- Agencies need to improve cyber incident response practices - GAO
- The SEC'S cybersecurity assessment: a roadmap for companies nationwide
- Discussion paper: Lawyers professional liability insurance versus cyber liability insurance
- Target, Gap, other retailers join to share cyberthreat data
- NLRB strikes down disclaimer language in social media policy
- You can learn a lot about America from each state's internet search history
- PTO: Business method patent in 100 days
- Car-hacking goes viral in London
- Schneier on hoarding v. patching vulnerabilities
- California urges websites to disclose online tracking
- US companies hacked by Chinese didn't tell investors
- Investors couldn't care less about data breaches
- Cybersecurity securities class actions are coming: predictions, analysis, and practical guidance
- Gates: French cyber spies stealing U.S. technology
- Disney decides to 'Let It Go' when it comes to copyright infringement
- The NYTimes innovation report and higher ed
- Laying out the role of the computer forensics neutral expert
- Advisory group opposes re-election of most of Target's board
- Target gives a defense of its efforts on security
- US companies seek cyber experts for top jobs, board seats
- Cybercrime is on the rise, survey says
- BYOD? No problem
- Disconnect? File-sharing security survey highlights
- Public.resource.org sued (again) for publication of a document incorporated into federal regulations
- Who owns the law? Technology reignites the war over just how public documents should be
- Quantifying privacy: A week of location data may be an 'unreasonable search'
- NSA collecting millions of faces from web images
- India's big brother project
- Who has your back? Protecting your data from government requests
- Here's the first US Ambassador to take the oath of office on an e-reader
- FCC comment page buckles to its knees after John Oliver asks everyone to comment
- DMLP announcement: A new report on media credentialing in the United States
Agencies need to improve cyber incident response practices - GAO (GAO, April 2014) - From the highlights of a newly released GAO report: Twenty-four major federal agencies did not consistently demonstrate that they are effectively responding to cyber incidents (a security breach of a computerized system and information). Based on a statistical sample of cyber incidents reported in fiscal year 2012, GAO projects that these agencies did not completely document actions taken in response to detected incidents in about 65 percent of cases (with 95 percent confidence that the estimate falls between 58 and 72 percent). For example, agencies identified the scope of an incident in the majority of cases, but frequently did not demonstrate that they had determined the impact of an incident. In addition, agencies did not consistently demonstrate how they had handled other key activities, such as whether preventive actions to prevent the reoccurrence of an incident were taken. Although all 6 selected agencies that GAO reviewed in depth had developed parts of policies, plans, and procedures to guide their incident response activities, their efforts were not comprehensive or fully consistent with federal requirements. In addition, the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) conduct CyberStat reviews, which are intended to help federal agencies improve their information security posture, but the reviews have not addressed agencies' cyber incident response practices. Without complete policies, plans, and procedures, along with appropriate oversight of response activities, agencies face reduced assurance that they can effectively respond to cyber incidents. * * * Although US-CERT receives feedback from agencies to improve its services, it has not yet developed performance measures for evaluating the effectiveness of the assistance it provides to agencies. 
Without results-oriented performance measures, US-CERT will face challenges in ensuring it is effectively assisting federal agencies with preparing for and responding to cyber incidents.
- and -
The SEC'S cybersecurity assessment: a roadmap for companies nationwide (Akin Gump, 14 May 2014) - The U.S. Securities & Exchange Commission (SEC) provided cybersecurity guidance to the securities industry in the form of a Risk Alert issued by the SEC's Office of Compliance Inspections and Examinations (OCIE) on April 15, 2014. The guidance, which is neither a rule nor a regulation, outlines a series of questions that the SEC is sending to approximately 50 registered broker-dealers and investment advisers. According to one SEC official, the OCIE decided to issue a Risk Alert and publish the questions in an attempt to encourage widespread diligence on cybersecurity. The Risk Alert notes that it "is intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms' level of preparedness, regardless of whether they are included in OCIE's examinations." Although the Risk Alert applies specifically to the securities industry, the questions will likely serve as a model for companies nationwide and provide a framework for discussing cybersecurity best practices.
Discussion paper: Lawyers professional liability insurance versus cyber liability insurance (Stuart Pattison, May 2014) - Over the last few years, law firms have been making significant investments in network hardware and software for the operation of their business, including the protection of client data. There is now also increased interest by law firms in purchasing Cyber Liability Insurance, primarily in response to increased scrutiny by clients as to what steps they are taking to improve security of data. In some cases, clients will even audit law firms to ensure compliance with their required standards. Buying Cyber Insurance can provide clients comfort that data security issues are being addressed since insurers have an interest in learning what steps are being taken to mitigate the risk for claims that could fall within the terms of the policy. In addition, Cyber Insurance provides a source of recovery in the event the client incurs financial loss due to a data breach emanating from the law firm. A second driver for these investments is reputational risk and the belief by law firms that loss of client confidence could have significant negative consequences. Of course, law firms have always had an ethical obligation to keep their clients' information confidential and secure; indeed it is the cornerstone of the attorney-client relationship and the advent of the internet has not changed those duties. What has changed is the ease by which large amounts of data can be stored, managed and transmitted, and the increased opportunities for third parties to steal information. [Polley: Interesting paper. Stuart has been involved in the evolution of cyberinsurance-for-lawyers from the very beginning.]
Target, Gap, other retailers join to share cyberthreat data (Computerworld, 15 May 2014) - Some of the biggest U.S. retailers have banded together to share information about cyberthreats, in a bid to avert breaches like that suffered by Target last holiday season. Target, The Gap, Walgreens and J.C. Penney are among the members of the group, which will share real-time threat information with each other and with the Department of Homeland Security, Secret Service, FBI and other "public and private stakeholders," they said Wednesday. They'll share information about new strains of malware, activity on underground forums and potential software vulnerabilities, which they said will be translated into "actionable intelligence." They'll also share anonymized information with the U.S. government. The goal of the organization, called the Retail Cyber Intelligence Sharing Center, or R-CISC, is to help the retailers get out in front of emerging threats. Education and training are part of the program, but the success of the effort hinges on the amount of information retailers can gather and their willingness to share it.
NLRB strikes down disclaimer language in social media policy (McLane, 19 May 2014) - An administrative law judge ("ALJ") writing on behalf of the National Labor Relations Board ("NLRB") reviewed the social media/online communications policy of The Kroger Co. of Michigan, a retail grocery chain, in the context of an unfair labor practices complaint. In the decision issued on April 22, 2014, the ALJ ruled that portions of Kroger's policy were unlawfully broad and in violation of Section 7 of the National Labor Relations Act. What was the offending language? "If you identify yourself as an associate of the Company and publish any work-related information online, you must use this disclaimer: 'The postings on this site are my own and do not necessarily represent the postings, strategies or opinions of The Kroger Co. family of stores.'" In striking down the disclaimer language the ALJ stated that "Given the breadth of online communications to which the rule applies, it would be extremely burdensome to have to post the disclaimer in each instance or on each new page, and this would have a reasonable tendency to chill Section 7 activity in this regard." The Decision itself is worth the read in that it gives startling insight into the reasoning of at least this one ALJ.
You can learn a lot about America from each state's internet search history (Estately.com, 19 May 2014) - America's fifty states have a lot in common, but if their internet search histories are any indication they also have significant differences. Estately ran hundreds of search queries through Google Trends to determine which words, terms, and questions each state was searching for more than any other. The results ranged from mildly amusing to completely disturbing. No doubt this information will come in handy for anyone trying to decide which state they want to buy a home in, especially for those curious how their potential neighbors spend their time online. The results on the map above are just the tip of the online search iceberg. Check out what other search queries each state performed more of than any other in the list below… [Polley: Spotted by MIRLN reader Elizabeth Polley = @ebpolley]
PTO: Business method patent in 100 days (Patently-O, 19 May 2014) - A couple of weeks ago, the USPTO issued U.S. Patent No. 8,712,797 to the drug-price-shopping company named GoodRX. The patent appears to be a typical business-method type invention based on the idea that automated internet communications can help solve consumer information problems. Here, the basics are to obtain a price list from two different pharmacy benefit managers and then display "at least a portion" of those prices through a user interface. What is unusual is that the patent issued only 98 days after its filing date. The notice-of-allowance was mailed 44 days after filing. (Note - this is not a continuation or divisional but it does claim priority to a provisional application.) The application included a track-one request ($2,000 for small entity) filed by Knobbe. This is an incredibly short timeline for issuing a broad business-method patent that is very likely invalid.
Car-hacking goes viral in London (Forbes, 20 May 2014) - The days when thieves used clothes hangers to break into cars may soon be a thing of the past. Nearly half the 89,000 vehicles broken into in London last year were hacked with electronic gadgets, according to London's Metropolitan Police. The hackers appear to be targeting higher-end cars, which commonly have more than 50 low-powered computers installed on board. "Car crime is no longer the preserve of the opportunist but a more targeted activity towards prestige brands which are stolen to order," said Andrew Smith, managing director at Cobra UK. Thieves are hacking into these on-board computers using cell-phone-sized electronic devices originally designed for locksmiths. One of the most prevalent of these devices can trick a car - "spoofing" - into thinking the owner's electronic key is present by using radio transmitters that intercept key signals. Another type of hacking device can gain access to a car's on-board diagnostic unit remotely, which allows thieves to program a blank key to control the engine control unit. The whole operation takes less than 10 seconds. The devices can apparently be purchased on the internet, primarily from websites located in Bulgaria, according to Sky News. Video tutorials for using the device are also available online.
Schneier on hoarding v. patching vulnerabilities (Jack Goldsmith in Lawfare, 20 May 2014) - Bruce Schneier has a very good piece on whether the USG should "stockpile Internet vulnerabilities or disclose and fix them." Part of his answer: If vulnerabilities are sparse, then it's obvious that every vulnerability we find and fix improves security. We render a vulnerability unusable, even if the Chinese government already knows about it. We make it impossible for criminals to find and use it. We improve the general security of our software, because we can find and fix most of the vulnerabilities. If vulnerabilities are plentiful - and this seems to be true - the ones the U.S. finds and the ones the Chinese find will largely be different. This means that patching the vulnerabilities we find won't make it appreciably harder for criminals to find the next one. We don't really improve general software security by disclosing and patching unknown vulnerabilities, because the percentage we find and fix is small compared to the total number that are out there. But while vulnerabilities are plentiful, they're not uniformly distributed. There are easier-to-find ones, and harder-to-find ones. Tools that automatically find and fix entire classes of vulnerabilities, and coding practices that eliminate many easy-to-find ones, greatly improve software security. And when one person finds a vulnerability, it is likely that another person soon will, or recently has, found the same vulnerability. Heartbleed, for example, remained undiscovered for two years, and then two independent researchers discovered it within two days of each other. This is why it is important for the government to err on the side of disclosing and fixing.
California urges websites to disclose online tracking (NYT, 21 May 2014) - Every major Internet browser has a feature that lets you tell a website that you don't want it to collect personal information about you when you visit. And virtually every website ignores those requests. Tracking your online activities - and using that data to tailor marketing pitches - is central to how Internet companies make money. Now California's attorney general, Kamala D. Harris, wants every site to tell you - in clear language - if and how it is respecting your privacy preferences. The guidelines, published on Wednesday, are intended to help companies comply with a new state privacy law that went into effect on Jan. 1. That law requires sites to prominently disclose all their privacy practices, including how they respond to "do not track" requests. The California guidelines for the Jan. 1 privacy law are voluntary. Other efforts to establish more binding privacy protections - either through federal or state laws or through industry self-regulation - have failed to win enough support to pass. Jeff Rabkin, special assistant attorney general on technology and privacy matters, said that Ms. Harris's office would review companies' privacy policies and work with them to make sure they followed the new law. Those who don't comply will receive 30-day warnings before facing potential litigation from the state.
US companies hacked by Chinese didn't tell investors (Bloomberg, 21 May 2014) - Three U.S. public companies identified as Chinese hacking victims didn't report the theft of trade secrets and other data to investors, despite rules designed to disclose significant events. Two of the companies -- aluminum maker Alcoa Inc. (AA) and metals supplier Allegheny Technologies Inc. (ATI) -- said the thefts weren't "material" to their businesses and therefore don't have to be disclosed under Securities and Exchange Commission rules designed to give investors information that may affect share prices. "The question is would an investor have cared if Chinese hackers broke into a company and were messing around the place?" Jacob Olcott, a principal focusing on cybersecurity at Good Harbor Security Risk Management LLC in Washington, said in a phone interview. "As an investor, show me the evidence that you reviewed this thoroughly." Scott Kimpel, a lawyer who previously worked on disclosure rules as a member of the SEC's executive staff, said there is "a gray area where a lot of the companies are not perfectly clear on what they should be disclosing." [Polley: In early 2011 at least one oilfield company also decided that a cyberattack wasn't "material" - see Exxon, Shell, BP Said to Have Been Hacked Through Chinese Internet Servers in MIRLN 14.03]
- and -
Investors couldn't care less about data breaches (Bloomberg, 23 May 2014) - On May 21, EBay revealed that it had suffered a cyber attack and data security breach, and users' information - names, account passwords, e-mail addresses, physical addresses, phone numbers, and birth dates - was exposed to hackers. While security experts, the news media, and actual EBay users may have all been alarmed, the stock investors weren't. EBay's stock finished trading virtually unchanged that day, dropping all of 8 pennies to $51.88. That's been the trend among companies that have suffered cyber attacks - the stock market practically ignores them. Consider Target and its own well-publicized data breach that happened back in December. Target's stock didn't really move at all. Investors sent a clear message they didn't care. The stock fell several weeks later, in January, only after the company cut its earnings forecast. Even so, the stock rebounded in the next six weeks. Target shares have been falling since last year, for a lot of reasons unrelated to the data breach. Poonam Goyal, an analyst for Bloomberg Industries, says: "There is softness in the industry. Lower-income customers are struggling, and you're seeing weakness with competitors like Wal-Mart and other department stores." She also points out that Target isn't the hot company it was a few years ago, as a lot of other companies have adjusted their tactics - focusing on price, rotating smart designers, and being a haven for treasure hunters. "Target was different before, but what about now?" In addition, its Canadian expansion "has a long, long way to go. They have issues in consumer perception there." Goyal's analysis suggests Target would have been under pressure - regardless of the data breach. Compare that with T.J.Maxx, which had a data breach affecting 94 million customers in 2007. Its stock similarly dropped about 12 percent in two months, only to completely recover a couple of months later.
In fact, that bottoming out turned out to be a great buying opportunity in the stock. There was no long-term damage to the company's fortunes - in the years following, share prices surged to five times the pre-breach levels. Another big company with a recent problem was JPMorgan Chase, which revealed in December that 465,000 customers were at risk of having their data compromised. Despite being such a large number in absolute terms, it only represented 2 percent of the 25 million who had that particular UCard product - barely enough to move the needle on the overall business or reputation of the bank. Not surprisingly, JPM stock was back to flat in two weeks. Adobe Systems announced a data breach in October that affected 38 million users - including 3 million encrypted customer credit card records. The stock kept moving like nothing happened. It was at $52 then, and now it's at $62. Punishment? No.
- contra view -
Cybersecurity securities class actions are coming: predictions, analysis, and practical guidance (Lane Powell, 20 May 2014) - Last fall, I wrote about board oversight of cybersecurity and derivative litigation in the wake of cybersecurity breaches. I plan to update my thoughts later this year, after we see developments in the recently filed Target and Wyndham derivative actions, and learn the results of the 2014 installment of Carnegie Mellon's bi-annual CyLab Governance of Enterprise Security Survey, which explores oversight of cybersecurity by boards of directors and senior management. In this post, I'd like to focus on cybersecurity disclosure and the inevitable advent of securities class actions following cybersecurity breaches. In all but one instance (Heartland Payment Systems), cybersecurity breaches, even the largest, have not caused a stock drop big enough to trigger a securities class action. But there appears to be a growing consensus that stock drops are inevitable when the market better understands cybersecurity threats, the cost of breaches, and the impact of threats and breaches on companies' business models. When the market is better able to analyze these matters, there will be stock drops. When there are stock drops, the plaintiffs' bar will be there. And when plaintiffs' lawyers arrive, what will they find? They will find companies grappling with cybersecurity disclosure. Understandably, most of the discussion about cybersecurity disclosure focuses on the SEC's October 13, 2011 "CF Disclosure Guidance: Topic No. 2" ("Guidance") and the notorious failure of companies to disclose much about cybersecurity, which has resulted in a call for further SEC action by Senator Rockefeller and follow-up by the SEC, including an SEC Cybersecurity Roundtable on March 24, 2014. But, as the SEC noted in the Guidance, and Chair White reiterated in October 2013, the Guidance does not define companies' disclosure obligations.
Instead, disclosure is governed by the general duty not to mislead, along with more specific disclosure obligations that apply to specific types of required disclosures. * * *
Gates: French cyber spies stealing U.S. technology (Politico, 22 May 2014) - Washington made clear this week that China is America's biggest cyber nemesis, at least in terms of the theft of U.S. intellectual property. So who's next? Not Russia, nor North Korea, according to former Defense Secretary Robert Gates. It's France - one of America's closest allies. "There are probably a dozen or 15 countries that steal our technology in this way," Gates said in an interview the Council on Foreign Relations posted online Thursday. "In terms of the most capable, next to the Chinese, are the French - and they've been doing it a long time." "For years," Gates said, "French intelligence services have been breaking into the hotel rooms of American businessmen and surreptitiously downloading their laptops, if they felt those laptops had technological information or competitive information that would be useful for French companies." But the U.S. government doesn't do that kind of thing, Gates said, although he acknowledged that "it's hard for people to believe this. You'll have to take my word for it. We are nearly alone in the world in not using our intelligence services for competitive advantage for our businesses."
Disney decides to 'Let It Go' when it comes to copyright infringement (InsideCounsel, 23 May 2014) - If you have kids - or a pair of ears, I suppose - you have likely heard the infectious song "Let It Go" from the mega-hit movie "Frozen." The animated movie, based on the Hans Christian Andersen tale "The Snow Queen," has won Academy Awards, raked in hundreds of billions of dollars worldwide, and sent toes-a-tappin' with an Oscar-winning song. These days, though, whenever something in popular culture is well known, it becomes fuel for the content creation fire. People from all over the world have taken copyrighted content from "Frozen," like the hit song, and posted images and videos that infringe on Disney's intellectual property. On YouTube, one can find versions of "Let It Go" that are sing-alongs, mashups, covers and parodies. Some of these videos have racked up millions of pageviews. So, why isn't the Mouse House apoplectic over the clear infringement of its intellectual property? There was a time when Disney's leadership viewed YouTube as an opportunity for fans to engage in mass piracy. Disney's own efforts to establish an online presence have been lukewarm until recently. In March of this year, it purchased Maker Studios, a company that produces YouTube videos, tapping into amateur creators to provide content. This acceptance of the popularity of fan-created content as a way to expand the brand and engage fans does not mean that Disney's position on copyright infringement has softened completely. The company has fought to extend the copyright of its most iconic creation, Mickey Mouse, lobbying Congress to extend the copyright protection period another 20 years.
The NYTimes innovation report and higher ed (InsideHigherEd, 26 May 2014) - Perhaps the most important document that we should read and discuss on campus says nothing at all about higher ed. It is the leaked 96 page New York Times Innovation report, called Strengthening Our Newsroom: Digital First, written by 10 Times employees. From what I can tell the Times has not published the report on its website, or released it in an easy to read e-book format. This is a shame, as the report demonstrates a company culture that is secure and resilient enough to critique its own organizational structure and honest enough to own up to some critical weaknesses and shortcomings. Releasing the report would have been the smartest thing to do in the face of the Jill Abramson firing and the leadership shuffle at the paper. The authors of the report argue that the Times is failing in its mission to serve its readers because it has not embraced the potential of digital platforms. That the print first culture and organizational structure at the Times has resulted in digital journalism being a "bolt on" to a paper driven organizational structure. That the world's best journalism is only one part of the equation, as journalism that does not reach a critical mass of citizens due to a failure to embrace digital platforms and to practice best digital practices will ultimately have little positive social impact. We can argue about both the diagnosis and the recommendations found in the Times Innovation Report.
Laying out the role of the computer forensics neutral expert (InsideCounsel, 27 May 2014) - When discovery in litigation involves the inspection of computer systems, setting out reasonable and effective protocols often involves a neutral expert in computer evidence. Working for the court, oftentimes at the direction of a special master, the neutral expert will engage with both parties, and often with computer forensics experts, to craft a reasonable inspection protocol. The challenge is to achieve consensus on the approach to preserving, performing analysis and review, and then producing relevant data. Protecting the producing party's privacy/privilege while identifying only data that is responsive to the inspection demand must be balanced with the requesting party's goal of finding all relevant evidence. Considering technology, discovery and forensic tools, and any agreements by the parties, the neutral expert must propose or assist with crafting an inspection protocol the parties to the litigation can agree to. Depending on the type of litigation, a company's most sensitive data may be at issue and subject to discovery. Adequate review is hindered if full access to the relevant sources of data is not provided. Establishing the provenance of important documents, examining versions of source code, recovering evidence of the use of external media or the transfer of proprietary data can only be accomplished through the proper preservation and analysis of the right data sources. Conference calls to meet and confer to identify relevant sources and confirm preservation are crucial early in the inspection process. The neutral expert can work with the party's IT administrators or consulting computer forensics expert(s) to map the sources of potentially relevant data. The potential evidence sought may inform what type of analysis is relevant. Some issues will involve common data sources, such as laptop and desktop user computers, email and shared network data. 
Other issues may require the examination of other sources of data, such as client relationship management (CRM) data or a source code revision control system. Whether the issue in the litigation involves allegations stemming from the use of a former employer's client list or the alleged theft of IP, the neutral expert may need to take into account these additional data sources and prepare a reasonable review protocol. In cases involving the review and production of sensitive data, the consulting and neutral experts sometimes need to come up with a more elaborate protocol to address all the parties' concerns. On a number of occasions, setting up a "clean room" with restricted access, no outside network connectivity and computer workstations for experts from both sides has been necessary. Protocols for the review and identification of relevant data are established. Procedures for turning over responsive data and the work product of subject matter experts are also spelled out. In these cases, the neutral expert will facilitate the work of other experts and the production of data among the parties.
Advisory group opposes re-election of most of Target's board (NYT, 28 May 2014) - An influential shareholder advisory group said that most of Target's board did not deserve to be re-elected, directly linking what it said was a lack of adequate oversight by the board to the extensive breach of customer data late last year. The move was unusual for the advisory group, Institutional Shareholder Services, which said that seven of Target's 10 board members deserved to be voted against. An I.S.S. spokesman said that so far this year, the firm has recommended shareholders vote against the majority of board members only 11 times - out of 421 companies it has assessed in the Standard & Poor's 500-stock index. In outlining its reasons this week for seeking to overturn much of the board's composition, I.S.S. said that members of the board's audit committee and corporate responsibility committees had failed to provide adequate risk oversight, and that changes the committees made since the breach were "largely reactionary in nature." "The data breach revealed that the company was inadequately prepared for the significant risks of doing business in today's electronic commerce environment," the I.S.S. report said. "It appears that failure of the committees to ensure appropriate management of these risks set the stage for the data breach, which has resulted in significant losses to the company and its shareholders." On Wednesday, Target called risk oversight "a full board responsibility," rather than the purview of just a few members. It also defended its data security standards before its system was breached - despite the fact that many experts have said the company failed to put in place certain important security measures, and even ignored the warnings of its own security system during the breach.
- and -
Target gives a defense of its efforts on security (NYT, 2 June 2014) - In advance of next week's annual shareholders' meeting, Target on Monday defended its management and oversight of customer data despite the extensive hacking it experienced last year. In a letter to shareholders filed with the Securities and Exchange Commission, Roxanne Austin, the interim chairwoman of Target's board, listed steps the company had taken toward increasing information security since the breach last year, and she described the security apparatus in place before the attack. "Breaches are occurring across the economy and are affecting a wide range of victims including the U.S. government, the technology and defense industries and more traditional companies, like retailers," the letter said. "Your board fully recognizes the importance of its oversight responsibilities in this area. Under the board's leadership and oversight, Target took significant action to address evolving cybercrime risks before the breach."
- and -
US companies seek cyber experts for top jobs, board seats (Reuters, 30 May 2014) - Some of the largest U.S. companies are looking to hire cybersecurity experts in newly elevated positions and bring technologists on to their boards, a sign that corporate America is increasingly worried about hacking threats. JPMorgan Chase & Co, PepsiCo Inc, Cardinal Health Inc, Deere & Co and The United Services Automobile Association (USAA) are among the Fortune 500 companies seeking chief information security officers (CISOs) and other security personnel to shore up their cyber defenses, according to people with knowledge of the matter. While a CISO typically reports to a company's chief information officer (CIO), some of the hiring discussions now involve giving them a direct line to the chief executive and the board, consultants and executives said. "The trend that we are seeing is that organizations are elevating the position of the CISO to be a peer of the CIO and having equal voice associated with resource priorities and risk decisions," said Barry Hensley, executive director at Dell SecureWorks' Counter Threat Unit. As companies look for CISOs, many boards are seeking directors with technology know-how so that they can better understand cyber risks. Matt Aiello, co-head of the cyber practice at Heidrick & Struggles, said he is seeing "unprecedented" demand for CIOs to serve on boards. "Boards don't feel they have the right expertise to draw upon. It is not that they don't understand it is a risk; they don't want to blunder uninformed into it," said David DiBari, managing partner at the law firm Clifford Chance in Washington.
Cybercrime is on the rise, survey says (LA Daily News, 28 May 2014) - The hackers are winning, according to a survey of 500 executives of U.S. businesses, law enforcement services and government agencies released Wednesday. The 12th annual survey of cybercrime trends found that online attackers determined to break into computers, steal information and interfere with business are more technologically advanced than those trying to stop them. The survey was co-sponsored by San Jose, California-based business consulting firm PwC, the U.S. Secret Service, the CERT Division of Carnegie Mellon University's Software Engineering Institute and CSO security news magazine. Three out of four respondents said they had detected a security breach in the past year, and the average number of security intrusions was 135 per organization, the survey found. "Despite substantial investments in cybersecurity technologies, cyber criminals continue to find ways to circumvent these technologies in order to obtain sensitive information that they can monetize," Ed Lowery, who heads the U.S. Secret Service's criminal investigative division, said in a written statement. Lowery said companies and the government need to take "a radically different approach to cybersecurity," which goes beyond antivirus software, training employees, working closely with contractors and setting up tighter processes. The top five cyberattack methods reported in the survey were malware, phishing, network interruption, spyware and denial-of-service attacks. And 28 percent of respondents said the attackers were insiders, either contractors or current and former employees or service providers, according to the survey.
BYOD? No problem. (InsideHigherEd, 29 May 2014) - Forget the device -- protect the data. That's the core of Temple University's new data policy, which some chief information officers are praising for emphasizing security in the bring-your-own-device era. "All members of the University community have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored or used by the University, irrespective of the medium on which the data resides and regardless of format (e.g., in electronic, paper or other physical form)," the policy, enacted this January, reads. At Temple, IT officers are less concerned with protecting the myriad devices on campus than the data they access. The policy splits data into three categories -- unrestricted, sensitive and confidential, designated by green, yellow and red lights -- and creates a set of protocols to ensure the information is accessed responsibly based on its classification. Larry Brandolph, chief information security officer and an associate vice president at Temple, said the policy change was brought on by a rush of faculty members, researchers and staffers asking which cloud services they could use for which purposes. "We started looking at this saying, 'Where should people really be allowed to store data?'" Brandolph said. "Then it became more of a conversation not about where to store data, but what type of data we can store where."
Disconnect? File-sharing security survey highlights (Attorney at Work, 29 May 2014) - It's no surprise that small firms are the most vulnerable when it comes to online risk. Less time, less money and less staff to keep abreast of threats. What's surprising, though, is how little law firms do to protect clients' privileged information when collaborating electronically. Recently released results from the LexisNexis Law Firm File Sharing in 2014 survey show that despite a growing awareness of new collaboration tools - along with the dangers of compromising client data - there is a real "disconnect" between security fears and the measures law firms actually take to secure confidential information. The smaller the firm, the more vulnerable - or lax. "Law firms are caught in a bit of a bind because their clients demand a simple way to collaborate, but the risks, as this survey found, are exceptionally high," says Christopher T. Anderson, Sr. Product Manager with LexisNexis.
Public.resource.org sued (again) for publication of a document incorporated into federal regulations (TechDirt, 29 May 2014) - Carl Malamud's project -- the freeing of laws, codes and regulations via Public Resource -- has seen him and his site sued multiple times for copyright infringement. This includes lawsuits brought by state governments who somehow believe state laws can't be distributed without their permission. Other entities, like air conditioning contractors and sheet metal manufacturers, have also gone to court to defend their "right" to keep rules and regulations that impact millions of Americans safely locked up behind high-priced paywalls. Malamud's response has been to point out that a) state laws shouldn't be locked up, even the annotated versions stocked by LexisNexis, and b) federally mandated standards that apply to contractors shouldn't be either, even if those creating the documents are commercial enterprises. In the latter case, federal mandates make these documents of public interest, seeing as they apply to millions of Americans, even if somewhat more indirectly. Now, Malamud is being sued by the three organizations (two of which are nonprofits) behind the "Standards for Educational and Psychological Testing." Here's what these standards are designed to do, according to the filing: The Standards are designed to apply to professional test developers, sponsors, publishers, and users by providing criteria for the evaluation of tests, testing practices, and the effects of test use. The Standards have been used to develop testing guidelines for such activities as college admissions, personnel selection, test translations, test user qualifications, and computer-based testing.
- and -
Who owns the law? Technology reignites the war over just how public documents should be (ABA Journal, 1 June 2014) - These days the smallest and most exclusive piece of real estate in Washington, D.C., is the sliver of common ground that exists between congressional Democrats and Republicans. But during a January hearing before the U.S. House of Representatives Judiciary Committee on the scope of copyright protection laws, Democrats and Republicans were in broad agreement on an issue that was seemingly settled long ago: No one can own the law. But technology and a growing privatization of the law-making process have stirred up the debate once again. Huge amounts of formerly stored-in-print material-including laws, court and administrative rulings, and regulations from governments, standards bodies and myriad other organizations-are now digitized, which means printing costs and access issues should be minimal. Many of these documents are legally enforceable; some are standards that are legally binding; and others provide information that would normally be publicly available, though in the past you might have had to go to a clerk's office or library and pay for copies. But the end of print and ink does not mean the end of all costs. And the debate has divided those who call for free access for all in all cases and the legal research firms (established and startup) who say legal documents can be misleading or meaningless without the context, organization and analysis that someone has to be paid to provide. These issues have set off battles between legal information giants like West and LexisNexis and upstart competitors seeking access to court records. And they have inspired lawsuits, including a fight between three professional standards organizations and one crusader for free access to public information. Sitting at the witness table at the House committee meeting was that crusader, Carl Malamud. He is an open-source activist and the founder of Public.Resource.org. His group is funded through donations and grants, and it recently turned to crowdfunding through Kickstarter to support the conversion of 28,040 public safety standards into HTML files. Malamud was on hand to detail the latest skirmishes in his 20-year fight for free and open access to the law.
Quantifying privacy: A week of location data may be an 'unreasonable search' (NYT, 31 May 2014) - When does the simple digital tracking of your location and movements - the GPS bleeps from most of our smartphones - start to be truly revealing? When do the data points and inferences that can be drawn from it strongly suggest, say, trips to a psychiatrist, a mosque, an abortion clinic, a strip club or an AIDS treatment center? The answer, according to a new research paper, is about a week, when the data portrait of a person becomes sufficiently detailed to qualify as an "unreasonable search" and a potential violation of an individual's Fourth Amendment rights. The research paper, a collaboration of computer scientists and lawyers, wades into the debate over the legal and policing implications of modern data collection and analysis technology. It explores what in legal circles is called the "mosaic theory" of the Fourth Amendment, which essentially states that when linked and analyzed by software, a much richer picture emerges from combined information than from discrete data points. "It's not the direct observation," said Steven M. Bellovin, one of the paper's co-authors and a computer science professor at Columbia University, a computer security and privacy expert and a former chief technologist of the Federal Trade Commission. "It's what can be inferred." The 74-page paper, "When Enough Is Enough: Location Tracking, Mosaic Theory, and Machine Learning," has been published in the current edition of the New York University Journal of Law and Liberty. Its co-authors, in addition to Mr. Bellovin, are: Renee M. Hutchins, an associate professor at the University of Maryland Carey School of Law; Tony Jebara, an associate professor of computer science at Columbia, and a machine learning expert; and Sebastian Zimmeck, a Ph.D. candidate in computer science at Columbia, who is also a lawyer.
[ Polley : "mosaic" authority Orin Kerr offers this response: No, machine learning doesn't resolve how the mosaic theory applies (Volokh Conspiracy, 3 June 2014)]
NSA collecting millions of faces from web images (NYT, 31 May 2014) - The National Security Agency is harvesting huge numbers of images of people from communications that it intercepts through its global surveillance operations for use in sophisticated facial recognition programs, according to top-secret documents. The spy agency's reliance on facial recognition technology has grown significantly over the last four years as the agency has turned to new software to exploit the flood of images included in emails, text messages, social media, videoconferences and other communications, the N.S.A. documents reveal. Agency officials believe that technological advances could revolutionize the way that the N.S.A. finds intelligence targets around the world, the documents show. The agency intercepts "millions of images per day" - including about 55,000 "facial recognition quality images" - which translate into "tremendous untapped potential," according to 2011 documents obtained from the former agency contractor Edward J. Snowden. While once focused on written and oral communications, the N.S.A. now considers facial images, fingerprints and other identifiers just as important to its mission of tracking suspected terrorists and other intelligence targets, the documents show. It is not clear how many people around the world, and how many Americans, might have been caught up in the effort. Neither federal privacy laws nor the nation's surveillance laws provide specific protections for facial images. Because the agency considers images a form of communications content, the N.S.A. would be required to get court approval for imagery of Americans collected through its surveillance programs, just as it must to read their emails or eavesdrop on their phone conversations, according to an N.S.A. spokeswoman. Cross-border communications in which an American might be emailing or texting an image to someone targeted by the agency overseas could be excepted. Vanee M. Vines, the agency spokeswoman * * * added that the N.S.A. did not have access to photographs in state databases of driver's licenses or to passport photos of Americans, while declining to say whether the agency had access to the State Department database of photos of foreign visa applicants. She also declined to say whether the N.S.A. collected facial imagery of Americans from Facebook and other social media through means other than communications intercepts. The N.S.A. achieved a technical breakthrough in 2010 when analysts first matched images collected separately in two databases - one in a huge N.S.A. database code-named Pinwale, and another in the government's main terrorist watch list database, known as Tide - according to N.S.A. documents. That ability to cross-reference images has led to an explosion of analytical uses inside the agency. The agency has created teams of "identity intelligence" analysts who work to combine the facial images with other records about individuals to develop comprehensive portraits of intelligence targets. The agency has developed sophisticated ways to integrate facial recognition programs with a wide range of other databases. It intercepts video teleconferences to obtain facial imagery, gathers airline passenger data and collects photographs from national identity card databases created by foreign countries, the documents show. They also note that the N.S.A. was attempting to gain access to such databases in Pakistan, Saudi Arabia and Iran. The documents suggest that the agency has considered getting access to iris scans through its phone and email surveillance programs. But asked whether the agency is now doing so, officials declined to comment. The documents also indicate that the N.S.A. collects iris scans of foreigners through other means. The N.S.A. can now compare spy satellite photographs with intercepted personal photographs taken outdoors to determine the location. One document shows what appear to be vacation photographs of several men standing near a small waterfront dock in 2011. It matches their surroundings to a spy satellite image of the same dock taken about the same time, located at what the document describes as a militant training facility in Pakistan.
- and -
India's big brother project (Boston Review, 19 May 2014) - India's Unique Identity (UID) project is already the world's largest biometrics identity program, and it is still growing. Almost 600 million people have been registered in the project database, which collects all ten fingerprints, iris scans of both eyes, a photograph, and demographic information for each registrant. Supporters of the project tout the UID, which is run by a government agency, as a societal game changer. The extensive biometric information collected, they argue, will establish the uniqueness of each individual, eliminate fraud, and provide the identity infrastructure needed to develop solutions for a range of problems. Detractors see these claims as hype, pointing out that despite the potential benefits, critical concerns remain about the UID's legal and physical architecture as well as about unforeseen risks associated with the linking and analysis of personal data.
Who has your back? Protecting your data from government requests (EFF, June 2014) - In this fourth-annual report, EFF examines the publicly-available policies of major Internet companies-including Internet service providers, email providers, mobile communications tools, telecommunications companies, cloud storage providers, location-based services, blogging platforms, and social networking sites-to assess whether they publicly commit to standing with users when the government seeks access to user data. The purpose of this report is to allow users to make informed decisions about the companies with whom they do business. It is also designed to incentivize companies to adopt best practices, be transparent about how data flows to the government, and to take a stand for their users' privacy in Congress and in the courts whenever it is possible to do so. Full report here. Reports for 2011, 2012, and 2013.
Here's the first US Ambassador to take the oath of office on an e-reader (Business Insider, 2 June 2014) - Suzi LeVine, the new U.S. Ambassador to Switzerland and Liechtenstein, became the first ambassador to take the oath of office on an E-reader last week. The State Department released on Monday a photo of LeVine's swearing-in ceremony, during which she took the oath of office through a copy of the U.S. Constitution on an E-reader. The State Department said LeVine chose to take the oath of office on an E-reader. She was sworn in by Vice President Joe Biden during a White House ceremony.
FCC comment page buckles to its knees after John Oliver asks everyone to comment (TechDirt, 3 June 2014) - On Monday morning, we wrote about John Oliver's brilliant report on net neutrality, which ended with a stirring "call to action" for internet commenters to tell the FCC why it should preserve a free and open internet. Many of our commenters noted that the FCC comment page that Oliver pointed to, FCC.gov/comments, appeared to be down for most of the day, either suggesting wonderful irony or that Oliver's call to action has been monumentally successful. The FCC has put up some tweets in which it apologizes for technical difficulties, without explaining why they were occurring beyond "heavy traffic." Some of us quickly speculated that the two things were related, while some publications have simply assumed without question that it was Oliver's pleas that brought the system down. To some extent I hope that's the case, though I do fear a bit the kinds of comments people might be leaving. Either way, the irony of the FCC having trouble under heavy loads concerning net neutrality was not lost on many people, who didn't miss the opportunity to tweet some replies mocking the whole net neutrality proposal. [ Polley : If you haven't seen it, watch the 13-minute Oliver clip - before it gets taken down. Substantive and funny - fabulous!]
DMLP announcement: A new report on media credentialing in the United States (Berkman's DMLP, 3 June 2014) - The Digital Media Law Project at Harvard University's Berkman Center for Internet & Society and the Journalist's Resource project at Harvard's Shorenstein Center on Media, Politics and Public Policy are pleased to release a new report: Who Gets a Press Pass? Media Credentialing Practices in the United States. Media credentials have long played a critical role in newsgathering in the United States, allowing journalists to gain special access to places and events denied to the general public. There are, however, many inconsistencies among regulatory standards for the issuance of credentials, and many circumstances where the decision of whether and how to issue credentials is left up to individual agencies with no regulatory guidance at all. Moreover, upheaval in the journalism industry has introduced new actors in the journalism ecosystem, complicating decisions by government agencies and private gatekeepers about who should be entitled to special access. Who Gets a Press Pass? presents a first-of-its-kind analysis of this complex environment, exploring media credentialing practices in the United States through a nationwide survey of more than 1,300 newsgatherers.
Apocalyptic Planet: field guide to the everending Earth (Craig Childs at the Long Now Foundation, July 2013; 90 minutes) - "This Earth is a story teller," Childs began. "And it is not a stable place to live. It is always ending. We think of endings as sudden, but it is always a process." For his book Apocalyptic Planet he sought out some of the world's most terminal-feeling places, where everything is reduced to fundamental elements in total upheaval or total stasis, and a visitor is overwhelmed by the scale and power of a planet going about its planetary business. [ Polley : this has nothing to do with the law, or IT. But it's staggering in scope and language and experience. Well worth your time.]
Sexting, Social Media, and the Law (MLPB, 20 May 2014) - JoAnne Sweeny, University of Louisville School of Law has published Sexting and Freedom of Expression: A Comparative Approach in volume 102 of the Kentucky Law Journal (2013/2014). Here is the abstract: According to a recent poll, one in four American teens could be legally labeled a child pornographer. Nearly thirty percent of teens in this poll admitted to engaging in "sexting," which may expose them to criminal prosecution under existing child pornography laws. "Sexting" is the modern term given to "the practice of sending or posting sexually suggestive text messages and images, including nude or semi-nude photographs, via cellular telephones or over the Internet." It is an increasingly popular practice in the United States and abroad and, according to current child pornography laws, can result in teens serving long prison sentences and having to register as sex offenders. Download the text from SSRN at the link.
Copyright and Privacy (MLPB, 30 May 2014) - Pamela Samuelson, University of California, Berkeley, School of Law, is publishing Protecting Privacy Through Copyright Law? in Visions of Privacy in the Modern Age (Marc Rotenberg, ed.; 2014). Here is the abstract: A quartet of recent copyright cases have extended protection to privacy and other personal interests of individuals depicted in copyrighted works. Victims of so-called revenge porn are also relying on copyright to protect their privacy interests. This short essay revisits the seminal Warren and Brandeis article on "The Right to Privacy," which relied heavily on copyright cases to support the notion that privacy interests were and should be legally protectable. It asks whether Warren and Brandeis would have approved of this renewed direction for copyright law.
Framing the Law & Policy Picture: A Snapshot of K-12 Cloud-Based Ed Tech & Student Privacy in Early 2014 (Harvard, 3 June 2014) - Abstract: A growing number of primary and secondary (K-12) school systems nationwide are adopting cloud-based educational technologies ("ed tech"), tools which "enable the transition of computing resources-including information processing, collection, storage, and analysis-away from localized systems (i.e., on an end user's desktop or laptop computer) to shared, remote systems (i.e., on servers located at a data center away from the end user accessible through a network)" in the course of educational and / or academic administrative work. Cloud-based ed tech possesses unique innovative potential that can best be unlocked when the opportunities it presents are considered alongside the importance of protecting student privacy. This paper, building upon findings of the ongoing Student Privacy Initiative under the auspices of the Berkman Center for Internet & Society at Harvard University, provides a snapshot of key aspects of a diverse-and heated-law, policy, and implementation debate that is taking place in the rapidly evolving cloud-based ed tech landscape. It aims to provide policy and decision-makers at the school district, local government, state government, and federal government levels with greater information about and clarity around the avenues available to them in evaluating privacy options. This analysis focuses on three overarching questions: who in the educational system should make cloud-based ed tech decisions; when is parental consent needed for the adoption of these technologies; and how can data transferred, stored, and analyzed through these products be kept secure and, as necessary, de-identified?
A beginner's guide to Bitcoin (Boing Boing, 4 June 2014) - Bitcoin is a peer-to-peer network, a set of protocols (standards for interoperability), client interfaces (called wallets) and a currency that operates on top of all of those technologies. The bitcoin system allows any person to send or receive a fraction of a bitcoin (the currency unit) to another person, anywhere in the world. The bitcoin system operates on the Internet without the need for banks or bank accounts and allows people to send money like they send email. * * * [ Polley : useful explication, spotted by MIRLN reader Mike McGuire ]
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
A move to block Gmail service (Wired, 13 April 2004) -- A California state senator said Monday that she was drafting legislation to block Google's free e-mail service, Gmail, because it would place advertising in personal messages after searching them for keywords. "We think it's an absolute invasion of privacy. It's like having a massive billboard in the middle of your home," said Sen. Liz Figueroa (D-Fremont). "We are asking them to rethink the whole product." In late March, the world's leading Web search company announced plans to launch Gmail -- a service that would offer users 1 GB of free storage, more than 100 times the storage offered by other free services from Yahoo and Microsoft. But in return for the extra storage, users would agree to let Google's technology scan their incoming e-mail, then deliver targeted ads based on keywords in the messages. For instance, a user receiving a message about a friend's flu symptoms might also receive ads for cold and flu remedies. Gmail is now being tested with a limited number of users. Privacy advocates are assailing Gmail even before its formal launch. Google faces heavy opposition in Europe, where privacy laws are stricter than they are in the United States.
A quiet revolt puts costly journals on web (New York Times, 26 June 2004) - When Dr. Miguel Nicolelis, a neurobiologist at Duke University, decided to release a groundbreaking study in an upstart online journal, his colleagues were flabbergasted. The research, demonstrating how brain implants enabled monkeys to operate a robotic arm, was a shoo-in for acceptance in premier journals like Nature or Science. "Usually you want to publish your best work in well-established journals to have the widest possible penetration," Dr. Nicolelis said. "My idea was the opposite. We need to open up the dissemination of scientific results." The journal Dr. Nicolelis chose - PLoS Biology, a publication of the Public Library of Science - aims to do just that by putting peer-reviewed scientific papers online free, at the Web site www.plosbiology.org. The high subscription cost of prestigious peer-reviewed journals has been a running sore point with scholars, whose tenure and prominence depend on publishing in them. But since the Public Library of Science, which was started by a group of prominent scientists, began publishing last year, this new model has been gaining attention and currency within academia.
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:firstname.lastname@example.org?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. McGuire Wood's Technology & Business Articles of Note
8. Steptoe & Johnson's E-Commerce Law Week
9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
10. The Benton Foundation's Communications Headlines
11. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.