- How IBM shrunk a complex contract down to 2 pages
- A 'partial win' for publishers
- Free hotel Wi-Fi coming, with strings attached
- Google, wireless industry not down with Marriott's Wi-Fi blocking plan
- Hack attack causes 'massive damage' at steel works
- A corporate counsel's guide to cyber insurance
- FBI on watch as hackers' victims weigh illegal retaliation
- Court permits banks' negligence claims against Target for data breach
- 9 maps that explained the Internet in 2014
- 100 years of law
- Senators question FBI's legal reasoning behind cell-tower spoofing
- Who's responsible when your semi-autonomous shopping bot purchases drugs online?
- Google's 'security princess' helped White House after hack
- Ford tries to shut down independent repair tool with copyright
- The drugs that companies promote to doctors are rarely breakthroughs
- Robert Half can't stop former employees from telling the world where they used to work
- Bank of America shifts compliance team out of legal unit after OCC pressure
- 'Family Law' is second in series of Uniform Law Commission apps
- Armed attacks in cyberspace: A reply to Admiral Stavridis
- LegalZoom gets OK to operate in UK
How IBM shrunk a complex contract down to 2 pages (Corporate Counsel, 16 Dec 2014) - To Neil Abrams, assistant general counsel at IBM, better service to his clients and the customers means keeping it simple. That's why a team spearheaded by Abrams earned international recognition for taking dozens of pages of complex contracts for cloud services and reducing them to a simple, two-page document. Abrams told CorpCounsel.com that the complex contracts for some 150 cloud services were creating a frustrating roadblock for customers last year. The contracts would end up in the hands of their lawyers, who would want to negotiate the wording, tying up lawyers on both sides. "We developed a plan to cover only those things we considered essential," Abrams said, "and we used concise, plain language." It took his team about two months to boil down all the key points into the two-page document, to work it through the business side and translate it into more than 20 languages. How did they do it? "That was challenging," he concedes. "We wouldn't reuse any preexisting contract clauses. And we had to avoid the common technique in contract drafting of cross-referencing or hyperlinking and incorporating other documents by reference." Most companies also require a separate "professional services" contract that gives a detailed description of what the company is going to do. But the simplified IBM contract also covers services. And Abrams' team included intellectual property indemnification in the contract, "though most cloud providers do not provide that," he said. "We learned that using a shorter contract takes a lot less time for the customers, and their lawyers," he explained. "And where there needs to be some negotiation, they can do that faster too." He said the response has been positive from customers and internal clients, including the IBM sales team.
And the International Association for Contract and Commercial Management named the company a finalist for its 2014 Innovation Award for Operational Improvement for "boldly and rapidly transforming its cloud computing contract process." The success of this novel bit of contract work also earned Abrams something else. When he began the task, he was the head lawyer for software. Now he is an assistant GC assigned to look for ways to transform the client experience, including simplifying more contracts. His latest project: A four-page contract released a few months ago that covers IBM's entire product line. Such contracts once averaged about 30 pages. This one allows a customer to choose the parts that apply to the product he wants. [Polley: I'd love to see a copy, if anybody has one.]
A 'partial win' for publishers (InsideHigherEd, 20 Dec 2014) - While academic publishers on Friday notched a rare win in the ongoing legal debate about digital access to copyrighted works, proponents of fair use said the opinion in Cambridge v. Patton recognizes that colleges and universities can legally create digital reserves of books in their collections. In a unanimous decision, a three-judge panel of the U.S. Court of Appeals for the 11th Circuit, which covers Alabama, Georgia and Florida, rejected a broad ruling on how to determine fair use. The decision guarantees the case has a long and litigious road ahead of it by reversing the district court's opinion and sending the case back for further deliberations. Rather than strike a decisive blow against fair use, the legal concept that places some limits on the rights of copyright holders, the appeals court instead issued a stern warning against quick-fix, one-size-fits-all solutions to legal disputes -- specifically, the idea that copying less than a chapter or 10 percent of a book automatically protects an institution from a lawsuit. The court also came away "persuaded" that the Copyright Act of 1976 contains specific protections for colleges and universities, noting that Congress "devoted extensive effort to ensure that fair use would allow for educational copying under the proper circumstances."
Free hotel Wi-Fi coming, with strings attached (LA Times, 21 Dec 2014) - Starwood Hotels & Resorts Worldwide Inc., with more than 1,200 properties including the brands W, Westin, Sheraton, Four Points and St. Regis, announced last week that standard in-room Internet will be free to all Starwood Preferred Guest members starting Feb. 2. The move mirrors a decision announced last month by Marriott International to offer free standard Wi-Fi to members of its loyalty rewards program, starting in January. With the Starwood offer, loyalty reward members get the Wi-Fi if they book through Starwood's online sites or the SPG app. Without a loyalty membership, guests pay up to $20 per day for basic Wi-Fi service, with even higher prices for Internet with premium speeds.
- but, on the other hand -
Google, wireless industry not down with Marriott's Wi-Fi blocking plan (Re/code, 22 Dec 2014) - Microsoft and Google don't agree on much, but they've presented a united front against the hotel industry, which is trying to convince government regulators to give them the option of blocking guests from using personal Wi-Fi hotspots. The tech companies recently joined the wireless industry's lobbying group and a handful of other parties in opposing the hotel industry's petition, which seeks the Federal Communications Commission's permission to block personal Wi-Fi networks on their properties. This summer, the American Hospitality & Lodging Association and Marriott International asked the FCC to declare that a hotel operator can use equipment to manage its network even if it "may result in 'interference with or cause interference' to a [wireless device] being used by a guest on the operator's property." "Wi-Fi network operators should be able to manage their networks in order to provide a secure and reliable Wi-Fi service to guests on their premises," they argued. At the time, Marriott was under investigation for a March 2013 consumer complaint for allegedly blocking guests from using their smartphones as personal Wi-Fi hotspots in the convention space at Opryland. The Marriott-owned Gaylord Opryland Hotel and Convention Center tech staff was using a monitoring system that de-authenticated guests' personal Wi-Fi hot spots. Meanwhile, the hotel was charging exhibitors and attendees anywhere from $250 to $1,000 for Wi-Fi service, the FCC said. In October, Marriott settled an FCC complaint about the practice for $600,000 but argued that it hadn't broken the law and was using technology to protect guests from "rogue wireless hotspots that can cause degraded service, insidious cyber attacks and identity theft."
Hack attack causes 'massive damage' at steel works (BBC, 22 Dec 2014) - A blast furnace at a German steel mill suffered "massive damage" following a cyber attack on the plant's network, says a report. Details of the incident emerged in the annual report of the German Federal Office for Information Security (BSI). It said attackers used booby-trapped emails to steal logins that gave them access to the mill's control systems. This led to parts of the plant failing and meant a blast furnace could not be shut down as normal. The unscheduled shutdown of the furnace caused the damage, said the report.
A corporate counsel's guide to cyber insurance (Davis Wright Tremaine, 29 Dec 2014) - On an almost daily basis, you are reminded of why you should worry about the security of your company's data and information systems. Whether it be from headlines in hard copy, broadcast, or online media, your senses have been slammed with one sensational story after another about increasingly massive data breaches. You may have even read about malware that continues to morph once it tunnels into a system, allowing it to evade detective software. You have seen serious economic and reputational damage done to businesses because cyber thugs launched an attack against their digital infrastructure. You have also seen class actions filed by consumers, derivative actions filed by investors, and enforcement actions taken by regulatory agencies. With each new headline and regulatory settlement, you have developed an increased sense of urgency to better protect the financial health of your business as it confronts increasingly dangerous cyber threats. Where do you begin? The obvious first steps will involve the development and implementation of strategies to mitigate the risk of harm by continuously strengthening the security of your company's information systems. Unfortunately, the technology behind the cyber threats has proven to be dangerously resilient, which means there will always be risk that cannot be mitigated by technology. What should you do about this risk? Consider transferring it to cyber insurance. * * * [Polley: Nothing particularly new here, but a useful, workmanlike post.]
FBI on watch as hackers' victims weigh illegal retaliation (LA Times, 30 Dec 2014) - The hacked are itching to hack back. So say a dozen security specialists and former law enforcement officials who described an intensifying sense of unease inside many companies after the recent breach of Sony Corp.'s networks. U.S. officials have shown little appetite to intervene as banks, retailers, casinos, power companies and manufacturers have been targeted by foreign-based hackers. Private-sector companies doing business in the U.S. have few clear options for striking back on their own. That has led a growing number of companies to push the limits of existing laws to consider ways to break into hackers' networks to retrieve stolen data or even knock computers offline to stop attacks, the cybersecurity professionals said in interviews. Some companies are enlisting cybersecurity firms, many with military or government security ties, to walk them through options for disrupting hacker operations or peering into foreign networks to find out what intellectual property the hackers may have stolen. In one case, the FBI is looking into whether hackers working on behalf of any U.S. financial institutions disabled servers that were being used by Iran to attack the websites of major banks last year, according to two people familiar with the investigation. JPMorgan Chase & Co. advocated such a move in a closed meeting in February 2013, these people said. A bank spokeswoman said no action was ever taken. Federal investigators are still trying to determine who was responsible, the people said. "It's kind of a Wild West right now," said Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee. Some victim companies may be conducting offensive operations "without getting permission" from the federal government, he said. [Polley: "Permission"? The government can give permission to break the law?] After the Sony attacks, someone appears to have struck back.
Fake copies of "Fury," "Annie" and other leaked films began appearing this month on file-sharing sites, slowing the computers of people trying to download the movies and crippling torrent sites disseminating the files, said Tal Klein, vice president of strategy at Adallom Inc., a Palo Alto, Calif., security company. The fake files have now largely been eliminated as file-sharing sites have used rating systems to blacklist the decoys, he said. Sony declined to comment on the fakes or on any steps the company is taking to recover from the breach. In February 2013, U.S. officials met with bank executives in New York. There, a JPMorgan official proposed that the banks hit back from offshore locations, disabling the servers from which the attacks were being launched, according to a person familiar with the conversation, who asked not to be identified because the discussions were confidential.
Court permits banks' negligence claims against Target for data breach (Steptoe, 31 Dec 2014) - The U.S. District Court for the District of Minnesota has denied Target's motion to dismiss negligence claims alleged by five banks following the December 2013 hacking incident that compromised the personal and financial information of approximately 110 million customers. According to the class action complaint, filed in In re: Target Corporation Customer Data Security Breach Litigation on behalf of all financial institutions whose customers made Target purchases during the relevant period, the data breach caused the banks to suffer substantial losses such as the costs of reissuing credit and debit cards, notifying customers about the breach and addressing their complaints, monitoring accounts for fraud, and reimbursing customers affected by it. The court ruled that the banks had sufficiently alleged that Target had breached a duty of care under state law in that the harm to the banks was caused and exacerbated by Target's actions and inactions.
9 maps that explained the Internet in 2014 (Washington Post, 31 Dec 2014) - This was a big year for the Internet, from the U.S. debate over net neutrality to proposals to shift control of the worldwide Web to the global community. Here are maps that can help you understand how the Internet worked and how people used it in 2014. * * * See also Mapping the world's 4.3 billion Internet addresses (Washington Post, 7 Jan 2015).
100 years of law (ABA Journal, 1 January 2015) - It goes without saying that the world was a vastly different place in 1915 than it is today. But while the events of that year now carry the echoes of history, they also predicted some of the upheaval of the coming century. A year earlier, the outbreak of war in Europe, which quickly spread to the Middle East, Africa and parts of Asia, had shattered the last lingering vestiges of innocence that characterized the Victorian Age. But in 1915, World War I, called the Great War because no one imagined such a conflagration could happen again, unleashed the horrors of modern warfare. During that year, Germany introduced poison gas as a weapon, and 1,198 passengers died when the Lusitania was sunk on May 7 by a German submarine. By the end of the year, the British Army had begun testing the first prototype tanks. But 1915 carried hints of change, as well. In January, the first coast-to-coast telephone call was made by Alexander Graham Bell in New York City and his assistant Thomas Watson in San Francisco. In February, the first stone of the Lincoln Memorial was put into place. Babe Ruth hit his first major league home run. Ford rolled the millionth car off its assembly line at the River Rouge plant in Detroit. And on Oct. 25, Lyda Conley became the first Native American woman to be admitted to practice before the Supreme Court. The American Bar Association was perhaps thinking about the future as well at its 1914 annual meeting when the executive committee was authorized to provide for the publication of a journal with announcements and transactions of the association, including the work of various affiliated bodies. The committee "took favorable action, and the establishment of the quarterly, of which this constitutes the first number, is the result," states the foreword to the ABA Journal's first issue, which was published in January 1915.
"The Journal will henceforth be sent to every member of the American Bar Association, without any additional charge. He pays for it by paying his annual dues, which are now $6." The main articles in that first issue were committee reports to the Conference of Commissioners on Uniform State Laws. The issue carried one advertisement, a special offer to ABA members from the Lord Baltimore Press to purchase the Court of Claims Digest for $5.
Senators question FBI's legal reasoning behind cell-tower spoofing (Washington Post, 2 Jan 2015) - Two U.S. senators are questioning whether the FBI has granted itself too much leeway on when it can use decoy cellphone towers to scoop up data on the identities and locations of cellphone users. The lawmakers say the agency now says it doesn't need a search warrant when gathering data about people milling around in public spaces. Sen. Patrick Leahy (D-Vt.) and Chuck Grassley (R-Iowa), the chairman and ranking member on the Senate Judiciary Committee respectively, have written a letter to Attorney General Eric Holder and Department of Homeland Security Secretary Jeh Johnson about the use of the surveillance technology called an IMSI catcher, though also referred to by the trade name "Stingray." [Polley: What wouldn't be a "public space"?]
Who's responsible when your semi-autonomous shopping bot purchases drugs online? (Slashdot, 5 Jan 2015) - Who's responsible when a bot breaks the law? A collective of Swiss artists faced that very question when they coded the Random Darknet Shopper, an online shopping bot, to purchase random items from a marketplace located on the Deep Web, an area of the World Wide Web not indexed by search engines. While many of the 16,000 items for sale on this marketplace are legal, quite a few are not; and when the bot used its $100-per-week-in-Bitcoin to purchase a handful of illegal pills and a fake Hungarian passport, the artists found themselves in one of those conundrums unique to the 21st century: Is one liable when a bunch of semi-autonomous code goes off and does something bad? In a short piece in The Guardian, the artists seemed prepared to face the legal consequences of their software's actions, but nothing had happened yet, even though the gallery displaying the items is reportedly next door to a police station. In addition to the drugs and passport, the bot ordered a box set of The Lord of the Rings, a Louis Vuitton handbag, a couple of cartons of Chesterfield Blue cigarettes, sneakers, knockoff jeans, and much more. [Polley: Spotted by MIRLN reader Mike McGuire; see "Looking Back" below for a related Steptoe post 10 years ago.]
Google's 'security princess' helped White House after hack (Mashable, 6 Jan 2015) - After hackers breached its internal network in late October, the White House got the help of a Google security engineer, Parisa Tabriz, the company's self-proclaimed "security princess." Tabriz was tapped by the newly founded U.S. Digital Service, a tech task force for the government which launched in August, as a consultant for a "Top Secret / Classified project" to improve the network of the White House and the Executive Office of the President, according to an earlier version of her own resume, which has since been edited. Tabriz's work for the White House on computer security has not been publicly reported before. Her resume entry was spotted on Monday by American Civil Liberties Union Principal Technologist Christopher Soghoian, who in the past exposed FBI hacking techniques by scouring the LinkedIn profiles of government contractors. Hours after Soghoian's tweet, and after Mashable reached out for comment, Tabriz edited her resume, removing the reference to the "Top Secret / Classified project." [oops]
Ford tries to shut down independent repair tool with copyright (EFF, 6 Jan 2015) - At EFF, we think people ought to be able to understand how their devices work and repair them without asking permission of the manufacturer. We also think independent repair companies should be able to compete with manufacturers in the aftermarket. Simply put, you should be able to fix your stuff or choose someone you trust to do it for you. The Ford Motor Company, however, takes a different view. It recently sued Autel, a manufacturer of third-party diagnostics for automobiles, for creating a diagnostic tool that includes a list of Ford car parts and their specifications. Ford claims that it owns a copyright on this list of parts, the "FFData file," and thus can keep competitors from including it in their diagnostic tools. It also claims that Autel violated the anti-circumvention provisions of the Digital Millennium Copyright Act by writing a program to defeat the "encryption technology and obfuscation" that Ford used to make the file difficult to read.
The drugs that companies promote to doctors are rarely breakthroughs (NYT, 7 Jan 2015) - For more than five decades, the blood thinner Coumadin was the only option for millions of patients at risk for life-threatening blood clots. But now, a furious battle is underway among the makers of three newer competitors for the prescription pads of doctors across the country. The manufacturers of these drugs - Pradaxa, Xarelto and Eliquis - have been wooing physicians in part by paying for meals, promotional speeches, consulting gigs and educational gifts. In the last five months of 2013, the companies spent nearly $19.4 million on doctors and teaching hospitals, according to ProPublica's analysis of federal data released last fall. The information, from a database known as Open Payments, gives the first comprehensive look at how much money drug and device companies have spent working with doctors. What it shows is that the drugs most aggressively promoted to doctors typically aren't cures or even big medical breakthroughs. Some are top sellers, but most are not. Instead, they are newer drugs that manufacturers hope will gain a foothold, sometimes after failing to meet Wall Street's early expectations. * * * Largely absent from the top of the list were drugs that cure disease, such as a new class of hepatitis C treatments, or those that significantly extend life, particularly for cancer patients. If a drug is either the first to treat a disease or is much better than existing drugs, said Dr. Sidney Wolfe, the founder and now senior adviser to Public Citizen's Health Research Group, "they 'sell themselves' on the merits of their unique benefits." [Polley: Thanks to open-data initiatives.]
Robert Half can't stop former employees from telling the world where they used to work (Eric Goldman, 7 Jan 2015) - As the saying goes, a business' most important asset is its people. That maxim applies with extra force in the staffing industry, where people literally are its business. Perhaps that explains why Robert Half, a leading staffing company, uses an unusually aggressive contract clause to hamper departed employees. A recent federal court decision rejected the overreaching contract clause, but the court ruling highlights the regulatory challenges to preserving employee mobility. Paragraph 13 of Robert Half's contract with its employees says: After termination of Employee's employment with Employer, Employee shall not indicate on any stationary, business card, advertising, solicitation or other business materials that Employee is or was formerly an employee of Employer, any of its divisions, or any of the RHI Companies except in the bona fide submission of resumes and the filling out of applications in the course of seeking employment. I don't believe this clause is typical for employment contracts. I didn't find similar clauses either in Westlaw's database of litigated cases or Google searches. There's a good reason paragraph 13 isn't common. Read literally, it seems to say that departed Robert Half employees can't tell prospective customers that they used to work for Robert Half. For example, this clause apparently applies to a former employee's LinkedIn profile and biography posted to a new employer's website. So what could the former Robert Half employee say about his or her work history? Maybe: "I worked at a leading staffing company for X years"? That's more mysterious than enlightening.
Bank of America shifts compliance team out of legal unit after OCC pressure (Reuters, 7 Jan 2015) - Under pressure from its U.S. regulator, Bank of America has shifted its compliance group from its legal department to its risk oversight group, a source familiar with the matter said. The move comes as federal regulators have warned big banks to adopt more ethical internal cultures or they could be broken up to make them easier to manage. Officials with the Office of the Comptroller of the Currency (OCC), which in September finalized "heightened expectations" guidelines for the way large banks manage their risks, discussed the matter with Bank of America officials in December. Soon after that meeting, the bank decided to switch its compliance group to the risk control area, said the source, who spoke on condition of anonymity citing a lack of authorization to speak publicly on the matter. The OCC pressed for the move out of a belief that the legal group was focused on minimizing the application of rules, the source said.
'Family Law' is second in series of Uniform Law Commission apps (Robert Ambrogi, 8 Jan 2015) - A Boston-based developer of legal apps, Lawyer-Apps, has partnered with the Uniform Law Commission, the organization that drafts uniform laws and promotes their adoption by states, to release an iPad app, Family Law, that provides mobile access to the full text of the ULC's family law acts, including the official comments and annual updates. Released this week, the app is the second to be jointly developed by Lawyer-Apps and the ULC. They previously released the Trust & Estates app, which provides the full text of the ULC's trust and estate acts. The app is fully searchable or can be browsed on a section-by-section basis. The app also includes citations and links to state statutes based on the uniform acts for easy comparison. The app costs $9.99, which includes annual updates to uniform text and continuously updated enactment data. It is available for iPad only. Lawyer-Apps has also developed a series of apps in conjunction with the American Law Institute (ALI) based on the Uniform Commercial Code: Secured Transactions, Instruments-Deposits-Funds, and Sales & Leases.
Armed attacks in cyberspace: A reply to Admiral Stavridis (Lawfare, 8 Jan 2015) - Last week, Admiral (Ret.) James Stavridis, former NATO Supreme Allied Commander and presently Dean of the Fletcher School of Law and Diplomacy at Tufts University, correctly expressed concern that "unlike sea, air and land, much of cyberspace's doctrine remains undefined, to include even the most fundamental of terms. We do not even have an agreed-upon definition of what constitutes an attack in cyberspace, and it is high time we did." His article, appearing in Signal, identified a key real-world shortcoming of international law as applied to cyber activities. The lawyers cannot state with any certainty when a cyber operation trips over Article 51's "armed attack" threshold, thereby allowing the victim State to respond with either kinetic or cyber force. His frustration is palpable and rightly so. A former consumer of legal advice at the highest level of international security affairs, he understands first-hand the dilemma of being expected to effectively handle a sensitive situation without a clear rule book. As senior officers tend to do, he identified a problem and has set out to solve it. In fact, an unofficial rule book exists. The Tallinn Manual on the International Law Applicable to Cyber Warfare is the product of a three-year NATO Cooperative Cyber Defense Center of Excellence sponsored effort to offer a restatement of law, by a group of international legal scholars and cyber technical experts (the "International Group of Experts," IGE). The Manual sets forth the logic behind its 95 rules and, in an extensive accompanying commentary, highlights those issues that remain unsettled in the law. * * * [Admiral Stavridis' view] is a concerning sentiment because decision-makers like the Admiral and their lawyers are precisely the Tallinn Manual's target audience.
It is especially troubling because his opinion deservedly carries enormous weight in the policy and operational communities . . . and he badly misconstrued the position of the IGE. As director of the project, allow me to clarify the position of the experts on the issue of armed attack. * * *
LegalZoom gets OK to operate in UK (ABA Journal, 8 Jan 2015) - An online purveyor of self-help legal documents such as living trusts and wills has gotten a green light to operate in the United Kingdom as an alternative business structure. LegalZoom has been licensed with the Solicitors Regulation Authority and will partner with the QualitySolicitors law firm network, reports the Law Society Gazette. LegalZoom is the first U.S.-based company approved to operate as an ABS in the U.K., the article notes. Craig Holt, who founded QualitySolicitors, is in charge of LegalZoom's operations in the U.K. He said the company plans to take an innovative approach to help fill an existing gap in affordable legal services. "An ABS provides broader freedom in how we work with lawyers, and we expect increasing levels of partnership in the U.S. and the U.K.," Holt told the Gazette.
Surveillance law videos for non-lawyers (Volokh Conspiracy, 4 Jan 2015) - Jonathan Mayer has posted a series of short YouTube videos about surveillance law that he created for a Stanford Coursera course. The videos are intended for non-lawyers, so the content is particularly easy to follow. If you're interested in learning about surveillance law but you're not sure where to start, the videos are definitely worth checking out.
Cybersecurity and the use of emerging technologies, Part 2 (ABA's Peter Geraghty, Center for Professional Responsibility, Jan 2015) - [Polley: Good discussion of outsourcing, social media, and metadata issues.]
Ryan on open access to legal scholarship (Legal Theory Blog, 19 Dec 2014) - Christopher J. Ryan (Higher Education Policy and Law (Peabody College)) has posted Not-So-Open Access to Legal Scholarship: Balancing Stakeholder Interests with Copyright Principles (Richmond Journal of Law and Technology, Vol. 20, No. 1, 2013) on SSRN. Here is the abstract: At its core, open access, particularly public access to scholarly research, is grounded in considerations of transparency, accountability, democratic legitimacy, and the fulfillment of perhaps the most fundamental function of academia - providing educational service for the public. This article discusses the role that open access plays and should play in academic legal scholarship. Specifically, this article defines the Open Access Movement and the benefits of open access to scholarship, describes the current methods of accessing academic scholarship, discusses issues related to ownership of scholarly works and the interests of authors, and provides recommendations for ensuring open access to legal scholarship. In particular, the article identifies elements of existing solutions that should be combined to create a policy that can provide open access to such scholarship while handling the interests of scholars, institutions, publishers, and the public.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
9-11 Commissioner calls for end to ISACs (InfoWorld, 18 Feb 2005) -- The U.S. government's policy of relying on voluntary, industry-led information sharing and analysis centers, or ISACs, is not working and should be discontinued or reformed, according to Jamie Gorelick, a member of the 9-11 Commission. ISACs lack the organization and funding to work effectively and pass on vital security intelligence to the U.S. federal government about threats to the nation's critical infrastructure. Their failure poses a threat to national security, Gorelick said during a panel discussion at the RSA Conference in San Francisco. However, the head of at least one ISAC says the organizations are working well, despite continued skepticism of government demands for information on security breaches. The ISAC system was created by Presidential Decision Directive 63 (PDD 63), which was issued by President Bill Clinton in 1998. PDD 63 called for the creation of ISACs to encourage private sector cooperation and information sharing with the federal government on issues related to the nation's critical infrastructure. Today there are ISACs for the food, water and energy sectors, as well as the information technology, telecommunications, chemical and financial services industries. "I don't think the model of ISACs works," Gorelick said. "Asking industries to fund their own ISACs as they wish and in a disorganized fashion will not get us where we need to go." In particular, Gorelick objected to the requirement that critical industries fund and operate their own ISACs without government oversight. The U.S. government should provide funding and a reliable communications system for each ISAC, rather than requiring them to "pass the hat" to raise operating funds, she said. The government should also provide a single point of contact for ISACs that can be a "quarterback" for the various industry groups and win the support of senior executives within different industry sectors, she said. 
However, the president of one prominent ISAC thinks Gorelick is mistaken in her notion that the groups are not working. "(Gorelick) is unfortunately mistaken in her perception," said Guy Copeland, vice president of Information Infrastructure Advisory Programs at Computer Sciences Corp. and president of the Information Technology ISAC (IT-ISAC). "We've never received any funding from the government, and we're stronger because of it."
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:firstname.lastname@example.org?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. Steptoe & Johnson's E-Commerce Law Week
8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
9. The Benton Foundation's Communications Headlines
10. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.