MIRLN --- 7-27 June 2015 (v18.09)

MIRLN --- 7-27 June 2015 (v18.09) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | PODCASTS | RESOURCES | FUN | LOOKING BACK | NOTES

• Lawyers may need to encrypt e-mail in especially risky or sensitive scenarios
• Protecting directors and officers from derivative liability arising from data breaches
• Russian billboard advertising contraband hides when it recognises cops
• Does a data breach cost an average of 58 cents a record -- or $154?
• The data that's collected from you when you're routed to a call center
• HackerOne connects hackers with companies, and hopes for a win-win
• Hacker can send fatal dose to hospital drug pumps
• US Justice Department selects Box for file sharing
• Surveillance Law and Surveillance Studies
• 22 years after Verizon fiber promise, millions have only DSL or wireless
• House passes extension of Internet tax ban
• One of the biggest security firms in the world admits it was hacked
• Airbus transport crash caused by "wipe" of critical engine control data
• Facial recognition technology is everywhere. It may not be legal.
• FTC announces first consent order on misrepresentation in crowdsourcing
• Feds tighten restrictions on 3-D printed gun files online
• Where cyber insurance underwriting stands today
• Cyberattacks are exploding and investors are cashing in
• Catching up on the OPM breach
• Ethical responsibilities and information security
• EFF's 2015 data privacy report lauds Apple, Dropbox, slams Verizon
• Can liberal musicians stop Republicans from using their songs?
• Secretive surveillance court skips talking to privacy advocates
• Google Earth's digital tack, used to show location, wasn't hearsay, 9th Circuit rules
• ABA President pushes online models for civil disputes
• SEC hunts hackers who stole corporate emails to trade stock
• GCHQ asked court to let it infringe on anti-virus copyrights... for national security

Lawyers may need to encrypt e-mail in especially risky or sensitive scenarios (Bloomberg, 20 May 2015) - Attorneys who handle divorce, employment and criminal defense matters may in some circumstances have a duty "to consider whether it is prudent to use encrypted email" to communicate with clients, the Texas bar's ethics committee concluded in April. The opinion addresses an issue that many experts have urged bar authorities to look at anew: whether technological changes and escalating concerns over computer hacking have made it necessary to revisit existing guidance on using e-mail to communicate with clients. "Having read reports about email accounts being hacked and the National Security Agency obtaining email communications without a search warrant, [inquiring] lawyers are concerned about whether it is proper for them to continue using email to communicate confidential information," the opinion states. The panel said that although it "has not addressed the propriety of communicating confidential information by email, many other ethics committees have [concluded that] except in special circumstances, the use of email, including unencrypted email, is a proper method of communicating confidential information." * * *

top

Protecting directors and officers from derivative liability arising from data breaches (Proskauer, 1 June 2015) - With data breaches affecting companies across virtually every industry, cyber security has remained front page news. Lawsuits brought by aggrieved consumers and financial institutions against companies that have suffered data breaches are not uncommon. Increasingly, companies are also being subjected to shareholder derivative suits against directors and officers alleging breach of fiduciary duty relating to a data breach. As a result, corporate boards should expect closer scrutiny of their actions regarding cybersecurity and data breaches. A proactive approach to risk management and insurance coverage may make the difference in minimizing exposure. * * * With data breaches showing no signs of slowing down, the attendant litigation can also be expected to continue. Following the data breach suffered by Target, a 2014 shareholder derivative action was filed against the company's board for failing to adequately attend to its cybersecurity. The lawsuit against Target alleges that the board's conduct caused the data breach, and challenges the board's subsequent containment, disclosure and analysis. In addition to the derivative action, a prominent proxy adviser also called for the ouster of Target's directors due to their perceived "failure…to ensure appropriate management of [the] risks" of Target's December 2013 cyber-attack ( reported by the Wall Street Journal ). As the available precedent confirms, perfect data security is not the standard. Instead, courts will look to verify that boards are taking steps to understand and protect against this very real threat. However, there are practical steps that companies can take, including: * * *

top

Russian billboard advertising contraband hides when it recognises cops (Naked Security, 1 June 2015) - Moscow's Don Giulio Salumeria promises "small islands of warm and sunny Italy," offering authentic Italian prosciutto, ricotta, mozzarella and tiramisu for sale in the cold lands of Russia. Fat lot of good any of it will do Muscovites, given that Russia has banned food imports from the European Union and the US. It's not that Don Giulio can't figure out how to import it, but the shop sure can't advertise those delicious imported foods. So what's a well-stocked salumeria to do? Pay an ad company to rig billboards with facial recognition that's been tweaked to spot the official symbols and logos on the uniforms worn by Russian police, that's what. As Adweek reports, an ad agency called The 23 created an outdoor ad that could apparently spot police uniforms. As police approached the ad, as you can see in this YouTube video , the billboard would switch from advertising a nice, fat wedge of Don Giulio Salumeria's imported cheese, rolling over instead to an ad for a nice, completely non-contraband Matryoshka doll shop. An ad that hides itself from the law is a clever stunt, albeit not too effective, as you can see from the police in the video, who had time to spot the ad for imported food before it scurried behind Matryoshka dolls. But what's more interesting than the effectiveness of this particular ad is the idea that billboards can use facial recognition to this degree as they tailor offerings. Gizmodo suggested that it's not much of a leap to imagine having your jacket's sports team logo recognized as you wait at the bus stop, so you can be target-marketed for your team's next big game...or to have your car make and model recognised and your daily commute crunched so that the ad makers could pitch getaway vacations at you...or how about a beverage vending machine that takes photos of people nearby, superimposes wigs on their heads and exhorts them to buy a drink, or even guesses those people's names and genders - the better to target-market at them.

top

Does a data breach cost an average of 58 cents a record -- or $154? (Network World, 5 June 2015) - Does a data breach cost an average of 58 cents a record -- or $154? That's a significant difference for companies preparing incident response plans, as well as for insurance companies, regulators, auditors and others looking to ensure that companies are adequately prepared or covered for such an event. Ponemon Institute's $154 number is based on an analysis of 350 companies that suffered breaches in 2014, and uses an analytical model based on the real costs of a breach that the company has been refining for a decade. Verizon's 58 cents calculation is based on 191 insurance claims filed in 2014, and this is the first year that Verizon has run these numbers. In addition to different data sources, Ponemon also includes indirect costs, while Verizon's does not. But Verizon's estimate seems unreasonably low, said Caleb Barlow, vice president at IBM Security. IBM sponsored this year's Ponemon report. At a minimum, a company with a data breach has to send out letters notifying customers that they were breached and pay for credit monitoring, he said. "Normally, Verizon does some great work," he said, "But we had to discount this because 58 cents doesn't even cover the cost of the postage and printing the letter." Companies usually don't have enough insurance coverage to cover the total cost of a breach, said Larry Ponemon, chairman and founder of the Ponemon Institution, and the insurance doesn't cover indirect costs or loss of business. For example, he said, Target's latest breach is estimated to cost the company over $1 billion, but it was only insured for $100 million. In general, he said, companies buy enough insurance to cover 50 percent of the value of their fixed assets -- but only 12 percent of the value of their digital assets, according to a study released last month by Ponemon and sponsored by Aon Plc, a global insurance brokerage.

top

The data that's collected from you when you're routed to a call center (Quartz, 5 June 2015) - "This call may be recorded for quality and training purposes." It's a familiar phrase, and one that people likely don't even notice anymore when they phone a call center. But companies are listening carefully to these recordings, trying to glean insights that can help them run their businesses more effectively. Sifting through hours upon hours of audio recordings is a laborious task. One company that helps automate the process is Santa Barbara, California-based Invoca. With its technology, the marketing firm has analyzed more than 100 million calls since 2008 and provides its clients with a trove of data. One of Invoca's clients, an unnamed satellite TV company, listens carefully for certain keywords. When someone calls in and mentions "sports package," for example, the company makes a note in the customer's file and tailors its marketing for that person accordingly. "Because it's said in a call, it's a huge buying signal you can capitalize on," says Christensen. Prospective customers who pick up the phone generally have higher purchasing intent. According to the company's data, 30% to 50% of phone calls lead to sales, compared with 2% for online leads. When sales reps lose a deal, they usually just chalk it up to the price and move on. "You never get insight into why people aren't buying," he says. But by scanning audio recordings, companies can track how often a competitor is mentioned in calls, and amend their strategies accordingly. Christensen says some companies are using Invoca to listen for specific keywords, such as confirmation number or email receipt, mentioned by the caller. The system can then tie in purchasing data, so customer service representatives don't have to wait for other departments to pull this information for them.

top

HackerOne connects hackers with companies, and hopes for a win-win (NYT, 7 June 2015) - In 2011, two Dutch hackers in their early 20s made a target list of 100 high-tech companies they would try to hack. Soon, they had found security vulnerabilities in Facebook, Google, Apple, Microsoft, Twitter and 95 other companies' systems. They called their list the Hack 100. When they alerted executives of those companies, about a third ignored them. Another third thanked them, curtly, but never fixed the flaws, while the rest raced to solve their issues. Thankfully for the young hackers, no one called the police. Now the duo, Michiel Prins and Jobert Abma, are among the four co-founders of a San Francisco tech start-up that aims to become a mediator between companies with cybersecurity issues and hackers like them who are looking to solve problems rather than cause them. They hope their outfit, called HackerOne, can persuade other hackers to responsibly report security flaws, rather than exploit them, and connect those "white hats" with companies willing to pay a bounty for their finds. In the last year, the start-up has persuaded some of the biggest names in tech - including Yahoo, Square and Twitter - and companies you might never expect, like banks and oil companies, to work with their service. They have also convinced venture capitalists that, with billions more devices moving online and flaws inevitable in each, HackerOne has the potential to be very lucrative. HackerOne gets a 20 percent commission on top of each bounty paid through its service.

top

Hacker can send fatal dose to hospital drug pumps (Wired, 8 June 2015) - When security researcher Billy Rios reported earlier this year that he'd found vulnerabilities in a popular drug infusion pump that would allow a hacker to raise the dosage limit on medication delivered to patients, there was little cause for concern. Altering the allowable limits of a particular drug simply meant that if a caregiver accidentally instructed the pump to give too high or too low a dosage, the pump wouldn't issue an alert. This seemed much less alarming than if the pumps had vulnerabilities that would allow a hacker to actually alter the dosage itself. Now Rios says he's found the more serious vulnerabilities in several models of pumps made by the same manufacturer, which would allow a hacker to surreptitiously and remotely change the amount of drugs administered to a patient. The vulnerabilities are known to affect at least five models of drug infusion pumps made by Hospira-an Illinois firm with more than 400,000 intravenous drug pumps installed in hospitals around the world.

top

US Justice Department selects Box for file sharing (Robert Ambrogi, 8 June 2015) - When it comes to identifying a group of lawyers who are particularly fussy about file security, it is hard to imagine a better example than the U.S. Department of Justice. These, after all, are the lawyers who handle the nation's most sensitive criminal and civil matters. For that reason, it is notable that the DOJ has awarded a contract to Box to serve as its platform for file sharing and information management, according to a recent announcement by Box. Box also received a DOJ authority to operate, which is essentially an IT certification of the security of a cloud-based product.

top

Surveillance Law and Surveillance Studies (Bruce Schneier, 8 June 2015) - Interesting paper by Julie Cohen: Abstract : The dialogue between law and Surveillance Studies has been complicated by a mutual misrecognition that is both theoretical and temperamental. Legal scholars are inclined to consider surveillance simply as the (potential) subject of regulation, while scholarship in Surveillance Studies often seems not to grapple with the ways in which legal processes and doctrines are sites of contestation over both the modalities and the limits of surveillance. Put differently, Surveillance Studies takes notice of what law does not -- the relationship between surveillance and social shaping -- but glosses over what legal scholarship rightly recognizes as essential­ -- the processes of definition and compromise that regulators and other interested parties must navigate, and the ways that legal doctrines and constructs shape those processes. This article explores the fault lines between law and Surveillance Studies and considers the potential for more productive confrontation and dialogue in ways that leverage the strengths of each tradition.

top

22 years after Verizon fiber promise, millions have only DSL or wireless (Ars Technica, 9 June 2015) - A 22-year-old Verizon promise to bring fiber Internet or "comparable technology" to its entire service area in Pennsylvania has instead left more than two million homes with nothing but slower DSL or wireless service. In 1993, Verizon predecessor Bell signed an agreement with state regulators in which it committed "to deploy the technologies necessary to provide universal broadband availability in 2015. In order to meet this commitment, Bell plans to deploy a broadband network using fiber optics or other comparable technology that is capable of supporting services requiring bandwidth of at least 45 megabits per second or its equivalent." In exchange, Verizon was allowed to charge higher phone rates. (More specifically, the company was freed from the restrictions of rate-of-return regulation.) But today, at least 2.1 million Pennsylvania households in Verizon's phone territory do not have access to the company's fiber network. "The fiber network is available to approximately 2.1 million premises (which includes residential and business). The vast majority of the remaining households have either DSL or wireless LTE broadband options available to them," a Verizon spokesperson told Ars this week. [ see also , NYC possible lawsuit: Verizon ordered to finish fiber build that it promised but didn't deliver (Ars Technica, 18 June 2015)]

top

House passes extension of Internet tax ban (The Hill, 9 June 2015) - The House on Tuesday passed a bill that would permanently extend a ban on state and local taxes on Internet access. Lawmakers approved the legislation on a voice vote, which would also ban discriminatory taxes on e-commerce. The ban, first passed in 1998, has required a series of extensions over nearly two decades. But Tuesday's proposal would put the law in place for the long term, removing any sunset date. The long-term extension is largely noncontroversial. The House bill sponsored by Judiciary Committee Chairman Bob Goodlatte (R-Va.) had 188 co-sponsors, and 50 senators are backing a similar bill in the Senate. The House easily passed the proposal last Congress, but it stalled in the Senate after some members attempted to tie the measure to a more controversial online sales tax bill, which would give states the power to collect a sales tax from businesses that don't have a physical presence in their boundaries. [ Polley : normally I don't post about pending legislation, but was impressed by this bill's permanent extension of the tax ban.]

top

One of the biggest security firms in the world admits it was hacked (Business Insider, 10 June 2015) - Russia-based Kaspersky Lab, one of the biggest and most well-known cybersecurity research firms in the world, has admitted to being hacked. In a blog post published earlier today , Kaspersky Lab CEO and founder Eugene Kaspersky wrote, "We discovered an advanced attack on our own internal networks. It was complex, stealthy, it exploded several zero-day vulnerabilities, and we're quite confident that there's a nation state behind it."

top

Airbus transport crash caused by "wipe" of critical engine control data (Ars Technica, 10 June 2015) - Airbus had already revealed that the fatal crash of an Airbus A400M military transport was caused by what was described as a "quality issue in the final assembly" of the electronic control units (ECU)-a fault in software configuration that led to a loss of control of the aircraft and resulted in the death of four crew members . Reuters reported additional details today provided by individuals familiar with the investigation into the crash, stating that a critical part of the configuration data in three of the aircraft's four ECUs-a file storing torque calibration parameters for each engine-was somehow "accidentally wiped" when the software was being installed. As a result, three of the aircraft's engines automatically shut down in flight. Citing a safety document shown to Reuters, Tim Hepher reported that the pilot of the A400M would not have gotten an alert about the missing data until the aircraft was already at an altitude of 400 feet. No cockpit alert about the data fault would appear while the aircraft was on the ground. According to Hepher's sources, the lack of a ground warning was an issue raised during a safety review last year, but "regulators approved it on the basis that the chances of failure were small and the installation procedure included extra checks," people familiar with the matter said.

top

Facial recognition technology is everywhere. It may not be legal. (WaPo, 11 June 2015) - Being anonymous in public might be a thing of the past. Facial recognition technology is already being deployed to let brick-and-mortar stores scan the face of every shopper, identify returning customers and offer them individualized pricing - or find "pre-identified shoplifters" and "known litigious individuals." Microsoft has patented a billboard that identifies you as you walk by and serves ads personalized to your purchase history. An app called NameTag claims it can identify people on the street just by looking at them through Google Glass. Privacy advocates and representatives from companies like Facebook and Google are meeting in Washington on Thursday to try to set rules for how companies should use this powerful technology. They may be forgetting that a good deal of it could already be illegal. There are no federal laws that specifically govern the use of facial recognition technology. But while few people know it, and even fewer are talking about it, both Illinois and Texas have laws against using such technology to identify people without their informed consent. That means that one out of every eight Americans currently has a legal right to biometric privacy. The Illinois law is facing the most public test to date of what its protections mean for facial recognition technology. A lawsuit filed in Illinois trial court in April alleges Facebook violates the state's Biometric Information Privacy Act by taking users' faceprints "without even informing its users - let alone obtaining their informed written consent." This suit, Licata v. Facebook , could reshape Facebook's practices for getting user consent, and may even influence the expansion of facial recognition technology. * * * Companies like Facebook and Google routinely collect facial recognition data from their users, too. Google's FaceNet algorithm can identify faces with 99.63 percent accuracy . Facebook's algorithm, DeepFace, gets a 97.25 percent rating. The FBI, on the other hand, has roughly 85 percent accuracy in identifying potential matches-though, admittedly, the photographs it handles may be harder to analyze than those used by the social networks.

top

FTC announces first consent order on misrepresentation in crowdsourcing (Covington, 11 June 2015) - The Federal Trade Commission ("FTC") announced today that it has entered into a proposed consent order against the founder of a failed Kickstarter project, marking the first time that the agency has taken a consumer protection action in the rapidly-emerging field of crowdsourcing. According to the complaint , the defendant, Erik Chevalier misused money raised through Kickstarter for personal expenses despite promises to use this money to develop a board game, or otherwise to return the contributions. While State Attorneys General have brought similar enforcement actions in the past against misrepresentations in crowdsourcing campaigns, this action breaks new ground for the FTC as part of its self-described efforts to "protect consumers taking advantage of new and emerging financial technology." Mr. Chevalier's campaign began in May 2012 when he pitched the idea of a Monopoly-like board game taking place in Atlantic City, where players take the role of H.P. Lovecraft's Great Old Ones laying waste to the city. The idea quickly garnered attention from the internet, raising $122,874 , almost four times the original funding goal. Backers were promised a copy of the completed board game, and those who pledged more were promised exclusive pewter figurines that could be used as game pieces. However, the project quickly ran into significant delays, and in June 2013, Mr. Chevalier announced that the project had been cancelled because the majority of the money had already been spent on game development with no end in sight. He also posted on Kickstarter that: "My hope is .[] to eventually refund everyone in full." Yet according to the FTC complaint , Erik Chevalier had actually used these funds for "miscellaneous personal equipment, rent for a personal residence, and licenses for a separate project," contrary to his representations to consumers. While the proposed consent order does not admit fault, Mr. Chevalier agreed to a judgment of $111,794 (suspended due to an inability to pay); a prohibition against using, disclosing, or benefiting from customer information obtained through the fundraising campaign; a promise to refrain from making misrepresentations to consumers in future projects, and an ongoing duty for compliance reporting and record keeping for the next 18 years.

top

Feds tighten restrictions on 3-D printed gun files online (Wired, 11 June 2015) - The notion of a 3-D printable gun has become the perfect flashpoint in a new conflict between digital arms control and free speech . Should Americans be allowed to say and share whatever they want online, even if that "speech" is a blueprint for a gun? The State Department has now answered that question with a resounding "no." In the last few days, the State Department has issued two new statements confirming its intention to act as gatekeeper for when Americans can legally publish online data that could allow someone to digitally fabricate a gun. And those statements outline how it plans to restrict those publications as a controlled "foreign export" of munitions. Earlier this week, the State Department sent a letter to the controversial gun access group Defense Distributed, confirming that it will require the group to get specific permission from the government before publishing its 3-D printable gun files online. That warning comes more than two years after the State Department sent Defense Distributed an initial letter telling it to take its gun files off its website pending a decision about their legality . And in a separate filing to the federal register last week, the State Department also wrote that it intends to require prior approval for the online publication of any "technical data" that, vaguely defined, would allow for the creation of weapons, an even broader swathe of files. The agency's statement warns that publishing those weapon files to the Internet, with its global connections, could amount to violating the International Trade in Arms Regulations (ITAR) by exporting controlled weapons data to a foreign country-hardly different, by its definition, from sending missile schematics to Iran.

top

Where cyber insurance underwriting stands today (Insurance Journal, 12 June 2015) - "You would think the first question to ask would be: Do insured parties understand the elements and limitations of coverage?" said Kevin Kalinich, speaking on cyber risk. "The real first question is: Do the insurance companies understand?" Kalinich, global practice leader for cyber/network risk, at consulting firm Aon Risk Services, was a panelist at the Standard & Poor's Ratings Services 2015 Insurance Conference this week in New York where experts stressed the importance of underwriters working together to gain a better understanding of the market so they can properly assess and price cyber risk. Demand for insurance covering cyber attacks is mounting and the risk is evolving rapidly, panelists noted. A number of U.S. insurers are testing the waters but panelists said that even the insurers with larger market shares have thus far been cautious due to the lack of actuarial data available in this nascent market. They have been writing policies with low limits and a slew of exclusions such as excluding damages resulting from data handled by an external contractor. Right now, a handful of players - American International Group Inc., ACE Ltd., Chubb Corp., Zurich Insurance Co. Ltd., and Beazley Group Ltd. - dominate the market for cyber insurance, but panelists said clients are looking to buy more coverage than insurers are willing to offer. As the market develops, providers will need some time to model risk sufficiently and to set premiums accordingly. This will remain difficult, Kalinich said, because the threat is evolving fast. He said two decades of reliable data are needed to feed models. "We're much farther along than we were two years ago; we have much better information now," he said. "But it's not a static model. It changes over time, and in two years it will be much better." Regulators have taken steps to guide insurers toward a consistent approach to the market. The National Association of Insurance Commissioners (NAIC) recently adopted guiding principles for insurers underwriting cyber risk. The NAIC is also developing a set of best practices for insurance company examiners to test protocols and processes, as well as a consumer bill of rights so that consumers know when data has been hacked. [ Polley : So far, the insurance industry has failed to provide the de facto best-practice development many had hoped would guide cyber-risk management ( compare, insurance-led development of fire safety codes in the early 20th century). Looks like it's going to take much longer.]

top

Cyberattacks are exploding and investors are cashing in (Business Insider, 15 June 2015) - The amount of sensitive data stored online has increased exponentially in recent years, and so has the number of attempts to steal that information. While this is a huge problem to both the government and private companies, for some it is an opportunity. "In May 2015, the Goldman Sachs Chief Information Security Officers (CISOs) survey found that almost 60% of respondents expected to boost security spending by at least 5%, with 20% budgeting increases greater than 15%," Goldman Sachs' David Kostin said in a note to clients. The value of good cybersecurity, and the bottom lines of companies offering it, has exploded. Goldman's ISE Cyber Security Index, a collection of 30 publicly traded cybersecurity companies, has grown 19% faster than the S&P 500 year-to-date, following a trend established the last few years. Companies in the index include FireEye, CyberArk Software, Infoblox, Palo Alto Networks, Fortinet, and AVG Technologies. "Since 2011, the total return of the index is 123pp higher than the S&P 500 (207% vs. 84%)," Kostin said. As you can see in the chart, the amount the stocks are outperforming the S&P coincides with the number of files exposed through cyberattacks. And sales for cybersecurity companies are expected to continue their meteoric rise.

top

Catching up on the OPM breach (Brian Krebs, 15 June 2015) - I heard from many readers last week who were curious why I had not weighed in on the massive (and apparently still unfolding) data breach at the U.S. Office of Personnel Management (OPM). Turns out, the easiest way for a reporter to make sure everything hits the fan from a cybersecurity perspective is to take a two week vacation to the other end of the world. What follows is a timeline that helped me get my head on straight about the events that preceded this breach, followed by some analysis and links to other perspectives on the matter.

top

Ethical responsibilities and information security (InsideCounsel, 16 June 2015) - The elephant in the room is: You will be hacked. This is the opinion of Mark Sangster, vice president of marketing at eSentire, who was speaking at the Mid-year Cybersecurity and Data Protection Legal Summit. He, along with Vince Polley , principal at KnowConnect, spoke during the panel "Protect Your Ethics - Infosec Responsibilities in the Attorney-Client Relationship." It's no surprise that cybercrime is big business. According to Sangster, estimates show that somewhere north of $500 billion are lost every year due to cybercrime. Hackers have easy access to cyber-weapons, need few skills, are highly motivated and face few consequences. These days, many threats come in the form of "spear-phishing," where criminals do research on you to send you personally specific messages that, when opened, unleash havoc on your network. Polley was a co-author of the ABA cybersecurity handbook, and stated flatly to the audience that "you've all been hacked." Though there has not yet been a single law firm that has admitted to being hacked, the fact of the matter is, hackers are targeting law firms, in real life and on "The Good Wife." Even some of the biggest security firms in the world themselves have been hacked. So the question is, what to do about it? Law firms are targets, Polley says, because they are soft and attractive targets will lots of confidential client information and little technological sophistication, representing a back door into client systems. Clients in highly regulated and vulnerable industries - such as medical, insurance and financial sectors - are going to law firms and auditing their security measures. In terms of ethics, the ABA Model Rules of Professional Conduct lay out several rules that apply - competence, confidentiality and supervision (1.1, 1.6 and 5), and there are common law requirements as well. Rule 1.1, comment 6, says that lawyers must remain up-to-date with the benefits and risks of technology. As Polley puts it, they must acquire it or hire it. State bars have been saying the same thing for years. [Polley : I'm not sure the quotes are precise, but the essence of the story is accurate. Email me if you'd like an annotated copy of the PPT I delivered there.]

top

EFF's 2015 data privacy report lauds Apple, Dropbox, slams Verizon (TechCrunch, 18 June 2015) - Digital rights organization the Electronic Frontier Foundation (EFF) has published its fifth annual Who has your back? report into online service providers' transparency and privacy practices when it comes to government requests for accessing user data. The organization notes a general transformation among major Internet players to be more transparent with users about data requests over the past four years. But for its latest report it's tightened evaluation criteria, arguing that "it's time to expect more from Silicon Valley". The report awards companies up to a maximum of five stars for performance in various areas, such as following what the EFF judges as "industry-accepted best practices"; telling users about government data demands; disclosing policies on data retention disclosing government content removal requests; and taking what it dubs a "pro-user" public policy position and specifically opposing government mandated backdoors in digital services.

top

Can liberal musicians stop Republicans from using their songs? (WaPo, 18 June 2015) - Neil Young's song "Rockin' In The Free World" was played Tuesday at Donald Trump's campaign announcement, and as has become standard operating procedure, Young's manager released a statement saying Trump wasn't authorized to use the song and that Young doesn't support Trump's candidacy. It's all very predictable, something we see played out over and over again in politics (mostly among Republican politicians and liberal musicians). What if a politician X was like, "You know what, I don't care what musician Y thinks; we're going to keep playing that song. Louder, even. We're going to blast it, on repeat, from Iowa to New Hampshire until I'm elected President of these United States!?" Despite the fact politicians usually stop playing songs when asked, they could fight it if they really wanted to. According to the ASCAP guidelines on using music in political campaigns , if campaigns obtain a public performance license from them or other performing rights organizations like BMI, they're in compliance with copyright law, which is why campaigns always first respond to statements from angry musicians by saying they were following the rules. But being in compliance with copyright rules doesn't mean musicians can't complain and even take legal action -- which is why the ASCAP advises campaigns get permission from artists' management and songwriters as well, to avoid all this. Per the ASCAP, musicians could seek recourse through their right to publicity (which public figures have for their image in some states), false endorsement (an argument that their work is being used to incorrectly imply support for something) or the Lanham Act (dealing with unauthorized use of a trademark leading to confusion). So there are legal grounds for them to fight the song's use. But there's not much precedent for that happening, because campaigns generally give in to musician's demands so quickly.

top

Secretive surveillance court skips talking to privacy advocates (National Journal, 19 June 2015) - The secretive court that oversees U.S. spying programs selected to not consult a panel of privacy advocates in its first decision made since the enactment earlier this month of major surveillance reform, according to an opinion declassified Friday. The Foreign Intelligence Surveillance Court opted to forgo appointing a so-called "amicus" of privacy advocates as it considered whether the USA Freedom Act could reinstate spying provisions of the Patriot Act even though they expired on June 1 amid an impasse in the Senate. The Court ruled that the Freedom Act's language-which will restore the National Security Agency's bulk collection of U.S. call data for six months before transitioning to a more limited program-could revive those lapsed provisions, but in assessing that narrow legal question, Judge Dennis Saylor concluded that the Court did not first need confer with a privacy panel as proscribed under the reform law. "The statute provides some limited guidance, in that it clearly contemplates that there will be circumstances where an amicus curiae is unnecessary (that is, 'not appropriate')," Saylor wrote . "At a minimum, it seems likely that those circumstances would include situations where the court concludes that it does not need the assistance or advice of amicus curiae because the legal question is relatively simple, or is capable of only a single reasonable or rational outcome." [ Polley : uh-oh… I think I'd prefer an amicus even when it's "simple" or there's only a "single reasonable or rational outcome." Think: Dick Cheney.]

top

Google Earth's digital tack, used to show location, wasn't hearsay, 9th Circuit rules (ABA Journal, 22 June 2015) - A "digital tack" on Google Earth used to pinpoint the location of an arrest isn't an inadmissible statement governed by hearsay rules, a federal appeals court has ruled. The San Francisco-based 9th U.S. Circuit Court of Appeals ruled in the case of a defendant, Paciano Lizarraga-Tirado, who claimed he was on the Mexican side of the border when he was arrested by Border Patrol agents for illegal re-entry into the United States, report the Wall Street Journal Law Blog and IDG News Service . An arresting agent recorded the coordinates of the arrest with a GPS device. At trial, prosecutors introduced evidence of the location by entering the GPS coordinates into Google Earth, creating a digital tack on Google Earth's satellite image. The tack was clearly north of the border. The appeals court considered Lizarraga-Tirado's objection under the hearsay rule, which generally bars out-of-court statements to prove the truth of the matter asserted. The rule defines a statement as a person's oral assertion, written assertion, or nonverbal conduct, if the person intended it as an assertion. A satellite image, absent any markers, makes no assertion and isn't hearsay, the court said in an opinion (PDF) by Judge Alex Kozinski. Because the tack was computer-generated rather than placed manually and labeled, it isn't an assertion made by a person and isn't hearsay, the court said. "Though a person types in the GPS coordinates," Kozinski wrote, "he has no role in figuring out where the tack will be placed. The real work is done by the computer program itself." Machine statements do raise evidentiary concerns, Kozinski said, but they should be addressed by the rules of authentication, not hearsay. A litigant seeking admission of Google Earth evidence over an objection would have to establish its reliability and accuracy, perhaps by testimony from a Google Earth programmer or perhaps by judicial notice, Kozinski said. The defendant in the case before the court had not raised an authentication objection.

top

ABA President pushes online models for civil disputes (DailyNews, 22 June 2015) - The president of the American Bar Association says the traditional method of providing pro bono legal services in civil matters to those who can't afford to pay for an attorney isn't working despite best efforts. And William C. Hubbard wants those in the legal system to work more with tech companies finding a demand for online dispute resolution programs. "Despite all of our best efforts, we have not closed this justice gap despite more pro bono work and more support," Hubbard told a group of 200 attorneys and judges Thursday, June 18, at the Tennessee Bar Association's annual meeting, held this year in Memphis. Hubbard cites a report from Modria.com , the online dispute resolution company that spun off from eBay and PayPal in 2011. Of 60 million annual disputes on eBay, 90 percent are resolved using software with no human intervention and the results are "almost never" appealed in court, according to Modria. While Modria's efforts and pitch are aimed at business disputes, Hubbard has already begun talking with the company and similar online companies. Modria cites property tax disputes in Nashville that are settled online among other uses and concludes "the next justice system will look more like ODR than the courts."

top

SEC hunts hackers who stole corporate emails to trade stock (Reuters/ReCode, 23 June 2015) - U.S. securities regulators are investigating a group of hackers suspected of breaking into corporate email accounts to steal information to trade on, such as confidential details about mergers, according to people familiar with the matter. The Securities and Exchange Commission has asked at least eight listed companies to provide details of their data breaches, one of the people said. The unusual move by the agency reflects increasing concerns about cyber attacks on U.S. companies and government agencies. It is an "absolute first" for the SEC to approach companies about possible breaches in connection with an insider trading probe, said John Reed Stark, a former head of Internet enforcement at the SEC. "The SEC is interested because failures in cyber security have prompted a dangerous, new method of unlawful insider trading," said Stark, now a private cyber security consultant. According to people familiar with the matter, the SEC's inquiry and a parallel probe by the U.S. Secret Service - which investigates cyber crimes and financial fraud - were spurred by a December report by security company FireEye about a sophisticated hacking group that it dubbed "FIN4." Since mid-2013, FIN4 has tried to hack into email accounts at more than 100 companies, looking for confidential information on mergers and other market-moving events. The targets include more than 60 listed companies in biotechnology and other healthcare-related fields, such as medical instruments, hospital equipment and drugs, according to the FireEye report. The SEC has asked companies for data on cyber intrusions or attempted intrusions, as well as information on the tactics that the unknown hackers used to lure employees into giving up email passwords, known as "spear phishing" or "credential harvesting," people familiar with the investigation said. As concerns about cyber security grew, the SEC in 2011 issued guidance for public companies on disclosing breaches. Companies are not required to disclose any breaches unless they are deemed to be "material" under federal securities laws. The probe is unusual for the SEC, which has typically searched for questionable trading activity in stocks and options when investigating insider trading cases, said Stark. The SEC only has the power to bring civil cases, so any possible criminal cases resulting from the probe would be brought by a federal prosecutor.

top

GCHQ asked court to let it infringe on anti-virus copyrights... for national security (TechDirt, 24 June 2015) - National security apparently means "securing" the nation at the expense of citizens' security. New Snowden documents published by The Intercept show massive amounts of dicking around in the coding of popular anti-virus software by the NSA and GCHQ. The list of antivirus products not affected would be much, much shorter than a list of those that have been. The GCHQ obtained a warrant to reverse engineer Kapersky products because it felt the company's software was "obstructing" its hacking attempts. Not only did the GCHQ seek permission to tear apart a legitimate security product for its own ends, but it also asked for an exception to UK copyright law in order to do so: GCHQ's success as an intelligence agency is founded on technical knowledge and creativity. In particular this may involve modifying commercially available software to enable interception, decryption and other related tasks, or "reverse engineering" software (this means to convert it from machine readable code into the original format, which is then comprehensible to a person). These actions, and others necessary to understand how the software works, may represent an infringement of copyright. The interference may also be contrary to, or inconsistent with, the provisions of any licensing agreement between GCHQ and the owners of the rights in the software. Recognizing this could potentially cause a problem if its efforts were discovered, GCHQ explicitly asked that it be granted permission to engage in copyright infringement in the name of national security. [ Polley : How far can a court go in "authorizing" otherwise unlawful activity? Transcend copyright law? Break into computers? Defraud? Steal? Torture?]

top

NOTED PODCASTS

Distributed and digital disaster response (Willow Brugh at Berkman, 10 March 2015; 59mins) - The citizen response to 2012's Hurricane Sandy was in many important ways more effective than the response from established disaster response institutions like FEMA. New York-based response efforts like Occupy Sandy leveraged existing community networks and digital tools to find missing people; provide food, shelter, and medical assistance; and offer a hub for volunteers and donors. In this talk Willow Brugh -- Berkman fellow and Professor of Practice at Brown University -- demonstrates examples ranging from Oklahoma to Tanzania where such distributed and digital disaster response have proved successful, and empowered citizens to respond in ways traditional institutions cannot. Find Willow's presentation deck here . [ Polley : Lots of stuff here on KM and knowledge sharing across time and across events/communities. This also implicates the question of meta-KM - i.e., knowledge sharing outside an "enterprise" and among/between ad hoc virtual teams.]

top

RESOURCES

Irving Younger's 10 Commandments Of Cross Examination (Lawyerist, 24 June 2015) - If you will put these suggestions to use, if you will cross-examine in accordance with these suggestions, I can virtually guarantee - not that you will be a brilliant cross-examiner, but that you won't be ashamed of yourself, you won't be a buffoon in that courtroom. Whenever you do not comply with them, you will regret it. Instantly. [ Polley : This is the classic; guaranteed to educate and entertain. Highly recommended.]

top

Privacy and Security Training Requirements (web compendium maintained by Prof. Dan Solove) - Many laws, regulations, and industry codes require privacy awareness training and/or data security awareness training. Here is a list of a number of these requirements: * * * Below is a brief description of each requirement with excerpts of the relevant provisions: * * *

top

The Legal Impact of Technology on M&A Transactions (Kaye Scholer white paper; undated) - Across the hundreds of M&A transactions that our firm has worked on in recent years, we and our clients have together explored and analyzed a relatively consistent set of diligence concerns. Increasingly, however, a new subject is beginning to interest dealmakers: the underlying technologies at each acquisition candidate and their related obligations and risk implications. This report, The Legal Impact of Technology on M&A, explores this important and still-evolving area of interest.

top

FUN

The Influence Of Immanuel Kant On Evidentiary Approaches In 18th-Century Bulgaria (Orin Kerr, June 2015) - Chief Justice Roberts has drawn attention to the influence of Immanuel Kant on evidentiary approaches in 18th- century Bulgaria. [fn omitted] No scholarship has analyzed Kant's influence in that context. This Article fills the gap in the literature by exploring Kant's influence on evidentiary approaches in 18th-century Bulgaria. It concludes that Kant's influence, in all likelihood, was none. [Kerr's explication of this tongue-in-cheek article is here .]

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Plan to put company reports on the web (Reuters, 30 Nov 2005) -- Corporations would be allowed to post proxy statements and annual reports on Web sites, instead of sending them through the mail, under a plan proposed Tuesday by federal regulators. The Securities and Exchange Commission voted 5 to 0 to submit the plan to a 60-day public comment period, with a final vote by the commission expected later. Aimed at saving postage and printing costs, the so-called e-proxy measure is also seen as a way to cut the costs to shareholders of waging proxy contests. Under the proposed rule, investors would receive a postcard notice in the mail telling them that a proxy statement and annual report was available online. Investors wishing to continue receiving printed matter could request it. "Studies show that today 75 percent of Americans now have access to the Internet and this percentage is rising steadily," Christopher Cox, the S.E.C. chairman, said at a meeting. "The percentage of investors with Internet access is even higher." The proposal, if adopted early next year, would probably not be enacted in time for the 2006 proxy season but would come into play in 2007, said Alan L. Beller, director of the S.E.C.'s corporate finance division.

top

Sony's anti-file-sharing CD causes a firestorm of anger (Houston Chronicle, 8 Nov 2005) -- Since the dawn of file-sharing in the late 1990s, the music industry has struggled with keeping its wares from being traded freely. Recording labels have tried all kinds of approaches, from suing their own customers to Draconian copy protection to changing formats. The one that has worked the best - surprise! - has been to offer a low-cost way to buy music that allows users to do pretty much what they want to do with the tunes they purchase. It's almost as though there's a Good Side and a Dark Side to the musical force. Over time, you'd think the business would get that the Good Side will win more converts. That is, until you see something like the strange case of the Sony rootkit. On Halloween, a developer with an Austin-based software company posted on his blog a detailed report on a troubling discovery - a CD from Sony BMG had installed software on his PC that uses the same technique for hiding itself as the most pernicious type of spyware. Mark Russinovich of Sysinternals also discovered that the software, known as a rootkit, could then be used by the creators of viruses and worms to hide their own malicious payloads. A rootkit works at the very lowest levels of the Windows operating system to cloak files. Spyware purveyors use the technique to hide their code from programs designed to find and remove it. In Sony's case, the rootkit was part of a media player designed to restrict how a CD's tunes are played, stored to a computer's hard drive or copied, and was used to hide those files, making it difficult to get around the protection. The software was installed when the CD's buyers - in Russinovich's case, Van Zant's Get Right with the Man - first tried to play the disc on a PC. The disc can't be used in a PC without Sony's player. The rootkit hid the software by looking for a particular sequence of characters in the name. Any files that included the sequence were cloaked. Russinovich had to jump through hoops to find the software, trace its source and remove it. When he did, he found the process disabled his CD drives, which were no longer visible in Windows Explorer. His report, at www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html , concluded: "The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files ... will cripple their computer if they attempt the obvious step of deleting the cloaked files." http://www.chron.com/cs/CDA/ssistory.mpl/business/3445666

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top