MIRLN --- 10-30 August 2014 (v17.12) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)
NEWS | PODCASTS | RESOURCES | LOOKING BACK | NOTES
- L.A. county fire department links dispatch system to PulsePoint CPR app
- Cybersecurity: What Directors need to know in an era of increased scrutiny
- Cybersecurity in M&A
- Study: government blocks specific journalists from accessing information
- UK's Information Commissioner Voices Concerns About Data Security in Legal Profession
- ABA House urges all organizations to develop cybersecurity programs
- ABA: Throwing stones in glass houses?
- Google opens Classroom to all apps for education users
- Judge bans live tweets by opposing counsel during deposition
- Get the GC plugged in to cybersecurity
- Military companies brace for rules on monitoring hackers
- Cyber risk and the captive market
- Court says search results and suggested search terms protected by CDA immunity
- Box announces new alliances in legal
- Cell phone guide for US protesters, updated 2014 edition
- Lower your car insurance bill, at the price of some privacy
- Can pseudonyms make better online citizens?
- Cybersecurity is hard to ensure or insure
- Law firm leaders - value of outside perspective
- 2014 ABA Tech Survey shows more attorneys using iPhones, but iPad use holds steady
- Big win for Amazon: First provider authorized to handle sensitive DoD workloads in Cloud
- Taking a selfie inside the National Gallery: a copyright infringement?
- US universities at greater risk for security breaches than retail and healthcare
- Giving email a holiday
- 'Hackcess to Justice' winners look to increase the reach of their apps
- Surveillance Law
- NIH tells genomic researchers: 'You must share data'
L.A. county fire department links dispatch system to PulsePoint CPR app (LA Times, 6 August 2014) - Hoping to turn regular cellphone-toting Angelenos into rapid responders, the Los Angeles County Fire Department has linked its dispatch system to a cellphone app that will notify CPR-trained good Samaritans when someone in a public place nearby is having a cardiac arrest. The app, called PulsePoint, sends Fire Department alerts to mobile phone users at the same time that dispatchers send the official messages to emergency crews - increasing the possibility that a cardiac arrest victim could get lifesaving cardiopulmonary resuscitation from a bystander while medical responders are still on the way, department officials said Wednesday. The program also provides CPR instruction and the location of defibrillators nearby.
Cybersecurity: What Directors need to know in an era of increased scrutiny (Alston & Bird, 6 August 2014) - "[B]oards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril." SEC Commissioner Luis A. Aguilar, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus , Speech at the New York Stock Exchange (June 10, 2014). Since the financial crisis, corporate governance has increased the focus on risk management. And, in recent years, cybersecurity has increasingly become a key issue in risk management due in large part to the growing realization that most companies' assets are digital, and that most systems are networked and connected to the Internet, leaving such assets subject to any number of targeted cyberattacks from increasingly sophisticated threat actors, including state actors with unlimited resources to conduct such attacks. In this era of increased cybersecurity scrutiny and litigation, it is imperative that directors educate themselves on the risks the company may face related to cybersecurity, as well as those risks that any director may face individually. Board members must also involve themselves in the company's cybersecurity strategy before and after a data breach. This advisory will discuss the developing cyber risk landscape, the increased regulator interest in cybersecurity, particularly from the SEC, and the impact on potential director liability for cybersecurity deficiencies (or perceived deficiencies). This advisory will conclude with practical guidance to help board members navigate the all-too-unfamiliar cyber risk and cybersecurity landscape. * * * [ Polley : Useful and actionable.]
- and -
Cybersecurity in M&A (Freshfields, July 2014) - A survey of global deal-makers by Freshfields Bruckhaus Deringer reveals a growing awareness of the cyber threat. But it also shows respondents are yet to evaluate it in the same way as other risks that can undermine corporate value. Freshfields surveyed 214 global deal-makers from corporates, financial institutions, investors and legal services providers (63 per cent from North America, 34 per cent from Europe and 3 per cent from the rest of the world) on their awareness of cyber risk and how it affects their working practices. The results show that 78 per cent of respondents believe cyber security is not analysed in great depth or specifically quantified as part of the M&A due diligence process, despite 83 per cent saying they believe a deal could be abandoned if previous cyber security breaches were identified and 90 per cent saying such breaches could reduce the value of a deal. Cyber security in the M&A process is about more than just keeping sensitive data safe. Acquirers must assess whether their target carries an acceptable level of cyber risk in the same way they would analyse its financial position. A thorough knowledge of a business's cyber security is equally important during the integration phase; as a former deputy assistant attorney general at the US Department of Justice who supervised cyber crime investigations has said: 'when you buy a company, you're buying its data - and you could be buying its data security problems'.
Study: government blocks specific journalists from accessing information (International Business Times, 7 August 2014) - As states move to hide details of government deals with Wall Street and as politicians come up with new arguments to defend secrecy, it was revealed this week that many government information officers block specific journalists they don't like from accessing information. The news comes as 47 federal inspectors general sent a letter to lawmakers criticizing "serious limitations on access to records" that they say have "impeded" their oversight work. The data about public information officers was compiled over the past few years by Kennesaw State University professor Carolyn Carlson. Her surveys found that 4 in 10 public information officers say "there are specific reporters they will not allow their staff to talk to due to problems with their stories in the past." Carlson has conducted surveys of journalists and public information officers since 2012 . In her most recent survey of 445 working journalists, four out of five reported that "their interviews must be approved" by government information officers, and "more than half of the reporters said they had actually been prohibited from interviewing [government] employees at least some of the time by public information officers." Those revelations foreshadowed this week's letter from more than half of the federal government's inspectors general saying that government agencies' move to hide information from them represents a "potentially serious challenge to the authority of every Inspector General and our ability to conduct our work thoroughly, independently, and in a timely manner."
UK's Information Commissioner Voices Concerns About Data Security in Legal Profession (August 5, 2014) - The UK Information Commissioner's Office (ICO) has received reports of 15 incidents in the past three months involving mishandling of client data by those in the legal profession. The ICO is warning that barristers and solicitors who do not take adequate precautions to protect their clients' data would face fines of up to GBP 500,000 (US $840,000). - http://www.v3.co.uk/v3-uk/news/2358882/ico-sounds-the-alarm-over-legal-professions-shoddy-data-handling [SANS Editor's Note (Paller): I have first hand evidence that US law firms have lost huge troves of their clients' data; the FBI disclosed that US law firms were targets of nation-state attacks in 2009; and the head of MI5 made it clear that the same was happening in the UK in a disclosure the year before. Nation states (as well as economic competitors) have figured out that organizations run by lawyers (as well as the consulting companies run by ex Federal officials) are the most cost-effective way to steal intellectual property from companies seeking to do business in their countries because those companies share the crown jewels with their lawyers and consultants and think they will protect the information. ]
- and -
ABA House urges all organizations to develop cybersecurity programs (ABA Journal, 12 August 2014) - The ABA House of Delegates has adopted a policy encouraging private and public sector organizations to develop, implement and maintain an appropriate cybersecurity program. Such programs would need to comply with applicable ethical and legal obligations. They would also need to be tailored to the nature and scope of the organization, and to the data systems which need protecting. The threat of cyberattacks on law firms is fast growing, and Resolution 109 was drafted to allow flexibility for small businesses, small law firms and solo practitioners. Last year the association published the ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals. It presents practical guidance and strategies and addresses the relationship and legal obligations between lawyers and clients when cyberattacks occur.
- and -
ABA: Throwing stones in glass houses? (CorporateCounsel.net, 26 August 2014) - At the ABA's 2014 annual meeting earlier this month, delegates approved a resolution that "encourages all private and public sector organizations to develop, implement and maintain an appropriate cybersecurity program." When you consider that some pundits characterize lawyers as technology Luddites and law firms as "the soft underbelly" of data security in corporate America, it may seem odd for the legal industry to be lecturing other organizations about getting their cyber houses in order. The ABA Cybersecurity Legal Task Force report accompanying the draft resolution warns that "the threat of cyber attacks against law firms is growing." It notes that law firms collect and store large amounts of critical, highly valuable corporate records. The report points out that "lawyers and law offices have a responsibility to protect confidential records from unauthorized access and disclosure, whether malicious or unintentional, by both insiders and hackers." Unfortunately, many lawyers don't fully appreciate the scope of that responsibility, particularly as it applies to data transmitted via the internet or stored in the Cloud. A survey conducted in March 2014 by LexisNexis found that 89% of law firms use email daily for business purposes, but only 22% of law firms are encrypting email. A recent post in Law Technology News urges that It's Time to Secure Privileged Communications . The post notes that "attorneys should be concerned about the general uncertainty of privacy expectations for email." Those risks to email confidentiality are not merely a theoretical concern. For example, in February the New York Times reported that a foreign spy agency intercepted email messages between a large U.S. law firm and its foreign government client and then shared the information with the U.S. National Security Agency. In a carefully worded statement , the law firm said: "There is no indication, either in the media reports or from our internal systems and controls, that the alleged surveillance occurred at the firm." The statement misses the point, because unencrypted email is intercepted, undetectably, while it is being transmitted or stored outside the firm's internal network. That news report prompted the ABA to ask the NSA to explain how the agency deals with attorney-client privileged communications. As discussed in the post, Law Firm Email Security Questions The ABA Should Be Asking , the ABA was conflating legal privilege with client confidentiality and asking the wrong questions of the wrong organization. The fundamental question is whether the firm's lawyers were taking reasonable steps in the circumstances in order to secure sensitive email communications. The ABA report acknowledges that "law firms are businesses and should take special care to ensure that they have a strong security posture and a well-implemented security program." Many lawyers say the NIST Cybersecurity Framework can serve as a general guide for information security oversight and risk assessments, in order to establish that reasonable care was taken. The NIST Cybersecurity Framework includes an assessment of whether "data-in-transit is protected." Email fundamentally is a convenient but unsecure method of transmitting and storing data in the Cloud. There are many simple steps that lawyers can take to protect sensitive data that they exchange with clients and third parties, including email encryption. State bar associations, however, continue to draw an unfounded distinction between the data security measures required when transmitting and storing data "in the Cloud" versus those required for email.
Google opens Classroom to all apps for education users (InsideHigherEd, 13 August 2014) - Google Classroom , the search giant's lightweight learning management system, is now available to any institution that uses the company's Apps for Education. Classroom launched as a limited preview in May and adds a layer of course management on top of Google's productivity suite, which includes apps such as Gmail and Docs.
Judge bans live tweets by opposing counsel during deposition (ABA Journal, 13 August 2013) - Convicted for his role in a money-laundering conspiracy involving election contributions from a drug trafficker, a former South Texas sheriff got five years in federal prison. After his sentencing last month, KGBT reported on tweets of what disgraced ex-Hidalgo County Sheriff Lupe Treviño was saying during the federal court hearing. But an attempt to share with the public what Treviño said during a recent deposition in one of the civil suits the former sheriff is now facing was soon shut down. In a Wednesday hearing in Edinburg, a state-court judge banned further tweets by attorney Javier Peña, reports another KGBT article. Peña represents a former candidate for the sheriff's job in a lawsuit against Treviño. Judge Rudy Delgado rejected an attempt by Treviño's lawyer, Preston Henrichson, to limit the scope of Peña's questioning in the ongoing 93rd State District Court deposition but nixed live updates from Peña's Twitter account, the station reports. "Our technology is far outpacing ability to formulate rules," the judge commented.
Get the GC plugged in to cybersecurity (Corporate Counsel, 13 August 2014) - As more countries try to create rules to deal with cybersecurity and data privacy, general counsel need to become more engaged participants in the conversation, said Kaye Scholer partner Adam Golodner, because those rules will affect future business. Recent incidents, including the massive hacking of data by a Russian gang revealed last week and the theft of customer financial data from Target Corp. in December, only accelerate the process. So GCs should "engage in those discussions now," Golodner told CorpCounsel.com this week. Cybersecurity is a fundamental issue for general counsel and corporate counsel, Golodner said, and it now has escalated to a board of directors' issue. "We've seen significant change over the past three years where it has matured to a top-level risk management issue," he explained. Proposed legislation in the EU, he noted, will set cybersecurity standards for all enterprises. The proposal affects network and information security separate from the EU's data privacy directive. Before these standards become final, Golodner said, there's still a chance for multinational companies to participate in what the rules will look like.
Military companies brace for rules on monitoring hackers (Bloomberg, 13 August 2014) - Companies that do business with the Defense Department are bracing for new U.S. rules requiring them to report computer breaches to the Pentagon and give the government access to their networks to analyze the attacks. Groups representing the contractors are raising concern about the Pentagon rooting around their data, and say smaller companies may not even have the cybersecurity protections needed to comply. A report that was to be released today on the rules has been pushed back until Sept. 24, according to a person familiar with the matter who isn't authorized to speak publicly. The pending rule change marks an escalation of efforts to understand the scale of hacking as the Defense Department plans to spend $23 billion through fiscal year 2018 on cybersecurity. The crux of the rule is designed to ensure companies handling classified data quickly inform the Pentagon of hacking attacks. The effort "has the potential to become too onerous" if it requires contractors to report minor breaches and allows the Pentagon access to trade secrets or personal information on their networks, said Mike Hettinger, senior vice president for the public sector at TechAmerica, a trade association based in Arlington, Virginia, that represents Lockheed Martin Corp. (LMT), Northrop Grumman Corp. (NOC) and other defense contractors.
Cyber risk and the captive market (AON, August 2014) - The associated costs of cyber threats are increasing for entities in every industry sector. The legal exposure, reputational harm and business interruptions that may result can wreak havoc on a company's bottom line. This was made clear in Aon's 2014 Underrated Threats Report, where 83% of respondents (Captive Directors) felt that the ranking of #18 in Aon's Global Risk Management Survey 2013 for cyber risks (computer crimes/hacking /viruses/malicious codes) was severely underrated, a finding that was consistent along regional and revenue categories. In Aon's Global Risk Management Survey 2013 , 7% of respondents (Captive Owners) indicated interest in underwriting cyber risk in a captive over the subsequent five years. Most cited the lack of appropriate cover in the commercial market place as the reason. However, in Aon's 2014 Captive Benchmarking Tool , which captured data from over 1,000 Aon managed captive clients, the number of captives writing cyber currently, is reported at 1%, a number which has remained static since 2012. The reluctance for many organisations appears to derive from the challenge of gaining an estimation of the cyber risk exposure and quantification of consequences of cyber events, a challenge equally reflected in the reluctance of organisations to purchase cyber insurance from the insurance market.
Court says search results and suggested search terms protected by CDA immunity (Steptoe, 14 August 2014) - The U.S. District Court for the District of New Jersey has found that search engines are immune from liability for publishing search results and suggesting search terms that contain allegedly defamatory information. In Obado v. Magedson, the court held that Google, Yahoo!, and other sites were protected by Section 230 of the Communications Decency Act for publishing content provided by third parties. Even though the search engines themselves determine what is displayed on their pages, and in that sense "create" the content, the court appeared to reason that the search engines did not create the content because the results and search terms were determined by an algorithm based on the content contained on third-party sites, and not by some purposeful act of the search engines to create the content. While other U.S. courts have reached similar conclusions, the decision is in stark contrast to foreign court rulings holding Google liable for search results or "autocomplete" search suggestions. For example, a Hong Kong court recently ruled that a corporate executive could sue Google for defamation because its suggested search terms linked his name to organized crime. And last year, Germany's highest civil court ruled that once Google becomes aware that its suggested search terms are defamatory, it is obligated to remove them.
Box announces new alliances in legal (Bob Ambrogi, 14 August 2014) - In two posts last year, I wrote about Box , the file sharing and collaboration platform, making a push into the legal industry through integrations with several mobile and web legal platforms ( here and here ). Today, two weeks before its major BoxWorks2014 user conference in San Francisco and just a few days before the International Legal Technology Association conference in Nashville, the company announced major new clients in the legal field and new law-related partnerships and integrations. In today's announcement, Box said that the law firms DLA Piper, Hinshaw & Culbertson, Perkins Coie and Stoel Rives have chosen Box to manage, access and share information for various purposes. Box also announced a new relationship with HBR Consulting , a firm that provides strategic, technology and information management consulting services to the legal sector. Through the relationship, Box and HBR Consulting will work together to offer custom-built cloud-based storage and collaboration tools for law firms.
Cell phone guide for US protesters, updated 2014 edition (EFF, 15 August 2014) - With major protests in the news again, we decided it's time to update our cell phone guide for protestors . A lot has changed since we last published this report in 2011, for better and for worse. On the one hand, we've learned more about the massive volume of law enforcement requests for cell phone-ranging from location information to actual content-and widespread use of dedicated cell phone surveillance technologies. On the other hand, strong Supreme Court opinions have eliminated any ambiguity about the unconstitutionality of warrantless searches of phones incident to arrest, and a growing national consensus says location data, too, is private. Protesters want to be able to communicate, to document the protests, and to share photos and video with the world. So they'll be carrying phones, and they'll face a complex set of considerations about the privacy of the data those phones hold. We hope this guide can help answer some questions about how to best protect that data, and what rights protesters have in the face of police demands. See also, the ACLU's Know Your Rights: Photographers (updated July 2014).
Lower your car insurance bill, at the price of some privacy (NYT, 15 August 2014) - An increasing number of the nation's auto insurance companies have a new proposition: Let them track every second of your driving in exchange for an annual discount that can reach into the hundreds of dollars if you behave yourself on the road. In theory, everyone wins here. Progressive, Allstate and State Farm - among the most aggressive of the larger companies that are pursuing this strategy - attract better drivers who crash less often. Customers who sign up for the optional programs can pay premiums based more on how they drive and less on their age, gender or credit history. But usage-based insurance , as the program is known, generates vast amounts of data. While insurance companies are pledging to keep it to themselves for now, some experts believe that we're only a few years away from companies' contributing complete driver histories into a central industry database. Then, we'd all have driver scores like the numbers that FICO helps creditors calculate, which would follow us around whenever we shopped for a new auto insurance policy.
Can pseudonyms make better online citizens? (Harvard Magazine, Sept 2014) - People socialize online more than ever: posting photos on Instagram, job-hunting on LinkedIn, joking about politics on Twitter, and sharing reviews of everything from hotels to running shoes. Judith Donath, a fellow at Harvard's Berkman Center for Internet and Society , argues against using real names for most of these Internet interactions and relying instead on pseudonyms. A made-up handle is essential to maintain privacy and manage one's online identity, she says. Her new book, The Social Machine: Designs for Living Online (MIT Press, 2014), also contends that well-managed pseudonyms can strengthen online communities, an idea that contradicts the conventional wisdom that fake names bring out the worst in people, allowing "trolls" to bully others or post hateful, destructive comments without consequences. Real names, such thinking goes, keep online conversations civil. But Donath often uses a pseudonym online, not because she wants to "anonymously harass people or post incendiary comments unscathed," as she explained in a commentary published on Wired.com this spring, but because she prefers to separate certain aspects of her life. In the age of Google, a quick search of a person's name gathers everything he or she has posted under that name, from résumés to college party photos. As a public figure who studies how people communicate online, Donath's academic writing can be found online under her real name. But when she writes product reviews on shopping sites such as Drugstore.com, or restaurant reviews on Yelp, she might use a pseudonym. [ Polley : Interesting ideas - this related to the podcast recommended below .]
Cybersecurity is hard to ensure or insure (Houston Chronicle, 17 August 2014) - A massive data breach into Target's computer systems last year claimed millions of customer credit card numbers, a CEO's job and $148 million so far to clean up the mess. If hackers ever manage to hit an oil and gas company with a major cyberattack -- compromising key systems at a deep-water platform or an oil refinery -- losses could dwarf the retailer's tab. Yet most U.S. energy companies have to scrape together a collection of insurance policies to protect themselves against property, environmental and other damages from cyber-attacks that could run into the billions of dollars. "Imagine what could happen if a large refinery or petrochemical facility's safety monitoring systems were hijacked near an urban area, or a subsea control module was no longer able to be controlled by the people who should be controlling it," Legge said. "As we've all seen from Deepwater Horizon, those risks and damages can be astronomical. It requires an immediate response." That deadly 2010 blowout and oil spill in the Gulf of Mexico was an accident, but London-based insurer Aon says energy companies are at particular risk for cyberattacks because hackers only began targeting them in recent years, so many are just beginning to develop effective security. ABI Research forecasts that the oil industry will pay $1.9 billion on cybersecurity defense systems by 2018. But less than a fifth of U.S. companies over all are covered for cyberdamages.
Law firm leaders - value of outside perspective (Layse LLC, 19 August 2014) - Quality decision-making has a great deal to do with shaping the fate of all law firms. Today's post focuses on the value of today's law firm leader engaging the insight and decision-making acumen of seasoned outside business professionals. * * * Edward Drummond is a UK based executive search firm that recently released the results of a study of the top 100 UK law firms over the last four years. It is telling that this study reports that about a quarter of the UK top 100 use a non-firm member to assist with decision making; and that the firms that utilized this approach realized a growth rate of about a third more than other firms. The author of the study suggests "To get someone in just for a few days a year often works well for both parties. Having someone with strong commercial experience - sometimes within the FTSE 100 - can really drive growth through commercial experience."
2014 ABA Tech Survey shows more attorneys using iPhones, but iPad use holds steady (iPhone JD, 20 August 2014) - Every year, the ABA Legal Technology Resource Center conducts a survey to gauge the use of legal technology by attorneys in the United States. My thoughts on the prior reports are located here: 2013 , 2012 , 2011 , 2010 . No survey is perfect, but the ABA tries hard to ensure that its survey has statistical significance, and every year this is one of the best sources of information on how attorneys use technology. Yesterday, the ABA released Volume VI of the report titled Mobile Lawyers. This year's report once again shows that a large number of attorneys are using iPhones and iPads. For those nine out of every ten attorneys who are using smartphones, 74% reported in 2014 that they were using a personally owned smartphone, and 28% used a smartphone permanently assigned by their law firm. Those numbers were closer to 66% and 36% in the prior three years, so it seems that in 2014, fewer law firms are buying smartphones for their attorneys and more attorneys are buying their own smartphones. Whether they buy it themselves or it is purchased by their law firm, what smartphones are those nine out of ten attorneys using in 2014? Last year, the big news was that over half of all attorneys were using an iPhone. This year, that number increases even more: 60.8% of all attorneys are using an iPhone (66.8% of the 91% of attorneys who use a smartphone). So if you can imagine a row of ten attorneys, this year one of them doesn't use a smartphone at all, and six of them use an iPhone. What about the other three? Two of them are likely using an Android phone (24.5% of the 91% of attorneys who use a smartphone report using an Android phone in 2014, a small increase from 22% in 2013.) and that last attorney is probably using a Windows phone. Last year, based on the 2013 survey, I concluded that over 400,000 attorneys were using an iPad based on the survey numbers and the assumption that there are about one million attorneys in the U.S. This year, I still believe that there are over 400,000 attorneys using an iPad, but the 2014 survey results on lawyer tablet use were surprising to me in two respects. First, lawyer tablet use is not growing nearly as much as I had expected. In 2011, 15% of attorneys reported that they used a tablet device. In 2012, that more than doubled to 33%. In 2013, it increased to 48%. Thus, I would have guessed that more than half of attorneys would be using tablets in 2014. But that didn't happen. The number instead increased only from 48% to 49%. Have we reached the point where most attorneys who want to use a tablet already have one? After all, as useful as an iPad is, I often hear attorneys tell me that laptops such as the MacBook Air are so thin and light that they carry theirs almost everywhere, and when you always have a laptop with you there is less of a need for an iPad. Is it possible that even though almost half of all attorneys now use a tablet, the other half will never see the need to do so?
Big win for Amazon: First provider authorized to handle sensitive DoD workloads in Cloud (NextGov, 21 August 2014) - Amazon Web Services has become the first commercial cloud provider authorized to handle the Defense Department's most sensitive unclassified data. Today's announcement that AWS has achieved a provisional authority to operate under DOD's cloud security model at impact levels 3-5 is a major win for the company, as it allows DOD customers to provision commercial cloud services for the largest chunks of their data. In technical speak, the provisional ATO granted by the Defense Information Systems Agency means DOD customers can use AWS' GovCloud - an isolated region entirely for U.S. government customers - through a private connection routed to DOD's network. DOD customers can now secure AWS cloud services through a variety of contract vehicles. In layman's terms, AWS is the first company with the ability to take any and all of DOD's unclassified data to the cloud. AWS recently launched a private cloud for the Central Intelligence Agency to service the intelligence community , and other cloud providers have been busy picking up new business in the civilian government where billions of dollars are up for grabs. AWS was one of the first cloud providers to meet the Federal Risk and Authorization Management Program, the government's baseline security standards for cloud computing. The company was also one of three firms to meet DISA's cloud security requirements at impact levels 1-2, which govern the agency's least sensitive data. DISA's cloud security model includes many additional requirements on top of what is required by FedRAMP.
Taking a selfie inside the National Gallery: a copyright infringement? (IPKat, 21 August 2014) - A few days ago a number of UK newspapers reported that, following similar moves by a number of other UK institutions, also the National Gallery in London has changed its strict no-photos-(please) policy " after staff realised they were fighting a losing battle against mobile phones ", The Telegraph explains . In particular, this decision has been motivated by the difficulties that have arisen to distinguish between visitors using the free wi-fi provided by the Gallery " to research paintings " [of course, what else?] " and those trying to take pictures with mobile phones ." Since late July the new photography policy of this glorious cultural institution has quietly replaced the old one: visitors may now take photos of the Gallery's permanent collection on their own devices for personal, non-commercial purposes. Tripods remain off limits, and visitors will also be "discouraged" from blocking other people's views while taking pictures. In any case, similarly to the National Portrait Gallery and the Tate , the National Gallery "will maintain restrictions on members of the public photographing their temporary exhibitions, for reasons of copyright " [as well as, presumably, in some other cases for reasons of security or conservation]. So, would the taking of a picture of temporary exhibitions or displays with loans be really a potential copyright infringement? It might well be, provided of course that the particular work photographed is still protected by copyright [which might be the case also for works in the permanent collection, although for those paintings it is likely that the Gallery also owns the copyright]. The conclusion above is because the so called freedom of panorama under UK copyright does not apply to paintings. Section 62 ( Representation of certain artistic works on public display ) of the Copyright, Designs and Patents Act 1988 ('CDPA') states * * *
US universities at greater risk for security breaches than retail and healthcare (ZDnet, 21 August 2014) - The back-to-school season is a busy time for many, even hackers. According to a new report by the security rankings provider BitSight Technologies, higher education institutions experience an influx in malicious cyberattacks during the school year. But what's worse is that most of those universities are ill-equipped to prevent and handle such attacks, which, according to the report, results in cybersecurity rankings below that of retail and healthcare - two sectors plagued by near-constant security attacks that often result in successful breaches. The majority of attacks experienced by higher education institutions come from malware infections, with the most prevalent being Flashback, which targets Apple computers. Other prominent malware include Ad-ware and Conficker. BitSight said universities are the targets of so many attacks because they harbor a trove of sensitive and personal data, ranging from addresses and social security numbers to credit card numbers and intellectual property - and hackers are quick to notice the weak IT infrastructure in place to keep that data protected.
Giving email a holiday (NYT Editorial, 23 August 2014) - Daimler, the German automaker, has given new meaning to the escape command on workers' computers this summer by instituting an automatic program to delete incoming emails to employees on vacation, so they are not tempted to peek at business traffic at the seashore and can start with a clean slate when they return to work. The idea is to encourage a healthier balance in life and to cut down on workers' burnout - a condition that Daimler has concluded can't be good for business in the long run. The program, called Mail on Holiday, politely informs senders that their messages were instantly deleted, but they can contact a designated alternate worker if necessary. The email blackout is optional for the company's 100,000 workers, but "the response is basically 99 percent positive," a Daimler spokesman, Oliver Wihofszki, told BBC Radio. "Everybody says, 'That's a real nice thing.' " Well, of course it is. The new freedom - or is it basically a stroke of virtual mercy? - grows out of research by Daimler with psychologists at the University of Heidelberg. It is part of a "data detox" trend in European corporate life. Volkswagen and Deutsche Telekom have programs to cut back on evening and weekend emails to workers. Even Germany's Labor Ministry is pushing the go-easy button, encouraging managers to stop emailing workers outside of work hours. In France, employers and unions are pursuing an agreement so contract workers on long days might disconnect at given times from their babbling brooks of email. At Daimler, officials say they intend nothing more than emotional relief - a virtual sabbatical for their workers in what is proving to be a relentless digital age. And they issued assurances that no one was keeping lists of which vacationers did or did not resist the temptation of the inbox. [ Polley : Reminds me of the seminal email article by Amitai Etzioni in the NYT on 23 Nov 1997, " Some Privacy, Please, for E-Mail "]
'Hackcess to Justice' winners look to increase the reach of their apps (ABA Journal, 25 August 2014) - Award winners from the recent Hackcess to Justice legal hackathon are working hard to fulfill the main goal of the event: Improving access for all Americans to effective legal assistance. In the two weeks since the inaugural hackathon-in conjunction with the ABA Annual Meeting-took place at Suffolk University Law School in Boston, the programmers and lawyers behind the three winning entries have hardly sat back and rested on their laurels. Instead, they have all taken steps to try and increase the reach of their apps. For instance, all three apps are now available for the general public to use, and in some cases, the prize winners are speaking to nonprofit and state agencies to figure out ways their apps can be used to provide legal assistance to many more individuals. William Palin, a Somerville, Massachusetts, attorney who won first place with his health care proxy and living will generator PaperHealth , tells the ABA Journal that the app has already been approved by Apple and is now available in the App Store . He says that he is currently talking to a nonprofit legal network in Vermont in the hopes of increasing awareness of his app. "What I'm proposing is that, if the state will provide an attorney to review the legality of the app, then I'll adjust and customize it for the state, and then provide it for free, as long as they promote it," says Palin, who hopes to do this with every state in the country. The second-place winning app, disastr , which was created by Matthew Burnett, director of the Immigration Advocates Network, and Adam Friedl, program and special initiatives manager at Pro Bono Net, has been officially released for Android. The app provides information, resources, real-time news and alerts and legal representation forms for people affected by natural disasters Meanwhile, David Colarusso, staff attorney for the Massachusetts Committee for Public Counsel Services, has been busy talking to state officials about potential uses for his team's app, Due Processr . The app, which took third place and was developed by Colarusso and his teammates, David Zvenyach, a general counsel in Washington, D.C. and William Li, a computer science PhD student at the Massachusetts Institute of Technology, Hotmail.is an interactive tool that allows users to determine their eligibility for indigent legal services in Massachusetts, and for criminal defendants to calculate their state prison sentences.
Surveillance Law (Stanford MOOC, Fall 2014) - This website hosts content for Surveillance Law , a free online course offered by Stanford Law School . We encourage you to join the interactive course on Coursera. If you would like heightened privacy protection, you can view noninteractive material on this website. The server is configured to not log requests, and can be accessed using HTTPS ( details ) or as a Tor hidden service ( 7vrl523532rjjznj.onion ). It's easy to be cynical about government surveillance. In recent years, a parade of Orwellian disclosures have been making headlines. The FBI, for example, is hacking into computers that run anonymizing software. The NSA is vacuuming up domestic phone records. Even local police departments are getting in on the act, tracking cellphone location history and intercepting signals in realtime. Perhaps 2014 is not quite 1984, though. This course explores how American law facilitates electronic surveillance-but also substantially constrains it. You will learn the legal procedures that police and intelligence agencies have at their disposal, as well as the security and privacy safeguards built into those procedures. The material also provides brief, not-too-geeky technical explanations of some common surveillance methods. [ Polley : I love how they're using TOR, and giving out .onion addresses.]
NIH tells genomic researchers: 'You must share data' (Chronicle of Higher Ed, 28 August 2014) - Scientists who use government money to conduct genomic research will now be required to quickly share the data they gather under a policy announced on Wednesday by the National Institutes of Health. The data-sharing policy, which will take effect with grants awarded in January, will give agency-financed researchers six months to load any genomic data they collect-from human or nonhuman subjects-into a government-established database or a recognized alternative. NIH officials described the move as the latest in a series of efforts by the federal government to improve the efficiency of taxpayer-financed research by ensuring that scientific findings are shared as widely as possible. "We've gone from a circumstance of saying, 'Everybody should share data,' to now saying, in the case of genomic data, 'You must share data,'" said Eric D. Green, director of the National Human Genome Research Institute at the NIH. The NIH's plan to require data-sharing hasn't been entirely popular with the researchers themselves, at least not in the early stages. When it appeared last year, the initial version of the NIH's policy proposal drew criticism from the Federation of American Societies for Experimental Biology, the nation's largest coalition of biomedical researchers, and the Association of American Medical Colleges, whose members include all 141 accredited U.S. medical schools.
NOTED PODCASTS
Judith Donath on The Social Machine (Berkman, 26 May 2014; 71 minutes) - Online, interface designs fashion people's appearance, shape their communication and influence their behavior. Can we see another's face or do we know each other only by name? Do our words disappear forever once they leave the screen or are they permanently archived, amassing a history of our views and reactions? Are we aware of how public or private our surroundings are? In this talk Judith Donath - Berkman Faculty Fellow and former director of the MIT Media Lab's Sociable Media Group - discusses some of these questions and more from her new book "The Social Machine." [ Polley : I'm particularly interested in online meetings vs. IRL meetings; Ms. Donath has some interesting observations about how online meetings should be different , and can be richer.]
RESOURCES
Open Intellectual Property Casebook (Duke, August 2014) - Duke's Center for the Study of the Public Domain is announcing the publication of Intellectual Property: Law & the Information Society-Cases and Materials by James Boyle and Jennifer Jenkins. This book, the first in a series of Duke Open Coursebooks, is available for free download under a Creative Commons license. It can also be purchased in a glossy paperback print edition for $29.99, $130 cheaper than other intellectual property casebooks. * * * The book is intended to be a textbook for the basic Intellectual Property class, but because it is an open coursebook, which can be freely edited and customized, it is also suitable for an undergraduate class, or for a business, library studies, communications or other graduate school class. Each chapter contains cases and secondary readings and a set of problems or role-playing exercises involving the material. The problems range from a video of the Napster oral argument to counseling clients about search engines and trademarks, applying the First Amendment to digital rights management and copyright or commenting on the Supreme Court's new rulings on gene patents.
The 9 most useful Bitcoin data resources (Coindesk, 10 August 2014) - The days of pencil-pushing to gather and analyse data are numbered, and new tools have made gathering, sorting, analysing and visualising enormous amounts of data easier than ever. Bitcoin, of course, lends itself perfectly to these quantitatively-focused metric tools. Few things about the digital currency are subjective, and even though nobody knows for certain what drives bitcoin's price changes , plenty of people have tried their hand at using technical analysis to predict price trends. Luckily for us, there's no shortage of companies working with data to paint a picture of the ever-changing bitcoin ecosystem. These websites provide information on pricing, trading, market capitalisations, blockchain statistics and more. Here are nine of the most helpful bitcoin data resources * * * [ Polley : I'm still experimenting with my BTC wallets.]
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Controversial government data-mining research lives on (Information Week, 23 Feb 2004) -- The government is still financing research to create powerful tools that could mine millions of public and private records for information about terrorists despite an uproar last year over fears it might ensnare innocent Americans. Congress eliminated a Pentagon office developing the terrorist tracking technology because of the outcry over privacy implications. But some of those projects from retired Adm. John Poindexter's Total Information Awareness effort were transferred to U.S. intelligence offices, congressional, federal and research officials told The Associated Press. In addition, Congress left undisturbed a separate but similar $64 million research program run by a little-known office called the Advanced Research and Development Activity (ARDA) that has used some of the same researchers as Poindexter's program. ``The whole congressional action looks like a shell game,'' said Steve Aftergood of the Federation of American Scientists, which tracks work by U.S. intelligence agencies. ``There may be enough of a difference for them to claim TIA was terminated while for all practical purposes the identical work is continuing.''
NSA plots software center (FCW, 15 Oct 2004) -- The National Security Agency's top information security official disclosed plans this week for a government-funded research center devoted to improving the security of commercial software, calling the initiative a modern-day Manhattan Project. Comparing the proposed high-assurance software initiative to the famous atomic bomb research project of the 1940s, NSA's director for information assurance, Daniel Wolf, said the research would focus on tools and techniques for writing secure software and detecting malicious code hidden in software. Before NSA officials can create the center, the Defense secretary must approve the concept and find money for the project, Wolf said. He gave the keynote address at the Microsoft Corp. Security Summit East in Washington, D.C., earlier this week. The quality and trustworthiness of commercial software has become a matter of increasing concern to NSA officials, who are responsible for the security of Defense Department and intelligence software. NSA officials anticipate that many companies on whose software DOD and intelligence users rely will be moving significant portions of their commercial software development overseas within a few years. NSA officials cannot force companies to develop software a certain way, Wolf said, "but we would like to get them to a point where they are producing commercial products that meet the needs of our users." About 95 percent of the agency's desktop PCs run Microsoft's Windows operating system, Wolf said.
NOTES
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. Steptoe & Johnson's E-Commerce Law Week
8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
9. The Benton Foundation's Communications Headlines
10. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top