, his comments about the Edwin Mellen Press reflected his extensive experience reviewing academic journals. The observation was not capricious. Online petitions are circulating to defend his right to express this opinion. The matter has raised the question of whether the Edwin Mellen suit violates Askey's academic freedom.
Addressing The Problem: Keep Your Email Address Up To Date (Simple Justice blog, 10 Feb 2013) - Amid the hoopla surrounding every new shiny must-have toy in the lawyer's arsenal lurks a time bomb waiting to go off. Your email address. Most of us have a few of them, born of necessity from sources like Google, which demand the creation of an in-house email if you want to enjoy its functions. Then there are the new websites everyone has purchased because somebody, whether marketeer or youth, informed you that it's no longer cool to have an AOL email address and marks you as a social media dinosaur. So people switch emails with abandon, keeping up with the skirt height or tie width of the internet. It's all good fun, right? Not according to Judge Lewis Kaplan's opinion on appeal in the Worldcom bankruptcy case : "The rulings were entered on the electronic docket, and notice was automatically emailed to CNI's sole counsel of record, W. Mark Mullineaux, at the email address which he previously had registered with the clerk's office for the purpose of receiving such notifications. But that was an old email address. Mullineaux's new email address was listed in his motion to appear pro hac vice in the case, but he hadn't updated his profile in the electronic case files (ECF) system. As a result, Mullineaux didn't receive the court's notification and failed to file a timely notice of appeal." The district court wasn't overly concerned, and granted an extension of time to appeal, based upon the failure to get timely notice and lack of prejudice. The 2d Circuit, however, wasn't nearly as sympathetic. District Judge Lewis Kaplan, sitting by designation, wrote, "There is nothing in the history of the rules ... to suggest that the drafters sought to provide relief when the fault lies with the litigants themselves" and that "CNI's failure to receive Civil Rule 77(d) notice was entirely and indefensibly a problem of its counsel's making, and Rule 4(a)(6) was not designed to reward such negligence." Judge Kaplan makes plain that keeping transmittal information up to date is the lawyer's responsibility, and the client will pay a heavy price for our failure. The ABA says lawyers are ethically required to stay abreast of technology, and even I agree .
They Really Don't Know Clouds At All (Volokh Conspiracy, Stewart Baker, 11 Feb 2013) - Every new computing technology seems to bring with it a privacy flap. Cloud computing is going through that phase right now, at least outside the United States. Canadian and European elites fear that putting data in the cloud will somehow let the US government paw through it at will, a fear that usually centers on Section 215 of the USA PATRIOT Act. The debate has been fed by interest groups worried about their future in a world of cloud computing. It was first raised as part of a campaign by the British Columbia Government Employees Union against the outsourcing of British Columbia's health insurance data processing. (Full disclosure: I worked on the issue for clients both at the time and more recently.) After years of remission, the issue has recently returned even more virulently, when Europe's small cloud providers began using the Patriot Act as a marketing tool. In November of 2011, two European companies announced the creation of a European cloud offering that they advertised as providing a "safe haven from the reaches of the U.S. Patriot Act" in a press release that goes on to say, "Under the Patriot Act, data from EU users of U.S.-owned cloud-based services can currently be shared with U.S. law enforcement agencies without the need to tell the user." This is pretty clearly a reference to section 215 of the Patriot Act, which once allowed the FBI to "gag" recipients of 215 orders. (That authority was substantially cut back by Congress in 2005; now recipients may challenge gag orders in court annually until they are revoked. See 50 USC 1861(f)(2)(A).) As a competitive strategy, this line of attack has some problems. It assumes that, while US-owned companies can be compelled to produce data from around the world, European companies can safely refuse to comply. The argument that the US can compel global compliance is grounded in a line of cases ordering banks to produce records from foreign branches. Unfortunately for the European companies making this pitch, the line of cases is named after the unsuccessful party - the Bank of, uh, Nova Scotia - which is rather plainly not a US company and thus hardly the best case to cite if you're arguing that people can defeat American discovery orders by giving their records to companies headquartered outside the US. Nonetheless, the argument is still shaking up customers and officials in Europe, who are understandably not comforted by the response that even European cloud companies can be compelled to produce records. I think for several reasons that this risk has been severely hyped - there are only a couple of hundred section 215 orders a year, compared to tens of thousands of criminal subpoenas, and the Justice Department discourages foreign fishing expeditions. But those reasons have been discussed by others. Instead of digging into them, I'd like to explore a point that hasn't been discussed as widely: the utter uselessness of serving a section 215 order on a cloud computing company * * *
National Security Experts Discuss Options for 'Active' Cyber Defense (ABA, 11 Feb 2013) - If a cybercriminal hacks into your network and steals your files, what legal right do you have to track down the thief and perhaps hack into his network and recover or destroy the files? National security experts discussed the legality of varying degrees of such "active" cyber defense, as opposed to passive efforts to lock down information through conventional cybersecurity measures, during an ABA Midyear Meeting panel discussion Feb. 10 sponsored by the ABA Standing Committee on Law and National Security. The risk of cyber theft is faced not only by companies with valuable intellectual property and strategy documents, but also by the law firms that service such clients. Panelists agreed that while private-sector cybersecurity is as strong as ever, systems that are designed merely to keep out thieves are bound to be breached by those determined to steal information. "We have tried to defend our way out of this problem. It has failed," said Stewart Baker, a partner with Steptoe & Johnson in Washington, D.C., and former general counsel of the National Security Agency. This realization is why some companies are exploring the legality of more active security measures, whose legality are in question and may call for coordination between government and the private sector. As articulated by Stephen Chabinsky, chief risk officer at security firm CrowdStrike, the private sector has the technology and reach, but not the legal authority, to take an active role on cyber defense, whereas the government has the authority but not the technology or reach. Panelists agreed that such problems point to the value of the ABA Cybersecurity Legal Task Force , created by ABA President Laurel Bellows. The panelists noted that cybercrime raises a host of legal issues that the organized bar must help figure out and address. [Polley: video excerpts from the program here .]
Survey of GCs Sees Cybersecurity Risk, Anxiety (Corporate Counsel, 13 Feb 2013) - Despite the growing threat of computer security breaches, some 30 percent of general counsel in a recent survey said their companies were not prepared to deal with such a crisis. And experts say more GCs need to overcome their technophobia and help their firms face the increasing risk. "Among the most fearsome threats facing corporations in 2012 was an increasing proliferation of cybersecurity breaches of various orders of complexity and impact," according to the "2012 General Counsel Survey," by global consultants Consero Group. The survey, produced in partnership with Applied Discovery Inc., is based on responses from 48 general counsel in December 2012. Some 28 percent of the GCs surveyed indicated that their companies had experienced a cybersecurity breach over the last 12 months. And that figure may be low. "It's safe to assume that a breach is a source of great anxiety and embarrassment for large companies. So there is a natural disinclination to report it," explained attorney Paul Mandell, founder and chief executive of Consero. The group is located in Bethesda, Maryland. "But cybersecurity was clearly a very hot topic and a source of concern for the general counsel," Mandell added. The theft of company data by employees is also a growing concern, Mandell said, and "there was quite a bit of discussion [among general counsel] about employees bringing their own devices [BYOD] to work. It's a huge issue." So far there is very little understanding of what the best practices are in the BYOD area, he said. Mandell explained that much of the anxiety about cybersecurity stems from "lawyers not generally being tech savvy by nature," and the fact that no one has found a perfect solution for protecting data. The report explained that a company's GC also must be aware of international regulatory requirements regarding digital security, while ensuring compliance and addressing breaches when they result in litigation or government action. The trend Mandell sees is for general counsel to increasingly explore the addition of tech-savvy attorneys, like those who handle intellectual property.
- and -
Serious Data Breaches Take Months to Spot, Analysis Finds (Network World, 13 Feb 2013) - More than six out of ten organisations hit by data breaches take longer than three months to notice what has happened with a few not uncovering attacks for years, a comprehensive analysis of global incidents by security firm Trustwave has found. During 2012, this meant that the average time to discover a data breach for the 450 attacks looked at was 210 days, 35 more than for 2011, the company reported in its 2013 Global Security Report (publically released on 20 February). Incredibly, 14 percent of attacks aren't detected for up to two years, with one in twenty taking even longer than that. Almost half - 45 percent - of breaches happened in retailers with cardholder data the main target. The food and beverage sector accounted for another 24 percent, hospitality 9 percent, and financial services 7 percent. Trustwave also puts it finger on a seeming paradox; investigators seem able to spot breaches that admins didn't. Why? The part-answer seems to be that too many organisations rely on automated protection such as antivirus or a firewall that don't fail gracefully. If attackers beat that security layer there is no other system to notice that something unusual has happened. Seventy percent of all client-side attacks were connected to the Blackhole Exploit Kit, the leviathan of the cybercrime world. Six in ten attacks targeted software flaws in Adobe's PDF Reader Seeing what's leaving the networks isn't necessarily going to be easy as a quarter of data is exfiltrated (i.e. stolen) using an encrypted channel designed to hide activity.
Live Stream of Special Event for Terry Fisher's Copyright Course: IP Protection for Fashion (Berkman, 13 Feb 2013) - Join us this evening and throughout the Spring 2013 semester for a series of special webcasts featuring discussions from Professor Terry Fisher's Copyright course, hosted on the edX online learning platform. HLS1x Copyright , an experimental course offered on edX, explores in depth the law, theory, and practice of copyright. Tonight's webcast will feature Jeannie Suk & Chris Sprigman on the issue of IP protection for fashion and will begin at 7PM ET. The public stream of the webcast for each event will be available at the date and time listed below and on the course website . Each of the events features a guest expert and examines a difficult issue growing out of, or adjacent to, copyright law. In the courses overall, and in the special events in particular, considerable attention is devoted to the relationship between copyright law and creative expression in a variety of fields: literature; music; film; photography; graphic art; software; comedy; fashion; and architecture. You can read more about the course here .
Is a Twitter Handle a 'Must-Have' for Today's Lawyer? Not Yet (Law.com Legal Blog Watch, 15 Feb 2013) - Kevin O'Keefe kicked off an interesting discussion about Twitter this week in a post on his blog, Real Lawyers Have Blogs. O'Keefe argued that "your identity of record for now is your Twitter handle," and gave numerous examples of how he uses people's Twitter handles to identify them in his own blog posts, give credit to authors and otherwise acknowledge them online. O'Keefe says that this is important to him because he is trying to build relationships with people, not just have a "one-way street" where he is doing only the talking or only the listening. O'Keefe specifically urged lawyers to "get your Twitter handle out there. It's how I and many others will identify you when we want to cite you, on or off Twitter. It's also how your target audience can get to know you and begin to trust you.... You've got to have one." I am a fan of Twitter, and I definitely agree with Kevin that it is important to have a Twitter handle if you want to be identified, acknowledged or engaged by others online. But I think the Futurelawyer post pushes the argument too far, as the benefit of a Twitter handle today is a far cry from the benefit of being a lawyer in the 1980s who can actually communicate by telephone with his or her actual clients, colleagues, courts, etc. Particularly with respect to the "big law firm" world that I used to work in and that I still interact with daily, I just don't believe that having (or not having) a Twitter handle really has much of an impact yet. It may be different in the world of the solo practitioner, which I'm not very familiar with, but I seriously doubt even the "best" individual lawyer-Twitterers from big law firms would suffer too much if they walked away from Twitter tomorrow.
Miami Herald Ends Anonymous Comments (USA Today, 15 Feb 2013) - It's something that editors at The Miami Herald heard often, far too often. Readers would say that they'd like to comment on an article they had read on miamiherald.com. But they didn't want to face the abuse and the name-calling they were likely to encounter from anonymous commenters who disagreed with them. "People would say, 'I don't want to stand up in front of people who throw eggs,' " says Rick Hirsch, the Herald's managing editor, adding, "We had a big group of trolls who would do nasty things." And so the Herald became the latest news outlet to ban anonymous comments. Starting Feb. 11, visitors to miamiherald.com have to sign in through their Facebook accounts before they can weigh in on the news of the day. It's a dilemma that has plagued America's newsrooms for quite a while. To use the popular buzzword, news organizations everywhere want to strengthen "engagement" with their readers. Many are making extensive use of social media to deepen the relationship. And they very much want feedback on and conversation about the content they post. Trouble is, the dialogue on many sites has been poisoned from the get-go by the ugly, mean-spirited verbiage of a small but often prolific band of anonymous posters. It's a lot easier to call names and pick fights when nobody knows who you are. "The debate quickly devolves into rants," says Steve Doig, the Knight Chair in Journalism at the Walter Cronkite School of Journalism and Mass Communication at Arizona State University. "It spirals down the drain." Newspapers have long required those writing letters to the editor to provide their names and addresses - for good reason. If you are going to take a stand, you should take responsibility for it. And while anonymous sources are used too often in news stories, many outlets have policies forbidding these ghosts from making personal attacks without attaching their names to them.
With Its Australian Court Victory, Google Moves Closer to Legitimizing Keyword Advertising Globally (Eric Goldman, 19 Feb 2013) - Google's keyword advertising program, AdWords, has been subject to constant legal challenges for the past decade. After an initial period of legal uncertainty, AdWords' legal fortunes recently have brightened in the United States and Europe. Earlier this month, AdWords notched another strong win in court, this time in Australia. Considering these developments as a whole, Google has effectively gotten a clean legal bill of health for its AdWords service around the globe. Google's impressive accomplishment also provides a useful cautionary tale about overregulating technological innovations. [Polley: good, thorough analysis - read the entire post if this area is of interest.]
Europe Issues Its Own Cybersecurity Plan (Steptoe, 21 Feb 2013) - The European Commission has published a proposed Directive on network and information security (NIS) that aims to enhance the EU's policies and framework for dealing with cyberattacks, and has also published a cybersecurity strategy. The Directive sets out measures that affect both Member States and critical infrastructure operators, while the strategy presents an overview of how the EU plans to prevent and deal with cyberattacks in the long-term. The Directive's measures would require certain companies that have activities or systems in the EU to manage risks and report significant cyberattacks to national authorities, even if not headquartered in the EU. The Directive's broad language will significantly affect global companies that do not have to comply with such strict disclosure requirements in their home countries. Along with Executive Order 13636 on cybersecurity in the U.S., the EC's action underscores the significant attention governments are finally giving to cybersecurity and the prospect for eventual security mandates on critical industries.
What (Legally) Happens to Our Social Media Accounts When We Die? (Volokh Conspiracy, 21 Feb 2013) - Not all legal scholarship is irrelevant twaddle; some of it addresses emerging legal questions that will indeed require answers in the real world. This student Comment, "What Happens to Our Facebook Accounts When We Die?: Probate Versus Policy and the Fate of Social-Media Assets Postmortem," by Kristina Sherry, appears in the December 2012 Pepperdine Law Review (40 Pepp. L. Rev. 185 (2012). Given how much commerce now takes place through social media - Facebook, LinkedIn, Twitter, etc. - the legal questions are not just about dear old Mom or Dad and their photos of the grandkids (though those personal accounts also raise issues). Here is the abstract (HT @GregoryMcNeal, via ... Twitter): "More than 580,000 Facebook users in the U.S. will die this year, raising numerous legal questions as to the disposition of their Facebook pages and similar "digital assets" left in a state of legal limbo. While access to and ownership of decedents' email accounts has been philosophized for nearly a decade, this Comment focuses on the additional legal uncertainties posed by "digital death" in the more amorphous realm of "social media." Part II explores the implications of digital death by conceptualizing digital assets and surveying the underlying legal principles of contractual policies, probate, property, and privacy concerns. Part III surveys current law surrounding digital death, emphasizing a 2010 Oklahoma statute granting executors and administrators power over decedents' "social networking" accounts. Parts III and IV consider what the current state of the law means for individuals facing death (i.e. everyone) as social media interacts with both (1) probate law and (2) social-media services' policies as reflected in their terms of service. Part V explores how the law and proposed solutions may address the salient policy goals of honoring decedents' postmortem wishes while meanwhile respecting privacy; preserving digital assets; and minimizing probate, litigation and other paperwork-type hassles. Ultimately this Comment suggests while state or even federal legislation may call attention to the importance of digital estate planning, a better solution likely lies between the two extremes of the probate-versus-policy power struggle, and that social-media services themselves may be in the better position to quell the perfect storm of legal uncertainty that looms."
More US Lawyers Move into the Boardroom (FT, 21 Feb 2013) - Are lawyers taking over the world? That is a question many investors and bankers might ponder these days. After all, the 2008 financial crisis and ensuing mess has created a deluge of work for the legal profession. And regulatory reform is likely to keep lawyers busy for many years to come. But aside from the financial sphere, there is another, less-noticed, area where lawyers are increasingly in evidence: corporate boards. In recent months, a group of American law and finance professors have conducted the first comprehensive analysis of how American companies performed between 2000 and 2009 - depending on whether they had lawyers on their boards or not. The results make interesting reading. Most notably, the analysis found that lawyers have become increasingly prevalent on boards; though only 24 per cent of US companies had lawyer directors in 2000, 43 per cent did so in 2009. Moreover, having a lawyer on board apparently goes hand in hand with differences in corporate performance. Companies with lawyer directors seemed to pay their chief executives more, but have less volatility in pay, due to lower levels of corporate risk-taking and default. Litigation risk declines too: stock option backdating litigation, for example, was 94 per cent lower at companies with legal directors. Conversely, when there were no lawyers on the board, there was "a 308 per cent increase in the effect of accounting malpractice litigation on firm value". As a result, the authors calculate that corporate value (measured by Tobin's Q, the ratio of market value to replacement value of assets), is typically 9.5 per cent higher when a lawyer is on the board. This could potentially force a rethink of some cherished business school ideas, they argue. Until now, "the accepted wisdom has been that lawyers should steer clear of public company boards", in case that creates value-destroying conflicts. And while regulators and investors increasingly demand that boards have external directors, they have not previously seemed to care where those directors hail from. They should pay more attention to this factor, the report argues, particularly with regard to lawyers. For getting lawyers on board both helps diminish external legal risks and improves internal governance. [Polley: Spotted by MIRLN reader Roland Trope of Trope & Schramm LLP.]
RESOURCES
Harvard-Berkman's Cybersecurity Wiki (February 2013) - This Cybersecurity wiki provides a set of evolving resources on cybersecurity, broadly defined , and includes an annotated list of relevant articles and literature, which can be searched in a number of ways. Please see below. It is intended as a tool/resource for researchers, technologists, students, policy-makers and others who are interested in cybersecurity issues more broadly. For more information about this first phase of the project, including the team, methodology, and opportunities to contribute, please see About the Project . If you have feedback, comments, or suggested additional readings/resources, please contact: cybersecurity-feedback@cyber.law.harvard.edu .
FUN
The Google Store Experience (Tapastic cartoon, 21 Feb 2013) [Polley: Spotted by MIRLN reader Corinne Cooper of Professional Presence .]
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
STUDY: MANY COMPANIES LACK DISASTER, CONTINUITY PLANS (ComputerWorld, 4 March 2003) -- A U.S.-led war in Iraq that could spawn new terrorist attacks in the U.S. could be less than two weeks away, but that hasn't prompted many companies in the U.S. to invest adequately in disaster recovery, according to a new study released today by Dataquest Inc. The study, "Investment Decisions: Preparing for Organizational Disasters," warns that unless companies invest immediately in disaster preparedness planning, as many as one in three could lose critical data or operational capability if a disaster occurred. IT managers from 205 end-user companies representing eight vertical industries in the U.S., including government, aren't investing appropriately in disaster plans because they don't have the money to reach their required readiness levels, said Tony Adams, principal analyst in Dataquest's IT services group. "Budget constraints are forcing an average of 40% of respondents to rely on a best guess to determine potential risk rather than obtaining formal assessments, which would be too costly," he said. Still, 53% of the respondents have implemented crisis management plans, and another 30% that do not yet have plans are considering developing them, according to the Dataquest study. The remaining 17% said they aren't developing crisis management plans. http://www.idg.net/ic_1192210_9677_1-5046.html
BLOGGING GOES CORPORATE (EcommerceTimes, 12 March 2003) -- Weblogs, which enable multiple users to post text easily to a Web site, with the most recent post appearing on top, have been around for years but have gained rampant popularity only recently. This immense interest in Weblogs -- "blogs" for short -- now is carrying over to the corporate world. A few companies already are deploying blogs for internal and external communications. Though the trend has been tentative so far -- only a handful of companies are putting out public blogs authored by their employees -- it seems likely that the number of corporate blogs will skyrocket in the near future. Are enterprises ready for this new technology? One of the first companies to embrace blogging was Macromedia. Tom Hale, senior vice president of business strategy, said blogs are part of the company's overall enterprise plan. "Macromedia is very customer-focused, and we have our collective corporate 'ear to the ground' in many different ways," he told NewsFactor. "Blogs seem like another channel for what we already do and for what our customers already value about us." Technology research firm Gartner also has begun to dabble in Weblogs. French Caldwell, vice president and research director at the firm, said Gartner's "Emerging Storm" Weblog is "an experiment." However, he added, the company "sees a lot of future in blogs." In fact, Searls told NewsFactor that blogs might be a better way for companies to tell customers about their products. http://www.ecommercetimes.com/perl/story/20975.html
NOTES
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, sans@sans.org
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. McGuire Wood's Technology & Business Articles of Note
8. Steptoe & Johnson's E-Commerce Law Week
9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/ 10. The Benton Foundation's Communications Headlines
11. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top