MIRLN --- 29 May - 25 June 2016 (v19.09) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)
NEWS | PODCASTS/MOOCS | RESOURCES | LOOKING BACK | NOTES
- Ethics opinion draws line on when social media is considered advertising
- Attorney confidentiality, cybersecurity, and the cloud
- Another state adopts the duty of technology competence for lawyers
- Rethinking the "standard" arbitration clause in cloud agreements (part ii)
- Born in the VCR era, great courses seeks to evolve
- Doctors fire back at bad Yelp reviews - and reveal patients' information online
- Goldman Sachs: 5 practical uses for blockchain - from Airbnb to stock markets
- Get the complete guide to preservation case law 2008-2016
- Panama Papers fallout: What if your lawyer gets hacked?
- A brief history of law firm cyberattacks
- Tattoo recognition research threatens free speech and privacy
- Ponemon 2016 Cost of Data Breach study
- Will the Constitution protect your next smartphone?
- The Fifth Amendment limits on forced decryption and applying the 'foregone conclusion' doctrine
- 'Wifi whisperer' siphons your data in the creepiest way possible
- This interactive proves just how wrong our world maps really are
- Google's fair use victory is good for open source
- Cloaking threat risk assessments under legal privilege
- The net neutrality court decision, in plain English
- Key takeaways from the SEC Morgan Stanley cybersecurity case
- Blockchain tech tested for Sweden's land registry system
- Tor torpedoed! Tesco Bank app won't run with privacy tool installed
- Fed internal watchdog to study oversight of cybersecurity at banks
- Online interactive legal documents would be legal in North Carolina under bill passed by legislature
- Law schools are going online to reach new students
- Applying the Fourth Amendment to placing calls from a locked phone to identify its owner
- The Fourth Amendment does not protect your home computer
Ethics opinion draws line on when social media is considered advertising (ABA, 20 May 2016) - Whether social media constitutes attorney advertising is an unsettled question for attorneys. A recent ethics opinion provides much-needed guidance on the question. Attorneys can post away on professional networking sites like LinkedIn with certain caveats, according to an ethics opinion of the Association of the Bar of New York Committee on Professional Ethics . Attorneys looking for guidance regarding attorney advertising will find the opinion a useful resource. Whether social media constitutes attorney advertising is a question that has plagued attorneys in recent years. Ethics committees "find themselves straining to force fit the proverbial peg of social media into the round hole of legal ethics-with varying degrees of success," the New York City Bar noted. In addition, "due to the pace of technological change, bar regulators may be reluctant to amend ethics rules to incorporate social media use," the opinion added. This is because of "a legitimate concern that any such rules may become obsolete as social media platforms develop and change." The New York City Bar provided a detailed analysis in an attempt to address these concerns. A lawyer's LinkedIn profile is attorney advertising only if the profile meets five criteria: the lawyer makes the content; the primary purpose is for client retention of the lawyer for pecuniary gain; the content relates to the lawyer's legal services; new clients are the intended audience; and the content does not fall into an exception to the definition of attorney advertising. The New York City Bar noted that, although its opinion focused on LinkedIn, it applies to other social networking sites such as Facebook and Twitter. The New York City Bar emphasized that a LinkedIn profile comprises advertising only if there is "clear evidence that a lawyer's primary purpose is to attract paying clients." The opinion allows many types of LinkedIn content, for example, including a list of skills or description of practice areas. Simply displaying recommendations and endorsements is similarly permissible. * * *
- and -
Attorney confidentiality, cybersecurity, and the cloud (Dan Solove, 6 June 2016) - There is a significant degree of confusion and lack of awareness about attorney confidentiality and cybersecurity obligations. This issue is especially acute when it comes to using the cloud to store privileged documents. A common myth is that storing privileged documents in the cloud is a breach of attorney-client confidentiality. In other instances, many attorneys and firms are not paying sufficient attention to their obligation to protect the confidentiality and security of the client data they maintain. The general rules of professional conduct are written broadly, without specifically addressing privacy and cybersecurity issues. Under Rule 1.6 of the ABA Model Rules of Professional Conduct , "a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent." Lawyers must "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." The application of this rule to digital technologies has been dealt with by resolutions and commentary. Fairly recently, the ABA published Resolution 109 , calling for firms to "develop, implement, and maintain an appropriate cybersecurity program." And few years ago, the ABA amended Comment 8 to Model Rule 1.1 (requiring "competent representation to a client") to state that "a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology ." (added language italicized). Is it ethical for attorneys and law firms to store privileged documents in the cloud? After all, they are storing such documents on a third party's computer. This question has been a widespread concern, enough so that several state bar associations have issued guidance. Their consistent conclusion is that it is ethical to store privileged documents in the cloud. For example, according to the Pennsylvania Bar Association Formal Opinion 2011-200 : "An attorney may ethically allow client confidential material to be stored in 'the cloud' provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks." According to the Florida Bar Association Opinion 12-3 , "Cloud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it." The Massachusetts Bar Association Opinion 12-03 provides that lawyers "may store and synchronize electronic work files containing confidential client information across different platforms and devices using an Internet based storage solution" if they undertake "reasonable efforts to ensure that the provider's terms of use and data privacy policies, practices and procedures are compatible with the lawyer's professional obligations, including the obligation to protect confidential client information." * * *
- and -
Another state adopts the duty of technology competence for lawyers (Robert Ambrogi, 17 June 2016) - I have been tracking here the states that have adopted the ethical duty of technology competence for lawyers. I have just learned of one more state that has adopted the duty. That brings the total number of states to 21. The latest state is North Dakota, where the Supreme Court ordered adoption effective March 1, 2016, of an amendment to Rule 1.1 of the North Dakota Rules of Professional Conduct. The amendment to the rule on maintaining competence adds the phrase adopted by the ABA in 2012 in Model Rule 1.1, Comment 8. In North Dakota, the comment is number 5 and reads: "To maintain the requisite knowledge and skill, a lawyer must keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements." The amendment added the italicized phrase, which is identical to the phrase in the Model Rule. (For the full list of states that have adopted the rule, see my earlier post .)
Rethinking the "standard" arbitration clause in cloud agreements (part ii) (LeClair Ryan, 23 May 2016) - Part I of this article included a little bit of history about how it came to be so common that modern technology agreements - including "cloud agreements" - often include a rather ubiquitous, sort of "standard" arbitration clause. The first article in this three-part series also put forth the question of whether some of the common assumptions about arbitration - namely, that arbitration is cheaper, faster and better than a traditional lawsuit - are true. This middle article in the series aims to try to answer that question: Is arbitration truly "cheaper, faster or better?" A close examination of these common assumptions reveals that, while there are indeed some clear advantages to arbitration, some of the claimed advantages may be lost if parties simply agree to a "standard" arbitration clause, without giving the matter any considered thought on the front end of a transaction. This kind of inertia often leads to an arbitration proceeding that looks very much like a traditional lawsuit. The parties who agree to an arbitration provision without giving it any thought will find that arbitration is often just as expensive as a traditional lawsuit, that it may not be any faster, and that a "more rational result" does not necessarily work to every party's advantage.
Born in the VCR era, great courses seeks to evolve (NYT, 27 May 2016) - Decades before TED Talks, so-called massive open online courses and YouTube videos made top educators accessible to the masses, the Great Courses built a loyal audience of lifelong learners by making "the world's greatest professors" available to anyone with a VCR or cassette player. Larry Weinberg, 72, typifies the Great Courses' core customer: A voracious learner, he got hooked on the Great Courses video and audio classes shortly after he retired from Boeing a decade ago. His personal library now includes more than 200 courses, as varied as "Understanding Multivariable Calculus" and "Yoga for a Healthy Mind and Body," all carefully cataloged on bookshelves and computer hard drives. Now the Great Courses program hopes to broaden its demographics with an all-you-can-learn streaming service, Great Courses Plus, which it introduced late last year. With the streaming option, customers are not limited to a single course. For $19.99 a month, or about $180 for an annual subscription, they have unlimited online access to more than 280 of the most recent and popular courses from the company's library of roughly 600 courses on topics including astrophysics and wine tasting. "I'm a big believer that we are the Netflix of learning," said Paul Suijk, chief executive of the Teaching Company of Chantilly, Va., which owns the Great Courses and has $150 million a year in revenue. "Looking at Netflix and where they are going, I think there are many similarities."
Doctors fire back at bad Yelp reviews - and reveal patients' information online (WaPo, 27 May 2016) - Burned by negative reviews, some health providers are casting their patients' privacy aside and sharing intimate details online as they try to rebut criticism. In the course of these arguments -- which have spilled out publicly on ratings sites like Yelp - doctors, dentists, chiropractors and massage therapists, among others, have divulged details of patients' diagnoses, treatments and idiosyncrasies. One Washington state dentist turned the tables on a patient who blamed him for the loss of a molar: "Due to your clenching and grinding habit, this is not the first molar tooth you have lost due to a fractured root," he wrote. "This tooth is no different." And a California dentist scolded a patient who accused him of misdiagnosing her. "I looked very closely at your radiographs and it was obvious that you have cavities and gum disease that your other dentist has overlooked. … You can live in a world of denial and simply believe what you want to hear from your other dentist or make an educated and informed decision." Health professionals are adapting to a harsh reality in which consumers rate them on sites like Yelp, Vitals and RateMDs much as they do restaurants, hotels and spas. The vast majority of reviews are positive. But in trying to respond to negative ones, some providers appear to be violating the Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA . The law forbids them from disclosing any patient health information without permission. Yelp has given ProPublica unprecedented access to its trove of public reviews -- more than 1.7 million in all -- allowing us to search them by keyword. Using a tool developed by the Department of Computer Science and Engineering at the NYU Tandon School of Engineering, we identified more than 3,500 one-star reviews (the lowest) in which patients mention privacy or HIPAA. In dozens of instances, responses to complaints about medical care turned into disputes over patient privacy.
Goldman Sachs: 5 practical uses for blockchain - from Airbnb to stock markets (Business Insider, 28 May 2016) - "Is the hype around blockchain justified?" asks Goldman Sachs in a blockbuster 88-page note sent to clients this week. The financial world has been going crazy for blockchain technology for the last year or so, hypothesising how it could rip out huge amounts of costs for big banks and streamline operations. Goldman itself was one of the key hype men, declaring in December that the technology "can change... well everything." The bank has examined the technology's application in 5 markets. We've summed up its thinking below * * *
Get the complete guide to preservation case law 2008-2016 (GC News, 31 May 2016) - Zapproved has published its updated Preservation Case Law Summaries 2008-2016 , the definitive guide to preservation case law with summaries tagged by venue, sanction and topic. Zapproved says courts are analyzing preservation cases for spoliation with a high bar to determine if awarding sanctions is appropriate. The standards set forth in proposed changes to Rule 37(e) require that in order to impose an adverse inference, spoliation must have (i) caused substantial prejudice in the litigation and the result of willfulness or bad faith; or (ii) irreparably deprived a party of any meaningful opportunity to present or defend against the claims in the litigation.
Panama Papers fallout: What if your lawyer gets hacked? (Information Week, 31 May 2016) - Your company has likely spent a lot of time, effort, and money keeping its security systems, policies, and practices up to date. Can the same be said of your law firm? The legal industry isn't exactly known for its technology leadership, which should be of concern, especially from a security perspective. Don't assume that your data is safe, in other words. Be prepared to do your own due diligence. "Law firms retain a lot of sensitive corporate data that would be extremely valuable to hackers or outside parties. In particular, hackers are interested in corporate legal information, intellectual property from their clients, information on directors and officers of corporate clients, settlement terms, and more," said Jacob Olcott, the former legal adviser to the Senate Commerce Committee, counsel to the House of Representatives Homeland Security committee, and current VP at Bitsight Technologies , in an interview. "Since law firms often deal with highly sensitive information, they are a clear target for hackers trying to earn money on the black market. In addition, hacktivists may be interested in the information held by a law firm for political purposes." "Many top law firms have pretty good structural security. However, they drop the ball in two places: They use less sophisticated local counsel and give them sensitive documents, and they don't put sufficient checks on their people," said Jay Edelson, founder and CEO at law firm Edelson PC , in an interview. The actual scope of attacks is difficult to gauge. For example, in its 2015 Annual Security Report, Cisco named the legal industry No. 7 in its list of top 10 company types at risk for Web malware infections. According to an American Bar Association (ABA) 2015 Legal Technology Survey Report , 15% of the 880 lawyer respondents said their firms had experienced a security breach, and 23% of them said they didn't know if they had. More than four in ten (42%) said their computers had been affected by a virus, while 23% said they didn't know. The larger the law firm, the greater the increase in breaches. "Law firms represent a critical component of most companies' supply chain[s]," said BitSight's Olcott. "Most companies are focused on managing the cyber risk of their supply chain, and one of the first organizations they start with is their law firm." [ Polley : See also The security vulnerabilities law firm hacks create for corporations (Inside Counsel, 1 June 2016)]
- and -
A brief history of law firm cyberattacks (Law360, 2 June 2016) - The legal industry is the latest gold mine for hackers, whose attacks continue growing in sophistication, frequency and motivation. This, coupled with the fact that so many law firms have branches and associates located around the world, means the entry points for hackers have become even more numerous. Over the past few months alone, major law firms including Cravath Swaine & Moore LLP , Weil Gotshal & Manges LLP , and most recently, Mossack Fonseca, have all fallen victim to simple, easily preventable data breaches. In the case of Mossack Fonseca, more than 2.6 terabytes of data were stolen without the firm detecting any sign of theft, and overall, a whopping 11.5 million sensitive records were confiscated. Most law firms do not have basic cybersecurity controls in place for detecting and mitigating data breaches. The incident at Mossack Fonseca just scratched the surface of demonstrating the lack of cybersecurity resources within the legal sector, as 90 percent of law firms have five or fewer employees dedicated to information security and safeguarding the business' crown jewels. The fact that the law firms entrusted with so much sensitive information have such poor cybersecurity policies, procedures and technologies should be alarming to just about every business, as the quickening pace of breaches could put thousands of businesses at risk. The FBI has reacted by issuing warnings to firms, but overall, the legal industry is - and always has been - lagging. Here's a look at the history of events leading up to the Mossack Fonseca incident: * * * [interesting graphic timeline] * * * According to Vincent I. Polley, former deputy general counsel for Schlumberger Ltd . for 20 years and co-author of a recent book for the American Bar Association on cybersecurity, "A lot of firms have been hacked, and like most entities that are hacked, they don't know that for some period of time. Sometimes, it may not be discovered for months and even years." History has a tendency of repeating itself, and given the aforementioned cybersecurity events, law firms must take proactive measures to properly secure the sensitive data. Through actions such as regular employee and third-party contractor training, cybersecurity audits, and investing in data protection technology tools and resources, firms can avoid falling victim to the next data breach - which could happen at any second. [ Polley : I wasn't interviewed for this story.]
Tattoo recognition research threatens free speech and privacy (EFF, 2 June 2016) - Tattoos are inked on our skin, but they often hold much deeper meaning. They may reveal who we are, our passions, ideologies, religious beliefs, and even our social relationships. That's exactly why law enforcement wants to crack the symbolism of our tattoos using automated computer algorithms, an effort that threatens our civil liberties. Right now, government scientists are working with the FBI to develop tattoo recognition technology that police can use to learn as much as possible about people through their tattoos. But an EFF investigation has found that these experiments exploit inmates, with little regard for the research's implications for privacy, free expression, religious freedom, and the right to associate. And so far, researchers have avoided ethical oversight while doing it. The research program is so fraught with problems that EFF believes the only solution is for the government to suspend the project immediately. At a minimum, scientists must stop using any tattoo images obtained coercively from prison and jail inmates and tattoos that contain personal information or religious or political symbolism. EFF has been filing public records requests around the country to reveal how law enforcement agencies are using mobile biometric technology-including facial recognition, digital fingerprinting, and iris scanning-to identify people based on their physical and behavioral characteristics. As part of this investigation, we learned that the National Institute for Standards and Technology (NIST), one of the oldest federal scientific institutions, began an initiative in 2014 to promote and refine automated tattoo recognition technology for the FBI. The FBI's plans for automated tattoo recognition go beyond developing algorithms that can identify people by their tattoos. The experiments facilitated by NIST also focused on improving technology that can map connections between people with similarly themed tattoos or make inferences about people from their tattoos (e.g. political ideology, religious beliefs). On top of the free speech concerns, the project should raise red flags for religious liberty advocates, since many of the experiments involved sorting people and their tattoos based on Christian iconography. NIST's Tattoo Recognition Technology program also raises serious questions for privacy: 15,000 images of tattoos obtained from arrestees and inmates were handed over to third parties, including private companies, with little restriction on how the images may be used or shared. Many of the images reviewed by EFF contained personally identifying information, including people's names, faces, and birth dates.
Ponemon 2016 Cost of Data Breach study (June 2016) - IBM and Ponemon Institute are pleased to release the 2016 Cost of Data Breach Study: Global Analysis . According to our research, the average total cost of a data breach for the 383 companies participating in this research increased from $3.79 to $4 million2. The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 in 2015 to $158 in this year's study. In addition to cost data, our global study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months. We estimate a 26 percent probability of a material data breach involving 10,000 lost or stolen records.
Will the Constitution protect your next smartphone? (The Atlantic, 3 June 2016) - Will new unlocking methods enjoy the same Fifth Amendment protections that prevent the government from forcing a person to give up their passwords? It all comes down to a distinction that the legal system uses to determine how far Fifth Amendment protections extend. The amendment covers what's in your head (thoughts, memories) but not what you are (fingerprints, DNA). A memorized password is unambiguously protected. But devices secured by biometrics or behavioral traits exist in a grayer area. When Apple introduced its first fingerprint reader-equipped iPhone in 2013, scholars speculated that the Fifth Amendment may not apply to fingerprints. Indeed, just a year later, a Virginia judge ruled that police could force a person to unlock his own iPhone with his fingerprint. And this February, a federal judge in Los Angeles signed a search warrant that compelled a 29-year-old woman to do the same. But these decisions don't necessarily mean the debate over the Fifth Amendment and fingerprint readers is all wrapped up, says Al Gidari, a technology lawyer and the director of privacy at Stanford University's Center for Internet and Society. Gidari disagrees with the judges who signed warrants for fingerprint unlocks. The Supreme Court has determined that the Fifth Amendment applies only to "testimonial communication that is incriminating." Gidari says that even though a fingerprint on its own isn't covered by the Fifth Amendment, the act of unlocking a device with a fingerprint falls into the special protected category. "When you put your fingerprint on the phone, you're actually communicating something," Gidari said. "You're saying, 'Hi, it's me. Please open up.'" [ Polley : Gidari is smart and experienced; his views are welcome counterpoint to others; see immediately below.]
- and -
The Fifth Amendment limits on forced decryption and applying the 'foregone conclusion' doctrine (Orin Kerr in Volokh Conspiracy, 7 June 2016) - The U.S. Court of Appeals for the 3rd Circuit has a case pending on the Fifth Amendment limits of forcing a suspect to enter his password to decrypt a computer. The case provides an opportunity for the 3rd Circuit to correct an error in the 11th Circuit's treatment of the same question, specifically on how to apply the "foregone conclusion" doctrine to an order requiring decryption of a storage device. Given the importance of the issue, I want to explain the issue, show where the 11th Circuit got it wrong, and explain what I think the right analysis should be. I'll start with a short summary of the facts in the pending case as found in the government's brief and the defense brief . The suspect, referred to in the briefs only as "John Doe," is a Philadelphia police officer. (News reports have named him as Francis Rawls , but I'll stick with "John Doe" to be consistent with the briefs.) Doe is believed to have used a peer-to-peer network to download a lot of child pornography from the Internet. Investigators were able to decrypt Doe's Apple computer without Doe's help pursuant to a search warrant. A search of the computer revealed evidence that Doe had accessed more than 20,000 files with child-porn-related file names and then stored the files on two external hard drives that were connected to Doe's computer when the government seized them. This case is about the government's access to the two external hard drives. The government obtained a search warrant to search the two hard drives as well as a supplemental order under the All Writs Act ordering Doe to decrypt them. Doe was then taken to a government computer lab where the drives were connected to a computer, and he was told to enter in the passwords to decrypt his hard drives. Doe claimed that he was unable to comply with the order because he did not remember the passwords. * * * [ Polley : pretty interesting reading.]
'Wifi whisperer' siphons your data in the creepiest way possible (Wired, 4 June 2016) - If you're connected to a wireless network, odds are high that little bits of data are trickling out of your device like water from a leaky faucet. "Our phones leak data in a bunch of different ways," says artist Kyle McDonald. "Sometimes it's really insidious or unexpected." Recently at Moogfest, a music and technology festival in Durham, N.C., McDonald with the help of fellow artist Surya Mattu created an installation called WiFi Whisperer that called attention to all that data your phone is giving away for free. As festivalgoers walked past the installation, the artwork grabbed insecure data and display it on monitors, while a hidden speaker whispered the stream of data-what networks you've recently connected to and websites you've visited, for example-like a creepy, demon-voiced Big Brother. "It's sort of like looking over someone's shoulder," says McDonald, "except you're doing it without actually looking over their shoulder." The artists built sniffers made from eight Raspberry Pis and wireless antennas, tuned to the different frequencies of open wireless channels. "We know where the data is in the air," McDonald explains. "Normally these packets are getting sent from one device to another, but there's no reason you can't just stand nearby and listen to that same data as though you were the device it was intended for." By partnering with Festify, Moogfest's wireless internet provider, the artists were able to grab even more data-things like the names of networks you were previously connected to, your device's MAC address, the host name of your laptop or phone, the server your http traffic is aiming for, and even text from whatever website you're visiting. "You can see exactly what articles people are looking at," McDonald says. "You can see exactly which comment they've thumbs-up'd." Businesses have actually used this kind of data to build consumer profiles. In 2012, Nordstrom began tracking the wifi signals emitted from shoppers' phones, to pinpoint their location in the store. Nordstrom argued it was simply the brick and mortar version of what online retailers do with cookies. Consumers didn't agree, and Nordstrom ended its experiment. Analytics companies like Euclid and Nomi use what they claim is anonymous data to figure out exactly where customers go and how many customers leave without buying something. Fairly practical information, you might think. The issue, McDonald says, is that most of us don't even realize we're broadcasting personal information.
This interactive proves just how wrong our world maps really are (FastCoDesign, 6 June 2016) - There are millions of reasons to love The West Wing , especially in a literally insane election year. But for design nerds, these four minutes in which White House Press Secretary C.J. Cregg takes a meeting with the Cartographers for Social Equality might be the highlight of the series. It's probably the only pop culture explanation of how well and truly borked our world maps actually are. Across the board, the Mercator projection of the Earth-which has been our baseline for world maps since the 16th century-skews the actual size of countries so they look bigger (and therefore, more important than they are) when they fall within the middle of the Northern Hemisphere. It's not just bad design, it has real geopolitical implications. For example, in most people's minds, Greenland is a much larger country than Australia. But the reality is that Australia dwarfs Greenland. Likewise, you probably think Africa and North America are roughly the same size, but Africa can swallow all of North America and Greenland with room for all of Western Europe to spare. And so on. Inspired by the aforementioned episode of The West Wing , James Talmage and Damon Maneice created The True Size . The web app lets you drag-and-drop different countries on a world map and see how they shrink or grow on a standard Mercator Projection map. It's a simple tool, but an eye-opening one that can be quickly used to show just how skewed our maps really are.
Google's fair use victory is good for open source (Pam Samuelson, 13 June 2016) - Oracle and Google have been fighting for six years about whether Google infringed copyright by its use of 37 of the 166 packages that constitute the Java API in the Android software platform for smart phones. Last week Google won a jury trial verdict that its reuse of the Java API elements was fair use. Let me first explain the main facts and claims in the lawsuit, and then why Google's fair use victory is a good thing not only for Google, but also for open source developers, for software developers more generally, and for the public. * * * [ Polley : excellent piece.]
Cloaking threat risk assessments under legal privilege (Aird & Berlis, 15 June 2016) - Threat risk assessments against technology-based systems and surrounding environments are increasingly mandated by customers and regulators. Threat risk assessments (TRAs) are typically done either pre-breach event as internal due diligence, or responsive to an event to determine the origins of the event and the scope of the impact. The breadth and penetration level of TRAs vary, but they are inherently intrusive, command significant time and financial resources, and will inevitably result in disclosing areas of possible vulnerabilities. The intent of TRAs is in part to identify those weaknesses, but that goal is often balanced by the concern that having actual knowledge of weaknesses and vulnerabilities exposes businesses to greater liability upon a breach event if the business was unable to implement a solution before the breach event occurs. Rectifying vulnerabilities, which could include simply catching up on ever-changing industry standards, often takes a significant amount of time to complete and that assumes that the business in question has the resources to allocate to such effort (whether or not this is simply the cost of doing business can be discussed another time). That inherently leaves a period of time between when an organization becomes aware of a vulnerability and when the solution is in place. In the United States, many law firms have standing agreements with cyber security experts to undertake TRAs. This is often done with the view that if the law firm engages the cyber security expert to perform the TRA and provide the resulting TRA report to the law firm, the TRA report and findings therein would be protected by a form of legal privilege and harder to use against the client should someone want to discover that TRA report. This approach has been tested in limited cases in the United States, and in certain post-breach incident TRAs, it has had some success. (We refer you to an Order issued by the U.S. District Court of Minnesota on October 23, 2015 by a U.S. Magistrate Judge, Jeffrey J. Keyes, in the matter relating to Target and a TRA prepared by Verizon Business Network Services). In Canada, the approach of law firms retaining cyber security experts to undertake the TRAs is less prevalent, but the merits and limitations should be considered.
The net neutrality court decision, in plain English (WaPo, 15 June 2016) - You may have heard something Tuesday about a court and net neutrality and something about the Internet. Maybe it didn't make much sense. And that's a good thing! If we all spent our time trying to decipher the Web, we'd never get around to actually using it, or creating awesome new things with it. That said, some debates are so important to the healthy function of the Internet that they're worth learning about in depth, and in the process grasping their implications for free speech, online commerce, educational opportunity and all the reasons that make the Internet worth using in the first place. One of those debates reached a key turning point Tuesday, when a federal appeals court said that the Internet is basically like a giant telephone network and that the companies that provide it, such as Comcast and Verizon, must offer essentially the same protections to Internet users that the government has required of phone companies for decades. [ Polley : This is key - while the "net neutrality" stuff is nice, the fundament of it is the recharacterization of ISPs as "telecom service" providers rather than "information service" providers. That recharacterization enables the FCC to regulate things like net neutrality; but also lots of other things, too.]
Key takeaways from the SEC Morgan Stanley cybersecurity case (D&O Diary, 16 June 2016) - As I noted in a recent post , on June 8, 2016, the SEC, in what one commentator called "the most significant SEC cybersecurity-related action to date," announced that Morgan Stanley Smith Barney LLC had agreed to pay a $1 million penalty to settle charges that as a result of its alleged failure to adopt written policies and procedures reasonably designed to protect customer data, some customer information was hacked and offered for sale online. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC's Office of Internet Enforcement, takes a look at the circumstances at the company that led to this enforcement action and reviews the important lessons that can be learned from what happened. A version of this article originally appeared on CybersecurityDocket. I would like to thank John for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site's readers. Please contact me directly if you would like to submit a guest post. Here is John's guest post. * * *
Blockchain tech tested for Sweden's land registry system (ArsTechnica, 17 June 2016) - Blockchain-the technology that underpins Bitcoin-is to be tested on Sweden's land registry to see if it helps speed up property deals in the country. The Swedish National Land Survey ( Lantmäteriet ) has announced a trial that could have a significant impact on land deals, which are currently jotted down on paper, requiring several official documents, and the use of physical mail. A proof-of-concept both of the technology itself, and how it would work within the land registry has been developed by the government agency, alongside Swedish blockchain outfit ChromaWay‚ consulting firm Kairos Future, and telecoms company Telia. They say that the system is faster, more secure, and far less prone to human error than the current method.
Tor torpedoed! Tesco Bank app won't run with privacy tool installed (The Register, 18 June 2016) - UK supermarket giant Tesco's mobile banking app refuses to run on handsets where the Tor app is also installed, it emerged this weekend. Mainframe database admin Marcus Davage revealed the Tesco banking app tells users they must remove the Tor Project's anonymizing Android software to access the supermarket's money services. Davage posted an image of the message, which advises that in order to use the Tesco app, the Tor Project's Orbot Android client has to not only be turned off but removed entirely from the device. The issue appears to be related to security. Tesco's help site notes that the Android app checks for malware and other possible security risks (such as the phone being rooted) upon launching and, in this case, the Tor software triggers an alert.
Fed internal watchdog to study oversight of cybersecurity at banks (Reuters, 20 June 2016) - The Federal Reserve's internal watchdog plans to study how well the central bank is overseeing cybersecurity practices at financial institutions, the U.S. central bank said on Monday. The Office of Inspector General (OIG) at the Fed's Board of Governors plans to release the audit in the fourth quarter, the OIG said in a report on current and upcoming projects. Fed Chair Janet Yellen is due to appear before a U.S. Senate committee on Tuesday and will likely face questions about cybersecurity breaches involving the central bank. Lawmakers are also probing the Fed's own cybersecurity practices after a Reuters report revealed more than 50 cyber breaches at the Fed between 2011 and 2015. "The growing sophistication and volume of cybersecurity threats presents a serious risk to all financial institutions," the OIG said in its report released on Monday. The OIG study due later this year could be the first public report on how well the Fed is holding banks to rules that require them to have effective information security programs. Past studies posted on the Fed's website focused on the central bank's overall cybersecurity practices or on the security of particular information technology systems at the Fed.
Online interactive legal documents would be legal in North Carolina under bill passed by legislature (ABA Journal, 22 June 2016) - North Carolina lawmakers have passed a bill that amends the state's definition of law practice to permit websites that offer interactive legal documents. House Bill 436 (PDF) won unanimous approval last week, ending a long-running dispute with LegalZoom, WRAL reports. The bill was forwarded to Gov. Pat McCrory on Tuesday, according to the legislature's website. The bill says the practice of law does not include websites offering interactive software that generates a legal document based on the consumer's answers to legal questions. The bill adds several restrictions, including these: * * *
Law schools are going online to reach new students (NYT, 22 June 2016) - Law schools, in the face of marked declines in enrollment, revenue and jobs for graduates, are beginning to adopt innovative new ways of delivering legal education. Some law schools are moving away from relying solely on classic settings and instead are blending classroom learning with online instruction, said Michael B. Horn, a founder of the Clayton Christensen Institute, a research institution in San Mateo, Calif., that explores disruptive innovation in education. "Legal education is confronting the most imminent threat in higher education," Mr. Horn said. "Law schools are increasingly out of step with shifts in the legal services market." Law schools that "are able to pioneer online, competency-based programs that focus outside of the traditional J.D. will have a leg up in the struggle to survive," said Mr. Horn, an author of the newly released report, "Disrupting Law School: How Disruptive Innovation Will Revolutionize the Legal World." Mitchell Hamline School of Law, in St. Paul; Washington University School of Law, in St. Louis; and Syracuse University College of Law, in New York, all offer programs that fuse some elements of traditional legal education with technology in new educational vehicles. Harvard Law School also offers an online class on copyright law to its on-campus students and to students who can enroll for the free, not-for-credit course from anywhere in the world. Opportunities to earn a full-fledged law degree online are few, so far. The William Mitchell College of Law began offering a hybrid law degree in January 2015. The school has since merged with Hamline University School of Law. Syracuse's law school adopted a somewhat different approach when it announced in April that it would offer a hybrid law degree once it received approval from New York State and the American Bar Association, which regulates accredited law schools. Syracuse is working with 2U Inc., an education technology provider in Landover, Md., that has collaborated with some major universities, including Northwestern and Georgetown. The online degree program would use 2U's platform. The program will be for people whose work or family obligations prevent them from attending a residential law program. It will offer live online classes with Syracuse Law faculty members who will interact with students. The program, which is expected to begin in 18 months, will also include courses on campus and internships with outside employers.
Applying the Fourth Amendment to placing calls from a locked phone to identify its owner (Orin Kerr in Volokh Conspiracy, 22 June 2016) - A story in the Sacramento Bee flags a novel Fourth Amendment issue pending in federal court. Here's the issue: If the police find a locked phone that was left behind at a crime scene, do the police need to get a warrant before trying to identify the phone's owner by calling 911, thereby generating a caller-ID record at 911 that discloses the phone's number and leads to identification of its owner? This question has come up in the "Gone Girl" kidnapping case currently before Judge Troy Nunley in Sacramento. As I understand the facts from the SacBee story, the defendant, Matthew Muller, allegedly attempted a home burglary months after the kidnapping. The homeowner fought back, and Muller fled. In the course of fleeing, Muller left his locked cellphone behind. Cellphones allow emergency calls without unlocking the phone. The police took advantage of this and used the phone to call 911. Placing the call necessarily sent the phone's number to 911, and investigators then obtained the number from 911. The number was registered as a Verizon cellphone number. The police went to Verizon to find out who the registered user was. After serving a warrant on Verizon for this information, the police learned that the phone was registered to Muller's stepfather. That led the police to Muller. Muller has now moved to suppress the evidence that resulted from his identification. The issue being litigated is whether the government could call 911 from the phone without a warrant. Muller says no, because using the phone was a warrantless search. The government says yes, because the phone was abandoned when Muller left it behind. There are a lot of interesting issues here, and I can't do all of them justice in one post. But here's an overview of my thoughts. First, I think that calling 911 from another person's phone generally should be deemed a Fourth Amendment search of the phone. It's accessing another person's property to obtain information stored inside it, which I think of as a classic kind of search . Granted, the information from inside the phone (the number) is being retrieved in an unusual way. It's being pushed out and routed to 911 rather than revealed on the screen. And the only information retrieved is the number stored inside. But I think that is still accessing information from inside the device , and that it should still count as a search. That's my view, but there's some authority that points the other way. The best precedents on the other side are probably the recent cases holding that accessing the magstripe of a credit card is not a search. Those cases reasoned in part that there was no search because the information stored inside was disclosed to others in the ordinary course of use. The phone number associated with a phone is also disclosed to others in the ordinary course of use. If you buy the reasoning of the magstripe cases, you might say that getting the number from a phone is not a search for that reason. Because I don't think those cases are persuasive for reasons explained in my earlier posts , I would still say that calling from a phone is ordinarily a search.
- and -
The Fourth Amendment does not protect your home computer (EFF, 23 June 2016) - In a dangerously flawed decision unsealed today , a federal district court in Virginia ruled that a criminal defendant has no "reasonable expectation of privacy" in his personal computer, located inside his home. According to the court, the federal government does not need a warrant to hack into an individual's computer. This decision is the latest in, and perhaps the culmination of, a series of troubling decisions in prosecutions stemming from the FBI's investigation of Playpen -a Tor hidden services site hosting child pornography. The FBI seized the server hosting the site in 2014, but continued to operate the site and serve malware to thousands of visitors that logged into the site. The malware located certain identifying information (e.g., MAC address, operating system, the computer's "Host name"; etc) on the attacked computer and sent that information back to the FBI. There are hundreds of prosecutions, pending across the country, stemming from this investigation. The implications for the decision, if upheld, are staggering: law enforcement would be free to remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all. To say the least, the decision is bad news for privacy. But it's also incorrect as a matter of law, and we expect there is little chance it would hold up on appeal. (It also was not the central component of the judge's decision, which also diminishes the likelihood that it will become reliable precedent.) [ see also Judge says FBI can hack computers without a warrant because computer users get hacked all the time (TechDirt, 24 June 2016)]
NOTED PODCASTS/MOOCS
'State of Surveillance' with Edward Snowden (Vice, 8 June 2016; 27 minute video) - When NSA whistleblower Edward Snowden leaked details of massive government surveillance programs in 2013, he ignited a raging debate over digital privacy and security. That debate came to a head this year, when Apple refused an FBI court order to access the iPhone of alleged San Bernardino Terrorist Syed Farook. Meanwhile, journalists and activists are under increasing attack from foreign agents. To find out the government's real capabilities, and whether any of us can truly protect our sensitive information, VICE founder Shane Smith heads to Moscow to meet the man who started the conversation, Edward Snowden.
RESOURCES
Griffiths on exhaustion and the alteration of copyright works in EU copyright law (MLPB, 6 June 2016) - Jonathan Griffiths, Queen Mary University of London, School of Law, has published Exhaustion and the Alteration of Copyright Works in EU Copyright Law - (C-419/13) Art & Allposters International BV v Stichting Pictoright at ERA Forum 1 (May 2016). Here is the abstract: The Judgment of the Court of Justice in (C-419/13) Art & Allposters International BV v Stichting Pictoright concerned a claim that the transfer of an image from paper poster to artist's canvas infringed copyright in that image. It is argued here that, while the case sheds little light on the potential application of the Usedsoft principle to copyright works more generally, its significance extends well beyond the relatively specialist practices with which the national proceedings were concerned. Following an outline of the Judgment, the article goes on to consider its implications for our understanding of the reproduction, distribution and adaptation rights in EU copyright law.
Manning on Hyperlinks and Copyright Law (MLPB, 9 June 2016) - Colin Manning, Cork Institute of Technology, has published Hyperlinks & Copyright Law . Here is the abstract: Reconciling the desire for wide distribution with the desire for control has proven challenging for the law. Deep linking is a good illustration of how applying print and broadcast era concepts to the challenges of the digital era can result in uncertainty and unintended consequences. In the Svennson decision, the court not only failed to acknowledge the distinction between linking and embedding, but it explicitly permitted embedding of content from other sites. This could have implications for how content is distributed, and may ultimately harm user privacy.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Choicepoint to pay $15 million for data breach (CSO Online, 26 Jan 2006) -- ChoicePoint Inc., the data broker that set off a national debate after disclosing a data breach early in 2005, will pay US$15 million in fines and other penalties for lax security standards, the U.S. Federal Trade Commission (FTC) announced Thursday. ChoicePoint's $10 million fine is the largest civil fine in the FTC's history, the FTC said. Under a settlement with the FTC, the Georgia company will also set up a $5 million fund to aid victims of identity theft that resulted from the data breach, and the company has agreed to implement new security measures and have an independent auditor review its security every other year until 2026, said FTC Chairwoman Deborah Platt Majoras.
- and -
Keeping your enemies close (New York Times, 12 Nov 2006) - If you found yourself running a company suddenly branded one of the most reviled in the country - if, for example, you noticed that visitors to Consumerist.com, a heavily visited consumer Web site, voted yours as the second "worst company in America" and you had just been awarded the 2005 "Lifetime Menace Award" by the human rights group Privacy International - you might feel obliged to take extraordinary steps. You might even want to reach out to your most vocal critics and ask them, "What are we doing wrong?" So it was in early 2005 that Douglas C. Curling, the president of ChoicePoint, a giant data broker that maintains digital dossiers on nearly every adult in the United States, courted two critics whom he had accused just months earlier of starting "yet another inaccurate, misdirected and misleading attack" on his company. Mr. Curling also contacted others who had spent years calling for laws requiring better safeguarding of personal information that ChoicePoint and other data brokers assemble - records such as Social Security numbers, birth dates, driver's license numbers, license plate numbers, spouse names, maiden names, addresses, criminal records, civil judgments and the purchase price of every parcel of property a person has ever owned. "It was sort of like when I talk with my wife when she's not happy with me," Mr. Curling said of his dealings with some of ChoicePoint's harshest critics. "It's not exactly a dialogue I look forward to, but I can't deny it's important." He also could not deny his motivations for engaging in these conversations: in the public's mind, ChoicePoint had come to symbolize the cavalier manner in which corporations handled confidential data about consumers. [ Polley in 2006 : Long, excellent, thorough, piece on the fall, and rise, of ChoicePoint. Includes useful collateral graphics and timelines. Illuminates the social-engineering dimension of data security.]
NOTES
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. Aon's Technology & Professional Risks Newsletter
5. Crypto-Gram, http://www.schneier.com/crypto-gram.html
6. Steptoe & Johnson's E-Commerce Law Week
7. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
8. The Benton Foundation's Communications Headlines
9. Gate15 Situational Update Notifications, http://www.gate15.us/services.html
10. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top