- The SEC Will Require Greater Disclosure Related to Data Security Risks and Breaches
- Cyber-Insurance: Not One-Size-Fits-All
- Concerns Over Cyber Risks Grow, Says Zurich
- Spy Agency ASIO Wants Powers to Hack into Personal Computers
- Singapore Beefs Up Cybersecurity Law to Allow Preemptive Measures
- Chicago Mayor Appoints First Ever Diversity Tech Council
- Measuring the Success of Online Education
- "Social Media and Trademarks" Presentation at AALS
- Should a Judge Recuse Due to Facebook Friendship with Prosecutor? Florida Supremes Asked to Decide
- 3rd Circuit: Covenant not to Sue is a License and therefore Not Dischargeable in Bankruptcy
- EFF Urges Court to Protect Transformative Uses and Permit News Search Engine
- Red October Espionage Platform Unplugged Hours After Its Discovery
- Law of Armed Conflict Applied to Autonomous Weapon Systems
- Even if It Enrages Your Boss, Social Net Speech Is Protected
- Social Media Coverage of Conferences a Windfall for Legal Associations
- The HIPAA-HITECH Regulation, the Cloud, and Beyond
- Lawyer Advertising and Marketing Ethics Today
- FFIEC Proposes Social Media Guidance
- Yahoo, Like Google, Demands Warrants for User E-Mail
- Will Virginia Law Blogger's Challenge to Discipline Deprive Other Blogs of First Amendment Protection?
- Who Owns, Controls Social Media Activity?
- Audit Concerns Over Cybersecurity Threats
- So, What is the Deal with Copyright and 3D Printing?
- Publication Agreements
- How Secure Are Your Skype Calls?
- Standards for Technology-Enabled Learning
- Whose Law Governs Communication Intercepts?
- CRS Report on Domestic Drones
- It's Google, But is it Art? Museums Wonder Whether they Should Open their Galleries to Digitizing
The SEC Will Require Greater Disclosure Related to Data Security Risks and Breaches (Mintz Levin, 3 Jan 2013) - The amount of personal and confidential information maintained electronically by public companies increases every day. As a consequence of this increase, the likelihood that a given public company will suffer a data breach and that such breach will have a material adverse effect on the company's business also increases. In response to this ever-increasing risk, the Securities and Exchange Commission (the "SEC") is requiring greater disclosure related to data security and this trend will likely increase in 2013. The SEC issued guidance relating to public company disclosure of data security in the end of 2011. Soon after the SEC issued this guidance, Facebook, Inc. (NASDAQ: FB) filed its Form S-1 Registration Statement and became one of the pioneers in data security and privacy disclosure. Since then, public and soon-to-be public companies have followed suit and more companies are including disclosure related to data security risks and breaches. The disclosure does not only affect companies dependent on technology as a core part of their business. Two recent examples of this increased disclosure can be found in the risk factors of a prospectus filed by Michaels Stores, Inc. and that filed by . Specifically, Michaels Stores, Inc., a craft specialty retailer, included the following risk factor: "Failure to adequately maintain security and prevent unauthorized access to electronic and other confidential information and data breaches could materially adversely affect our financial condition and operating results." This type of risk factor is becoming more and more common among public company filings, both in registration statements and annual and quarterly filings. Interestingly, Michaels was the victim of a large-scale hack attack on its POS system in 2011 and given that, and the resulting class action suits, we might have expected to see expanded disclosure.
SeaWorld, the owner/operator of SeaWorld, Busch Gardens, Sesame Place, and other theme parks, filed its registration statement just after Christmas and includes the following risk factor * * *
Cyber-Insurance: Not One-Size-Fits-All (InfoRisk, 10 Jan 2013) - Despite headline-grabbing data breaches that have proven costly to organizations in many sectors, the purchase of cyber-insurance to cover potential costs remains relatively rare. Cyber-insurance policies vary widely, but they often cover notification expenses, credit-monitoring services, and, in many cases, legal defense costs and even government penalties. "Cyber-insurance is viewed as much more of a discretionary purchase, and risk managers really have to be educated on the need to purchase the coverage and what the coverage actually provides," says David Bradford, who published a 2012 survey that addresses cyber-insurance for RIMS, the risk information management society (see Coming of Age of Cyber Insurance). A 2012 survey of more than 100 global Forbes 2000 corporations by Carnegie Mellon CyLab shows that many board members and executives incorrectly believe that other types of corporate liability insurance cover losses due to data breaches, says lab official Jody Westby. "That's pretty stunning because most corporations, especially large global corporations, should understand that cyber-risks generally are not within property and general corporate liability policies," Westby says. Bradford estimates that 40 insurers offer cyberliability coverage. By comparison, about 5,000 companies provide property and casualty insurance in the United States. Because the cyber-insurance industry continues to mature, its offerings aren't as consistent from provider to provider as they are with other types of insurance. "There are so many material differences between the coverages available that there is no real one-size-fits-all approach," says Richard Bortnick, an attorney at the law firm Cozen O'Connor.
- and -
Concerns Over Cyber Risks Grow, Says Zurich (Insurance Age, 24 Jan 2013) - More than three in four (76%) organisations say they have become more concerned about information security and privacy over the past three years - but only 19% have purchased insurance designed to cover these exposures, according to new research commissioned by Zurich. The provider noted that only 16% of companies surveyed had designated a chief information security officer to oversee cyber risk and fewer than half (44%) had increased their budget to tackle the problem. The findings came in 'Meeting the Cyber Risk Challenge', a survey by Harvard Business Review Analytic Services of 152 respondents across Europe involved in risk management. [Polley: see also this WSJ posting - WSJ BLOG: Cybercrime Insurance Takes Off As Providers Target Smaller Businesses]
Spy Agency ASIO Wants Powers to Hack into Personal Computers (NewsAU, 13 Jan 2013) - The [Australian] Attorney-General's Department is pushing for new powers for the Australian Security Intelligence Organisation to hijack the computers of suspected terrorists. But privacy groups are attacking the "police state" plan as "extraordinarily broad and intrusive". A spokesman for the Attorney-General's Department said it was proposing that ASIO be authorised to "use a third party computer for the specific purpose of gaining access to a target computer". "The purpose of this power is to allow ASIO to access the computer of suspected terrorists and other security interests," he told News Limited.
- and -
Singapore Beefs Up Cybersecurity Law to Allow Preemptive Measures (ZDnet, 14 Jan 2013) - Singapore's Parliament has passed the amended Computer Misuse Act, which enables the government to thwart potential cyberattacks on critical infrastructure. According to a statement by The Ministry of Home Affairs (MHA) on Monday, the government organization is now allowed to order a person or organization to act against any cyberattack before it has begun. The law has also been renamed as the "Computer Misuse and Cybersecurity Act". However, due to the severity of the threat cyberattacks can pose to the country, non-compliance with this direction, or obstructing a person from complying with the Minister's directions to him, will be made an offense which may result in a jail term of up to 10 years and a fine of S$50,000 (US$40,753). "The proposed legislative amendments will provide the government with greater ability to work with our stakeholders to take timely actions against cyber threats to our critical information infrastructure (CII)," the statement read. It adds these enhanced powers come with important safeguards to ensure they are used in an effective and responsible manner to protect our national interests.
Chicago Mayor Appoints First Ever Diversity Tech Council (Gov't Technology, 16 Jan 2013) - To help integrate Chicago minorities into the city's technology economy, Mayor Rahm Emanuel has appointed Chicago's first-ever technology industry diversity council. The 12-member council will be responsible for helping to increase the percentage of minority employees for technology firms, increase the percentage of minority-owned and -operated technology firms, and helping find ways to transition students who attend Chicago public schools and city colleges into the technology economy, according to the mayor's office. Everyone on the council is a member of a minority group and has demonstrated leadership in promoting diversity in Chicago's technology community. The council has been given an initial four-month period to create recommendations, after which Emanuel will develop policies based on those recommendations. CTO John Tolva said the individuals on the council represent the African American and Latino communities, and some representatives are women, since women are often a minority in the technology industry, though their working in tech startups is becoming more common. Tolva also said one of the driving factors for emphasizing the importance of diversity in technology is that public schools and colleges are currently going through a transformation -- they're integrating more science, technology, engineering and math (STEM) fields into education to better prepare students for the modern workforce.
Measuring the Success of Online Education (NYT, 17 Jan 2013) - One of the dirty secrets about MOOCs - massive open online courses - is that they are not very effective, at least if you measure effectiveness in terms of completion rates. If as few as 20 percent of students finishing an online course is considered a wild success and 10 percent and lower is standard, then it would appear that MOOCs are still more of a hobby than a viable alternative to traditional classroom education. Backers reason that the law of large numbers argues in favor of the online courses that have rapidly come to be seen as the vehicle for the Internet's next big disruption - colleges. If 100,000 students take a free online course and only 5,000 complete it, that is still a significant number. Udacity, along with other MOOC designers, is moving rapidly away from the video lecture model of teaching toward an approach that is highly interactive and based on frequent quizzes and human "mentors" to provide active online support for students. Moreover, there are early indications that the high interactivity and personalized feedback of online education might ultimately offer a learning structure that can't be matched by the traditional classroom. Duolingo, a free Web-based language learning system that grew out of a Carnegie Mellon University research project, is not an example of a traditional MOOC. However, the system, which now teaches German, French, Portuguese, Italian, Spanish and English, has roughly one million users and about 100,000 people spend time on the site daily. The firm's business is based on the possibility of using students to translate documents in a crowd-sourced fashion. Seventy-five percent of the students are outside of United States, and Carnegie Mellon computer scientist Luis von Ahn notes that the foreign students are significantly more motivated and have a higher completion rate than their American counterparts.
"Social Media and Trademarks" Presentation at AALS (Eric Goldman, 17 Jan 2013) - Earlier this month, I spoke at the AALS IP Section meeting in New Orleans on the topic of "trademarks and social media." My slides. Though I've written in this area (see, e.g., my Online Word of Mouth paper from 2007), I didn't have any new academic research to report. As a result, I decided to take an anthropological approach to the subject material by recounting some of the interesting things I see in social media from a trademark perspective:
- Instabrands. Brands that, like the mayfly, are born, live and die within a matter of days. I gave the example of the @FiredBigBird Twitter account. Trademark law isn't well-equipped to deal with such evanescent brands.
- Large-scale non-commercial activity. Trademark law tries to distingtuish [sic] between commercial and non-commercial activity (like many other areas of law), but it doesn't really contemplate that non-commercial defendants can be using third-party brands at a commercial scale. I gave the example of @BPGlobalPR Twitter account as an example of massive non-commercial activity where the investment and distribution costs are zero and the labor is provided on a purely voluntary basis--although this isn't an ideal example as the BPGlobalPR operators do sell T-shirts, and trademark law does know how to deal with that.
- Brand Self-Sabotage. Brand managers are so used to having their conversation filtered through third party editors and gatekeepers that they can make embarrassing gaffes when they actually talk directly to their consumers. I gave the infamous Kenneth Cole/Arab Spring tweet as an example, but there are many in this genre.
- Bashtags. Brands also aren't used to having their consumers able to talk to each other directly. Brands are even less prepared for the fact that they can't steer those conversations. Bashtags are an example, where malcontents and vandals can coopt a conversation between brands and their loyal customers. I gave the #McDStories hashtag as the example. * * *
Should a Judge Recuse Due to Facebook Friendship with Prosecutor? Florida Supremes Asked to Decide (ABA Journal, 17 Jan 2013) - A Florida appeals court wants guidance on an ethics issue: Should judges recuse from cases when they are Facebook friends with the prosecutor? The 4th District Court of Appeal said on Wednesday that the matter is of great importance, and the Florida Supreme Court should decide the issue, the Palm Beach Post reports. The appeals court removed Judge Andrew Siegel of Broward County from a case in September because he was Facebook friends with the prosecutor. Its decision (PDF) cited a judicial ethics opinion that judges should not friend lawyers who appear before them. According to the appeals court, the ethics opinion recognized that friending could undermine confidence in a judge's neutrality.
3rd Circuit: Covenant not to Sue is a License and therefore Not Dischargeable in Bankruptcy (Patently-O, 18 Jan 2013) - A recent Third Circuit decision focuses on the impact that a bankruptcy has on a patent license. In 2009, Spansion and Apple settled a patent dispute with Spansion agreeing to end its case at the ITC and to refrain from suing in district court. The agreement stated: "Provided that neither Spansion nor any successor in interest to any of the patents being asserted in the referenced ITC action do not bring an action of any nature asserting any such patent before any legal, judicial, arbitral, administrative, executive or other type of body or tribunal that has, or claims to have, authority to adjudicate such action in whole or in part against Apple or any Apple product, Apple agrees Spansion will not be disbarred as an Apple supplier as a result of the referenced ITC action." Later that year, Spansion filed for bankruptcy and the trustee moved to reject the settlement as an executory contract. The normal rule in bankruptcy (under 11 U.S.C. § 365(a)) is that the debtor (here Spansion) can unilaterally reject executory contracts if it so chooses. Any resulting contract damages will be unsecured debts that are unlikely to receive any payout. IP law has a special exception codified in 11 U.S.C. § 365(n). Under that rule, a licensee can elect to retain its license rights despite a debtor's rejection. On appeal, the question is whether the contract between Spansion and Apple is a license or instead merely a promise not to sue. The bankruptcy court initially held that Apple's § 365(n) election did not apply because the agreement was not a license. Reviewing that decision, the Delaware District Court found that the agreement was a license "because it was a promise not to sue." Now, the Third Circuit has affirmed the District Court with quotation from the Supreme Court's 1927 decision in De Forest Radio.
EFF Urges Court to Protect Transformative Uses and Permit News Search Engine (EFF, 18 Jan 2013) - The Electronic Frontier Foundation (EFF) urged a federal judge today to protect fair use of news coverage and reject the Associated Press' (AP's) dangerously narrow view of what is "transformative" in a copyright court battle over a news-tracking service. In Associated Press v. Meltwater, AP claims its copyrights are infringed when Meltwater, an electronic news clipping service, includes excerpts of AP stories in search results for its clients seeking reports of news coverage based on particular keywords. In its argument, AP asks the court to accept an extraordinarily narrow view of fair use - the doctrine that allows for the use of copyrighted material for purposes of commentary, criticism, or other transformative uses - by claiming that Meltwater's use of copyrighted excerpts cannot be "transformative" fair use unless they are also "expressive." In an amicus brief filed today, EFF argues that AP's theory would restrict the use and development of services that allow users to find, organize, and share public information. "There are lots of examples of important fair uses that wouldn't fit under AP's cramped definition of a 'transformative' use," said EFF Senior Staff Attorney Kurt Opsahl. "Time-shifting - like what you do when you record something on your DVR to watch later - isn't 'expressive,' but courts have found it a clear fair use. Because fair use plays such an essential role in facilitating online innovation and expression, we're asking the court to follow the law and reject this flawed theory from AP." For the full amicus brief: https://www.eff.org/document/amicus-brief-14
Red October Espionage Platform Unplugged Hours After Its Discovery (ArsTechnica, 18 Jan 2013) - Key parts of the infrastructure supporting an espionage campaign that targeted governments around the world reportedly have been shut down in the days since the five-year operation was exposed. The so-called Red October campaign came to light on Monday in a report from researchers from antivirus provider Kaspersky Lab. It reported that the then-ongoing operation was targeting embassies as well as governmental and scientific research organizations in a wide variety of countries. The research uncovered more than 60 Internet domain names used to run the sprawling command and control network that funneled malware and received stolen data to and from infected machines. In the hours following the report, many of those domains and servers began shutting down, according to an article posted Friday by Kaspersky news service Threatpost. "It's clear that the infrastructure is being shut down," Kaspersky Lab researcher Costin Raiu told the service. "Not only the registers killing the domains and the hosting providers killing the command-and-control servers but perhaps the attackers shutting down the whole operation." One of Red October's innovations is a command infrastructure that uses multiple layers of servers and domains that act as proxies to camouflage the core functions in the operation. Mashable reporter Lorenzo Franceschi-Bicchierai quoted Raiu as describing the design as an "onion with multiple skins" with a mothership at its center that collects all the stolen data. Raiu said most of the unplugged domains and disconnected servers seen so far represent first-level proxies. He speculated the operation may go dormant for a while and then come back using different servers or domains, or even different malware altogether. Raiu said the full extent of the infrastructure likely hasn't been uncovered yet. He estimated the campaign may use several dozen more servers.
If correct, the total number would rival the command infrastructure used by Flame, the state-sponsored malware campaign that targeted sensitive networks in Iran.
Law of Armed Conflict Applied to Autonomous Weapon Systems (Lawfare, 19 Jan 2013) - The American Society of International Law has released a new "ASIL Insight" on law applicable to autonomous weapon systems. (ASIL Insights are short, descriptive pieces on topical issues meant as non-technical "backgrounders" for journalists, the general public, and anyone looking for a quick path into an international law topic; they represent solely the author's views, but are written to give an understanding of the background legal issues.) "The Law That Applies to Autonomous Weapon Systems" is written by Jeffrey S. Thurnher, a JAG officer on faculty at the Naval War College; it is short, crisp, and a useful guide to understanding the legal issues raised by the possibility of increasingly automated weapon systems that might one day be fully autonomous. (Also recommended is Major Thurnher's more detailed October 2012 article in Joint Force Quarterly (National Defense University, Washington DC, Vol. 67, No. 4, Oct. 2012), "No One at the Controls: Legal Implications of Fully Autonomous Targeting.")
Even if It Enrages Your Boss, Social Net Speech Is Protected (NYT, 21 Jan 2013) - As Facebook and Twitter become as central to workplace conversation as the company cafeteria, federal regulators are ordering employers to scale back policies that limit what workers can say online. Employers often seek to discourage comments that paint them in a negative light. Don't discuss company matters publicly, a typical social media policy will say, and don't disparage managers, co-workers or the company itself. Violations can be a firing offense. But in a series of recent rulings and advisories, labor regulators have declared many such blanket restrictions illegal. The National Labor Relations Board says workers have a right to discuss work conditions freely and without fear of retribution, whether the discussion takes place at the office or on Facebook. In addition to ordering the reinstatement of various workers fired for their posts on social networks, the agency has pushed companies nationwide, including giants like General Motors, Target and Costco, to rewrite their social media rules. "Many view social media as the new water cooler," said Mark G. Pearce, the board's chairman, noting that federal law has long protected the right of employees to discuss work-related matters. "All we're doing is applying traditional rules to a new technology." The decisions come amid a broader debate over what constitutes appropriate discussion on Facebook and other social networks. Schools and universities are wrestling with online bullying and student disclosures about drug use. Governments worry about what police officers and teachers say and do online on their own time. Even corporate chieftains are finding that their online comments can run afoul of securities regulators. 
The labor board's rulings, which apply to virtually all private sector employers, generally tell companies that it is illegal to adopt broad social media policies - like bans on "disrespectful" comments or posts that criticize the employer - if those policies discourage workers from exercising their right to communicate with one another with the aim of improving wages, benefits or working conditions. But the agency has also found that it is permissible for employers to act against a lone worker ranting on the Internet. Several cases illustrate the differing standards. * * * As part of the labor board's stepped-up role, its general counsel has issued three reports concluding that many companies' social media policies illegally hinder workers' exercise of their rights. The general counsel's office gave high marks to Wal-Mart's social policy, which had been revised after consultations with the agency. It approved Wal-Mart's prohibition of "inappropriate postings that may include discriminatory remarks, harassment and threats of violence or similar inappropriate or unlawful conduct." But in assessing General Motors's policy, the office wrote, "We found unlawful the instruction that 'offensive, demeaning, abusive or inappropriate remarks are as out of place online as they are offline.' " It added, "This provision proscribes a broad spectrum of communications that would include protected criticisms of the employer's labor policies or treatment of employees." A G.M. official said the company has asked the board to reconsider. In a ruling last September, the board also rejected as overly broad Costco's blanket prohibition against employees' posting things that "damage the company" or "any person's reputation." Costco declined to comment.
Social Media Coverage of Conferences a Windfall for Legal Associations (Kevin O'Keefe, 22 Jan 2013) - Defense lawyers used to kid me that I would go to my state trial lawyer's association and the American Association of Trial Lawyers conferences to get religion. Their point being that I learned new ideas, networked with other plaintiff's trial lawyers and came back all enthused. I didn't disagree. Those conferences, and what I gained by attending them, were the single biggest reason I joined the associations and continued to pay the substantial dues and conference fees. I came back telling other lawyers about the conferences and what they could gain by becoming a member. Associations no longer have to rely on members like me spreading the word about their conferences and the benefits of membership. Social media has become a powerful medium to not only make conferences more meaningful to attendees, but to also broaden a conference's reach beyond the conference walls. Social media such as video, audio (soundcloud), blogging, Twitter, and Facebook engage an association's target audience in real time and in a very cost effective fashion. The outcome: membership retention; more attendees at upcoming conferences; and happy exhibitors and sponsors.
The HIPAA-HITECH Regulation, the Cloud, and Beyond (Daniel Solove, 23 Jan 2013) - The new HIPAA-HITECH regulation is here. Officially titled "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules," this new regulation modifies HIPAA in accordance with the changes mandated by the HITECH Act of 2009. After years of waiting and many false alarms that the regulation was going to be released imminently, prompting joking references to Samuel Beckett's play Waiting for Godot, HHS unleashed 563 pages upon the world. According to Office for Civil Rights (OCR) director Leon Rodriguez, the rule "marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented." I agree with his dramatic characterization of the regulation, for it makes some very big changes and very important ones too. The most important changes involve expanding HIPAA's scope of coverage, to regulate business associates (BAs) and subcontractors of BAs. The regulation applies the HIPAA Security Rule and parts of the Privacy Rule to BAs, which are now directly subject to HIPAA enforcement. Subcontractors of BAs are also deemed to be BAs, and there must be a business associate agreement (BAA) between a BA and a subcontractor. In this post, I will discuss these particular changes and their implications for a wide array of businesses and cloud computing in healthcare. Before I focus on the issue of scope, I want to point out some other key changes that the regulation makes. The regulation strengthens people's rights to receive electronic copies of their protected health information (PHI). The Breach Notification Rule is changed to presume that any impermissible access, use, or disclosure of PHI is a breach unless a covered entity or business associate can demonstrate a low probability PHI has been compromised. Instead of focusing on harm to the individual, the focus is on the likelihood PHI has been improperly accessed or exposed.
Decedent PHI is protected for 50 years after death. Previously, HIPAA protected PHI after death without any time limitation. For patients who pay for treatment out-of-pocket, patients have a right to restrict insurance companies from accessing the PHI. And as directed by the HITECH Act, the regulations provide for much stronger penalties for violations. There are many other changes too - I'm only hitting a few highlights. [Polley: Hogan Lovells also has a good analysis here.]
Lawyer Advertising and Marketing Ethics Today (Attorney At Work, 23 Jan 2013) - At the start of the new year, we asked Will Hornsby, Staff Counsel at the American Bar Association, what lawyers need to know about changes made in ethics rules regarding marketing in 2012 - and what to expect in 2013. The following feature article is excerpted from Attorney at Work's new e-guide, Really Good Marketing Ideas: How to (Really) Get More Clients This Year. The legal profession constantly struggles to set advertising policies that strike the balance between consumer protection and access to justice. What are the boundaries we impose on ourselves to make certain that people are not subject to over-reaching when lawyers are seeking clients, yet still enable people to get the information needed to make decisions about representation? We all agree on the objective, but we don't often agree on the means to get there. In the past year, rule-makers, committees drafting ethics opinions and disciplinary agencies have all weighed in, but frequently not with the same results. Here's an overview.
FFIEC Proposes Social Media Guidance (BankInfoSecurity, 24 Jan 2013) - The Federal Financial Institutions Examination Council has issued proposed risk management guidance for the use of social media. "Social Media: Consumer Compliance Risk Management Guidance," was posted on the Federal Register Jan. 23. It provides an overview of the impact social media sites have on compliance with consumer protection and other applicable laws, especially when interactions between institutions and consumers take place on social media sites such as Facebook and Twitter. George Tubin, a financial fraud and security expert at anti-malware vendor Trusteer, says the guidance will likely be welcomed by security and privacy officers, who have struggled to keep social media risks in check. "Employees could be using social media from different devices or from home at night," Tubin says. "If their accounts are taken over, then a criminal could be posting on that site, giving advice to steer customers to do something they shouldn't, or posting a link that leads them to a malicious site. There certainly are a lot risks banks need to think about when they start to use social media." The FFIEC will accept comments on the proposed guidance through March 25. It will publish a final version once it reviews comments received.
Yahoo, Like Google, Demands Warrants for User E-Mail (Wired, 25 Jan 2013) - Yahoo demands probable-cause, court-issued warrants to divulge the content of messages inside its popular consumer e-mail brands - Yahoo and Ymail, the web giant said Friday. The Sunnyvale, California-based internet concern's exclusive comments came two days after Google revealed to Wired that it demands probable-cause warrants to turn over consumer content stored in its popular Gmail and cloud-storage Google Drive services - despite the Electronic Communications Privacy Act not always requiring warrants. "Yes, we require a probable cause warrant for e-mail content," said Yahoo spokeswoman Lauren Armstrong, in an e-mail interview. "That is more than ECPA requires." The nation's other major consumer-facing e-mail provider - Microsoft - which markets the Hotmail and Outlook brands, declined comment for this story. In short, Yahoo and Google are granting their customers more privacy than the four corners of the ECPA. There's been a string of conflicting court opinions on whether warrants are required for data stored on third-party servers longer than 180 days. The Supreme Court has never ruled on the issue. Federal and state law enforcement officials are seemingly abiding by Yahoo's and Google's own rules to avoid a showdown before the Supreme Court. "No, we don't get any pushback from authorities," Armstrong said, adding that Yahoo began the practice in "early 2011." [Polley: Twitter also requires probable-cause warrants.]
Will Virginia Law Blogger's Challenge to Discipline Deprive Other Blogs of First Amendment Protection? (MyShingle.com, 28 Jan 2013) - In October 2011, I blogged about Virginia lawyer Horace Hunter's challenge to a disciplinary charge for failing to include a disclaimer on his blog stating that results in past cases handled by the firm (and reported on the blog) are unique to the facts and do not guarantee a similar outcome in other cases. Hunter refused, arguing that his blog constituted First Amendment protected speech and therefore, a disclaimer limiting his speech rights was unconstitutional. I felt compelled to support Hunter's fight, though I was skeptical: to me, his blog, which was nothing more than a cherry-picked newsfeed of his firm's highlights, seemed much more like advertising than protected speech. But I feared that if Hunter's blog was classified as advertising, the door would open to increased regulation even for legitimate, information-rich or opinion-based law blogs. Hunter won his case before a three-judge panel which overturned the Virginia disciplinary committee's ruling. Now, via Ben Glass and John Cord, I've learned that the case has made its way up to the Virginia Supreme Court. Hunter's failure to include the disclaimer is still at issue, but as Ben Glass notes in his summary, the Virginia regulators also seek sanction because Hunter's publication of case summaries revealed information embarrassing to his clients, without their consent. Hunter's brief argues that his blog was First Amendment protected speech. Trouble is, there's little that Hunter's lawyer could do to back up that claim. Hunter's so-called blog was basically a newsfeed (later supplemented with a few opinion pieces when the regulators came calling) of his victories; there's no opinion or in-depth analysis on the order of these criminal defense bloggers or even basic information or FAQs or how-tos to educate readers about their rights.
I fear that based on the record in the case, the Virginia Supreme Court will find, as a matter of law, that blogs are commercial speech (read advertising) or at best, a hybrid of protected and commercial speech, instead of being pure First Amendment content. I'm also fully not comfortable with lawyers posting about any matters - even those of public record - without client consent. I don't think that Hunter ought to be sanctioned (particularly when the prohibition is far from clear) or that writing about matters of public record ought to be a disciplinary offense. Rather, this is one of those types of matters where lawyers need to exert some self-control and keep in mind their obligation to protect client privacy.
Who Owns, Controls Social Media Activity? (TVNewsCheck, 29 Jan 2013) - Now that the use of social media is part of the TV newsroom norm, the industry is wrestling with the next wave of issues associated with the medium - hashing out matters ranging from who owns on-air personalities' Facebook accounts to delineating between professional and personal tweets. Individuals on all sides of the equation, from station group owners to newsroom staffers, are pushing to add more structure to the use of social media both on and off the job, primarily so the practice doesn't come back to bite them, industry watchers say. The lack of industrywide standards regulating social media practices also is starting to create unexpected problems, particularly for anchors and reporters who, to some degree, are winging it. Just last week, for example, Rachel Barnhart, a reporter at WHAM Rochester, N.Y. (DMA 79) who spent years building a robust Facebook following on a personally created page, publicly raised one such issue when she told fans that she would start using new social media accounts during work hours in keeping with new station owner Sinclair Broadcasting's policy of "owning" such accounts of its on-air personalities. "This raises a lot of questions for journalists about who owns your online presence and identity," Barnhart says. Barnhart says she understands Sinclair's rationale for requiring talent to have station-related social media accounts, as well as owning the content that's on them. (Sinclair's attorney was not available to discuss the matter.) But having invested countless hours in personal Facebook and Twitter accounts, which together have about 20,000 followers, Barnhart says she is concerned that stations will ultimately be able to "own" their talents' followers as well, much like a company owns a salesperson's rolodex. Barnhart says she could see the day when those sorts of questions will be hammered out in contract talks.
Audit Concerns Over Cybersecurity Threats (FT, 29 Jan 2013) - Company audit committee members are concerned about the quality of information that they receive on cybersecurity and believe risk management programmes need to become more "dynamic", according to a KPMG survey. The survey, based on the results of a survey of some 1,800 audit committee members in 21 countries undertaken by KPMG's Audit Committee Institute, asked whether they were satisfied with the quality of information they receive from their company on a range of issues. Only 26 per cent of respondents said they were fully satisfied with information on cybersecurity. In the UK, just one in five respondents said they were satisfied, compared to satisfaction levels of more than 70 per cent on legal and regulatory compliance issues. The results echo those of other studies that have suggested many companies and their boards remain complacent about cybersecurity or lack detailed understanding of the threats they face. It could also help fuel demands that cybersecurity risk assessment should be part of the formal audit procedure or addressed specifically in company annual reports. Nearly half of survey respondents said their company's risk management programme requires "substantial work", and only a third of UK-based audit committee members said they are fully satisfied that their company's risk management process is dynamic enough to cope with a rapidly changing environment including new technology and social media risks.
So, What is the Deal with Copyright and 3D Printing? (Public Knowledge, 30 Jan 2013) - Today Public Knowledge is happy to announce a new whitepaper: What's the Deal with Copyright and 3D Printing? This paper is something of a follow up to our previous 3D printing whitepaper It Will Be Awesome if They Don't Screw It Up: 3D Printing, Intellectual Property, and the Fight Over the Next Great Disruptive Technology. Unlike It Will Be Awesome, which focused on the broad connection between intellectual property law and 3D printing, What's the Deal? takes a deeper dive into the relationship between copyright and 3D printing. A lot has changed since we released It Will Be Awesome. News outlets have discovered 3D printing. Rightsholders are issuing takedown notices. And Congress has started to take a look. At the same time, a lot has stayed the same. People are continuing to innovate to make home 3D printers better. Creators are pushing the limits as they design even more intricate 3D printed objects. And we are beginning to see the beginnings of physical remix artists. But throughout this, people seem to keep coming back to copyright. As we note in the paper, part of this is a result of years of conditioning. Years of creating music, movies, and articles on computers have trained us all to automatically associate "digital" with "copyright," and "disruptive digital" with "potential copyright problem." But one of the gifts of 3D printing is that it brings digital into the physical world, where its connection to copyright is weaker. While this fraying may very well lead us to a new age of innovation, first we will need to retrain ourselves to stop assuming that everything is protected by copyright. Of course, the first step in understanding what is not protected by copyright is recognizing what is protected by copyright. What's the Deal? is designed to help mark those boundaries and draw focus to the hard - and easy - questions that the boundaries raise.
Like It Will Be Awesome, What's the Deal? is intended more as a conversation starter than a final word. Hopefully it will be a useful resource to the rapidly growing 3D printing community.
Publication Agreements (MLPB, 30 Jan 2013) - Harold Anthony Lloyd, Wake Forest University School of Law, has published Publish and Perish? Handling the Unreasonable Publication Agreement. Here is the abstract: "Using hypothetical publication agreement drafts, this article explores copyright, warranty, representation, indemnity and other traps awaiting unwary authors. Exploring legitimate concerns of both authors and publishers, this article outlines parameters of reasonable agreements." Article here.
How Secure Are Your Skype Calls? (RideTheLightning, 30 Jan 2013) - Lawyers, especially solo and small firm lawyers, have flocked to Skype as a great way to save money. But how secure are your Skype calls? The BBC recently reported that Reporters Without Borders, the Electronic Frontier Foundation and 43 other groups have signed a letter asking Microsoft (which owns Skype) to reveal details about what information is stored and government efforts to access it. Google and Twitter have been fairly transparent on this subject, but not Microsoft - which is considering the request. Skype last referenced privacy issues last July saying that calls between two parties did not flow through its datacenters meaning it would not have access to the video or audio. Those calls are also encrypted which would make it hard for anyone listening to make sense of the data. But Microsoft did say that group calls using more than two computers do pass through its servers (to aggregate the media streams) and that text-based messages were also stored on its computers for up to 30 days in order to make sure they were synchronized across users' devices. Based on what we KNOW today, most experts have signed off on one-to-one calls via Skype. But I would be wary of group calls - once data is stored on a company's servers, I am leery of statements about when it is removed (and whether it might be shared at the legal request of a government). Lawyers in particular should avoid group calls involving client information.
Standards for Technology-Enabled Learning (ITU, 30 Jan 2013) - Education is a prerequisite to using information and communication technologies (ICT) - and in return, these same technologies can facilitate learning processes, taking education beyond classrooms as we know them. A Technology Watch report "Standards for technology-enabled learning," published by ITU in September 2012, surveys emerging technologies, which, if applied in an educational context, will contribute to more efficient and more affordable education and training for all. For a number of years now, standardization bodies have been defining standards and guidelines for ICT-enhanced distance-learning. Their output is taken up in this report with a view to exploring and identifying new applications and directions for this work.
Whose Law Governs Communication Intercepts? (Steptoe, 31 Jan 2013) - The law governing the interception of customer or employee communications is only getting more muddled. Not only do different states have different laws, but courts are applying different tests to decide which state's law should apply when there's a conflict. A federal court in Arizona has ruled, in Xcentric Ventures, LLC v. Borodkin, that Arizona's wiretap law, not California's, governs a lawsuit brought by a California resident against an Arizona corporation that recorded his phone call without his consent. While California law prohibits such recordings unless all parties to the communication consent, Arizona courts have allowed interceptions where only one party consents. The ruling conflicts with an earlier decision by the California Supreme Court under similar facts, further clouding the legal picture for communications companies, websites, and employers that monitor consumer or employee communications or Internet activity.
CRS Report on Domestic Drones (Lawfare, 1 Feb 2013) - Over at Secrecy News, Steve Aftergood has posted a new Congressional Research Service report entitled, "Integration of Drones into Domestic Airspace: Selected Legal Issues." The summary of the report, by Alissa M. Dolan and Richard M. Thompson II, reads: "Under the FAA Modernization and Reform Act of 2012, P.L. 112-95, Congress has tasked the Federal Aviation Administration (FAA) with integrating unmanned aircraft systems (UASs), sometimes referred to as unmanned aerial vehicles (UAVs) or drones, into the national airspace system by September 2015. Although the text of this act places safety as a predominant concern, it fails to establish how the FAA should resolve significant, and up to this point, largely unanswered legal questions. For instance, several legal interests are implicated by drone flight over or near private property. Might such a flight constitute a trespass? A nuisance? If conducted by the government, a constitutional taking? In the past, the Latin maxim cujus est solum ejus est usque ad coelum (for whoever owns the soil owns to the heavens) was sufficient to resolve many of these types of questions, but the proliferation of air flight in the 20th century has made this proposition untenable. Instead, modern jurisprudence concerning air travel is significantly more nuanced, and often more confusing. Some courts have relied on the federal definition of "navigable airspace" to determine which flights could constitute a trespass. Others employ a nuisance theory to ask whether an overhead flight causes a substantial impairment of the use and enjoyment of one's property. Additionally, courts have struggled to determine when an overhead flight constitutes a government taking under the Fifth and Fourteenth Amendments."
It's Google, But is it Art? Museums Wonder Whether they Should Open their Galleries to Digitizing (ABA Journal, 1 Feb 2013) - Google's mission to digitize artwork from around the world is testing the bounds of copyright protection and the fairness of licensing contracts. Launched in February 2011, the Google Art Project provides access to more than 30,000 high-resolution images of paintings, sculptures and photographs from more than 180 museums and institutions in 40 countries, including the Metropolitan Museum of Art in New York City, the Uffizi Gallery in Florence, the de Young Museum in San Francisco and the Van Gogh Museum in Amsterdam. With the ability to zoom in to see precision details up close, the Google Art Project was designed to make artwork more widely available and to promote popular interest. But museums, while appreciating the attention, are wary about which art they share. And their lawyers are treading carefully. Troy Klyber, intellectual property manager at the Art Institute of Chicago, saw participating in the Google Art Project as a way to fulfill the museum's mission, which is to share its works with the public. But because ownership of an art object doesn't necessarily include ownership of the object's copyright, the Art Institute could only include works for which it had been assigned the copyright through gift or contract, or works by artists dead for more than 70 years. As a result, the Google Art Project features fewer examples of modern and contemporary art. Protecting the Art Institute's nonpermissioned works was labor-intensive, particularly when it came to the project's "museum view," in which cameras panned full galleries. In those cases, nonpermissioned artworks had to be blurred. "It was someone's job to go through and blur the other works from every angle. In all, we had more than 6,000 blurs," Klyber says. 
According to Adrienne Fields, associate counsel of the Artists Rights Society - which represents the IP rights of more than 50,000 artists and artists' estates, including those of Picasso, Matisse and Rothko - Google has also been unwilling to enter into a working agreement with the ARS on behalf of its members. Instead, Google has placed the administrative and financial burdens on individual museums, requiring them to obtain rights from the ARS.
Copyright for Librarians - the Essential Handbook (Berkman, 11 Jan 2013) - "Copyright for Librarians" (CFL) is an online open curriculum on copyright law that was developed jointly with Harvard's Berkman Center for Internet and Society. Re-designed as a brand new textbook, "Copyright for Librarians: the essential handbook" can be used as a stand-alone resource or as a companion to the online version which contains additional links and references for students who wish to pursue any topic in greater depth. Delve into copyright theory, understand the public domain or explore enforcement. With a new index and a handy Glossary, the Handbook is concise reading for librarians who want to hone their skills in 2013, and for anyone learning about or teaching copyright law in the information field. Free download here.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Court Rejects FCC Cable Ruling (CNET, 6 Oct 2003) -- A federal appeals court has rejected the Federal Communications Commission's opinion that cable broadband services should not be regulated like phone companies, according to a court filing released Monday. The 9th U.S. Circuit Court of Appeals said the FCC incorrectly ruled in March 2002 that cable broadband networks are an "information service" rather than a "telecommunications service." This is an important distinction because telecommunications services can be forced by governments to open their broadband lines to third parties. Information services, however, are not subject to regulations that force them to resell their lines to outsiders. In a statement released late Monday, FCC Chairman Michael Powell said he plans to appeal the ruling, adding that he was "disappointed" that the court stuck to its original opinion. He then tried to turn the court's ruling on its head. "Unfortunately, as noted by (9th Circuit) Judge O'Scannlain, the ruling 'effectively stops a vitally important policy debate in its tracks,' producing 'a strange result' which will throw a monkey wrench into the FCC's efforts to develop a vitally important national broadband policy," Powell said in his statement. It is unclear whether the court's ruling would add judicial pressure for cable companies to open their lines to third parties. Cable companies such as Comcast and Time Warner Cable currently run broadband services without needing to offer part of their network to third-party services. Decision at http://caselaw.findlaw.com/data2/circs/9th/0270518P.pdf
NSA Proposes Backdoor Detection Center (SecurityFocus, 8 August 2003) -- Declaring hidden malware to be "a growing threat," the National Security Agency's cybersecurity chief is calling on Congress to fund a new National Software Assurance Center dedicated to developing advanced techniques for detecting backdoors and logic bombs in large software applications. In prepared testimony before the House Select Committee on Homeland Security's cybersecurity subcommittee last month, NSA information assurance director Daniel Wolf bemoaned an absence of tools capable of scouring program source code and executables for evidence of tampering. "Beyond the matter of simply eliminating coding errors, this capability must find malicious software routines that are designed to morph and burrow into critical applications in an attempt to hide," said Wolf. The proposed solution: a federally funded think-tank that would include representatives from academia, industry, government, national laboratories and "the national security community," said Wolf, "all working together and sharing techniques." While accidental security holes dominate the work-a-day security world, government spooks periodically fret over more exotic danger of corrupt software engineers, saboteurs and spies slipping malicious code into commercial software applications used in critical infrastructures and sensitive governmental functions. In 1999, then-FBI cybercop Michael Vatis warned that cyberterrorists posing as law-abiding programmers could be planting logic bombs in U.S. software while performing Y2K remediation -- a theory that never panned out. More recently, U.S. programmers have raised similar security concerns over American companies outsourcing programming work to India, China and other countries. Cybersecurity thinkers express reserved support for Wolf's proposed national center. "It's not a bad idea," says John Pescatore, research director for Internet security at Gartner. 
"It would not take a lot of funding to do. I think the more complicated issue is what do they do with the information. Are they just providing it to the vendors of that software, do they make it public?"
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:firstname.lastname@example.org?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, email@example.com
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. McGuire Wood's Technology & Business Articles of Note
8. Steptoe & Johnson's E-Commerce Law Week
9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
10. The Benton Foundation's Communications Headlines
11. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.