MIRLN --- 29 June - 19 July 2014 (v17.10) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)
CLE | NEWS | RESOURCES | DIFFERENT | LOOKING BACK | NOTES
- US National Archives enshrines Wikipedia in Open Government Plan, plans to upload all holdings to Commons
- Massachusetts high court orders suspect to decrypt his computers
- Can nondisparagement clauses silence negative online reviews?
- What your cell phone can't tell the police
- US oil & gas industry establishes information sharing center
- Active malware operation let attackers sabotage US energy industry
- Austrian TOR exit node operator found guilty as an accomplice because someone used his node to commit a crime
- US privacy panel backs NSA's Internet tapping
- Flawed oversight Board report endorses general warrants
- Privacy Board report strongly suggests attorney-client communications subject to NSA spying
- Why more start-ups are sharing ideas without legal protection
- Reduce legal research costs with Google Scholar
- Google blocks access to email to prevent 'needless and massive' Goldman Sachs breach
- ICSI works with Yahoo Labs and Lawrence Livermore lab to offer analytics tools for over 100 million Flickr images and videos
- Is your Android device telling the world where you've been?
- What legal protections apply to e-mail stored outside the US?
- Hacked companies face SEC scrutiny over disclosure
- Recent developments concerning cybersecurity disclosure for public companies
- Cybersecurity now tops boardroom concerns
- Law firm files defamation action against former client who posted unflattering review on Yelp---and didn't pay fees
- FCC sets new rules for online video clips
- Suing file-sharers doesn't work, lawyers warn
- Annual review of social media policies may not address regulatory risks, says expert
- Project 18F: "Delivery is the Strategy"
- Chinese hackers extending reach to smaller US agencies
- "Hidden from Google" shows sites censored under EU's right-to-be-forgotten law
UPCOMING CLE
ABA Cybersecurity Series (ABA, July 2014) - Join the authors of the best-selling ABA Cybersecurity Handbook as they offer practical cyber-threat information, guidance, and strategies for lawyers, law firm attorneys, in-house counsel, government attorneys, and public interest attorneys. [Y]ou can register for each webinar individually or you can register for one of three webinar packages specifically tailored to your practice area and receive a 20% discount as well as a Certificate of Completion.
New ABA Value Pass provides lawyers with yearlong CLE subscription (ABA, 25 June 2014) - Lawyers seeking to create their own personal continuing legal education portfolio directly from the American Bar Association can now obtain a Continuing Legal Education Value Pass , which provides yearlong access to hundreds of ABA distance-learning programs for one price. "We are delighted to provide the legal profession with a flat-rate annual subscription to much of our live distance learning and recorded online programming," ABA Executive Director Jack Rives said. "This further demonstrates the breadth, depth and quality of the content our many entities create for America's lawyers." ABA members can subscribe at the special introductory rate of $575 annually. The pass is also available to nonmembers for $795 annually. The pass provides access to * * *
NEWS
US National Archives enshrines Wikipedia in Open Government Plan, plans to upload all holdings to Commons (Wikipedia, 25 June 2014) - The US National Archives and Record Administration (NARA) have committed to engaging with Wikimedia projects in their newest Open Government Plan. The biannual effort is a roadmap for how the agency will accomplish its goals in the digital age. In the first plan, issued in 2010, Archivist of the United States David Ferriero wrote "the cornerstone of the work that we do every day is the belief that citizens have the right to see, examine, and learn from the records that document the actions of their Government. But in this digital age, we have the opportunity to work and communicate more efficiently, effectively, and in completely new ways." * * * [V]olunteers are working with NARA on a new upload script to port images to Commons; the work in progress is posted on Github . At NARA itself, an API is in development that will make it easier to extract the metadata of the images. Given these efforts, McDevitt-Parks says that they will "allow us to more easily upload all of our existing digitized holdings to Wikimedia Commons and similar third-party platforms, and also that in the future upload to platforms like Commons will be the end of all digitization. Looking at it this way, I would say that in a way all of our digitization efforts are also for upload to Wikimedia Commons."
Massachusetts high court orders suspect to decrypt his computers (ArsTechnica, 25 June 2014) - Massachusetts' top court ruled, in a 5-2 decision on Wednesday, that a criminal suspect can be ordered to decrypt his seized computer. The Massachusetts Supreme Judicial Court (MSJC) ruling only applies to the state. Various other courts at the state and federal level have disagreed as to whether being forced to type in a decryption password is a violation of the Fifth Amendment right to protect against self-incrimination and its state equivalents (such as Article Twelve of the Massachusetts Declaration of Rights). For example, more than two years ago, the 11th Circuit Court of Appeals ruled that a defendant was not obliged to decrypt his hard drive, as doing so would violate his Fifth Amendment rights. However, that ruling only took effect in the 11th Circuit, which covers parts of the southeastern United States. Just last year, a federal judge refused to force a Wisconsin child pornography suspect to decrypt his laptop. Overall, cases involving decryption are still relatively new and rare. The first known one only dates back to 2007 . [ Polley : In fact, there's applicable case-law going back much further; the facts in this case are interesting.]
Can nondisparagement clauses silence negative online reviews? (Legal Intelligencer, 26 June 2014) - What do dentists, wedding photographers, moving companies, locksmiths and online retailers all have in common? Answer: They have each tried to limit negative online customer reviews via nondisparagement clauses in their service agreements. Traditionally found in negotiated settlement or employee severance agreements, nondisparagement (or "no review") clauses are now making their way into non-negotiated service contracts and the oft-ignored terms and conditions of online retailers. With scant decisional case law on point, courts have yet to directly address the fairness (read: enforceability) of these clauses. Recently, legislators in Pennsylvania and elsewhere have entered the fray by introducing bills to curb parties from chilling public speech-or even deeming such clauses illegal, absent voluntary waivers of the right to opine. So the question becomes: Are nondisparagement clauses the wave of the future, or simply the next battleground in the war for online consumer rights? * * * [ Polley : Eric Goldman has blogged extensively about this subject over the last 5 years or so, e.g., here ; there are several MIRLN stories about this, too.]
What your cell phone can't tell the police (The New Yorker, 26 June 2014) - On May 28th, Lisa Marie Roberts, of Portland, Oregon, was released from prison after serving nine and a half years for a murder she didn't commit. A key piece of overturned evidence was cell-phone records that allegedly put her at the scene. Roberts pleaded guilty to manslaughter in 2004, after her court-appointed attorney persuaded her that she had no hope of acquittal. The state's attorney had told him that phone records had put Roberts at the scene of the crime, and, to her lawyer, that was almost as damning as DNA. But he was wrong, as are many other attorneys, prosecutors, judges, and juries, who overestimate the precision of cell-phone location records. Rather than pinpoint a suspect's whereabouts, cell-tower records can put someone within an area of several hundred square miles or, in a congested urban area, several square miles. Yet years of prosecutions and plea bargains have been based on a misunderstanding of how cell networks operate. No one knows how often this occurs, but each year police make more than a million requests for cell-phone records. "We think the whole paradigm is absolutely flawed at every level, and shouldn't be used in the courtroom," Michael Cherry, the C.E.O. of Cherry Biometrics, a consulting firm in Falls Church, Virginia, told me. "This whole thing is junk science, a farce." The paradigm is the assumption that, when you make a call on your cell phone, it automatically routes to the nearest cell tower, and that by capturing those records police can determine where you made a call-and thus where you were-at a particular time. That, he explained, is not how the system works. When you hit "send" on your cell phone, a complicated series of events takes place that is governed by algorithms and proprietary software, not just by the location of the cell tower. First, your cell phone sends out a radio-frequency signal to the towers within a radius of up to roughly twenty miles-or fewer, in urban areas-depending on the topography and atmospheric conditions.
US oil & gas industry establishes information sharing center (InfoSecurity, 26 June 2014) - As part of a voluntary effort, the oil and natural gas industry is launching the Oil and Natural Gas Information Sharing and Analysis Center ( ONG-ISAC ), dedicated to protecting critical energy infrastructure from computer-based attacks. The ONG-ISAC will serve as a unified, central reservoir of cyber intelligence and a virtual pipeline that facilitates the secure sharing of vetted, actionable and timely cyber intelligence to members. "Cyber-based attacks are one of the fastest-growing threats to America's infrastructure," said David Frazier, chairman of the ONG-ISAC, in a statement. "ONG-ISAC will help our industry to quickly identify and respond to threats against refineries, pipelines and other distribution systems that serve US consumers and businesses. It also will provide industry participants a secure way to share information and stay connected with law enforcement agencies." An industry-owned and operated organization, the ONG-ISAC will facilitate the exchange of information, evaluate risks, and provide up-to-date security guidance to US companies. Participants can submit incidents either anonymously or with attribution via a secure web portal; circulate information on threats and vulnerabilities among ONG-ISAC members, other ISACs, vendors and the US government; provide industry participants with access to cybersecurity experts; alert participants of cyber-threats deemed 'urgent' or 'elevated' in near real-time, within 60 minutes; coordinate industry-wide responses to computer-based attacks; and ensure compliance with all antitrust and federal disclosure guidelines.
- and -
Active malware operation let attackers sabotage US energy industry (ArsTechnica, 30 June 2014) - Researchers have uncovered a malware campaign that gave attackers the ability to sabotage the operations of energy grid owners, electricity generation firms, petroleum pipelines, and industrial equipment providers. Called Dragonfly, the hacking group managed to install one of two remote access trojans (RATs) on computers belonging to energy companies located in the US and at least six European countries, according to a research report published Monday by Symantec. One of the RATs, called Havex , was spread by hacking the websites of companies selling software used in industrial control systems (ICS) and waiting for companies in the energy and manufacturing industries to install booby-trapped versions of the legitimate apps. "This campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems," the Symantec report stated. "While Stuxnet was narrowly targeted at the Iranian nuclear program and had sabotage as its primary goal, Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required." Dubbed Energetic Bear by other researchers, Dragonfly has been in operation since at least 2011. It initially targeted US and Canadian companies in the defense and aviation industries before shifting its focus to energy concerns. The group bears the hallmarks of a state-sponsored operation, mainly in its organization and high degree of technical sophistication. Its primary motive appears to be espionage, although additional capabilities suggest that sabotage is also of interest. Fingerprints left inside the malware show the attackers mostly worked Monday through Friday during a nine-hour period that corresponded to 9am to 6pm in Eastern Europe, leading Symantec researchers to theorize that was the region where the most Dragonfly members worked.
Austrian TOR exit node operator found guilty as an accomplice because someone used his node to commit a crime (TechDirt, 2 July 2014) - Three years ago we wrote about how Austrian police had seized computers from someone running a Tor exit node. This kind of thing happens from time to time, but it appears that folks in Austria have taken it up a notch by... effectively now making it illegal to run a Tor exit node . * * * It's pretty standard to name criminal accomplices liable for "aiding and abetting" the activities of others, but it's a massive and incredibly dangerous stretch to argue that merely running a Tor exit node makes you an accomplice that "contributes to the completion" of a crime. Under this sort of thinking, Volkswagen would be liable if someone drove a VW as the getaway car in a bank robbery. It's a very, very broad interpretation of accomplice liability, in a situation where it clearly does not make sense. Tragically, this comes out the same day that the EFF is promoting why everyone should use Tor . While it accurately notes that no one in the US has been prosecuted for running Tor, it may want to make a note about Austria. Hopefully there is some way to fight back on this ruling and take it to a higher court -- and hopefully whoever reviews it will be better informed about how Tor works and what it means to run an exit node.
US privacy panel backs NSA's Internet tapping (NYT, 2 July 2014) - The federal privacy board that sharply criticized the collection of the phone records of Americans by the National Security Agency has come to a starkly different conclusion about the agency's exploitation of Internet connections in the United States to monitor foreigners communicating with one another abroad. That program, according to the Privacy and Civil Liberties Oversight Board, is largely in compliance with both the Constitution and a surveillance law that Congress passed six years ago. [T]he most recent report, adopted by the board on Wednesday, deals with what the agency calls "702 collection," a reference to Section 702 of the Foreign Intelligence Surveillance Act, which was amended in 2008 after The New York Times revealed a program of warrantless wiretapping that the Bush administration started after the Sept. 11, 2001, attacks. "The Section 702 program has enabled the government to acquire a greater range of foreign intelligence than it otherwise would have been able to obtain - and to do so quickly and effectively," the report said. While it found little value in the bulk collection of Americans' telephone data, the board said that the 702 program, aimed at foreigners, "has proven valuable in the government's efforts to combat terrorism as well as in other areas of foreign intelligence." The program is also used to track nuclear proliferation and to monitor the calls and emails of foreign governments and their leaders. The report concluded that "monitoring terrorist networks under Section 702 has enabled the government to learn how they operate, and to understand their priorities, strategies and tactics." In a sign of the Obama administration's relief about the report's conclusion, it was praised by James R. Clapper Jr., the director of national intelligence, who refused to talk publicly about the 702 programs before the Snowden disclosures. Mr. Clapper cited a section of the report that said the board was "impressed with the rigor of the government's efforts to ensure that it acquires only those communications it is authorized to collect, and that it targets only those persons it is authorized to target."
- and -
Flawed oversight Board report endorses general warrants (EFF, 1 July 2014) - The Privacy and Civil Liberties Oversight Board (PCLOB) issued a legally flawed and factually incomplete report late Tuesday that endorses Section 702 surveillance. Hiding behind the "complexity" of the technology, it gives short shrift to the very serious privacy concerns that the surveillance has rightly raised for millions of Americans. The board also deferred considering whether the surveillance infringed the privacy of many millions more foreigners abroad. The board skips over the essential privacy problem with the 702 "upstream" program: that the government has access to or is acquiring nearly all communications that travel over the Internet. The board focuses only on the government's methods for searching and filtering out unwanted information. This ignores the fact that the government is collecting and searching through the content of millions of emails, social networking posts, and other Internet communications, steps that occur before the PCLOB analysis starts. This content collection is the centerpiece of EFF's Jewel v. NSA case, a lawsuit battling government spying filed back in 2008. The board's constitutional analysis is also flawed. The Fourth Amendment requires a warrant for searching the content of communication. Under Section 702, the government searches through content without a warrant. Nevertheless, PCLOB's analysis incorrectly assumes that no warrant is required. The report simply says that it "takes no position" on an exception to the warrant requirement when the government seeks foreign intelligence. The Supreme Court has never found this exception. PCLOB findings rely heavily on the existence of government procedures. But, as Chief Justice Roberts recently noted: "the Founders did not fight a revolution to gain the right to government agency protocols." Justice Roberts' thoughts are on point when it comes to NSA spying-mass collection is a general warrant that cannot be cured by government's procedures. The PCLOB's proposed reforms for Section 702 are an anemic set of recommendations that will do little to stop excessive surveillance. For example, rather than rein in government communications searches, the PCLOB simply asks the NSA to study the issue. The PCLOB report provides the public with much needed information about how the 702 program works. But the legal analysis is incorrect and the report fails to offer effective reforms.
- and -
Privacy Board report strongly suggests attorney-client communications subject to NSA spying (Center for Constitutional Rights, 2 July 2014) - In response to a new report that addresses warrantless NSA searches made possible by a particular section of the Foreign Intelligence Surveillance Amendments Act (FISA), the Center for Constitutional Rights issued the statement below. The Privacy and Civil Liberties Oversight Board (PCLOB) had previously addressed the collection of communications metadata, and here looked at the implications of collection of communications content under Section 702 of FISA. The Privacy Board's report is disappointingly superficial with respect to the main constitutional concerns raised here. The board includes no mention whatsoever of free speech, due process, and right to counsel when analyzing the legality of the NSA's collection of the content of communications between U.S. residents and persons of interest abroad. Deeply troubling, the report found that attorneys' legally-privileged communications are used and shared by the NSA, CIA and FBI unless they are communications directly with a client who has already been indicted in U.S. courts, which strongly suggests that the contents of privileged attorney-client communications at Guantanamo are subject to NSA warrantless surveillance. This raises serious concerns about the fairness of the military commission system and would seem to violate court orders entered in Guantanamo habeas cases that protect attorney-client privilege.
Why more start-ups are sharing ideas without legal protection (NYT, 2 July 2014) - In 2011, Andy Moeck was looking for investors for Moeo, a Los Angeles start-up he was building that makes mobile gaming apps based on real-time sporting events. A friend introduced Mr. Moeck to a partner at the Silicon Valley venture capital firm Kleiner Perkins Caufield Byers, and at their first meeting, Mr. Moeck asked the partner to sign a nondisclosure agreement. Such agreements, known as N.D.A.s, are intended to prevent an idea or technology from being stolen and copied. Mr. Moeck was especially concerned because the venture capital firm was already backing Zynga, another gaming company. "We knew they didn't have a mobile or sports strategy," he said of Zynga. "I didn't want to pitch Kleiner about what we were doing and have them go back and say to Zynga, 'This is how Moeo does it.'" But the Kleiner Perkins investor refused to sign an N.D.A., leaving Mr. Moeck to decide whether to proceed with his pitch. It is a common quandary, and not just in Silicon Valley. Ten years ago, it was not unusual for entrepreneurs to request and potential investors to sign nondisclosure agreements. But today the agreements are largely considered a thing of the past. In fact, some investors say they walk away from a founder who even suggests signing one. This cultural shift, which began in the late 1990s and accelerated during the early 2000s, began in Silicon Valley, said Victor W. Hwang, chief executive of T2 Venture Creation, an investment firm in Portola Valley, Calif. "One of the most advantageous things an entrepreneur can do is talk about their company to anyone who will listen," Mr. Hwang said. * * * Below are some guidelines to consider. They apply when engaging not just investors, but also manufacturers, partners and even customers. * * *
Reduce legal research costs with Google Scholar (Lawyerist, 3 July 2014) - Clients have been increasingly reluctant to pay for legal research. In this age of bundled services, they think that research costs should be included with an attorney's hourly or flat-rate fee. If you are seeking ways to reduce research costs, here is one good option: Google Scholar . It is an online research service that you should use to find cases and secondary sources-for free. This article first explains the primary benefits of Google Scholar. But before you cancel your subscription to LexisNexis or Westlaw, read the second part of this article on its limitations. * * *
Google blocks access to email to prevent 'needless and massive' Goldman Sachs breach (PC Magazine, 3 July 2014) - American multinational investment banking firm Goldman Sachs Group, Inc. said on Wednesday that Google has complied with a request to block access to an email containing confidential client data , which was mistakenly sent by a contractor to a stranger's Gmail account, according to Reuters . The information included "highly confidential brokerage account information," Reuters reported, citing a complaint filed on Friday in a New York state court in Manhattan. Goldman Sachs had been seeking a court order imploring Google to block access to the email. A Goldman Sachs spokesperson told Reuters that no client information has been breached because the recipient had not accessed the Gmail account between the time the email was sent - on June 23 - and the time Google blocked access. The contractor was testing changes to Goldman Sachs's internal processes when the incident transpired.
ICSI works with Yahoo Labs and Lawrence Livermore lab to offer analytics tools for over 100 million Flickr images and videos (Marketwired, 3 July 2014) - The International Computer Science Institute (ICSI), a leading center for computer science research, today announced a collaboration with Yahoo Labs and Lawrence Livermore National Laboratory to process and analyze the recently released Yahoo Flickr Creative Commons 100 Million (YFCC100M) dataset , a publicly available corpus of user-generated content comprising more than 100 million images and videos. ICSI has developed a number of research tools to extract meaning from the vast amounts of multimedia data freely available online, giving researchers the ability to draw powerful conclusions from the data. Such work includes: (a) Audio and visual recognition techniques that can reliably identify the geographic location of a video or photo's origin point. (b) Video concept detection, which uses acoustic analysis and segmentation of similar sounds to treat sounds like keywords, making it possible to reliably search abstract concepts like "baby catching a ball" or "animal dancing to music." ICSI is collaborating directly with Lawrence Livermore Lab to process the massive dataset using the lab's supercomputer, the Cray Catalyst. "The media that people choose to upload with a Creative Commons License are full of information: they tell us about the people in them, where they are and what is happening, even if none of that is explicitly laid out," said Gerald Friedland, research director of Audio and Multimedia at ICSI. "ICSI's sophisticated computing tools help us make sense of that data at scale, and there is so much we can learn by fully leveraging the rich Creative Commons dataset that Flickr has amassed over the past decade."
Is your Android device telling the world where you've been? (EFF, 3 July 2014) - Do you own an Android device? Is it less than three years old? If so, then when your phone's screen is off and it's not connected to a Wi-Fi network, there's a high risk that it is broadcasting your location history to anyone within Wi-Fi range that wants to listen. This location history comes in the form of the names of wireless networks your phone has previously connected to. These frequently identify places you've been, including homes ("Tom's Wi-Fi"), workplaces ("Company XYZ office net"), churches and political offices ("County Party HQ"), small businesses ("Toulouse Lautrec's house of ill-repute"), and travel destinations ("Tehran Airport wifi"). This data is arguably more dangerous than that leaked in previous location data scandals because it clearly denotes in human language places that you've spent enough time to use the Wi-Fi.1 Normally eavesdroppers would need to spend some effort extracting this sort of information from the latitude/longitude history typically discussed in location privacy analysis. But even when networks seem less identifiable, there are ways to look them up . We briefly mentioned this problem during our recent post about Apple deciding to randomize MAC addresses in iOS 8 . As we pointed out there, Wi-Fi devices that are not actively connected to a network can send out messages that contain the names of networks they've joined in the past in an effort to speed up the connection process.2 But after writing that post we became curious just how many phones actually exhibited that behavior, and if so, how much information they leaked. To our dismay we discovered that many of the modern Android phones we tested leaked the names of the networks stored in their settings (up to a limit of fifteen). And when we looked at these network lists, we realized that they were in fact dangerously precise location histories. Aside from Android, some other platforms also suffer from this problem and will need to be fixed, although for various reasons, Android devices appear to pose the greatest privacy risk at the moment.
What legal protections apply to e-mail stored outside the US? (Orin Kerr on Volokh Conspiracy, 7 July 2014) - A federal magistrate judge in New York recently handed down an opinion on an important and novel question: If the government serves a warrant for a customer's e-mails on a U.S.-based Internet provider, but the e-mails happen to be located on a server outside the U.S., does the provider have to comply with the warrant? The magistrate judge held that the answer is "yes." The provider, Microsoft, recently filed objections to the magistrate's decision in the District Court. A slew of major Internet providers filed amicus briefs in support of Microsoft: Apple/Cisco's is here , AT&T's is here , and Verizon's is here . EFF filed a brief in support of Microsoft, too. The case is now pending before Chief Judge Loretta Preska of the Southern District of New York. In this post, I wanted to run through the complicated legal issues raised by the challenges. As I emphasized in a recent article , the Stored Communications Act just wasn't drafted with the problem of territoriality in mind. It assumed a U.S. Internet with U.S. servers and U.S. users. However the Microsoft challenges goes, Congress needs to amend the statute to deal expressly with the complex problems raised by the global Internet. In this post, though, I'll take the current statute as a given, and I'll run through the constitutional and statutory issues raised by access to e-mail located abroad under current law. My bottom line: I don't think Microsoft can challenge the warrant on Fourth Amendment grounds, and I think it's a close call on whether the warrant is valid on statutory grounds. If Microsoft wins, though, I think the DOJ may be able to get foreign e-mails with a U.S. subpoena, which wouldn't be much of a victory for privacy or sovereignty.
Hacked companies face SEC scrutiny over disclosure (Bloomberg, 7 July 2014) - The U.S. Securities and Exchange Commission has opened investigations of multiple companies in recent months examining whether they properly handled and disclosed a growing number of cyberattacks. The investigations are focused on whether the companies adequately guarded data and informed investors about the impact of breaches, according to two people familiar with the matter who asked not to be named because the probes aren't public. Target Corp. (TGT) , the victim of a breach last year that allowed hackers to access payment data for 40 million of its customers' debit and credit cards, is one of the companies facing SEC scrutiny, according to company filings. The prospect of enforcement actions against the targets of cyberattacks marks a new front in the agency's efforts to combat the rising threat hackers pose to public companies, brokerages and financial markets. Previously, the SEC had focused on guiding public companies on how to disclose those risks and making sure financial companies have adequate defenses against hackers. "The SEC issues subpoenas when they believe the disclosure is either incomplete or misleading," said Linda Griggs, a partner at Morgan, Lewis & Bockius LLP who previously worked at the SEC as chief counsel to the agency's chief accountant. "It's totally consistent for them to be looking at this kind of thing." The SEC is also investigating companies' internal controls in cases where the value of assets could have been affected by a breach, one of the people said.
- and -
Recent developments concerning cybersecurity disclosure for public companies (Hunton & Williams, June 2014) - Cyber incidents have become more common - and more severe - in recent years. Like other federal agencies, the Securities and Exchange Commission (Commission) has recently been analyzing the applicability of its existing regulations relating to cybersecurity risks. The Commission's efforts are focused on maintaining the integrity of market systems, protecting customer data and the disclosure of material information. We provide an overview of recent developments in public company cybersecurity disclosure of particular interest to public companies.
- and -
Cybersecurity now tops boardroom concerns (FierceCIO, 11 July 2014) - If data security and privacy aren't front and center on your radar, they better get there quick. A new study finds that data security is now the number one concern in the corporate boardroom. FTI Consulting has just released its Law in the Boardroom Study, and shared highlights of the study in an email to FierceCIO . Nearly 500 directors and general counsel participated in the study. "Data security topped both directors' and general counsels' lists of worries, outranking 2013's top concern of succession and leadership transition," FTI Consulting said. "As hackers get better at their exploits, corporate security is failing to keep up, resulting in the main thing keeping directors up at night." Results of the study were also summarized this week in the FTI Journal, in an article entitled "Managing Cyber Risk: Job #1 for Directors and General Counsel." The study was conducted with New York Stock Exchange Governance Services, and led by Tom Brown, senior managing director and Neal Hochberg, global practice leader of forensic and litigation counseling, both at FTI Consulting. "The risks that come along with the digitation of business (and everything else) are multiplying, as are the costs of protecting against and remediating the impact of cyber-attacks and data breaches," the study says. "This year, information technology cyber risk oversight was chosen by 41 percent of directors and 33 percent of general counsel as an issue upon which they will spend significant time, appreciably more than last year's 28 percent for directors and 27 percent for general counsel." The report also cites data from the Ponemon Institute's 2013 Cost of Cyber Crime Study: United States, which reported that the average annualized cost of cybercrime in 2013 was $11.6 million per company studied, with a range from $1.3 million to $58 million. To put that in context, the average annualized cost in 2012 was $8.9 million.
Law firm files defamation action against former client who posted unflattering review on Yelp---and didn't pay fees (MLPB, 8 July 2014) - A Texas law firm has filed a defamation lawsuit in response to the disparaging review of its services a former client posted on Yelp. The client, Joseph A. Browning, claims that the content of his post is accurate and has refused to pay the firm's fees. The firm, Grissom & Thompson, of Austin, says it has no recourse now that Mr. Browning refuses to pay, but also wants him to remove the post. More here in an article in the Texas Lawyer. Read the firm's complaint here. For interested readers, the Browning review is still available on Yelp, but I won't link to it; you can easily find it by searching for it online. Mr. Browning is not the first person to be sued over a Yelp review. Last February, both a woman who reviewed a local contractor's work, and the contractor who then responded to her review, were found liable for defamation.
FCC sets new rules for online video clips (The Hill, 11 July 2014) - Regulators are establishing new rules requiring closed captions for online video clips. The Federal Communications Commission (FCC) voted unanimously Friday to approve the rules from Chairman Tom Wheeler. Wheeler - signing along in American Sign Language - repeated a pledge he made at another closed captioning vote earlier this year. "This is just the beginning in dealing with our responsibility to make sure that individuals with special needs are in the front of the technology train, not the back of the technology train," he said. Friday's vote sets requirements for online video clips that have aired on television with closed captions, mimicking current requirements for full-length online videos that originally were broadcast with captions on television. The new requirements apply to video distributors like broadcasters and cable and satellite companies. Under the 2010 Twenty-First Century Communications and Video Accessibility Act, the FCC has the authority to require closed captions for online videos. In 2012, the agency created rules under that law that requires closed captions on full-length online videos that aired with captions on television. The rules approved Friday set staggered deadlines between 2016 and 2017 for clips taken straight from television, montages containing multiple clips and clips of live and near-live programming, like sports and news.
Suing file-sharers doesn't work, lawyers warn (TorrentFreak, 13 July 2015) - For more than a decade copyright holders and the U.S. Government have been trying to find the silver bullet to beat piracy. This week the American Bar Association joined the discussion with a 113-page white paper . With their "call for action" the lawyers encourage Congress to draft new anti-piracy legislation and promote voluntary agreements between stakeholders. Among the options on the table is the filing of lawsuits against individual file-sharers, something the RIAA did extensively in the past. Interestingly, the lawyers advise against this option as it's unlikely to have an impact on current piracy rates. According to the lawyers these type of lawsuits are also financially ineffective, oftentimes costing more than they bring in. In addition, they can create bad PR for the copyright holders involved. "While it is technically possible for trademark and copyright owners to proceed with civil litigation against the consuming public who [...] engage in illegal file sharing, campaigns like this have been expensive, do not yield significant financial returns, and can cause a public relations problem for the plaintiff in addressing its consuming public," the lawyers write. [ Polley : see RIAA story below in " Looking Back "]
Annual review of social media policies may not address regulatory risks, says expert (Out-Law.com, 14 July 2014) - Technology law specialist Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that businesses that only conduct a review of social media strategy once a year may be exposing themselves to legal risks. "There have been a number of recent changes to the law and the way that regulators are approaching the law as well as number of forthcoming changes that highlight the need for companies to conduct a more regular review of their social media use than just annually," Scanlon said. "For instance, enforcement action by the Financial Conduct Authority last month indicates the approach the regulator is willing to take against financial services companies that breach rules on financial promotions. Rulings by the Court of Justice of the EU have also raised the prospect of firms having to think more carefully about how they process personal data, even if published elsewhere. Both of these examples raise compliance issues in a social media setting," he said. Scanlon also pointed to changes to defamation laws in England and Wales which came into force earlier this year as an issue that could impact on social media use, and further identified existing copyright and communication laws , as well as advertising and consumer protection rules , that must be adhered to by companies publishing on social media. "There are many issues that organisations must be aware could affect them as a result of engaging with customers via social media," Scanlon said. "Most organisations will likely be aware of their basic obligations, such as those to do with data protection and defamation, but there are some legal changes that may go unnoticed unless there are regular reviews of social media strategy scheduled."
Project 18F: "Delivery is the Strategy" (Cebe IT, 15 July 2014) - Project 18F is part of the US General Services Administration, the procurement arm of the federal government, feared by suppliers and not quite famous for its ability to innovate or move fast. But 18F is different. Staffed from the ground up by a lean team of (mostly young) technologists, including the Presidential Innovation Fellows, it "builds effective, user-centric digital services focused on the interaction between government and the people and businesses it serves." Their slogan is "delivery is the strategy." For example, it took them just 17 days (in government terms, that's a nanosecond) to deliver from scratch a Web site, notalone.gov, designed to track reports of sexual assault on campuses. Another project, myusa.gov, is a sort of "social API" for e-gov applications. The idea is that a citizen will create a profile once, and government applications that use the API will no longer need to ask people to re-enter their data each time they fill a form online; once the user logs in, the required data will be pulled from his or her profile.
Chinese hackers extending reach to smaller US agencies (NYT, 15 July 2014) - After years of cyberattacks on the networks of high-profile government targets like the Pentagon, Chinese hackers appear to have turned their attention to far more obscure federal agencies. Law enforcement and cybersecurity analysts in March detected intrusions on the computer networks of the Government Printing Office and the Government Accountability Office, senior American officials said this week. The printing office catalogs and publishes information for the White House, Congress and many federal departments and agencies. It also prints passports for the State Department. The accountability office, known as the congressional watchdog, investigates federal spending and the effectiveness of government programs. The attacks occurred around the same time Chinese hackers breached the networks of the Office of Personnel Management , which houses the personal information of all federal employees and more detailed information on tens of thousands of employees who have applied for top-secret security clearances. Some of those networks were so out of date that the hackers seemed confused about how to navigate them, officials said. But the intrusions puzzled American officials because hackers have usually targeted offices that have far more classified information.
"Hidden from Google" shows sites censored under EU's right-to-be-forgotten law (GigaOM, 16 July 2014) - News stories about a child rapist, a shoplifter and a financial scandal have all gone missing from Google search results in recent weeks - but now links to the stories have reappeared on " Hidden from Google ," a website that is archiving examples of internet censorship that are taking place under a controversial new law. The law allows EU citizens to force search engines to remove links to websites that they believe display outdated or irrelevant information. The law, which took effect in May in response to a court ruling , has led to an avalanche of "delete me" requests to Google, including many from rogues and criminals . The law has already led search results from major news outlets like the BBC and the Guardian to disappear , which is what led U.S. web developer Afaq Tariq to create the "Hidden from Google" page. The site provides a link to the story removed from Google, along with the relevant search term and the source that revealed the missing information. Censored pages include a BBC story about Carlos Silvano, a Portuguese pedophile, and a Daily Mail story about Gregory Sim, who had sex on a crowded train in 2008. Tariq told the BBC that the list is now very short because he wants to ensure that "an article is being censored consistently across European domains" before he includes it. Overall, the "Hidden from Google" page is likely to add to the ongoing alarm and confusion over the new European law. Implementation of the law has been chaotic as a result of vague instructions from the European Court of Justice, which declared in May that EU citizens could tell Google to delete search results under a 20-year-old data law, but that results in the public interest could remain.
RESOURCES
"Loopholes for Circumventing the Constitution: Warrantless Bulk Surveillance on Americans by Collecting Network Traffic Abroad" (PET Symposium, July 2014) Abstract: In this multi-disciplinary paper, we reveal interdependent legal and technical loopholes that intelligence agencies of the U.S. government could use to circumvent constitutional and statutory safeguards for U.S. persons. We outline known and new circumvention techniques that can leave the Internet traffic of Americans as vulnerable to surveillance, and as unprotected by U.S. law, as the Internet traffic of foreigners.
Steptoe launches data breach toolkit (Steptoe, 17 July 2014) - Data breaches can have a devastating effect on a company's revenue and reputation. The true financial impact of a breach includes not just the expense of responding to the incident and the potential loss of invaluable trade secrets, but also the costs of defending the company in litigation and investigations by state, federal, and possibly foreign regulators. We are therefore pleased to announce our Data Breach Toolkit , a new resource to help companies minimize the chances of a breach, evaluate a company's level of preparation for a breach, and respond quickly and effectively to any breach that does occur despite the best preparation. It will help put companies in a strong position to defend against the second round of attacks - this time by plaintiffs' lawyers and regulators. The toolkit also includes a useful outline of U.S. federal and state breach notification laws.
DIFFERENT
@congress-edits (activated 11 July 2014) - I'm a bot that tweets anonymous Wikipedia edits that are made from IP addresses in the US Congress. You can find the code at https://github.com/edsu/anon
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Music downloads decline after RIAA lawsuits (CNET, 4 Jan 2004) -- The music industry's controversial lawsuits against online song swappers appear to have forced U.S. computer users to severely curb their free music downloading habit, according to new research released Sunday. The percentage of Americans who downloaded music from the Internet fell to 14 percent over the four weeks ended Dec. 14, from 29 percent in a 30-day sample conducted in March, April and May, according to a telephone survey of 1,358 Internet users conducted by the Pew Internet & American Life Project. Since September, the Recording Industry Association of America (RIAA) has filed about 400 lawsuits against music downloaders, claiming "egregious" copyright infringement and seeking up to $150,000 per violation. About half of the people hit with such lawsuits have settled out of court, usually for $5,000 or less, while others have mounted fierce legal challenges to the lawsuits. The number of downloaders fell to about 18 million people in the winter period, from 35 million in the spring, the Pew study found. The steepest drops in usage were found among women, people with some college education and parents with children living at home. Students and broadband users also showed large drops in downloading. In addition, the research showed that the use of peer-to-peer file sharing programs, which allow users to swap music for free, fell significantly in November from the year earlier. The user base of leading platform Kazaa shrank by 15 percent while Grokster's declined 59 percent, according to comScore Media Metrix, Pew's data partner for the study.
Livewire: web unites and divides legal profession (Reuters, 27 Dec 2003) -- California prosecutors took the unusual step of setting up a Web site on the Michael Jackson case to alleviate a media frenzy and, in doing so, triggered a debate on use of the Web within the legal community. Some legal experts said that posting documents detailing the criminal charges against the 45-year-old entertainer was a breakthrough for public access. Others countered that it would undermine the spirit of the law and court proceedings, creating even more of a circus-like atmosphere. Over the last five years, the Web has often been used to spin the views of one side or another in sensational civil cases, like the Microsoft class-action case. But lawyers and law professors said it was rare for a governmental prosecuting attorney's office to set up a Web site devoted entirely to a particular criminal case. Many said they expect it to become a trend, and, while a specialized Web site appears to be an anomaly in criminal cases, media-hounded prosecutors in other high-profile cases like the Kobe Bryant rape case and the upcoming Scott Peterson (news - web sites) murder trial have also put links on their Web sites to documents. "The Web has been such a driver of information in civil cases, it has really changed defense tactics. The legal battles that now go on over the Web are not insubstantial," said Katrina Dewey, editor of the LA Daily Journal legal newspaper. "And now, this (trend) just moved it into the criminal arena," she said, referring to the Jackson Web site set up by the Santa Barbara County District Attorney Tom Sneddon at (http://www.sbscpressinfo.org).
NOTES
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. McGuire Wood's Technology & Business Articles of Note
8. Steptoe & Johnson's E-Commerce Law Week
9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
10. The Benton Foundation's Communications Headlines
11. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top