Saturday, April 26, 2014

MIRLN --- 6-26 April 2014 (v17.06)

MIRLN --- 6-26 April 2014 (v17.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


NEWS | LOOKING BACK | NOTES

Update: Cybersecurity and internal control over financial reporting (Morgan Lewis, 31 March 2014) - We have two clarifications and two updates to our March 17 blog post, which noted that customer data is an asset that is covered by the definition of internal control over financial reporting (ICFR) in Rule 13a-15(f) under the Exchange Act. First, there are many forms of customer data, and not all of those are assets. Since neither Section 13(b)(2)(B)(iii) nor Rule 13a-15(f) of the Exchange Act defines "asset," however, it is possible that the term may include items that do not appear on a company's balance sheet. Therefore, we think that it is incumbent on companies to analyze the various forms of customer data to determine whether they are assets within the scope of ICFR. Second, just because a company concludes that controls over assets are necessary for purposes of ICFR does not mean that deficient controls could constitute a material weakness. A material weakness relates to controls necessary to the preparation of financial statements. Assets that are not on a company's balance sheet would not have controls that would affect the preparation of financial statements. The updates to our March 17 blog are that the SEC held a cybersecurity roundtable on March 26 and PCAOB Board Member Steven B. Harris gave a speech in which he discussed cybersecurity issues. The participants in the roundtable discussed cybersecurity and the issues and challenges it raises for market participants and public companies. For more information, please see our Securities LawFlash, which describes the roundtable and recommends various additional steps that companies should take to address the risks of cyber attacks. And, in Harris's March 20 speech, he indicated that he "support[s] the Board's focus on the role of the auditor with respect to cybersecurity and ha[s] suggested the Board consider forming an internal task force on the subject or issuing an audit alert related to cybersecurity risks and their potential impact on audits."

- and -

KKR adds cyber-risk score to its assessment of companies (Bloomberg, 11 April 2014) - How important is cybersecurity to investors? The private equity firm KKR (KKR) just provided its own answer to that, adding a cyber-risk score to its assessment of the companies in its portfolio. About a year ago, KKR officials decided they needed to find a way to understand the current state of security at the companies they were invested in, as Chief Information Officer Ed Brandman tells it. That goal might sound simple, but how to get there wasn't obvious for a diverse set of 90 companies across a range of industries and regions. KKR worked with BitSight Technologies to come up with what amounts to a credit score for cyber risk. BitSight, based in Cambridge, Mass., collects Internet traffic flowing to and from tens of thousands of companies. Its staff members analyze risky behavior, such as communications with spam networks or servers known to be controlled by hackers and cybercriminals, to come up with a score for cyber risk on a scale from 250 (worst) to 900 (best). Subscribers to the service use it to help assess the security at third parties with whom they may share sensitive data and to benchmark their own performance, says Stephen Boyer, chief technology officer at BitSight. BitSight did the same for 70 of KKR's private equity holdings - excluding some in the portfolio that KKR was about to sell or had just bought.

- and -

US SEC releases cyber security examination blueprint (Reuters, 16 April 2014) - U.S. securities regulators have unveiled a road map that lays out how they plan to make sure Wall Street firms are prepared to detect and prevent cyber security attacks. The nine-page document, posted April 15, contains examples of the questions Securities and Exchange Commission examiners might ask brokerages and asset managers during inspections. The document puts firms on alert to be prepared, for instance, to provide a comprehensive list of when they detected malware, suffered a "denial of service" attack or discovered a network breach since January 2013. The SEC also plans examinations of more than 50 firms that will focus on cyber security-specific issues. The document's release comes several months after Jane Jarcho, an associate director in the SEC's investment adviser examination program, announced in a speech the agency planned to scrutinize whether firms have policies to prevent cyber attacks. The SEC subsequently followed up with a March 26 roundtable where experts debated how public companies, brokerages, asset managers and exchanges can protect themselves from cyber threats, and what role the U.S. government should play to ensure such attacks are adequately disclosed. John Reed Stark, the SEC's former chief of Internet enforcement and now a managing director with digital risk management consultancy Stroz Friedberg, said the SEC's detailed list of questions is both unusual and "forward-thinking." "With the public disclosure of this questionnaire, the SEC is giving up the surprise of one aspect of their exam program and opting to provide to SEC-registered financial firms a rare chance to prepare," he said. [Polley: the SEC "National Exam Program" alert is here.]

Dutch government pays millions to extend Microsoft XP support (ZDNet, 7 April 2014) - The government of the Netherlands has struck a multimillion Euro deal with Microsoft to secure continued support for its Windows XP systems, according to a report published on 4 April in Dutch News. According to the report, the deal will provide support for between 34,000 and 40,000 Dutch national government civil servants still using Windows XP machines until next January, when all government PCs are scheduled to be migrated to a new system. Microsoft is ceasing all security updates and technical support for its Windows XP system on 8 April, leaving those still using the platform potentially exposed to security threats. The move by the Dutch government follows a similar deal the software giant struck with the United Kingdom government. It was announced last week that the UK government agreed to pay more than £5.6 million to Microsoft to continue its support for Windows XP by one year. [Polley: IRS also paying for support - see here.]

Hackers lurking in vents and soda machines (NYT, 7 April 2014) - Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business's vast computer network. Security experts summoned to fix the problem were not allowed to disclose the details of the breach, but the lesson from the incident was clear: Companies scrambling to seal up their systems from hackers and government snoops are having to look in the unlikeliest of places for vulnerabilities. Hackers in the recent Target payment card breach gained access to the retailer's records through its heating and cooling system. In other cases, hackers have used printers, thermostats and videoconferencing equipment. Companies have always needed to be diligent in keeping ahead of hackers - email and leaky employee devices are an old problem - but the situation has grown increasingly complex and urgent as countless third parties are granted remote access to corporate systems. This access comes through software controlling all kinds of services a company needs: heating, ventilation and air-conditioning; billing, expense and human-resources management systems; graphics and data analytics functions; health insurance providers; and even vending machines. Break into one system, and you have a chance to break into them all. Data on the percentage of cyberattacks that can be tied to a leaky third party is difficult to come by, in large part because victims' lawyers will find any reason not to disclose a breach. But a survey of more than 3,500 global I.T. and cybersecurity practitioners conducted by a security research firm, the Ponemon Institute, last year found that roughly a quarter - 23 percent - of breaches were attributable to third-party negligence. Security experts say that figure is low. Arabella Hallawell, vice president of strategy at Arbor Networks, a network security firm in Burlington, Mass., estimated that third-party suppliers were involved in some 70 percent of breaches her company reviewed.

Role reversal: CIO reports to CISO (Gov Info Security, 7 April 2014) - In many if not most enterprises, the chief information security officer reports to the chief information officer. After all, enterprises cannot function without IT, and security is a support function to safeguard data and systems. Or is it? Today, when cyberthreats are pervasive, should securing critical information assets be put above the operation and management of information technology? Booz Allen Hamilton, the business, military and government management consultancy, seems to think so. Its CIO reports to its CISO.

Wyndham decision affirms FTC jurisdiction and assertive role on "thorny" cyber and data security issues (Wiley Rein, 8 April 2014) - The Federal Trade Commission (FTC) has just won the first major round of its fight with Wyndham Hotels over data security. In FTC v. Wyndham Worldwide Corp., et al., No. 13-1887 (D.N.J.), the FTC's jurisdiction to punish companies for allegedly lax data security practices was challenged when Wyndham moved to dismiss the FTC's unfair and deceptive practices claims. On April 7, 2014, after briefing, oral argument, and several amicus submissions, federal judge Esther Salas rejected all of Wyndham's arguments and affirmed the FTC's jurisdiction. In doing so, she noted that the case highlights "a variety of thorny legal issues that Congress and the courts will continue to grapple with for the foreseeable future." The court affirmed the FTC's jurisdiction and its discretion to proceed by enforcement action, rejecting Wyndham's argument that the FTC's "'failure to publish any interpretive guidance whatsoever' violates fair notice principles and 'bedrock principles of administrative law'" (quoting briefing). The court found the unfairness proscriptions in Section 5 to be flexible and noted that the FTC had brought "unfairness actions in a variety of contexts without preexisting rules or regulations." In this sense, the Court found "inapposite" Wyndham's reference to evolving frameworks at the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) as examples of what the FTC should be expected to do. (See February 13, 2014 Client Alert.) The court analogized the FTC's enforcement action to case-by-case approaches used by the National Labor Relations Board (NLRB) and Occupational Safety and Health Administration (OSHA), despite Wyndham's argument that the "rapidly-evolving nature of data security" made those agencies' actions poor examples. The court also rejected the challenge to the deceptive practices claim, finding that the FTC had adequately pled it under whatever standard applied.

Article 29 WP Opinion on anonymisation (Opinion 05/2014, 10 April 2014) - (from Executive Summary): In this Opinion, the WP analyses the effectiveness and limits of existing anonymisation techniques against the EU legal background of data protection and provides recommendations to handle these techniques by taking account of the residual risk of identification inherent in each of them. The WP acknowledges the potential value of anonymisation in particular as a strategy to reap the benefits of 'open data' for individuals and society at large whilst mitigating the risks for the individuals concerned. However, case studies and research publications have shown how difficult it is to create a truly anonymous dataset whilst retaining as much of the underlying information as required for the task. In the light of Directive 95/46/EC and other relevant EU legal instruments, anonymisation results from processing personal data in order to irreversibly prevent identification. In doing so, several elements should be taken into account by data controllers, having regard to all the means "likely reasonably" to be used for identification (either by the controller or by any third party). * * *

When can you tweet a celebrity photo? (GigaOM, 10 April 2014) - Katherine Heigl, a former star on Grey's Anatomy, is not happy that New York drugstore chain Duane Reade tweeted a picture of her leaving its store. Now, she is suing the company for $6 million in damages, which Heigl says she will donate to a charity named for her late brother. The conflict, which raises interesting questions about endorsements in the age of social media, began after gossip site JustJared posted pictures of Heigl leaving a store with her mother, carrying shopping bags. Soon after, Duane Reade tweeted the photo along with a gleeful caption. Normally, celebrities can't do much about people taking their picture in a public place - it's just part and parcel of the whole rich and famous thing. And, indeed, Heigl's lawsuit, embedded below, suggests that JustJared had a right to post the photos since they were "news" (it's not clear why anyone going to the drugstore is ever "news" - but that's another story). According to Heigl, Duane Reade crossed the line by adding the captions. In her view, this was an unauthorized endorsement in violation of federal trademark rules and the personality rights laws of New York state. She appears to have a case in that celebrities have a right to control the way their images are used for endorsement. You can't, for instance, take a photo of Heigl walking by your donut shop and then use the snap to plaster billboards around the city that suggest she likes your donuts. The Duane Reade case is a little more nuanced, however, in that it involves Twitter which, by its nature, is often associated with fleeting news events. If JustJared had tweeted the original photo and Duane Reade had retweeted it with its own caption, the company would be in a stronger position to say it had a fair use right to share the photo. Instead, Duane Reade's behavior looks more like a calculated decision to use an unauthorized endorsement rather than any form of news reporting - a claim Heigl's lawyers make repeatedly in the complaint. (It's also not clear if the drugstore bought the rights for the photo from JustJared - if not, it could be facing a copyright case too.)

2 regulators issue guidelines on sharing cyber security information (NYT, 10 April 2014) - Sharing information between companies about threats to cybersecurity is not likely to raise antitrust concerns, the Justice Department and the Federal Trade Commission said Thursday. In a new policy document that describes their stance, the regulators outlined ways in which the sharing of cyber-threat information differs from the sharing of competitive information, such as pricing data and business plans. "Cyber threats are increasing in number and sophistication, and sharing information about these threats, such as incident reports, indicators and threat signatures, is something companies can do to protect their information systems," said Bill Baer, an assistant attorney general in charge of Justice's antitrust division. The regulators previously issued guidelines on the sharing of information about cyber threats in October 2000 in a business review letter to the Electric Power Research Institute. The regulators have relied on that opinion ever since, but only now turned it into a formal policy.

- and -

Cyber threat information and the antitrust canard (Joel Brenner on LawFare, 11 April 2014) - Those of us who tried to do big things in government have learned to be grateful for small things. Yesterday, the Justice Department's Antitrust Division and the Federal Trade Commission jointly declared, "they do not believe that antitrust is - or should be - a roadblock to legitimate cybersecurity information sharing." The business press immediately jumped on this as a giant step forward, removing a big impediment to the sharing of cyber threat information among private parties. In fact, when it comes to that kind of sharing, "antitrust" was always a red herring. Threat reports, indicators, malware signatures, and the like are highly technical and have nothing to do with prices, terms of sale, territories, or other price- and output-related subjects that can create antitrust concerns. The Antitrust Division reached this conclusion in a business review letter 14 years ago, and both agencies say that analysis then "remains very current" now. Any competent antitrust counsel has known this all along. Any counsel who worried about it could have sought a business review letter from the Division and would have received the same advice. So what explains the persistence of the antitrust roadblock to information sharing? Corporate counsel are an understandably conservative lot. In their release yesterday, the agencies noted that some companies "have been counseled that sharing of information among competitors may raise antitrust concerns." Insofar as it was true, that advice in these circumstances was beyond conservative. It was unsound.

FBI to have 52 million photos in its NGI face recognition database by next year (ArsTechnica, 14 April 2014) - New documents released by the FBI show that the Bureau is well on its way toward its goal of a fully operational face recognition database by this summer. The EFF received these records in response to our Freedom of Information Act lawsuit for information on Next Generation Identification (NGI) - the FBI's massive biometric database that may hold records on as much as one-third of the US population. The facial recognition component of this database poses real threats to privacy for all Americans. NGI builds on the FBI's legacy fingerprint database - which already contains well over 100 million individual records - and has been designed to include multiple forms of biometric data, including palm prints and iris scans in addition to fingerprints and face recognition data. NGI combines all these forms of data in each individual's file, linking them to personal and biographic data like name, home address, ID number, immigration status, age, race, etc. This immense database is shared with other federal agencies and with the approximately 18,000 tribal, state, and local law enforcement agencies across the United States. The records we received show that the face recognition component of NGI may include as many as 52 million face images by 2015. By 2012, NGI already contained 13.6 million images representing between 7 and 8 million individuals, and by the middle of 2013, the size of the database had increased to 16 million images. The new records reveal that the database will be capable of processing 55,000 direct photo enrollments daily and of conducting tens of thousands of searches every day. One of our biggest concerns about NGI has been the fact that it will include non-criminal as well as criminal face images. We now know that the FBI projects that by 2015, the database will include 4.3 million images taken for non-criminal purposes.

Botched e-discovery can be an ethics violation, proposed opinion says (ABA Journal, 14 April 2014) - A proposed ethics opinion says California's duty of competence requires lawyers to have a basic understanding of e-discovery issues and could require greater technical knowledge in certain cases. The proposed opinion (PDF) by the California State Bar's Standing Committee on Professional Responsibility and Conduct says lawyers without the necessary competence have three options. They can acquire sufficient skill, they can seek out technical consultants or competent counsel, or they can decline the representation. The committee is accepting comments on the proposed opinion through June 24. The proposed ethics opinion is based on a hypothetical situation in which a lawyer agrees to opposing counsel's search terms for a search of his client's database. The lawyer instructs his client to allow the opposing counsel's database search, wrongly assuming a clawback agreement would allow for recovery of anything inadvertently produced. After the search results are turned over to the opposing counsel without the lawyer's review, the lawyer learns the search produced privileged information and showed that his client had deleted some potentially relevant documents as part of a regular document retention policy. The lawyer in the hypothetical not only breached his duty of competence, he also breached a duty to maintain client confidences and to protect privileged information, the proposed opinion says. In addition, the proposed opinion says, the lawyer should have assisted the client in placing a litigation hold on potentially relevant documents as part of the ethical duty not to suppress evidence.

Public officials in a wired world: How much privacy should they get? (LA Times editorial, 15 April 2014) - New technology often challenges society's long-standing assumptions and standards, but sometimes courts - and others - lose sight of common sense as they grapple with the changes. That's the case in a recent decision of California's 6th Appellate District, which found that text messages and emails between public officials are beyond the reach of the Public Records Act if they are sent on private devices rather than ones owned by public agencies. The three-judge panel said that electronic communications between council members and the mayor of San Jose, even those regarding city business, should not be considered "public" records if they are not "used" or "retained" by the city government (the language cited comes from California's Public Records Act, written long before smartphones existed). Accordingly, the 6th Circuit overturned the decision of the trial court judge and ruled that the city need not turn over the communications to interested members of the public, even though both sides conceded that they involved official business. That decision hews to the narrow language of the act, but it distorts the act's larger purpose, which is to ensure that the public can scrutinize the actions of its employees when they are doing public work.

When 'liking' a brand online voids the right to sue (NYT, 16 April 2014) - Might downloading a 50-cent coupon for Cheerios cost you legal rights? General Mills, the maker of cereals like Cheerios and Chex as well as brands like Bisquick and Betty Crocker, has quietly added language to its website to alert consumers that they give up their right to sue the company if they download coupons, "join" it in online communities like Facebook, enter a company-sponsored sweepstakes or contest or interact with it in a variety of other ways. Instead, anyone who has received anything that could be construed as a benefit and who then has a dispute with the company over its products will have to use informal negotiation via email or go through arbitration to seek relief, according to the new terms posted on its site. In language added on Tuesday after The New York Times contacted it about the changes, General Mills seemed to go even further, suggesting that buying its products would bind consumers to those terms. "We've updated our privacy policy," the company wrote in a thin, gray bar across the top of its home page. "Please note we also have new legal terms which require all disputes related to the purchase or use of any General Mills product or service to be resolved through binding arbitration." The change in legal terms, which occurred shortly after a judge refused to dismiss a case brought against the company by consumers in California, made General Mills one of the first, if not the first, major food companies to seek to impose what legal experts call "forced arbitration" on consumers.

- oops -

General Mills reverses itself on consumers' right to sue (NYT, 20 April 2014) - General Mills, one of the country's largest food companies, on Saturday night announced in a stunning about-face that it was withdrawing its controversial plans to make consumers give up their right to sue it. In an email sent after 10 p.m. on Saturday, the company said that due to concerns that its plans to require consumers to agree to informal negotiation or arbitration had raised among the public, it was taking down the new terms it had posted on its website. "Because our terms and intentions were widely misunderstood, causing concerns among our consumers, we've decided to change them back to what they were," Mike Siemienas, a company spokesman, wrote in the email. "As a result, the recently updated legal terms are being removed from our websites, and we are announcing today that we have reverted back to our prior legal terms, which contain no mention of arbitration." [Polley: Seems like an idiotic first move, and a chaotic second move.]

Expanding your online pedagogy toolkit (InsideHigherEd, 22 April 2014) - Next-generation online learning differs from last-generation e-learning in six distinct ways. First, it is scalable. New instructional support models - including coaches and peer mentors - allow online courses that are not MOOCs to effectively reach many more students than in the past. Second, it is personalized. It offers multiple learning pathways tailored to student learning styles, needs, and interests. Just-in-time remediation and enrichment are embedded and content reflects students' learning goals. Third, it is outcomes-oriented. Mastery of explicit learning objectives, including content and skills, represents its aim. Fourth, it is data-driven. Learning analytics provide students, instructors, coaches, and advisers with dashboards that signal student progress and problems in real time. Fifth, it is social and interactive. Building on the notion of learning as a social process, next-generation online courses encourage student involvement in communities of practice and in personal learning networks, where they have opportunities to collaborate, test ideas, and motivate and assist one another. Sixth, and perhaps most importantly, it is activity-oriented. Next-generation online learning involves challenges, inquiry, and problem solving. Students, individually and in small groups, have opportunities to learn by doing. Depending on the nature of the course, they might engage in hypothesis formulation and testing, data analysis, or constructing and applying rubrics. Simulations, in particular, give students opportunities to mimic professional practice and exercise real-world skills. Here are a series of techniques that you might use to build essential student skills, promote social interaction, and encourage active learning in an online environment. * * *

Look what happened to Amazon's revenues when a sales tax was imposed (Business Insider, 22 April 2014) - Amazon's sales are taking a hit in states that have recently started making the company pay taxes. New research out of Ohio State University found that Amazon shoppers reduced their spending by 10% in states where the company has had to start charging sales tax. Purchases of more than $300 also fell by 24%, according to the study. But the study also revealed that the introduction of taxes led to a 61% increase in spending for expensive products on Amazon Marketplace. On Marketplace, merchants pay Amazon a fee to offer products through its website but do not have to collect taxes. Indirectly, Amazon still benefits, even if it's not selling its own products.

The art of hiring (Corporate Counsel, 23 April 2014) - How do law departments hire and train their new lawyers? We'd never really examined this issue, but conversations with top managers at several companies in recent years had piqued our interest. It seemed clear that some very successful departments had adopted very different approaches - yet each seemed to be yielding the desired results. So we asked the general counsel at International Business Machines Corporation, Google Inc. and Microsoft Corporation if we could interview some of the people involved in the process. We found one law department that focuses on developing global lawyers; another that hires lawyers for jobs that can change radically in just a few months; and a third that seems intent on preparing theirs for the long haul. [Polley: pretty interesting. I led the professional development process when in-house at Schlumberger; much in these reports resonates with me.]

Lost Warhol works uncovered from old Amiga floppy disks (ArsTechnica, 24 April 2014) - A collection of Warhol works was uncovered in March on a set of old Amiga floppy disks, according to a press release by the Studio for Creative Inquiry (via BoingBoing). The files were eased off of the disks with help from the Carnegie Mellon Computer Club, a collective that specializes in dealing with old computer hardware. The works were obtained from hardware that was sitting dormant in the Warhol Museum, including "two Amiga 1000 computers in pristine condition," an "early drawing tablet," and "a large collection of floppy diskettes comprised of mostly commercial software." The fact that the floppy disks contained commercial software as opposed to saved works initially disappointed the team. However, they soon discovered some original and signed works on a GRAPHICRAFT floppy after using a Kickstart ROM to boot the emulator. The images included drawings of flowers, a soup can, a self-portrait, and portraits of other individuals. "Much of the software of the era defaulted to (and in some cases only supported) saving files on the same disk as the software itself," the Carnegie Mellon Computer Club wrote in its technical report.

Lawyers can probe jurors on social media but can't connect with them there, ABA ethics opinion says (ABA Journal, 24 April 2014) - Lawyers who want to pick through troves of public information that jurors or potential jurors put on the Internet about themselves may do so, but they may not communicate directly with the jurors, such as asking to "friend" them on Facebook, according to a formal ethics opinion issued today by the ABA Standing Committee on Ethics and Professionalism. Formal Opinion 466 (PDF) mentions websites and examples of Internet-based electronic social media such as Facebook, MySpace, LinkedIn and Twitter, but notes that because their capabilities change so frequently, the opinion deals only generically with someone's control over access to their information on websites and ESM or their ability to know who has viewed what is publicly available. Formal opinions are based on the ABA's Model Rules of Professional Conduct, which have been adopted by all states except California. The rules are not binding but serve as models that can be adopted or modified. Formal Opinion 466 addresses three situations concerning lawyer review of the Internet footprints of jurors or potential jurors.

  • Looking at information available to everyone on a juror's social media accounts or website when the juror doesn't know it's being done. The opinion says the "mere act of observing" is not improper ex parte conduct, much as driving down a juror's street to get a sense of his or her environs isn't.
  • Asking a juror for access to his or her social media. The opinion says that is improper, much like stopping the car to ask the juror's permission to look inside the juror's house for a better view.
  • When a juror finds out, through a notification feature of the social media platform or website, that the lawyer reviewed publicly available information. The formal opinion says the social media provider, not the lawyer, is communicating with the juror, the same as if a neighbor saw the lawyer's car pass by and told the juror. On that last point, the formal opinion recommends that lawyers read social media platforms' terms of agreement for information about matters such as automatic subscriber notification features, and to be aware that this information changes frequently.

Oxford English Dictionary: killed and saved by the Internet (TechDirt, 25 April 2014) - The Oxford English Dictionary (OED) describes itself -- with somewhat un-British immodesty -- as "the definitive record of the English language." It's certainly big: The 20 volume Oxford English Dictionary is an unrivalled guide to the meaning, history, and pronunciation of over half a million words. The Dictionary traces the evolution of over 600,000 words from across the English-speaking world through 2.4 million quotations. This is all yours for a mere £750 (about $1250). But if you're keen to adorn your bookshelves with its hefty volumes, you'd better hurry: The Telegraph reports that this may be the last edition sold as physical books.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

CIOs and the law (CRM Daily, 12 Jan 2004) - The job of the CIO got tougher on July 30, 2002 -- the day the Sarbanes-Oxley Act was signed. The legislation requires significant changes to financial practices and corporate governance, and touches all corporate areas -- including technology. This new law calls CIOs, along with other top-level executives, to account. "The CIO has to sign off on issues they never had to in the past. For the first time ever, the CFO and CEO can look me in the eye and say, 'Guess what, you're on the hook with me.' That kind of gets your attention," John G. Bruno, CIO and senior vice president of business development, Symbol Technologies, told NewsFactor's CIO Today Magazine. While CIOs at a variety of Fortune 1000 companies told NewsFactor's CIO Today that Sarbanes-Oxley, along with other recent legislation, has sharpened their awareness of governance issues, it has not dramatically changed the way a CIO operates. The new laws mandate sound business practices that many CIOs already have been putting in place. But just the same, ensuring compliance has kept many CIOs -- and their staffs -- very busy.

TIVO watchers uneasy after post-super bowl reports (CNET, 5 Feb 2004) -- Janet Jackson's Super Bowl flash dance was shocking in more ways than one: Some TiVo users say the event brought home the realization that their beloved digital video recorders are watching them, too. On Monday, TiVo said the exposure of Jackson's breast during her halftime performance was the most-watched moment to date on its device, which, when combined with the TiVo subscription service, lets viewers pause and "rewind" live television broadcasts, among other features. TiVo said users had watched the skin-baring incident nearly three times more than any other moment during the Super Bowl broadcast, sparking headlines that dramatically publicized the power of the company's longstanding data-gathering practices. "It's just sort of creepy," longtime TiVo subscriber Sandra Munoz wrote in an e-mail to CNET News.com. A TiVo spokesman said the company operates well within established privacy standards. For years, TiVo has disclosed its data-gathering practices in user agreements, saying it strips out any information that could be traced back to an individual viewer.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, April 05, 2014

MIRLN --- 16 March – 5 April 2014 (v17.05)

MIRLN --- 16 March - 5 April 2014 (v17.05) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

NEWS | RESOURCES | LOOKING BACK | NOTES

SeyfarthLean consulting unveils Disclosure Dragon software to "jumpstart" crowdfunding offerings (Seyfarth, 25 Feb 2014) - SeyfarthLean Consulting LLC, a subsidiary of law firm Seyfarth Shaw LLP, announced today its Disclosure Dragon software, designed specifically for the crowdfunding industry. Disclosure Dragon is the first advanced document automation solution that helps companies and online portals efficiently and effectively prepare the necessary legal and financial disclosure to conduct crowdfunding offerings. For small businesses and early stage companies, Disclosure Dragon automates, expedites and standardizes the development of a private placement memorandum (PPM) (or other required disclosure documents depending on the type of offering) and supporting exhibits required to satisfy the U.S. Securities & Exchange Commission's regulations pursuant to the Jumpstart Our Business Startups (JOBS) Act of 2012. Traditionally handled by lawyers, consultants and other advisers, PPM development is typically an expensive and arduous process that proves insurmountable for many small companies. With its advanced user-populated engine, Disclosure Dragon's interactive and adaptive framework auto-generates a draft PPM at a fraction of the cost and time, guiding users step by step through a detailed series of questions related to their businesses. PPMs produced by Disclosure Dragon are expected to reduce the time and cost of preparing legal documentation by up to 80%. Importantly, further legal review will be required by the issuer's counsel to finalize the PPM and is not provided by Disclosure Dragon. Disclosure Dragon will debut on Poliwogg, the leading life sciences funding platform, which expects that many of its funding clients will be attracted to Disclosure Dragon's time and cost savings, as well as the standardization it provides. For these reasons, one such client, Insero Health, a clinical stage healthcare company developing novel therapeutics for the treatment of epilepsy, is already adopting Disclosure Dragon. This also marks one of the first collaborations between Poliwogg and the Epilepsy Foundation, which announced in January their partnership to encourage investment and support for new therapies to help people living with recurrent seizures.

A harvest of company details, all in one basket (NYT, 15 March 2014) - Trolling government records for juicy details about companies and their executives can be a ponderous task. I often find myself querying the websites of multiple federal agencies, each using its own particular terminology and data forms, just for a glimpse of one company's business. But a few new services aim to reduce that friction not just for reporters, but also for investors and companies that might use the information in making business decisions. One site, rankandfiled.com, is designed to make company filings with the Securities and Exchange Commission more intelligible. It also offers visitors an instant snapshot of industry relationships, in a multicolored "influence" graph that charts the various companies in which a business's officers and directors own shares. According to the site, pooh-bahs at Google, for example, have held shares in Apple, Netflix, LinkedIn, Zynga, Cisco, Amazon and Pixar. Another site, Enigma.io, has obtained, standardized and collated thousands of data sets - including information on companies' lobbying activities and their contributions to state election campaigns - made public by federal and state agencies. Starting this weekend, the public will be able to use it, at no charge, to seek information about a single company across dozens of government sources at once. Five years ago, to encourage research studies and app development, the Obama administration introduced data.gov, a site that catalogs data held by federal agencies. Last May, President Obama issued an executive order requiring agencies to make the information they generate available in computer-readable formats. Publishing and analytics start-ups are now tapping those resources to develop products for consumers and businesses. Among them, Enigma hopes to become what Mr. DaCosta describes as "a Google for public data." Ask Enigma for facts about Lockheed Martin, for example, and here are some of the disparate details that surface: Last year, this military contractor entered into agreements with the government worth about $40.7 billion. Another interesting tidbit about the company is that in 2013, Marillyn A. Hewson, the chief executive, visited the White House five times; on two of those occasions the "visitee" was "POTUS," meaning the president of the United States, the logs indicate. And company employees reported giving about $51,000 to the presidential campaign committees Obama for America and the Obama Victory Fund. Although these details may be unrelated, together they depict a politically influential and connected contractor. In fact, that kind of serendipitous information amalgam is one of Enigma's aims. Mr. DaCosta says he believes that "there's a huge amount you can learn about the world by putting these data sources in conversation with one another."

Can you sue a robot for defamation? (Ryan Calo at Forbes, 17 March 2014) - Life moves pretty fast. Especially for journalists. When an earthquake aftershock shakes America's second largest city, news outlets scramble to be the first to cover the story. Today the news itself made news when various outlets picked up on a curious byline over at the Los Angeles Times: "this post was created by an algorithm written by the author." The rise of algorithmically generated content is a great example of a growing reliance on "emergence." Steven Johnson in his book by this title sees the essence of emergence as the movement of low-level rules to tasks of apparently high sophistication. Johnson gives a number of examples, from insects to software programs. As I see it, the text of the earthquake story likewise "emerged" from a set of simple rules and inputs; the "author" in question at the Los Angeles Times, Ken Schwencke, did not simply write the story in advance and cut and paste it. I imagine Schwencke had a pretty good sense of what story the algorithm would come up with were there an earthquake. This is not always the case. Even simple algorithms can create wildly unforeseeable and unwanted results. Thus, for instance, a bidding war between two algorithms led to a $23.6 million book listing on Amazon. And who can forget the sudden "flash crash" of the market caused by high speed trading algorithms in 2010. I explore the challenges emergence can pose for law in my draft article Robotics and the New Cyberlaw. I hope you read it and let me know what you think. I'll give you one example: Imagine that Schwencke's algorithm covered arrests instead of earthquakes and his program "created" a story suggesting a politician had been arrested when in fact she had not been. Can the politician sue Schwencke for defamation? Recall that, in order to overcome the First Amendment, the politician would have to show "actual malice" on the part of the defendant. Which is missing. But, in that case, are we left with a victim with no perpetrator? If this seems far fetched, recall that Stephen Colbert's algorithm @RealHumanPraise, which combines the names of Fox News anchors and shows with movie reviews on Rotten Tomatoes, periodically refers to Sarah Palin as "a party girl for the ages" or has her "wandering the nighttime streets trying to find her lover." To the initiated, this is obviously satire. But one could readily imagine an autonomously generated statement that, were it said by a human, would be libel per se.

Support for Khan Academy's effectiveness in new study (InsideHigherEd, 17 March 2014) - A two-year-long study of Khan Academy's effect on K-12 students' math skills suggests the online lessons may help boost performance and confidence, even if the materials play only a supplemental role. The study , funded by the Bill & Melinda Gates Foundation and developed by SRI International, involved 2,000 students in grades 5 through 10 between 2011 and 2013. The students were scattered across nine different schools, all of which used the materials from Khan Academy to varying degrees. At the end of the study, 85 percent of teachers said they thought Khan Academy had a positive impact on students' learning. Among students, 71 percent said they liked the Khan Academy lessons, while 32 percent said they liked math more as a result of using the materials.

New French law authorizes the CNIL to conduct online inspections (Hunton & Williams, 18 March 2014) - On March 18, 2014, a new French consumer law (Law No. 2014-344) was published in the Journal Officiel de la République Française. The new law strengthens the investigative powers of the French Data Protection Authority (the "CNIL") by giving the CNIL the ability to conduct online inspections. Currently, the CNIL may conduct three types of investigations: (1) On-site inspections - the CNIL may visit a company's facilities and access anything that stores personal data (e.g., servers, computers, applications). On-site inspections currently represent the vast majority of the inspections conducted by the CNIL; (2) Document reviews - these inspections allow the CNIL to require an entity to disclose documents or files (upon written request); and (3) Hearings - the CNIL may summon representatives of organizations to appear for questioning and to provide other necessary information. Further to its new online inspection authority, now the CNIL also may identify violations of the French Data Protection Act through remote investigations. For example, this new investigative power will enable the CNIL to check whether online privacy notices comply with French data protection law, and to verify whether entities obtain users' prior consent before sending electronic marketing communications. The CNIL emphasized that the new online investigations will concern only publicly available data, and that the law does not give the CNIL the right to circumvent security measures to gain access to information systems.

When MOOC profs move (InsideHigherEd, 18 March 2014) - When faculty members move from one institution to the next, so do their courses, but after having spent hundreds of thousands of dollars to prepare those courses for a massive audience, are universities entitled to a share of the rights? The question has so far gone unanswered (though not undiscussed) even at some of the earliest entrants into the massive open online course market, including Harvard University and the Massachusetts Institute of Technology. Since MOOC providers have gotten out of the intellectual property rights debate by saying they will honor whatever policy their institutional partners have in place, it falls on the universities to settle the matter. Almost two years after Harvard and MIT jointly launched the MOOC provider edX, Sanjay E. Sarma, director of digital learning at MIT, said his institution has "figured it out." "Faculty have always had certain expectations and rights, and we want to respect them," Sarma said. "In other words, we don't want any new policy to change any rights they have right now." Instead, Sarma said, MIT will introduce an interpretation of its intellectual property policy -- which appears to support both the faculty members' and the institution's position -- in the coming months.

Los Angeles cops argue all cars in LA are under investigation (EFF, 19 March 2014) - Do you drive a car in the greater Los Angeles Metropolitan area? According to the L.A. Police Department and L.A. Sheriff's Department, your car is part of a vast criminal investigation. The agencies took a novel approach in the briefs they filed in EFF and the ACLU of Southern California's California Public Records Act lawsuit seeking a week's worth of Automatic License Plate Reader (ALPR) data. They have argued that "All [license plate] data is investigatory." The fact that it may never be associated with a specific crime doesn't matter.

Illinois Supreme Court strikes down broad ban on audiorecording conversations (Eugene Volokh, 20 March 2014) - Under Illinois law, any person who "knowingly and intentionally uses an eavesdropping device for the purpose of hearing or recording all or any part of any conversation" is committing a crime "unless he does so … with the consent of all of the parties to such conversation or electronic communication." This isn't limited to conversations that the parties reasonably intend to be private: "conversation" is defined as "any oral communication between 2 or more persons regardless of whether one or more of the parties intended their communication to be of a private nature under circumstances justifying that expectation." DeForest Clark was indicted for violating this law; here's how the ACLU of Illinois amicus brief describes the facts: [The] charges arose from a September 17, 2010 child support hearing before Judge Robert Janes in Kane County Circuit Court. Mr. Clark represented himself pro se at the hearing. The hearing was conducted in open court and no court reporter was present. Mr. Clark recorded the hearing in order to preserve a true and accurate record of public proceedings in which he was representing himself without the assistance of counsel and without the benefit of a court reporter. For the same reason, Mr. Clark also allegedly recorded a conversation between himself and opposing counsel, Colleen Thomas, prior to the hearing in a public hallway in the Kane County Judicial Center. Thursday, the Illinois Supreme Court held that the statute violates the First Amendment (People v. Clark (Ill. Mar. 20, 2014)).

Treasury Dept. issues license on exchange with Iran (InsideHigherEd, 21 March 2014) - The U.S. Department of Treasury on Thursday issued a general license allowing accredited U.S. universities to enter into academic exchange agreements with Iranian universities and permitting the export of some educational services, including university entrance examinations. The guidance also permits American universities and their contractors to enroll Iranian students in certain online undergraduate-level courses, including massive open online courses, or MOOCs. In January, Inside Higher Ed reported that the U.S. government had blocked access to the MOOC provider Coursera for individuals in Iran and other economically sanctioned nations.

Revelations of NSA spying cost US tech companies (NYT, 21 March 2014) - Microsoft has lost customers, including the government of Brazil. IBM is spending more than a billion dollars to build data centers overseas to reassure foreign customers that their information is safe from prying eyes in the United States government. And tech companies abroad, from Europe to South America, say they are gaining customers that are shunning United States providers, suspicious because of the revelations by Edward J. Snowden that tied these providers to the National Security Agency's vast surveillance program. Even as Washington grapples with the diplomatic and political fallout of Mr. Snowden's leaks, the more urgent issue, companies and analysts say, is economic. Tech executives, including Eric E. Schmidt of Google and Mark Zuckerberg of Facebook, are expected to raise the issue when they return to the White House on Friday for a meeting with President Obama. It is impossible to see now the full economic ramifications of the spying revelations - in part because most companies are locked in multiyear contracts - but the pieces are beginning to add up as businesses question the trustworthiness of American technology products. Despite the tech companies' assertions that they provide information on their customers only when required under law - and not knowingly through a back door - the perception that they enabled the spying program has lingered. "It's clear to every single tech company that this is affecting their bottom line," said Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, who predicted that the United States cloud computing industry could lose $35 billion by 2016. Forrester Research, a technology research firm, said the losses could be as high as $180 billion, or 25 percent of industry revenue, based on the size of the cloud computing, web hosting and outsourcing markets and the worst-case scenario for damages.

Law firm notifies employees after vendor's server accessed (Databreaches.net, 21 March 2014) - So here's another case where a vendor's database was accessed by someone who was able to acquire a client's login credentials. The international law firm of McKenna Long & Aldridge notified the Maryland Attorney General's Office on February 26 that 441 current and former employees' W-2 information and other information were involved: As a result of that investigation and further information provided by the vendor, it appears that some information related to current and former employees was accessed on November 28, 2013 (Thanksgiving Day), December 11, 2013, and December 12, 2013 and that such access was obtained through the malicious and unauthorized access to the user identification and password of an account administrator. MLA has since reset all passwords for each user and asked all users to establish a new password. We are also working with our vendor to ensure that this does not occur again. Regrettably, our investigation appears to show that your personal information was accessed without authorization during this incident, including Federal Wage and Tax Statement Form W-2 name, address, wages, taxes and Social Security number information; date of birth, age, gender, ethnicity; and Visa, Passport or Federal Form I 9 documents numbers.

The tepid NSA-American Bar Association "dialogue" around spying on lawyers (EFF, 21 March 2014) - It's another troubling example in a frustrating trend: despite repeated and pointed calls for answers, the NSA is still relying on word games and equivocation to avoid answering recent questions surrounding potential surveillance of privileged attorney-client communications. The New York Times reported in late February that an American law firm's privileged attorney-client communications were monitored by the Australian Signals Directorate and potentially shared with the NSA. A few weeks ago, we wrote about the legal community's response to this issue, highlighting a February 20 letter from the president of the American Bar Association (ABA), James Silkenat, to outgoing NSA director General Keith Alexander and NSA General Counsel Raj De. On March 10, General Alexander wrote back, but the NSA's letter can hardly be called a response. We hope that the conversation is not over, because experience has shown that when the NSA has the last word, civil liberties lose. The ABA has been deferential to the NSA's authority to conduct surveillance, and its letter requested only the information necessary to be able to effectively represent clients. Mr. Silkenat underscored that the ability to communicate without fear of surveillance is essential to the attorney-client relationship, and that without it our legal system cannot function. In order to help avoid this, he asked the NSA to "further clarify the principles and policies" regarding the NSA's handling of potentially privileged information. The NSA's response was underwhelming; of course they're collecting privileged communications but, trust them, they're not peeking (except when they need to). The entire legal community should view the NSA's response as an insult. 
When the ABA asked for clarification on what procedures are undertaken to uphold the attorney-client privilege, the NSA's answer was the following: Such steps could include requesting that certain collection or reporting be limited; that intelligence reports be written so as to prevent or limit the inclusion of privileged material and to exclude U.S. identities, and that dissemination of such reports be limited and subject to appropriate warnings or restrictions on their use. More disappointing than the NSA's letter, however, is the ABA's response. Mr. Silkenat released a paragraph-long response on March 11, in which he stated: The American Bar Association appreciates the NSA's expression of respect for the attorney-client privilege and looks forward to continuing a constructive dialogue with the NSA to ensure that American lawyers and their clients have confidence that their privileged communications are appropriately protected. The attorney-client privilege is fundamental to our system of justice and critical to the work of lawyers, who rely on the candor of their clients. The NSA's letter to the ABA was not an expression of respect, nor was it the beginning of a constructive dialogue. Instead, the ABA meekly accepted the NSA's nonchalant non-denial of unconstitutional behavior by that aggressively unconstitutional spy agency. Mr. Silkenat may look forward to continuing a constructive dialogue, but the rest of us are left asking, "What dialogue?" Will the ABA and Mr. Silkenat be content to quietly accept the NSA's assurances, or will the ABA make a follow-up statement that the NSA must provide more information?

- and -

Lawyer sues to learn whether the FBI accessed his law firm's computers (ABA Journal, 26 March 2014) - A Virginia lawyer wants to know whether the FBI obtained access to his law firm's computers as part of an investigation into his possession of three classified documents. Kel McClanahan filed a federal suit last Friday in Washington, D.C., seeking records under the Freedom of Information Act that would answer his questions, McClatchy News reports. McClanahan says his computer and email accounts developed technical problems shortly after he met with FBI agents who asked permission to search his office and to take possession of his computer. McClanahan refused, though he did agree to delete the documents in the presence of FBI officials. The FBI accepted the offer last year. At issue were three documents, the story says. Two were articles in a CIA in-house journal about another FOIA case McClanahan had filed against the CIA. McClanahan says the articles were faxed to him, and he contacted a Justice Department official involved in the case when he realized the articles were not public. The third document was an FBI account of an interview with an American citizen jailed in Yemen for alleged links to al-Qaida. McClanahan is handling FOIA litigation in that case, and he got the unredacted document, filed in a Yemeni court, from lawyers for the suspect in Yemen. McClanahan says he compared the unredacted document with a redacted version he received from the FBI, and he believes information was blacked out to hide FBI misconduct. McClanahan emailed a Justice Department lawyer to ask if he could use the unredacted version in court. "I don't have definitive proof that the FBI read my emails," McClanahan told McClatchy. "I have, however, a large stack of circumstantial evidence that they did, … specifically, unexplained problems with my email accounts only days before they showed up unannounced at my door to try to strong-arm me into giving them unrestricted access to my records. … It could be a huge coincidence … but it would be a huge coincidence."

US notified 3,000 companies in 2013 about cyberattacks (Washington Post, 24 March 2013) - Federal agents notified more than 3,000 U.S. companies last year that their computer systems had been hacked, White House officials have told industry executives, marking the first time the government has revealed how often it tipped off the private sector to cyberintrusions. The alerts went to firms large and small, from local banks to major defense contractors to national retailers such as Target, which suffered a breach last fall that led to the theft of tens of millions of Americans' credit card and personal data, according to government and industry officials. "Three thousand companies is astounding," said James A. Lewis, a senior fellow and cyberpolicy expert at the Center for Strategic and International Studies. "The problem is as big or bigger than we thought." The number reflects only a fraction of the true scale of cyberintrusions into the private sector by criminal groups and foreign governments and their proxies, particularly in China and Eastern Europe. The estimated cost to U.S. companies and consumers is up to $100 billion annually, analysts say. In most cases, the company had no idea it had been breached, officials say. According to Verizon, which compiles an annual data-breach survey, in seven out of 10 cases, companies learn from an external party - usually a government agency - that they've been victimized.

- and -

Law firms are pressed on security for data (NYT, 26 March 2014) - A growing number of big corporate clients are demanding that their law firms take more steps to guard against online intrusions that could compromise sensitive information as global concerns about hacker threats mount. Wall Street banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets either for their own use or sale to others, said people briefed on the matter who spoke on the condition of anonymity. Some financial institutions are asking law firms to fill out lengthy 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections. In some cases, banks and companies are threatening to withhold legal work from law firms that balk at the increased scrutiny or requesting that firms add insurance coverage for data breaches to their malpractice policies. The vulnerability of American law firms to online attacks is a particular concern to law enforcement agencies because the firms are a rich repository of corporate secrets, business strategies and intellectual property. One concern is the potential for hackers to access information about potential corporate deals before they get announced. Law enforcement has long worried that law firms are not doing enough to guard against intrusions by hackers. Despite the concern, it's hard to gauge just how vulnerable law firms are to attacks from hackers. There are few rules requiring firms to make public any breaches, and because the firms have little direct interaction with consumers, there is no need for them to publicly report a hacking incident the way a bank or a retailer would. In 2012, Mandiant, a security consulting firm, put out a report estimating that 80 percent of the 100 largest American law firms had some malicious computer breach in 2011. 
Actual reports of confidential information hacked from a law firm computer system and later winding up on some overseas server are rare, however. Representatives for several large law firms, all of whom declined to discuss the topic publicly, said privately that the threat assessments from the F.B.I. and consulting firms were overstated. The law firm representatives said hacker attacks were usually email "phishing" schemes seeking to access personal information or account passwords, the kind of intrusions that have become commonplace and are easily contained. But Vincent I. Polley, a lawyer and co-author of a recent book for the American Bar Association on cybersecurity, said many law firms were not even aware they had been hacked. He said a lot of law firm managers were in denial about the potential threat. "A lot of firms have been hacked, and like most entities that are hacked, they don't know that for some period of time," said Mr. Polley. "Sometimes, it may not be discovered for a minute or months and even years." [Polley: The referenced book is "The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals", available here.]

Cities reluctant to reveal whether they're using fake cell tower devices (ArsTechnica, 25 March 2014) - For some time now, the American Civil Liberties Union (ACLU) has been on a quest to better understand the use and legality of "stingrays." These devices, which are also known as international mobile subscriber identity (IMSI) catchers, or fake cell towers, can be used to track phones or, in some cases, intercept calls and text messages. The "Stingray" itself is a trademarked product manufactured by a Florida-based company, the Harris Corporation. (It has since come to be used as a generic term, like Xerox or Kleenex.) Harris is notoriously secretive about the capabilities of its devices and generally won't talk to the press about their capabilities or deployments. Earlier in March, the ACLU filed a motion for public access request, requesting documents and information related to stingray use by nearly 30 Florida police and sheriff's departments. Among the responses published for the first time on Tuesday was the curious reply from the city of Sunrise, Florida, a town of about 88,000 people, just northwest of Miami. Through its lawyers, Sunrise officially denied the request, noting that the city would neither confirm nor deny "whether any records responsive to the Request exist and, if any responsive records do exist, cannot and will not public disclose those records." (In a footnote, the lawyers also cited this Ars story from September 2013 detailing stingrays and other related surveillance devices.) The ACLU published its response to the city's denial on Tuesday. As the ACLU points out in a Tuesday blog post, the city of Sunrise has already published an invoice from Harris on its own website dated March 13, 2013, showing that the city paid over $65,000 for a stingray. That document clearly states, in all-caps on each page, that "disclosure of this document and the information it contains are strictly prohibited by Federal Law."

Target missed many warning signs leading to breach: US Senate report (Reuters, 25 March 2014) - Target Corp missed multiple opportunities to thwart the hackers responsible for the unprecedented holiday shopping season data breach, U.S. Senate staffers charged in a committee report released on Tuesday. There was no indication the No. 3 U.S. retailer responded to warnings that malware was being installed on Target's system. Other automated warnings the company ignored revealed how the attackers would carry data out of Target's network, according to the report. "This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach," according to the Commerce, Science and Transportation Committee report. The staff report, "A 'Kill Chain' Analysis of the 2013 Target Data Breach," looked at previously reported information and used an analytical tool called an "intrusion kill chain" framework, which is used widely in the information security field. The staff report said Target "failed to respond to multiple automated warnings from the company's anti-intrusion software" that 1) the attackers were installing malicious software and 2) they were planning escape routes for the information they planned to steal from the retailer's network. It also said Target gave access to its network to a third-party vendor that did not follow accepted information security practices. The report is here.

Cloud-based e-discovery can mean big savings for smaller firms (ABA Journal, 26 March 2014) - Smaller law firms may be able to save a significant amount of money by 'renting' e-discovery applications in the cloud rather than bringing a full-fledged hardware and software solution in-house. "Only a few years ago, e-discovery in the cloud wasn't even available," said Gareth Evans, an Irvine, Calif.-based partner at Gibson, Dunn & Crutcher, adding that these days, even the smallest law firms have a wide variety of e-discovery firms they can source. Evans spoke as part of a panel at LegalTech New York 2014 in February. Panelist Alan Winchester, a partner at the New York City firm Harris Beach, agreed: "For firms without robust IT departments, it grants them the experts to manage the technology operations and security." While renting e-discovery services a sliver at a time may cause some firms to worry about the security of their data offsite, the panelists advised that with a good contract, those concerns can be minimized. [Polley: Interesting story that sounds about right. This might just be a first step.]

Pitfalls and complications in running a new-media promotion (Information Law Group, 26 March 2014) - Administering a sweepstakes or contest online can be a great way to attract traffic and engage with consumers. Not surprisingly, many companies routinely utilize sweepstakes and contests (which are referenced collectively in this article as "promotions") as part of their overall online marketing push. Administering promotions, however, can get complicated when operating them on third-party platforms, such as social media sites. Many of you are no doubt familiar with the basic laws applicable to running an online promotion. This article does not discuss those laws, but rather describes some of the more detailed or latent issues and complications that need to be considered and addressed when running a promotion on certain social-media platforms. * * *

Ethics rulings tell lawyers to seek security when in the cloud (ABA Journal, 28 March 2014) - New ethics rules require lawyers to be technologically competent and aware of the ethical implications of cloud computing. But what exactly constitutes technological competence? And how far must a lawyer who stores data in the cloud go to protect client confidences from inadvertent or unauthorized access or disclosure? Those two questions were at the heart of an ABA Techshow presentation Thursday on "Ethics 20/20, Security and Cloud Computing." Co-presenters Catherine Sanders Reach, director of law practice management and technology for the Chicago Bar Association, and Kevin A. Thompson, who practices trademark, copyright and Internet law at the Chicago firm Davis McGrath, walked attendees through recent changes in the ethics rules and what state ethics authorities have had to say so far about lawyers' use of the cloud. To date, 18 states have weighed in with ethics opinions on the use of cloud computing by lawyers, either directly or indirectly, according to Reach. And all 18 have said it is OK, as long as the lawyer investigates the products and methods he or she uses and keeps up with any changes made by the provider. A list of those opinions, maintained by the ABA Legal Technology Resource Center, can be found at www.lawtechnology.org.

Death to "link rot": here's where the Internet goes to live forever (Fast Company, 28 March 2014) - The phrase "link rot" probably summons many images for you--none of them good. And while clicking on a dead link isn't quite as physically unpleasant as, say, touching a piece of slimy, disintegrating wood, bad links are weakening the web as surely as bad beams can compromise a building. When websites disappear or change, any piece of work--be it a blog post, book, or scholarly dissertation--that linked to those resources no longer makes quite as much sense. And some of these now-moldering links are structurally important to the fragile, enduring edifice of human knowledge: in fact, according to one recent study, half of the links in Supreme Court decisions either lead to pages with substantially altered content or no longer go anywhere at all. In the face of this decay, the authors of that paper, the legal scholars Jonathan Zittrain, Kendra Albert, and Lawrence Lessig, floated one possible fix: create "a caching solution" that would help worthy links last forever. Now, this idea is being put into practice by Perma.cc, a startup based out of the Harvard Law Library. Old-school institutions like law school libraries, it turns out, may be perfectly positioned to fight against the new-school problem of link rot. Libraries, after all, are "really good at archiving things," as Perma's lead developer, Matt Phillips, puts it. "We have quite a history of storing things safely that are important to people for a really long time," says Phillips, a member of Harvard's Library Innovation Lab. "It's a failure if we're not preserving what's being created online." To start with, Perma.cc's small team of developers, librarians, and lawyers has designed an archiving tool that's as easy to use as any link shortener. Stick in a link, and you'll get a new Perma-link--along with an archive of all the information on the page that link leads to.
Anyone can sign up as a user and create links with a shelf life of two years, with an option to renew. A select group of users, though, can "vest" links--committing Perma.cc to store their contents indefinitely. Since launching last fall, the project has grown rapidly, signing up a couple thousand users and recruiting 45 libraries and dozens of law journals as partners. But only a fourth of Perma.cc's users--472 "vesting members" and 113 "vesting managers," at current count--have the power to grant links immortality (or as close to it as Perma.cc can manage). "The problem is, in practice, it's a very serious commitment to say this will be kept forever," says Jack Cushman, who started contributing to Perma.cc as a volunteer, before joining formally as a Harvard Law School Library fellow. "It's not something that we can promise to everyone in the world to begin with."

Nature publishing group requires faculty authors to waive 'moral rights' (Chronicle of Higher Ed, 31 March 2014) - Faculty authors who contract to write for the publisher of Nature, Scientific American, and many other journals should know that they could be signing away more than just the economic rights to their work, according to the director of the Office of Copyright and Scholarly Communication at Duke University. Kevin Smith, the Duke official, said he stumbled across a clause in the Nature Publishing Group's license agreement last week that states that authors waive or agree not to assert "any and all moral rights they may now or in the future hold" related to their work. In the context of scholarly publishing, "moral rights" include the right of the author always to have his or her name associated with the work and the right to have the integrity of the work protected such that it is not changed in a way that could result in reputational harm. "In many countries, you can't waive them as an author," Mr. Smith said. "But in the Nature publishing agreement you are required to waive them, and if you are in a country where a waiver is not allowed, you have to assert in the contract you won't insist on those rights." Mr. Smith first questioned the details of the Nature Publishing Group's license agreement on his blog on Thursday. Calling the moral-rights stipulation "bizarre" and an attack "on core academic values," he wrote that in some countries authors are forbidden to waive those rights. "The United States is something of an outlier in that we do not have a formal recognition of moral rights in our copyright law, although we always assert that these values are protected by other laws," he wrote. His comments were part of a longer post noting that the powerful scholarly publisher has apparently begun enforcing at Duke a requirement that authors at institutions with open-access policies secure waivers exempting their work from those policies.

Back in business (InsideHigherEd, 1 April 2014) - Arizona covers less than 1 percent of the budget for the Maricopa Community College District. The 10-college system, which enrolls 265,000 students, now receives an annual state contribution of $8 million. One upside to Arizona's near-complete disinvestment in its community colleges, Maricopa's leaders say, is that the years of budget cuts have forced the two-year system to get more entrepreneurial. They are particularly excited about the money-making potential of the new Maricopa Corporate College, which landed Marriott International as a client in its first year of existence. One reason for the college's early success, said Rufus Glasper, the district's chancellor, is that corporate CEOs have picked up on a shift at Maricopa. "We're starting to market ourselves as a business," he said. Corporate colleges cater to the training needs of companies, including recent hires and workers who need to learn new skills. Programs are typically non-credit and customized based on the employer's needs. They can be online or in person, and taught either on a college campus or taken directly to a company. Some of the most common programs are in management training, English as a second language, information technology, advanced manufacturing and welding. The training centers can be lucrative, with companies typically footing the bill rather than students. As a result, the corporate-college field is getting more crowded. For-profit chains have long done job training. And Udacity, an online course provider, now wants to get in the game. Several community colleges also have a solid track record with corporate training. Experts said Cuyahoga Community College (Tri-C), located in Ohio, North Carolina's Central Piedmont College and the Lone Star College System in Texas are pioneers of corporate colleges.

Court rules that kids can be bound by Facebook's member agreement (Venkat Balasubramani, 4 April 2014) - The status of kids' ability to form contracts via online terms of service was somewhat uncertain over the last several years, with a few Facebook-related rulings raising questions. A group of minor plaintiffs who opted out of the Fraley v. Facebook Sponsored Stories settlement brought suit for violation of their publicity rights under an Illinois statute. A recent ruling shuts out their claims, and gives some clarity to the online contracting landscape for minors. The key question in front of Judge Seeborg was whether the contract at issue between minors and Facebook - essentially granting a publicity rights release - was one of the narrow types of contracts with minors that are void, or if the contract was merely voidable under California Family Code 6701, et seq. * * * With the caveat that this is just a district court ruling, and plaintiffs will continue to attack these terms in far-flung jurisdictions, this is a very helpful ruling for Facebook in that it removes some uncertainty as to a big category of potentially lucrative users: users who are old enough not to pose COPPA problems but who haven't yet reached the age of majority. Networks for the most part took a don't-ask/don't-tell type of approach with this group, but were hesitant to enter into deeper economic and legally uncertain relationships.

RESOURCES

Before rolling blackouts begin: briefing Boards on cyber attacks that target and degrade the Grid (by Roland Trope and Stephen Humes, in Wm Mitchell L.R.; April 2014) - "The Electric Power grid makes an attractive target because it is the foundational critical infrastructure that underlies all others. A successful attack on the power grid causing a wide-area long-term outage would have significant national security . . . consequences."

Governments and cloud computing: roles, approaches, and policy considerations (Harvard's Berkman Center, 17 March 2014) - Abstract: Governments from Bogota to Beijing are engaging with emerging cloud computing technologies and its industry in a variety of overlapping contexts. Based on a review of a representative number of advanced cloud computing strategies developed by governments from around the world, including the United States, United Kingdom, the European Union, and Japan, we observed that these governments - mostly implicitly - have taken on several different "roles" with respect to their approaches to cloud computing. In particular, we identify six distinguishable but overlapping roles assumed by governments: users, regulators, coordinators, promoters, researchers, and service providers. In this paper, we describe and discuss each of these roles in detail using examples from our review of cloud strategies, and share high-level observations about the roles as well as the contexts in which they arise. The paper concludes with a set of considerations for policymakers to take into account when developing approaches to the rapidly evolving cloud computing technologies and industry.

Cloud innovation and the law: issues, approaches, and interplay (Harvard's Berkman Center, 17 March 2014) - Abstract: We live in a quicksilver technological environment where one innovation in information and communication technology (ICT) follows the other. From a user's perspective, the speed of innovation in the Internet age becomes particularly visible when looking at ever-changing hardware devices that enable instant access to information, knowledge, and entertainment, or when navigating the rapidly evolving social media space where new platforms and powerful services emerge periodically, like Instagram, Pinterest, and Quora. Many of today's trends and developments in the ICT space are powered by a less visible and arguably more evolutionary innovation at the lower layers of the ICT infrastructure: cloud computing. It describes a multi-faceted technological phenomenon in which important aspects of computing (such as information processing, communication, networking, data acquisition, storage, and analysis) move from local systems to more efficient, outsourced systems where third parties provide aggregated computational resources and services on an as-needed basis from remote locations. Cloud computing is arguably responsible, at least in part, for the speed at which new social platforms are being developed and brought to market. This paper starts with a brief introduction to and framing of cloud computing as both a technological innovation and innovation-enabling technology - in short: cloud innovation. It then focuses on one particular aspect of the emerging cloud computing ecosystem by describing and discussing the legal and regulatory responses to cloud technology. It ends with general observations regarding the design of interfaces between cloud innovation as an example of an innovative and innovation-enabling technology and the legal and regulatory system. 
The paper builds upon and aims to synthesize previous contributions by the author and his collaborators on cloud law and policy issues on the one hand and pattern recognition in ICT regulation on the other hand. Against this backdrop, the paper seeks not only to distill and share insights about the interplay between cloud computing technology and the legal and regulatory system, but also contribute to a broader understanding of and emerging analytical framework for technology regulation in digitally networked environments.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

UN wants to slam spam (SiliconValley.com, 6 July 2004) -- The United Nations is aiming to bring a "modern day epidemic" of junk e-mail under control within two years by standardizing legislation to make it easier to prosecute offenders, a leading expert said Tuesday. "(We have) an epidemic on our hands that we need to learn how to control," Robert Horton, the acting chief of the Australian communications authority, told reporters. "International cooperation is the ultimate goal." The International Telecommunications Union is hosting a meeting on spam in Geneva this week that brings together regulators from 60 countries as well as various international organizations, including the Council of Europe and the World Trade Organization. The U.N. agency said it would put forward examples of anti-spam legislation which countries can adopt to make cross-border cooperation easier. Many states currently have no anti-spamming laws in place, making it difficult to prosecute the international phenomenon. Top priority is "pornographic material ... that may come to the attention of children," said Horton, who is running the meeting. "I think it's time we did something formally about this. We will have to come to some sort of general understanding." As much as 85 percent of all e-mail may be categorized as spam, the ITU said, compared to an estimated 35 percent just one year ago. The vast majority is generated by a few hundred people, but authorities are not able to prosecute many of them under current legislation. Spam and anti-spam protection cost computer users some $25 billion last year, according to the United Nations.

Google unveils service for academics (NewsFactor.com, 18 Nov 2004) -- Google has unveiled a new search service designed specifically for scientists and academic researchers. Currently in beta release, Google Scholar allows users to search specifically for scholarly literature, including peer-reviewed papers, books, technical reports, theses, abstracts and preprints. The resource spans a wide variety of academic disciplines, and includes a large number of professional societies and publishers, according to Google. The search tool also finds scholarly articles that are scattered across the Web. Unique to the Scholar service is a way to handle search of academic citations. The tool automatically analyzes and extracts citations and presents them as separate results, even if the documents they refer to are not online. This gives academics and researchers the ability to peruse citations of older articles that appear only in books or print-only publications. Because the site is in beta, it is likely that other additions and changes will be made as scholars use the service. Google has requested that users send in suggestions, questions and comments. In its information pages, Google notes that additions to its index will be forthcoming, and urges authors to contact their publishers and scholarly societies to expand the available content.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.