Saturday, April 26, 2014

MIRLN --- 6-26 April 2014 (v17.06)

MIRLN --- 6-26 April 2014 (v17.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



Update: Cybersecurity and internal control over financial reporting (Morgan Lewis, 31 March 2014) - We have two clarifications and two updates to our March 17 blog post , which noted that customer data is an asset that is covered by the definition of internal control over financial reporting (ICFR) in Rule 13a-15(f) under the Exchange Act. First, there are many forms of customer data, and not all of those are assets. Since neither Section 13(b)(2)(B)(iii) nor Rule 13a-15(f) of the Exchange Act defines "asset," however, it is possible that the term may include items that do not appear on a company's balance sheet. Therefore, we think that it is incumbent on companies to analyze the various forms of customer data to determine whether they are assets within the scope of ICFR. Second, just because a company concludes that controls over assets are necessary for purposes of ICFR does not mean that deficient controls could constitute a material weakness. A material weakness relates to controls necessary to the preparation of financial statements. Assets that are not on a company's balance sheet would not have controls that would affect the preparation of financial statements. The updates to our March 17 blog are that the SEC held a cybersecurity roundtable on March 26 and PCAOB Board Member Steven B. Harris gave a speech in which he discussed cybersecurity issues. The participants in the roundtable discussed cybersecurity and the issues and challenges it raises for market participants and public companies. For more information, please see our Securities LawFlash , which describes the roundtable and recommends various additional steps that companies should take to address the risks of cyber attacks. And, in Harris's March 20 speech, he indicated that he "support[s] the Board's focus on the role of the auditor with respect to cybersecurity and ha[s] suggested the Board consider forming an internal task force on the subject or issuing an audit alert related to cybersecurity risks and their potential impact on audits."

- and -

KKR adds cyber-risk score to its assessment of companies (Bloomberg, 11 April 2014) - How important is cybersecurity to investors? The private equity firm KKR (KKR) just provided its own answer to that, adding a cyber-risk score to its assessment of the companies in its portfolio. About a year ago, KKR officials decided they needed to find a way to understand the current state of security at the companies they were invested in, as Chief Information Office Ed Brandman tells it. That goal might sound simple, but how to get there wasn't obvious for a diverse set of 90 companies across a range of industries and regions. KKR worked with BitSight Technologies to come up with what amounts to a credit score for cyber risk. BitSight, based in Cambridge, Mass., collects Internet traffic flowing to and from tens of thousands of companies. Its staff members analyze risky behavior, such as communications with spam networks or servers known to be controlled by hackers and cybercriminals, to come up with a score for cyber risk on a scale from 250 (worst) to 900 (best). Subscribers to the service use it to help assess the security at third parties with whom they may share sensitive data and to benchmark their own performance, says Stephen Boyer, chief technology officer at BitSight. Bitsight did the same for 70 of KKR's private equity holdings-excluding some in the portfolio that KKR was about to sell or had just bought.

- and -

US SEC releases cyber security examination blueprint (Reuters, 16 April 2014) - U.S. securities regulators have unveiled a road map that lays out how they plan to make sure Wall Street firms are prepared to detect and prevent cyber security attacks. The nine-page document, posted April 15, contains examples of the questions Securities and Exchange Commission examiners might ask brokerages and asset managers during inspections. The document puts firms on alert to be prepared, for instance, to provide a comprehensive list of when they detected malware, suffered a "denial of service" attack or discovered a network breach since January 2013. The SEC also plans examinations of more than 50 firms that will focus on cyber security-specific issues. The document's release comes several months after Jane Jarcho, an associate director in the SEC's investment adviser examination program, announced in a speech the agency planned to scrutinize whether firms have policies to prevent cyber attacks. The SEC subsequently followed up with a March 26 roundtable where experts debated how public companies, brokerages, asset managers and exchanges can protect themselves from cyber threats, and what role the U.S. government should play to ensure such attacks are adequately disclosed. John Reed Stark, the SEC's former chief of Internet enforcement and now a managing director with digital risk management consultancy Stroz Friedberg, said the SEC's detailed list of questions is both unusual and "forward-thinking." "With the public disclosure of this questionnaire, the SEC is giving up the surprise of one aspect of their exam program and opting to provide to SEC-registered financial firms a rare chance to prepare," he said. [ Polley : the SEC "National Exam Program" alert is here .]

Dutch government pays millions to extend Microsoft XP support (ZDnet, 7 April 2014) - The government of the Netherlands has struck a multimillion Euro deal with Microsoft to secure continued support for its Windows XP systems, according to a report published on 4 April in Dutch News . According to the report, the deal will provide support for around 34,000 and 40,000 Dutch national government civil servants still using Windows XP machines until next January, when all government PCs are scheduled to be migrated to a new system. Microsoft is ceasing all security updates and technical support for its Windows XP system on 8 April, leaving those still using the platform potentially exposed to security threats. The move by the Dutch government follows a similar deal the software giant struck with the United Kingdom government. It was announced last week that the UK government agreed to pay more than £5.6 million to Microsoft to continue its support for Windows XP by one year. [ Polley : IRS also paying for support - see here .]

Hackers lurking in vents and soda machines (NYT, 7 April 2014) - Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business's vast computer network. Security experts summoned to fix the problem were not allowed to disclose the details of the breach, but the lesson from the incident was clear: Companies scrambling to seal up their systems from hackers and government snoops are having to look in the unlikeliest of places for vulnerabilities. Hackers in the recent Target payment card breach gained access to the retailer's records through its heating and cooling system. In other cases, hackers have used printers , thermostats and videoconferencing equipment. Companies have always needed to be diligent in keeping ahead of hackers - email and leaky employee devices are an old problem - but the situation has grown increasingly complex and urgent as countless third parties are granted remote access to corporate systems. This access comes through software controlling all kinds of services a company needs: heating, ventilation and air-conditioning; billing, expense and human-resources management systems; graphics and data analytics functions; health insurance providers; and even vending machines. Break into one system, and you have a chance to break into them all. Data on the percentage of cyberattacks that can be tied to a leaky third party is difficult to come by, in large part because victims' lawyers will find any reason not to disclose a breach. But a survey of more than 3,500 global I.T. and cybersecurity practitioners conducted by a security research firm, the Ponemon Institute, last year found that roughly a quarter - 23 percent - of breaches were attributable to third-party negligence. Security experts say that figure is low. Arabella Hallawell, vice president of strategy at Arbor Networks, a network security firm in Burlington, Mass., estimated that third-party suppliers were involved in some 70 percent of breaches her company reviewed.

Role reversal: CIO reports to CISO (Gov Info Security, 7 April 2014) - In many if not most enterprises, the chief information security officer reports to the chief information officer. After all, enterprises cannot function without IT, and security is a support function to safeguard data and systems. Or is it? Today, when cyberthreats are pervasive, should securing critical information assets be put above the operation and managing of information technology? Booz Allen Hamilton, the business, military and government management consultancy, seems to thinks so. Its CIO reports to its CISO.

Wyndham decision affirms FTC jurisdiction and assertive role on "thorny" cyber and data security issues (Wiley Rein, 8 April 2014) - The Federal Trade Commission (FTC) has just won the first major round of its fight with Wyndham Hotels over data security. In FTC v. Wyndham Worldwide Corp., et al., No. 13-1887 (D.N.J.), the FTC's jurisdiction to punish companies for allegedly lax data security practices was challenged when Wyndham moved to dismiss the FTC's unfair and deceptive practices claims. On April 7, 2014, after briefing, oral argument, and several amicus submissions, federal judge Esther Salas rejected all of Wyndham's arguments and affirmed the FTC's jurisdiction. In doing so, she noted that the case highlights "a variety of thorny legal issues that Congress and the courts will continue to grapple with for the foreseeable future." The court affirmed the FTC's jurisdiction and its discretion to proceed by enforcement action, rejecting Wyndham's argument that 'the FTC's "'failure to publish any interpretive guidance whatsoever' violates fair notice principles and "bedrock principles of administrative law.'" (quoting briefing). The court found the unfairness proscriptions in Section 5 to be flexible and noted that the FTC had brought "unfairness actions in a variety of contexts without preexisting rules or regulations." In this sense, the Court found "inapposite" Wyndham's reference to evolving frameworks at the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) as examples of what the FTC should be expected to do. (See February 13, 2014 Client Alert ). The court analogized the FTC's enforcement action to case-by-case approaches used by the National Labor Relations Board (NLRB) and Occupational Safety and Health Administration (OSHA), despite Wyndham's argument that the "rapidly-evolving nature of data security" made those agencies' actions poor examples. The court also rejected the challenge to the deceptive practices claim, finding that the FTC had adequately pled it under whatever standard applied.

Article 29 WP Opinion on anonymization (Opinion 05/2140, 10 April 2014) - (from Executive Summary): In this Opinion, the WP analyses the effectiveness and limits of existing anonymisation techniques against the EU legal background of data protection and provides recommendations to handle these techniques by taking account of the residual risk of identification inherent in each of them. The WP acknowledges the potential value of anonymisation in particular as a strategy to reap the benefits of 'open data' for individuals and society at large whilst mitigating the risks for the individuals concerned. However, case studies and research publications have shown how difficult it is to create a truly anonymous dataset whilst retaining as much of the underlying information as required for the task. In the light of Directive 95/46/EC and other relevant EU legal instruments, anonymisation results from processing personal data in order to irreversibly prevent identification. In doing so, several elements should be taken into account by data controllers, having regard to all the means "likely reasonably" to be used for identification (either by the controller or by any third party). * * *

When can you tweet a celebrity photo? (GigaOM, 10 April 2014) - Katherine Heigl, a former star on Grey's Anatomy , is not happy that New York drugstore chain Duane Reade tweeted a picture of her leaving its store. Now, she is suing the company for $6 million in damages, which Heigl says she will donate to a charity named for her late brother. The conflict, which raises interesting questions about endorsements in the age of social media, began after gossip site JustJared posted pictures of Heigl leaving a store with her mother, carrying shopping bags. Soon after, Duane Reade tweeted the photo along with a gleeful caption. Normally, celebrities can't do much about people taking their picture in public place - it's just part and parcel of the whole rich and famous thing. And, indeed, Heigl's lawsuit, embedded below, suggests that JustJared had a right to post the photos since they were "news" (it's not clear why anyone going to the drugstore is ever "news" - but that's another story.) According to Heigl, Duane Reade crossed the line by adding the captions. In her view, this was an unauthorized endorsement in violation of federal trademark rules and the personality rights laws of New York state. She appears to have a case in that celebrities have a right to control the way their images are used for endorsement. You can't, for instance, take a photo of Heigl walking by your donut shop and then use the snap to plaster billboards around the city that suggest she likes your donuts. The Duane Reade case is a little more nuanced, however, in that it involves Twitter which, by its nature, is often associated with fleeting news events. If JustJared had tweeted the original photo and Duane Reade has retweeted it with its own caption, the company would be in a stronger position to say it a fair use right to share the photo. Instead, Duane Reade's behavior looks more like a calculated decision to use an authorized endorsement rather than any form of news reporting - a claim Heigl's lawyers make repeatedly in the complaint. (It's also not clear if the drugstore bought the rights for the photo from JustJared - if not, it could be facing a copyright case too).

2 regulators issue guidelines on sharing cyber security information (NYT, 10 April 2014) - Sharing information between companies about threats to cybersecurity is not likely to raise antitrust concerns, the Justice Department and the Federal Trade Commission said Thursday. In a new policy document that describes their stance, the regulators outlined ways in which the sharing of cyber-threat information differs from the sharing of competitive information, such as pricing data and business plans. "Cyber threats are increasing in number and sophistication, and sharing information about these threats, such as incident reports, indicators and threat signatures, is something companies can do to protect their information systems," said Bill Baer, an assistant attorney general in charge of Justice's antitrust division. The regulators previously issued guidelines on the sharing of information about cyber threats in October 2000 in a business review letter to the Electric Power Research Institute. The regulators have relied on that opinion ever since, but only now turned it into a formal policy.

- and -

Cyber threat information and the antitrust canard (Joel Brenner on LawFare, 11 April 2014) - Those of us who tried to do big things in government have learned to be grateful for small things. Yesterday, the Justice Department's Antitrust Division and the Federal Trade Commission jointly declared, "they do not believe that antitrust is-or should be-a roadblock to legitimate cybersecurity information sharing." The business press immediately jumped on this as a giant step forward, removing a big impediment to the sharing of cyber threat information among private parties. In fact, when it comes to that kind of sharing, "antitrust" was always a red herring. Threat reports, indicators, malware signatures, and the like are highly technical and have nothing to do with prices, terms of sale, territories, or other price- and output-related subjects that can create antitrust concerns. The Antitrust Division reached this conclusion in a business review letter 14 years ago, and both agencies say that analysis then "remains very current" now. Any competent antitrust counsel has known this all along. Any counsel who worried about it could have sought a business review letter from the Division and would have received the same advice. So what explains the persistence of the antitrust roadblock to information sharing? Corporate counsel are an understandably conservative lot. In their release yesterday, the agencies noted that some companies "have been counseled that sharing of information among competitors may raise antitrust concerns." Insofar as it was true, that advice in these circumstances was beyond conservative. It was unsound.

FBI to have 52 million photos in its NGI face recognition database by next year (ArsTechnica, 14 April 2014) - New documents released by the FBI show that the Bureau is well on its way toward its goal of a fully operational face recognition database by this summer. The EFF received these records in response to our Freedom of Information Act lawsuit for information on Next Generation Identification (NGI) -the FBI's massive biometric database that may hold records on as much as one-third of the US population. The facial recognition component of this database poses real threats to privacy for all Americans. NGI builds on the FBI's legacy fingerprint database-which already contains well over 100 million individual records-and has been designed to include multiple forms of biometric data, including palm prints and iris scans in addition to fingerprints and face recognition data. NGI combines all these forms of data in each individual's file, linking them to personal and biographic data like name, home address, ID number, immigration status, age, race, etc. This immense database is shared with other federal agencies and with the approximately 18,000 tribal, state, and local law enforcement agencies across the United States. The records we received show that the face recognition component of NGI may include as many as 52 million face images by 2015. By 2012, NGI already contained 13.6 million images representing between 7 and 8 million individuals, and by the middle of 2013, the size of the database increased to 16 million images. The new records reveal that the database will be capable of processing 55,000 direct photo enrollments daily and of conducting tens of thousands of searches every day. One of our biggest concerns about NGI has been the fact that it will include non-criminal as well as criminal face images. We now know that FBI projects that by 2015, the database will include 4.3 million images taken for non-criminal purposes.

Botched e-discovery can be an ethics violation, proposed opinion says (ABA Journal, 14 April 2014) - A proposed ethics opinion says California's duty of competence requires lawyers to have a basic understanding of e-discovery issues and could require greater technical knowledge in certain cases. The proposed opinion (PDF) by the California State Bar's Standing Committee on Professional Responsibility and Conduct says lawyers without the necessary competence have three options. They can acquire sufficient skill, they can seek out technical consultants or competent counsel, or they can decline the representation. The committee is accepting comments on the proposed opinion through June 24. The proposed ethics opinion is based on a hypothetical situation in which a lawyer agrees to opposing counsel's search terms for a search of his client's database. The lawyer instructs his client to allow the opposing counsel's database search, wrongly assuming a clawback agreement would allow for recovery of anything inadvertently produced. After the search results are turned over to the opposing counsel without the lawyer's review, the lawyer learns the search produced privileged information and showed that his client had deleted some potentially relevant documents as part of a regular document retention policy. The lawyer in the hypothetical not only breached his duty of competence, he also breached a duty to maintain client confidences and to protect privileged information, the proposed opinion says. In addition, the proposed opinion says, the lawyer should have assisted the client in placing a litigation hold on potentially relevant documents as part of the ethical duty not to suppress evidence.

Public officials in a wired world: How much privacy should they get? (LA Times editorial, 15 April 2014) - New technology often challenges society's long-standing assumptions and standards, but sometimes courts - and others - lose sight of common sense as they grapple with the changes. That's the case in a recent decision of California's 6th Appellate District, which found that text messages and emails between public officials are beyond the reach of the Public Records Act if they are sent on private devices rather than ones owned by public agencies. The three-judge panel said that electronic communications between council members and the mayor of San Jose, even those regarding city business, should not be considered "public" records if they are not "used" or "retained" by the city government (the language cited comes from California's Public Records Act, written long before smartphones existed). Accordingly, the 6th Circuit overturned the decision of the trial court judge and ruled that the city need not turn over the communications to interested members of the public, even though both sides conceded that they involved official business. That decision hews to the narrow language of the act, but it distorts the act's larger purpose, which is to ensure that the public can scrutinize the actions of its employees when they are doing public work.

When 'liking' a brand online voids the right to sue (NYT, 16 April 2014) - Might downloading a 50-cent coupon for Cheerios cost you legal rights? General Mills, the maker of cereals like Cheerios and Chex as well as brands like Bisquick and Betty Crocker, has quietly added language to its website to alert consumers that they give up their right to sue the company if they download coupons, "join" it in online communities like Facebook, enter a company-sponsored sweepstakes or contest or interact with it in a variety of other ways. Instead, anyone who has received anything that could be construed as a benefit and who then has a dispute with the company over its products will have to use informal negotiation via email or go through arbitration to seek relief, according to the new terms posted on its site. In language added on Tuesday after The New York Times contacted it about the changes, General Mills seemed to go even further, suggesting that buying its products would bind consumers to those terms. "We've updated our privacy policy," the company wrote in a thin, gray bar across the top of its home page. "Please note we also have new legal terms which require all disputes related to the purchase or use of any General Mills product or service to be resolved through binding arbitration." The change in legal terms, which occurred shortly after a judge refused to dismiss a case brought against the company by consumers in California, made General Mills one of the first, if not the first, major food companies to seek to impose what legal experts call "forced arbitration" on consumers.

- oops -

General Mills reverses itself on consumers' right to sue (NYT, 20 April 2014) - General Mills, one of the country's largest food companies, on Saturday night announced in a stunning about-face that it was withdrawing its controversial plans to make consumers give up their right to sue it. In an email sent after 10 p.m. on Saturday, the company said that due to concerns that its plans to require consumers to agree to informal negotiation or arbitration had raised among the public, it was taking down the new terms it had posted on its website. "Because our terms and intentions were widely misunderstood, causing concerns among our consumers, we've decided to change them back to what they were," Mike Siemienas, a company spokesman, wrote in the email. "As a result, the recently updated legal terms are being removed from our websites, and we are announcing today that we have reverted back to our prior legal terms, which contain no mention of arbitration." [ Polley : Seems like an idiotic first move, and a chaotic second move.]

Expanding your online pedagogy toolkit (InsideHigherEd, 22 April 2014) - Next-generation online learning differs from last generation e-learning in six distinct ways. First , it is scalable. New instructional support models-including coaches and peer mentors- allow online courses that are not MOOCs to effectively reach many more students in the past. Second , it is personalized. It offers multiple learning pathways tailored to student learning styles, needs, and interests. Just-in-time remediation and enrichment are embedded and content reflects students' learning goals. Third , it is outcomes-oriented. Mastery of explicit learning objectives, including content and skills, represents its aim. Fourth , it is data-driven. Learning analytics provide students, instructors, coaches, and advisers with dashboards that signal student progress and problems in real time. Fifth , it is social and interactive. Building on the notion of learning as a social process, next-generation online courses encourage student involvement in communities of practice and in personal learning networks, where they have opportunities to collaborate, test ideas, and motivate and assist one another. Six[th] , and perhaps most importantly, it is activity oriented. Next-generation online learning involves challenges, inquiry, and problem solving. Students, individually and in small groups, have opportunities to learn by doing. Depending on the nature of the course, they might engage in hypothesis formulation and testing, data analysis, or constructing and applying rubrics. Simulations, in particular, give students opportunities to mimic professional practice and exercise real-world skills. Here are a series of techniques that you might use to build essential student skills, promote social interaction, and encourage active learning in an online environment * * *

Look what happened to Amazon's revenues when a sales tax was imposed (Business Insider, 22 April 2014) - Amazon's sales are taking a hit in states that have recently started making the company pay taxes. New research out of Ohio State University found that Amazon shoppers reduced their spending by 10% in states where the company has had to start charging sales tax. Purchases of more than $300 also fell by 24%, according to the study. But the study also revealed that the introduction of taxes led to a 61% increase in spending for expensive products on Amazon Marketplace. On Marketplace, merchants pay Amazon a fee to offer products through its website but do not have to collect taxes. Indirectly, Amazon still benefits, even if it's not selling its own products.

The art of hiring (Corporate Counsel, 23 April 2014) - How do law departments hire and train their new lawyers? We'd never really examined this issue, but conversations with top managers at several companies in recent years had piqued our interest. It seemed clear that some very successful departments had adopted very different approaches-yet each seemed to be yielding the desired results. So we asked the general counsel at International Business Machines Corporation, Google Inc. and Microsoft Corporation if we could interview some of the people involved in the process. We found one law department that focuses on developing global lawyers; another that hires lawyers for jobs that can change radically in just a few months; and a third that seems intent on preparing theirs for the long haul. [ Polley : pretty interesting. I led the professional development process when in-house at Schlumberger; much of these reports resonates with me.]

Lost Warhol works uncovered from old Amiga floppy disks (ArsTechnica, 24 April 2014) - A collection of Warhol works were uncovered in March on a set of old Amiga floppy disks, according to a press release by the Studio for Creative Inquiry (via BoingBoing ). The files were eased off of the disks with help from the Carnegie Mellon Computer Club, a collective that specializes in dealing with old computer hardware. The works were obtained from hardware that was sitting dormant in the Warhol Museum, including "two Amiga 1000 computers in pristine condition," an "early drawing tablet," and "a large collection of floppy diskettes comprised of mostly commercial software." The fact that the floppy disks contained commercial software as opposed to saved works initially disappointed the team. However, they soon discovered some original and signed works on a GRAPHICRAFT floppy after using a Kickstart ROM to boot the emulator. The images included drawings of flowers, a soup can, a self-portrait, and portraits of other individuals. "Much of the software of the era defaulted to (and in some cases only supported) saving files on the same disk as the software itself," the Carnegie Mellon Computer Club wrote in its technical report .

Lawyers can probe jurors on social media but can't connect with them there, ABA ethics opinion says (ABA Journal, 24 April 2014) - Lawyers who want to pick through troves of public information that jurors or potential jurors put on the Internet about themselves may do so, but they may not communicate directly with the jurors, such as asking to "friend" them on Facebook, according to a formal ethics opinion issued today by the ABA Standing Committee on Ethics and Professionalism. Formal Opinion 466 (PDF) mentions websites and examples of Internet-based electronic social media such as Facebook, MySpace, LinkedIn and Twitter, but notes that because their capabilities change so frequently, the opinion deals only generically with someone's control over access to their information on websites and ESM or their ability to know who has viewed what is publicly available. Formal opinions are based on the ABA's Model Rules of Professional Conduct, which have been adopted by all states except California. The rules are not binding but serve as models that can be adopted or modified. Formal Opinion 466 addresses three situations concerning lawyer review of the Internet footprints of jurors or potential jurors.

  • Looking at information available to everyone on a juror's social media accounts or website when the juror doesn't know it's being done. The opinion says the "mere act of observing" is not improper ex parte conduct, much as driving down a juror's street to get a sense of his or her environs isn't.
  • Asking a juror for access to the his or her social media. The opinion says that is improper, much like stopping the car to ask the juror's permission to look inside the juror's house for a better view.
  • When a juror finds out, through a notification feature of the social media platform or website, that the lawyer reviewed publicly available information. The formal opinion says the social media provider, not the lawyer, is communicating with the juror, the same as if a neighbor saw the lawyer's car pass by and told the juror. On that last point, the formal opinion recommends that lawyers read social media platforms' terms of agreement for information about matters such as automatic subscriber notification features, and to be aware that this information changes frequently.

Oxford English Dictionary: killed and saved by the Internet (TechDirt, 25 April 2014) - The Oxford English Dictionary (OED) describes itself -- with somewhat un-British immodesty -- as "the definitive record of the English language." It's certainly big: The 20 volume Oxford English Dictionary is an unrivalled guide to the meaning, history, and pronunciation of over half a million words. The Dictionary traces the evolution of over 600,000 words from across the English-speaking world through 2.4 million quotations. This is all yours for a mere £750 (about $1250). But if you're keen to adorn your bookshelves with its hefty volumes, you'd better hurry: The Telegraph reports that this may be the last edition sold as physical books .


(note: link-rot has affected about 50% of these original URLs)

CIOs and the law (CRM Daily, 12 Jan 2004) - The job of the CIO got tougher on July 30, 2002 -- the day the Sarbanes-Oxley Act was signed. The legislation requires significant changes to financial practices and corporate governance, and touches all corporate areas -- including technology. This new law calls CIOs, along with other top-level executives, to account. "The CIO has to sign off on issues they never had to in the past. For the first time ever, the CFO and CEO can look me in the eye and say, 'Guess what, you're on the hook with me.' That kind of gets your attention," John G. Bruno, CIO and senior vice president of business development, Symbol Technologies, told NewsFactor's CIO Today Magazine. While CIOs at a variety of Fortune 1000 companies told NewsFactor's CIO Today that Sarbanes-Oxley, along with and other recent legislation, has sharpened their awareness of governance issues, it has not dramatically changed the way a CIO operates. The new laws mandate sound business practices that many CIOs already have been putting in place. But just the same, ensuring compliance has kept many CIOs -- and their staffs -- very busy.

TIVO watchers uneasy after post-super bowl reports (CNET, 5 Feb 2004) -- Janet Jackson's Super Bowl flash dance was shocking in more ways than one: Some TiVo users say the event brought home the realization that their beloved digital video recorders are watching them, too. On Monday, TiVo said the exposure of Jackson's breast during her halftime performance was the most-watched moment to date on its device, which, when combined with the TiVo subscription service, lets viewers pause and "rewind" live television broadcasts, among other features. TiVo said users had watched the skin-baring incident nearly three times more than any other moment during the Super Bowl broadcast, sparking headlines that dramatically publicized the power of the company's longstanding data-gathering practices. "It's just sort of creepy," longtime TiVo subscriber Sandra Munozshe wrote in an e-mail to CNET A TiVo spokesman said the company operates well within established privacy standards. For years, TiVo has disclosed its data-gathering practices in user agreements, saying it strips out any information that could be traced back to an individual viewer.


MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at . Get supplemental information through Twitter: #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,

2. InsideHigherEd -

3. SANS Newsbites,

4. NewsScan and Innovation,

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram,

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog,

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

No comments: