- Half of US adults in a face-recognition database
- Why a cyber risk assessment is essential for M&A due diligence
- Despite Obama's pledge to make the government more open, a report shows secret laws still abound
- Can warrants for digital evidence also require fingerprints to unlock phones?
- The Fifth Amendment and Touch ID
- Regulators to set new cybersecurity standards for banks
- G-7 adopts cybersecurity guidelines for financial sector
- Bloomberg Law's new litigation analytics peeks under the robes of judicial data
- Artificial intelligence predicted case outcomes with 79% accuracy by analyzing fact portrayal
- New tool from Bing maps the flow of campaign cash
- Are you audit ready? Strategies, tools, and tactics to address compliance concerns in the legal industry
- Cybersecurity insurance is a 'must have' for law firms
- Cyber security 'key issue for lawyers'
- NPR rides Facebook wave to traffic record
- Google has quietly dropped ban on personally identifiable web tracking
- CJEU decision on dynamic IP addresses touches fundamental DP law questions
- EveryCRSReport.com is making 8,255 CRS reports available to the general public
- MIT releases report on 'Future of Libraries'
- AT&T used broad data-gathering system for federal government
- Oil industry should hire hackers to boost cybersecurity
- BDO board survey finds board of directors increasingly invested in cybersecurity issues
- FCC orders far-reaching new privacy and data security rules
- The average cost of a data breach involving fewer than 10,000 records was $5 million
- It's finally legal to hack your own devices (even your car)
- UK ICO recommends company directors have personal liability for data breaches
- Companies face lawsuits over website accessibility for blind users
- ABA Blueprint launches today to help small firm lawyers buy products and services
Vendor Contracting Project: Cybersecurity Checklist (ABA's Cybersecurity Legal Task Force, Nov 2016) - The objective of this Checklist is to assist procuring organizations, vendors, and their respective counsel to address information security requirements in their transactions. The Checklist frames the issues parties should consider consistent with common principles for managing cybersecurity risk. The Checklist contemplates transactions from due diligence and vendor selection through contracting and vendor management. It suggests that cybersecurity provisions are not "one-size-fits-all," but should instead be informed by parties' assessment of risk and strategies to mitigate risk. The ABA Cybersecurity Legal Task Force recognizes that cybersecurity is a dynamic subject, and we expect practitioners will modify and supplement the Checklist to reflect the particular regulatory requirements and business needs of their clients. We welcome your feedback and suggestions regarding the Checklist. Please send your feedback to the Task Force staff: Kelly Russo at Kelly.Russo@americanbar.org.
Half of US adults in a face-recognition database (ArsTechnica, 18 Oct 2016) - Half of American adults are in a face-recognition database, according to a Georgetown University study released Tuesday. That means there are about 117 million adults in a law enforcement facial-recognition database, the study by Georgetown's Center on Privacy & Technology says. "We are not aware of any agency that requires warrants for searches or limits them to serious crimes," the study says. The report (PDF), titled "The Perpetual Line-up: Unregulated Police Face Recognition in America," shows that one-fourth of the nation's law enforcement agencies have access to face-recognition databases, and their use by those agencies is virtually unregulated. "Innocent people don't belong in criminal databases," said Alvaro Bedoya, the executive director of the Center on Privacy & Technology and co-author of the study. "By using face recognition to scan the faces on 26 states' driver's license and ID photos, police and the FBI have basically enrolled half of all adults in a massive virtual line-up. This has never been done for fingerprints or DNA. It's uncharted and frankly dangerous territory." Where do the mug shots come from? For starters, about 16 states allow the FBI to use facial recognition to compare faces of suspected criminals to their driver's licenses or ID photos, according to the study. "In this line-up," the study says, "it's not a human that points to the suspect - it's an algorithm." The study says 26 states or more allow police agencies to "run or request searches" against their databases of driver's license and ID photos. This equates to "roughly one in two American adults has their photos searched this way," according to the study. Many local police agencies also insert mug shots of people they arrest into searchable, biometric databases, according to the report.
According to the report, researchers obtained documents stating that at least five "major police departments," including those in Chicago, Dallas, and Los Angeles, "either claimed to run real-time face recognition off of street cameras, bought technology that can do so, or expressed an interest in buying it." [Polley: see also Neural networks are alarmingly good at identifying blurred faces (Motherboard, 25 Sept 2016)]
Why a cyber risk assessment is essential for M&A due diligence (RSA, 18 Oct 2016) - According to J.P. Morgan, the global mergers and acquisitions (M&A) market amounted to $5 trillion in 2015 and continues to show strong levels of growth. When it comes to M&A, the due diligence process involves investigating the health of another business before engaging in any sort of transaction. This process takes many factors into account, including the target organization's assets, liabilities, finances, and commercial potential. The due diligence process influences the price that an organization ultimately pays in an M&A deal. If the enterprise uncovers risk, its offering price will be lower. Unfortunately, a cyber risk assessment is often not included as part of the process. In fact, according to a survey by law firm Freshfields Bruckhaus Deringer, 78% of organizations state that cyber security is not included in the risks they deal with or analyze in depth during due diligence. Instead, many deal makers rely on statements regarding the state of security from executives or others in the organization, which may be less than reliable. In a recent survey, 60% of high-ranking executives stated they could "truthfully assure the board beyond reasonable doubt" that their organizations are secure. However, less than one-third claimed that they had full visibility into their network infrastructure. As such, they may not be fully aware of all the gaps that exist and where they are located. Without a cyber risk assessment, the acquiring organization puts itself at risk of taking on unknown security vulnerabilities, which can have a major impact on the organization's overall security level. In order for the acquiring enterprise to put good governance, risk management, and compliance practices into place, it must have a solid understanding of the other company's security posture.
A thorough cyber risk assessment should encompass all parts of an organization's network and security architecture. Best practices call for acquiring enterprises to provide the acquired party with a questionnaire in which it can give a summary of all the administrative, technical, and physical security controls it has in place. This party should be asked to identify its most critical data assets, where its sensitive data is stored, and how this information is protected in motion, at rest, and in transit. * * *
Despite Obama's pledge to make the government more open, a report shows secret laws still abound (WaPo, 19 Oct 2016) - The Justice Department has kept classified at least 74 opinions, memos and letters on national security issues, including interrogation, detention and surveillance, according to a report released Tuesday by the Brennan Center for Justice. Also still classified are between 25 and 30 significant opinions issued between 2003 and 2013 by the Foreign Intelligence Surveillance Court (FISC), the secretive federal court that interprets the law governing foreign intelligence-gathering inside the United States. And at the State Department, 807 international agreements signed between 2004 and 2014 have not been published. Despite President Obama's pledge to make government more open and transparent, federal agencies are still keeping a considerable amount of policy and legal interpretations under wraps, the Brennan Center found. The opinions and memos by the Justice Department's Office of Legal Counsel (OLC) were written between 2002 and 2009, said the report's author, Elizabeth Goitein, who obtained several data sets through Freedom of Information Act requests. "This is an extensive body of secret law, which is fundamentally incompatible with democratic self-governance," said Goitein, the co-director of the Brennan Center's Liberty and National Security Program. "When the government makes law out of the public eye, the results are more likely to be tainted by bias or groupthink, and are frankly more liable to violate statutes or to be unconstitutional." But senior national security officials said the government has in fact been particularly transparent in recent years. "In the last several years the government has engaged in an unprecedented level of transparency regarding its intelligence collection authorities," said Brian Hale, a spokesman for the Office of the Director of National Intelligence.
Can warrants for digital evidence also require fingerprints to unlock phones? (Orin Kerr, Volokh Conspiracy, 19 Oct 2016) - There has been a lot of press coverage recently about a search warrant obtained in Los Angeles allowing the government to force people present when the warrant is executed to press their fingers and thumbs on the fingerprint sensors of any phones or computers found there to unlock them. A lot of people have wondered: Is that legal? I don't think there's an easy answer to that. Here's an overview of some of the legal issues. First, an important caveat: It's hard to draw conclusions about the legality of the warrant because we know so little about it. All we have is a seven-page memo in which the government makes the case for the warrant, plus word from Thomas Fox-Brewster (who broke the story) that the warrant was later executed at a residence. We haven't seen the warrant, and we don't know what it says. We don't know what happened when the warrant was executed. So we don't have much information yet. With that said, I have some preliminary thoughts on the question. The short version is, I think this raises a bunch of hard issues. Here are some details for those who want the longer version. * * *
- and -
The Fifth Amendment and Touch ID (Orin Kerr, Volokh Conspiracy, 21 Oct 2016) - My recent post on the legality of warrants that permit phone unlocking prompted some reader comments on how the Fifth Amendment might apply to using fingerprint readers such as Apple's Touch ID. I think this is a hard issue, so it might be worth explaining my thinking in detail. Here are my current thoughts, with the caveat that my views aren't completely settled and I may revisit them in the future. * * *
Regulators to set new cybersecurity standards for banks (The Hill, 19 Oct 2016) - Three of the federal government's most powerful financial regulators will propose new rules for financial institutions to protect themselves from cyberattacks. The Federal Deposit Insurance Corporation (FDIC), the Federal Reserve and the Office of the Comptroller of the Currency (OCC) issued Wednesday a notice of proposed rulemaking for enhanced cybersecurity standards. Those rules would cover how banks, financial institutions and affiliates create strategies to prevent cyberattacks, minimize and gauge their risk of being hacked, and respond to an attack. The rules would be divided into two tiers based on a bank or financial institution's size and prominence. The lower tier, called "enhanced standards," would apply to banks, bank holding companies, loan holding companies, and U.S. operations of foreign banks with more than $50 billion in assets and their subsidiaries and servicers. That tier also includes any non-bank financial companies and depository institutions with more than $50 billion in assets, along with financial market utilities and financial market infrastructures. Regulators drew the $50 billion threshold from the Dodd-Frank financial reform law, which used that standard to identify systemically risky institutions, according to agency officials. The higher "sector critical" tier applies to banks and financial institutions that perform irreplaceable roles or cover significant portions of key financial markets. These include "systems" and their subsidiaries "that support the clearing or settlement of 5 percent of the value of transactions" in federal funds, foreign exchange, commercial paper, U.S. government and agency securities, and corporate debt and equity securities, according to the summary.
The higher tier also includes institutions that support 5 percent of the value of transactions in exchange-traded and over-the-counter derivatives and institutions that provide irreplaceable services to the financial markets. Regulators could also determine a bank or institution to be sector critical even if it doesn't fall under the rule's definition for that tier. Covered firms wouldn't be required to submit cyberattack plans to federal regulators - as some do for financial crisis stress testing - but agency officials said they would monitor them for compliance.
- and -
G-7 adopts cybersecurity guidelines for financial sector (Steptoe, 20 Oct 2016) - The Group of 7 bloc of nations (G-7) ‒ comprising the United States, United Kingdom, Canada, France, Germany, Italy, and Japan ‒ released a set of cybersecurity guidelines for the financial sector. The guidelines, entitled "Fundamental Elements of Cybersecurity for the Financial Sector," provide best practices in cybersecurity for both public and private entities in the financial sector. They lay out eight elements to "serve as building blocks" for entities to design, implement, and continue to evolve their cybersecurity strategy and framework. While non-binding, the guidelines state that "[p]ublic authorities within and across jurisdictions can use the elements as well to guide their public policy, regulatory, and supervisory efforts." Although these guidelines address the financial sector specifically, we are likely to see international cooperation on cyber standards continue to expand. As the U.S. Department of Treasury and Board of Governors of the Federal Reserve System recognized in a statement praising their adoption, the guidelines are "a testament to the growing international resolve to counter cyberattacks."
Bloomberg Law's new litigation analytics peeks under the robes of judicial data (Bob Ambrogi, 19 Oct 2016) - Last year, I wrote here that judge analytics is the new black. I was referring to the growing selection of tools that analyze case dockets and judicial opinions to provide insights into how judges rule on various types of matters and how long it takes them to do so. Products in this space include ALM's Judicial Perspectives, Lex Machina, Premonition and Ravel Law with its Judge Analytics. Now comes Bloomberg Law to the mix with its launch yesterday of Litigation Analytics. It aims to help attorneys gain insights into questions such as how long federal judges typically take to resolve cases, how they rule on dispositive motions, and how often they are overturned on appeal. The product is not just for judicial analytics. It can also be used to perform analytics on some 7,000 law firms, more than 70,000 public companies, and more than 3.5 million private companies. To illustrate how litigators can use its new product, Bloomberg Law created an analytics snapshot comparing five influential federal judges. It shows how they rule in certain cases, how long they take to decide a case from start to finish and which firms appear before them most often.
- and -
Artificial intelligence predicted case outcomes with 79% accuracy by analyzing fact portrayal (ABA Journal, 25 Oct 2016) - Researchers were able to predict the results of human rights cases with 79 percent accuracy by using artificial intelligence to analyze the factual sections of published human rights judgments. The study, published in PeerJ Computer Science, found that the outcomes were best predicted by analyzing the "circumstances" section of a case - which includes factual background - along with the topics covered by the case and the language used, according to a press release. Publications covering the findings include the Wall Street Journal Law Blog, Law.com (sub. req.), the Guardian and Motherboard. The researchers examined 584 cases before the European Court of Human Rights with a machine-learning algorithm. They found that the court's judgments were highly correlated to facts rather than legal arguments. Ideally, the researchers said, they would use their algorithm to test applications to the court rather than published judgments, but they didn't have access to that data. Assuming a similarity between chunks of text in published judgments and applications and briefs, the research could be used to predict outcomes before judgment, the study says. The findings could help prioritize cases and identify which cases are most likely to be violations of the European Convention on Human Rights, according to the researchers. "We don't see AI replacing judges or lawyers," said University College London computer scientist Nikolaos Aletras in the press release. Also working on the study were academics from the University of Sheffield and the University of Pennsylvania. The researchers acknowledge that the circumstances section of a case is not a neutral statement of the facts. The section could contain the court's judgments about what is important, and could be tailor-made to reach a certain outcome.
It's also possible, the researchers say, that judges were reacting to the facts because the cases had been selected for their indeterminate legal issues.
New tool from Bing maps the flow of campaign cash (Mashable, 20 Oct 2016) - How do the billions of dollars shaping this election seep through the United States? A new project from Microsoft's Bing and political tech firm Circa Victor looks to answer that question by drawing on dozens of types of public disclosures. Location data on vendors that serve campaigns and super PACs is fed into Circa Victor's system in real time, giving visitors a rough picture of how much each candidate is spending in each state. The company claims the entire process is quick enough that it oftentimes updates before donations are officially tallied and tracked. Using this data, the team added a panel within the search engine that is cued every time someone looks for information related to political spending - trigger terms include phrases like "Clinton spending" or "election predictions." Hover the cursor over a state to see totals for each of the four candidates - Democrat Hillary Clinton, GOP pick Donald Trump, Green Party nominee Jill Stein and Libertarian Gary Johnson - or select from a dropdown menu for a fuller profile. You can also find an ideological breakdown of each contender's leanings on particular policy points like abortion, drug policy and environmental issues. The tool reveals Trump to be somewhat liberal on LGBT rights and drug policy and only mildly conservative on tax reform, while Clinton remains staunchly progressive across the board.
Are you audit ready? Strategies, tools, and tactics to address compliance concerns in the legal industry (California Lawyer, 20 Oct 2016) - If you've read the headlines, you know that this has been a banner year for security breaches targeting law firms. The trends in 2016 are up and to the right, and they don't look like they're abating. Even the FBI has notified law firms that they're being targeted and their information security processes need to be tight. Clients recognize this as well and are increasingly holding firms accountable. As the American Bar Association reports, "Previously, some clients wanted to see law firm security policies. Some have allowed law firms to effectively audit themselves. Today, clients want to see if security policies and plans are actually being followed. And they want independent third-party audits, sometimes including penetration testing." Audits can take a variety of forms, and they're rarely consistent. There is no single format or framework for client requests. They can take the form of a simple questionnaire or a formal assessment validated by a third party. But each client will have their own version, and without a thorough and structured set of materials, responding to requests can be costly and time consuming. * * *
- and -
Cybersecurity insurance is a 'must have' for law firms (ABA Journal, 25 Oct 2016) - Nearly a quarter of law firms with 500 or more attorneys have experienced a cybersecurity breach, according to those who responded to the ABA's 2015 Legal Technology Survey Report. So there's no question that securing online information is on the mind of many law firm leaders. So is the need for cybersecurity insurance. "It's something you must have," says Robert Owen, a New York City-based partner with Sutherland Asbill & Brennan. A firm victimized by a cyberattack may need to hire experts to investigate the breach, reassure clients, stanch any reputational damage and address possible regulatory inquiries. "There's a whole host of risks," Owen says. An endorsement to a firm's property and casualty policy typically provides just a "sliver of coverage," says Eileen Garczynski, senior vice president with specialty broker Ames & Gough in McLean, Virginia. For instance, an endorsement might cover the cost to restore data, but not any fines stemming from the breach. An effective cybersecurity policy must have several provisions. First of all, it should be a primary policy. "A primary policy responds first," Garczynski says. It wouldn't require the firm to turn to its professional liability coverage first. The Lewis Baach law firm also looked for policies that would cover pre-existing problems, says Katherine Toomey, a Washington, D.C.-based partner there. That could include a virus in the firm's system at the time the policy was obtained that hadn't been detected. Law firms also will want to assess the additional services the insurer offers, Owen says. For example, some insurers retain forensics experts for use in cyber investigations. The firm should know if it will be required to use the insurer's expert. If so, it will want to evaluate the experts' qualifications. Some coverage is limited to personally identifiable information, such as Social Security numbers.
"You want it to cover a breach of anything protected under attorney-client privilege," Garczynski says. Conduit coverage also is critical, says Jim Rhyner, senior vice president and specialty law firm segment manager with Chubb. This protects the firm if another entity suffers damages because of a breach in the firm's system. Applying for cybersecurity insurance often requires documenting the cybersecurity practices in place at the firm. The insurer may ask whether the firm encrypts data, if it has implemented an information security plan that addresses the network as well as portable devices, and if employees receive security training. "We're focused on a culture of risk mitigation versus just risk transfer," says Erica Davis, vice president with insurer Zurich North America.
- and -
Cyber security 'key issue for lawyers' (BBC, 25 Oct 2016) - Nearly half of Scottish solicitors see cyber security as their biggest technological challenge, according to a survey of practitioners. The survey, carried out by Ipsos Mori for the Law Society of Scotland, found 81% of lawyers had a "very" or "fairly" positive view about the impact of technology on their business. But 42% believed that maintaining cyber security was a key issue.
NPR rides Facebook wave to traffic record (Columbia Journalism Review, 20 Oct 2016) - Yesterday, NPR reported a large ratings increase across the board: radio, podcasts, and the website all saw a major jump in audience this year. NPR President and CEO Jarl Mohn attributes this to the country's "appetite for factual reporting" and NPR's reputation. On the digital side, one of NPR's greatest successes this year was its fact-checking page during the first presidential debate. The fact-checking page garnered almost 10 million page views total, NPR reports, and debate night and the day following made for NPR's two best traffic days ever. The page displayed a live transcript of the debate, with reporters' annotations rolling in on top of it. While NPR had prepared for the page to be popular, the amount of traffic it drove was unprecedented, and surprised many NPR staffers. Why did it perform so well? Building the audience ahead of time was surely one major factor contributing to the page's performance. NPR spent many months before the debates building a reputation as a source for fact-checking, Washington Editor Beth Donovan and NPR News Digital Editor Amita Kelly told me. They did test runs of the fact-checking process during the RNC and DNC speeches to build their muscles and refine the annotation approach. But this isn't the whole story. Looking into the analytics, according to Chartbeat data and confirmed by NPR, Facebook was the major driver of traffic for the page, though it also did well on search. On the night of the debate alone, Facebook sent over 2 million page views to the page.
CJEU decision on dynamic IP addresses touches fundamental DP law questions (Bird & Bird, 21 Oct 2016) - The European Court of Justice ("CJEU") finally issued its long-awaited judgment on dynamic IP addresses (judgment in Case C-582/14: Patrick Breyer v Bundesrepublik Deutschland). The judgment will have a general impact on how to define 'personal data' beyond dynamic IP addresses, in particular on the question of whether a so-called 'subjective/relative approach' or 'objective/absolute' approach needs to be applied in this respect (which also affects more general questions like anonymisation, big data etc.). The court ruled that dynamic IP addresses may constitute 'personal data' even where only a third party (in this case an internet service provider) has the additional data necessary to identify the individual - but only under certain circumstances: The possibility to combine the data with this additional data must constitute a "means likely reasonably to be used to identify" the individual (the court assumed such means for Germany). The so-called 'absolute/objective approach', which is applied in some Member States and according to which data is already considered to be 'personal data' if any third party (worldwide) is able to determine the identity of the individual, was not applied (unfortunately the court did not expressly refrain from this concept). The CJEU favoured a more 'subjective/relative approach' that focuses on the online media service provider's possibility of (potentially) identifying an individual and whether it has the legal and practical means which enable it to do so with additional data a third party has about that person (this means third party knowledge needs to be considered but only to a certain extent).
In its judgment, the court also deemed a restrictive interpretation of a German law provision that allows only for limited use of personal data in the telemedia/online context to be not in line with the EU Data Protection Directive 95/46/EC ("Directive") if it does not give any consideration to the concept of legitimate interest. The court held that legitimate interests must be considered and must constitute a legal justification beyond the restrictive provision of the German Telemedia Act. It therefore reconfirmed its earlier (but in many Member States in practice still often disregarded) view on the level of harmonisation provided by the Directive (see judgment of 24 November 2011, Cases C-468/10 and C-469/10: 'ASNEF and FECEMD'). The judgment may have a considerable practical impact on online analytics and targeting (so-called "Profiling"), which is very strictly regulated in Germany and so far only possible to a very limited extent. In more detail: * * *
EveryCRSReport.com is making 8,255 CRS reports available to the general public (BeSpacific, 23 Oct 2016) - Congressional Research Service reports are the best way for anyone to quickly get up to speed on major political issues without having to worry about spin - from the same source Congress uses. CRS is Congress' think tank, and its reports are relied upon by academics, businesses, judges, policy advocates, students, librarians, journalists, and policymakers for accurate and timely analysis of important policy issues. The reports are not classified and do not contain individualized advice to any specific member of Congress. Until today, CRS reports were generally available only to the well-connected. Now, in partnership with a Republican and Democratic member of Congress, we are making these reports available to everyone for free online. A coalition of public interest groups, journalists, academics, students, some Members of Congress, and former CRS employees have been advocating for greater access to CRS reports for over twenty years. Two bills in Congress to make these reports widely available already have 10 sponsors (S. 2639 and H.R. 4702, 114th Congress) and we urge Congress to finish the job. This website shows Congress one vision of how it could be done. What does EveryCRSReport.com include? EveryCRSReport.com includes 8,255 CRS reports. The number changes regularly. It's every CRS report that's available on Congress's internal website. We redact the phone number, email address, and names of virtually all the analysts from the reports. We add disclaimer language regarding copyright and the role CRS reports are intended to play. That's it. If you're looking for older reports, our good friends at CRSReports.com may have them.
MIT releases report on 'Future of Libraries' (InsideHigherEd, 25 Oct 2016) - The MIT libraries should focus on its four "pillars" -- community and relationships, discovery and use, stewardship and sustainability, and research and development -- to reimagine itself as an "open global platform," according to a preliminary report published Monday. The report is the culmination of a yearlong initiative at the Massachusetts Institute of Technology to determine "how the MIT libraries ought to evolve to best advance the creation, dissemination and preservation of knowledge; and to serve as a leader in the reinvention of research libraries," according to an announcement last October. The report, which contains the task force's recommendations, is available here.
AT&T used broad data-gathering system for federal government (The Hill, 25 Oct 2016) - An AT&T system meant to assist the Drug Enforcement Administration (DEA) by searching through the company's millions of stored phone records was used to help a broad array of government agencies on cases from Medicaid fraud to murder, according to a new report Tuesday. Law enforcement officials pay the telecommunications giant from $100,000 to $1 million or more per year to get information from its massive data trove, according to the Daily Beast, which obtained internal company documents about the system. The program itself, known as "Hemisphere," has been known to the public since 2013, when it was revealed by the New York Times. The Times reported at the time that the system was similar to but broader than a massive collection of phone records previously stored at the National Security Agency (NSA). That controversial NSA program was effectively ended last summer, following revelations from leaker Edward Snowden. The arrangement calls for AT&T officials to search the company's database on behalf of federal and local law enforcement officials, who pay for the access. The records under AT&T's control can go back decades. But new documents reported on by the Daily Beast on Tuesday detail the broad scope of the program as well as the company's efforts to disguise its extensive cooperation with the government. According to one 2014 document obtained by the news outlet, AT&T requires law enforcement agencies "not to use the data as evidence in any judicial or administrative proceedings unless there is no other available and admissible probative evidence." The practice of disguising the source of evidence, known to lawyers as "parallel construction," is viewed skeptically by civil rights activists who worry that it prevents people from challenging whether evidence against them was collected legally. Law enforcement officials do not need a warrant to obtain access to AT&T's system.
Instead, the information can be acquired through administrative subpoenas, which are used by a greater number of agencies and do not require probable cause.
Oil industry should hire hackers to boost cybersecurity (Rigzone, 26 Oct 2016) - The oil and gas industry should hire hackers in order to boost cybersecurity, said Eric Knapp, chief engineer for cybersecurity solutions and technology at Honeywell Process Solutions. Speaking at the EMEA HUG conference in The Hague, Knapp urged delegates to shed their negative perceptions of these people and offer them a place in the sector. "We have to stop thinking of hackers as evil ... the truth is hackers are people. They have a curiosity, they have an interest, they have a skill, and a skill isn't good or evil. A person isn't good or evil. The circumstances you put them in dictate that," Knapp said. "If we hire them, and we put them on the good team, then they're our heroes. If we don't hire them, they're going to find some other way to make money off of their skills ... If they're on our team they help, if they're on the other team, they hurt. They're not going to just go away," he added. Knapp's comments followed a stark warning from Laura Pilia of energy company SARAS and Jos Oelers of petrochemicals firm SABIC, made during the opening speech of the third day of the conference, which outlined a growing spate of cyberattacks in the industry. Eighty-two percent of oil and gas industry respondents have reported an increase in successful cyberattacks over the past 12 months, Pilia and Oelers told conference participants. Looking at the influence of cyberattacks in the wider community, the conference leaders outlined that these occurrences cost businesses as much as $400 billion per year.
BDO board survey finds board of directors increasingly invested in cybersecurity issues (Legaltech News, 26 Oct 2016) - Corporate boards of directors are increasingly investing in and staying abreast of company cybersecurity practices, according to BDO Consulting's annual Board Survey released this week. The survey, which took stock of 160 corporate directors of public company boards, found that 74 percent of directors say their board is more involved with cybersecurity than it was a year ago, a steady growth from the 69 percent last year and 59 percent in 2014. Breach response planning showed similar expansion, as over half (63 percent) of directors reported having breach response plans in place, up from 45 percent last year. Because many companies and corporate legal departments outsource sensitive data to third-party vendors, they've needed to beef up the security standards used to evaluate third-party organizations. The BDO Board Survey found that 43 percent of directors now report using specific risk requirements and assessments for third-party vendors, as compared to 35 percent reporting the same last year.
FCC orders far-reaching new privacy and data security rules (Wilson Sonsini, 27 Oct 2016) - As expected, the Federal Communications Commission (FCC) has handed down sweeping new privacy and security rules for Internet service providers (ISPs). On Thursday, October 27, 2016, a sharply divided commission voted to enact these new rules, which impose strict new requirements for ISPs' collection, use, sharing, and protection of their customers' information, including information ISPs receive about their customers' geolocation and online activities. Consequently, ISPs will soon be subject to heightened notice and consent requirements for activities such as behavioral advertising and other online tracking, as well as more robust security and data breach notification obligations. Up until now, there have not been specific FCC privacy rules that govern ISPs' handling of such data. ISPs and members of the online advertising industry objected strenuously to numerous aspects of the FCC's proposed rules, including the FCC's classification of web browsing behavior as sensitive information subject to opt-in consent, an approach at odds with that of the Federal Trade Commission (FTC), the nation's primary regulator of commercial privacy and security interests. Ultimately, the FCC waved off those objections in adopting its final rules. The FCC's action today represents the culmination of a rulemaking process that the FCC initiated in 2015. At that time, as part of the Open Internet Order, the FCC made the decision to apply the privacy requirements of Section 222 of the Communications Act - which had previously only governed telephone services - to the world of broadband. The FCC adopted a Notice of Proposed Rulemaking (NPRM) in March 2016 to address a host of questions regarding how Section 222 applies to broadband providers. On October 6, 2016, FCC Chairman Tom Wheeler circulated to his fellow commissioners a proposed Order, which was approved earlier today by a 3-2 vote. The final Order has not yet been released. This WSGR Alert briefly summarizes the aspects of the FCC's decision that we believe will be of the greatest significance to our clients. * * *
The average cost of a data breach involving fewer than 10,000 records was $5 million (Network World, 28 Oct 2016) - * * * Given the large numbers involved, it can seem a challenge to attempt to calculate the total price tag of a widespread data breach. It is, however, possible to review the data and establish some benchmarks, as has been done in the 2016 Data Breach Study by the Ponemon Institute and IBM. According to the report, the total average cost for a breach is $7 million. Only in 2011 was there a higher average cost, $7.24 million. Unfortunately, this year saw the highest average cost per record, costing companies an average of $221 per compromised record. Looking at that number more closely yields an important piece of information - companies spend more on the indirect costs than direct costs of a data breach. In this case, direct costs refer to the amount spent to minimize the consequences of a data breach and to assist victims. Indirect costs are defined as the amount spent on existing internal resources to deal with the data breach. Using that measure, only $76 per record represents the direct cost to the organization, including items such as legal fees and technological investments. The far greater portion, $145, reflects the indirect costs of a data breach, including the damage to an organization's reputation and increased customer churn rate. Certain industries are more vulnerable to churn and, consequently, have higher data breach costs. Financial, healthcare, technology, life sciences and service companies all experience higher churn rates after a breach. Heavily regulated industries such as insurance also suffer higher costs than average. Knowing this helps explain why these industries put so much investment in securing their information.
It's finally legal to hack your own devices (even your car) (Wired, 31 Oct 2016) - You may have thought that if you owned your digital devices, you were allowed to do whatever you like with them. In truth, even for possessions as personal as your car, PC, or insulin pump, you risked a lawsuit every time you reverse-engineered their software guts to dig up their security vulnerabilities - until now. Last Friday, a new exemption to the decades-old law known as the Digital Millennium Copyright Act quietly kicked in, carving out protections for Americans to hack their own devices without fear that the DMCA's ban on circumventing protections on copyrighted systems would allow manufacturers to sue them. One exemption, crucially, will allow new forms of security research on those consumer devices. Another allows for the digital repair of vehicles. Together, the security community and DIYers are hoping those protections, which were enacted by the Library of Congress's Copyright Office in October of 2015 but delayed a full year, will spark a new era of benevolent hacking for both research and repair. For now, the exemptions are limited to a two-year trial period. And the security research exemption in particular only applies to what the Copyright Office calls "good-faith" testing, "in a controlled environment designed to avoid any harm to individuals or to the public." But within those restrictions, the exemptions remove a looming fear of DMCA lawsuits that has long hung over the security research community. "There's a universe of security vulnerabilities that the law keeps researchers from figuring out and telling you about, but are nonetheless present in devices you use every day," says Kit Walsh, an attorney with the Electronic Freedom Foundation. "For the next two years, that threat will be lifted for many forms of security research that are really important."
UK ICO recommends company directors have personal liability for data breaches (SC Magazine, 31 Oct 2016) - The UK's Information Commissioner, Elizabeth Denham, recently recommended at a Parliamentary meeting to discuss the draft Digital Economy Bill that the government should hold company directors personally liable and accountable for data breaches. Denham gave evidence to a House of Commons Public Bill Committee on the 13th of October, detailing the ICO's recommendations for the Digital Economy Bill, one of which was support for making directors personally liable for breaches of data protection law by their companies. Denham claimed that the ICO issued a total of £4 million in fines in the last year, and only collected a small percentage of that sum. This is because companies that had committed serious breaches of data protection law would shut down following the fine, quickly re-opening with the same management, staff and premises, only with a new corporate identity. The ICO recently imposed a fine of £400,000 on UK ISP TalkTalk, which was its largest fine ever for a breach of data protection law. When the General Data Protection Regulation's honeymoon period ends on 25 May 2018, the ICO will have the power to impose fines of up to the greater of €20 million or 4 percent of worldwide turnover.
Companies face lawsuits over website accessibility for blind users (SJ, 1 Nov 2016) - The disability lawsuits started hitting the Pittsburgh federal courthouse last July, all claiming corporations' websites violated the law by not being accessible to the blind. The first round came against household names such as Foot Locker Inc., Toys "R" Us, Brooks Brothers Group Inc., and the National Basketball Association. Later suits targeted lesser-known retailers including Family Video Movie Club Inc. and Rue21 Inc. All told, about 40 nearly identical cases have landed in front of the same federal judge, Arthur Schwab, all brought by one local law firm, Carlson Lynch Sweet Kilpela & Carpenter LLP. Nationwide, more than 240 businesses have been sued in federal court since the start of 2015, concerning allegedly inaccessible websites, according to law firm Seyfarth Shaw LLP. Most settle quickly, for between $10,000 and $75,000, lawyers involved say, with the money typically going toward plaintiffs' attorneys' fees and expenses. The suits named above have been dismissed, according to court dockets, which don't reflect if a private settlement was reached. Toys "R" Us said it is looking for ways to make its website more accessible. The other companies had no comment or didn't respond to a request for comment. The Justice Department, which enforces the Americans with Disabilities Act, has delayed since 2010 releasing technical guidelines as to how websites should comply, most recently putting it off until 2018. The delay has led to "complete mayhem," said Minh Vu, a Seyfarth Shaw partner who represents companies in disability-access cases. A Justice Department spokesman declined to comment on the guidelines, but noted public settlements the agency has reached with companies, including tax-preparation service H&R Block and online grocer Peapod, requiring them to make websites accessible. Public businesses have long been required to be accessible to the disabled under the ADA, signed into law in 1990. Websites, however, weren't expressly included in the law as a place of "public accommodation." Federal appellate courts have been divided on the issue, with some finding that all websites must comply with disability standards, and others contending that websites only fall under the ADA if they have a "nexus" to a brick-and-mortar business. Mr. Danielsen said there is no data as to how many websites don't accommodate blind users.
ABA Blueprint launches today to help small firm lawyers buy products and services (Bob Ambrogi, 3 Nov 2016) - The American Bar Association today is launching ABA Blueprint, its website designed to help solo and small firm lawyers manage the complexities of their legal practices by helping them find the products and services they need at affordable prices. As I reported here in August, plans to develop the site were first announced by ABA President Linda A. Klein in a speech to the ABA House of Delegates during the ABA Annual Meeting in San Francisco. The site will provide lawyers with a "one-stop shop for members to get what they need while saving far more than they pay in dues," she said then. The site is intended to be used by all solo and small firm attorneys, but ABA members get access to special services and product discounts through the site. The idea of the site is to help lawyers choose the products and services they need to build their firms. Lawyers who come to the site are given two routes by which to do this. The first, called Firm Builder, is restricted to ABA members and is intended to provide customized recommendations based on the user's unique needs. The user first chooses a category - technology, virtual assistance or marketing - and then answers a series of questions. The result is a set of recommended products and services. The other route, called Universal Solution, is open to anyone and offers one-size-fits-all packages tailored to these needs: * * * A notable advantage of using the site is the discounts it offers. Take Clio, for example. Clio has three levels of monthly subscriptions (with an annual contract) - $39, $59 and $99. Blueprint offers 25 percent discounts off Clio's top two tiers, so the $59 tier would be $44.25 and the $99 tier would be $74.25. That is an annual savings of $177 or $297. Ruby Receptionists is offering a new Solo Plan through Blueprint that is not available through the company's own website. The solo plan is $180 a month, compared to the lowest-priced plan on the company's website, which is $259 a month. Clearly, the ABA intends the members-only features of this site to provide an incentive for non-members to join. The fact is, the ABA appears to be right about this. Consider that ABA dues for a solo lawyer range from $117 to $260 (depending on year of bar admission). Just the Clio discount alone could make back the price of the dues. If you buy other products as well, then the savings become even greater.
Every piece of art you've ever wanted to see - up close and searchable (TED video, Feb 2016; 15:00) - What does a cultural Big Bang look like? For Amit Sood, director of Google's Cultural Institute and Art Project, it's an online platform where anyone can explore the world's greatest collections of art and artifacts in vivid, lifelike detail. Join Sood and Google artist in residence Cyril Diagne in a mind-bending demo of experiments from the Cultural Institute and glimpse the exciting future of accessibility to arts and culture.
How to get social media evidence admitted to court (ABA, 1 Nov 2016) - As technology continues to influence the practice of law, court cases are increasingly turning on social media. But unlike other forms of evidence, social media is fleeting - and, if you can get the data, questions of authenticity arise when you seek to admit it as evidence. In a recent ABA CLE, "Acquiring, Preserving and Authenticating Websites and Social Media," Jennifer Ellis of Lowenthal & Abrams PC, and Michael Maschke of Sensei Enterprises, Inc., share how you can obtain and use social media and other forms of digital evidence in your cases. When it comes to using social media as evidence, all the usual standards apply, said Ellis, who is not only her firm's go-to expert on digital evidence, but also a consultant with a focus on technology issues. "Is it relevant? Is it more probative than prejudicial? Is there a hearsay problem or exception? And, is it authentic?" she told lawyers to ask themselves, referencing Federal Rules 401-402, 403 and 901-902. But in order to get the material in the first place, should you just subpoena Facebook or Twitter? Ellis said no, explaining that social media sites will likely claim that sharing the information violates the Stored Communications Act. "They won't respond to a subpoena for the content itself," she said. But "they do cooperate with authorities in regard to criminal cases." What you may be able to get is proof of ownership, which can be critical to the authentication of the evidence if the owner of the account lies and says it isn't her account. "It's not easy," said Ellis, explaining that most of the social media sites are based in California and they will want a local subpoena. "It can be complex - but sometimes critically necessary." So, how do you get access to the specific posts you need? "Trail v. Lesko really spells out where the law is going in terms of getting access to this stuff," Ellis said of the case, which centered on accessing a Facebook account during discovery. According to Judge R. Stanton Wettick's decision, a requesting party must show "sufficient likelihood" that such an account would include relevant information that is "not otherwise available" before being granted access to it. * * *
The Future of Self-Regulation is Co-Regulation (Ira Rubinstein, NYU, 5 October 2016) - The Cambridge Handbook of Consumer Privacy, from Cambridge University Press (forthcoming). Abstract: Modern regulatory theory has long treated voluntary self-regulation and direct government regulation as opposing ends of a regulatory continuum, with most self-regulatory schemes falling somewhere in the middle. This chapter explores the middle ground by examining co-regulatory approaches to privacy, in which industry enjoys considerable flexibility in shaping self-regulatory guidelines, consumer advocacy groups have a seat at the table, and government sets default requirements and retains general oversight authority to approve and enforce these guidelines. Privacy co-regulation is generally understood as a collaborative, flexible, and performance-based approach to privacy regulation that draws on the theoretical insights of collaborative governance theory. This chapter argues that privacy self-regulation in the form of voluntary codes has had a sufficiently long run to prove its worth but has failed. Now is the time to make the transition to co-regulation, especially in the U.S. It is organized into three sections. The first considers in greater detail the differences between self-regulation and co-regulation. The second looks at the failure and stubborn persistence of voluntary codes of conduct. The third shifts the discussion to three case studies of privacy codes and practices that have benefited from a co-regulatory approach. In the past few years, there have been some notable developments in co-regulatory schemes as well as some important empirical studies. These new materials provide an opportunity to understand the conditions for the success (and failure) of co-regulatory solutions in the privacy field and what this implies for the future of regulatory innovation. The chapter concludes by offering a few recommendations on how the U.S. Congress can implement co-regulatory approaches in any future legislation to optimally protect online consumer privacy while preserving innovation and economic growth.
A Practical Guide to Software Licensing for Licensees and Licensors (6th Edition, by MIRLN subscriber Ward Classen, available through the ABA Webstore) [Polley: I reviewed the 4th edition in MIRLN 15.07. This new edition still contains access to on-line forms with contract language (perfect for cut-and-paste), checklists and new chapters on software development agreements, agile development, APIs, and SDKs.]
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Yale to post video of courses online (Inside Higher Ed, 20 September 2006) -- Yale University announced plans to begin posting video of course lectures online. Yale's effort is part of a larger movement in higher education toward open courseware, led in large part by an initiative started at MIT in 2001. For the OpenCourseWare project, MIT posts course materials online, including syllabi, reading lists, and other resources. Diana Kleiner, who is leading the effort at Yale, said the project follows "MIT's footprints" but represents the next step. Kleiner said that Yale officials believe the in-class experience to be central to the educational experience. Under the program, all of the lectures for a given course will be recorded and placed online. Beginning with seven courses this year, the program is expected to grow quickly to include many more in successive years. The university is exploring ways to ensure that offering video of lectures online will not encourage Yale students to skip class and simply watch the lectures at their convenience. Also at issue are intellectual property considerations, given that faculty are free to use some copyrighted materials in lectures, but that those materials may not be used similarly by the public. http://www.insidehighered.com/news/2006/09/20/yale
- and -
Harvard offers virtual class in Second Life (Edupage, 30 August 2006) -- This fall, Harvard Law School professor Charles Nesson will coteach a course on argument with his daughter, Harvard Extension School instructor Rebecca Nesson, that will take place in the Second Life virtual world. In Second Life, users create avatars that they control, using them to move around the virtual environment and interact with others and with the virtual physical space. A number of other colleges and universities have used Second Life as a component of certain courses. For this new course at Harvard, Nesson and Nesson will teach students - entirely through the virtual environment - how to use blogs, wikis, podcasts, and other electronic tools to make effective arguments. The class, which is open to the public through Harvard's extension school, will take place in an online replica of the university's Ames Courtroom. Rebecca Nesson will hold office hours in Second Life; Charles Nesson's office hours will be in his actual office.
- and -
Second Lifers get first look at new hotel chain (CNET, 14 August 2006) -- Avatars looking for a stylish place to mingle and get a cocktail will soon be able to check out a trendy new hotel - months before their fleshy counterparts. Starwood Hotels & Resorts Worldwide, which oversees such well-known hotel brands as Sheraton, St. Regis and Westin, will launch its newest chain, Aloft, in the online society "Second Life" in September. In the brick-and-mortar realm, the plan is for the first Aloft inn to open sometime in 2008, catering to active, urban 30- to 50-year-olds. But the real-world lodge will be preceded by a 3D cyberversion designed to prompt feedback from virtual guests and help guide the earthbound endeavor. "We think the SL world is a specific community of early adopters, of tech-savvy people who like to voice their opinions," said Brian McGuinness, vice president of the Aloft Hotels brand. Aloft will be the first hotel for "Second Life," which has already incorporated businesses from Wells Fargo to Major League Baseball. Marc Schiller, CEO and founder of ElectricArtists 2.0, a marketing services company, approached Starwood two months ago with the idea of a virtual debut for Aloft. Starwood then purchased an island in "Second Life," and construction began on the hotel a month ago. "We're hoping we can learn a lot about where (Second Lifers) congregate and how they use space in a communal way," Schiller said. "That could be valuable as Starwood develops the hotel." "Second Life" is an open-ended virtual world in which players can create or do just about anything they can imagine. Opened to the public in 2003, it features a mainland composed of an array of square, 16-acre plots. The so-called metaverse is free to play in, but users must pay monthly fees if they want to own land. Its publisher, Linden Lab, makes money from land-usage fees, as well as player purchases of the "Second Life" currency, the Lindendollar, which is used to purchase property and other goods. The virtual marketplace supports millions of U.S. dollars in monthly transactions. One of the most intriguing elements of "Second Life" is its bustling economy. Linden Lab is one of the few companies that grants its users full intellectual-property rights to their creations, and that's engendered a robust marketplace in any number of virtual goods, including land, clothing, vehicles, magic wands and more.
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:email@example.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. Aon's Technology & Professional Risks Newsletter
5. Crypto-Gram, http://www.schneier.com/crypto-gram.html
6. Steptoe & Johnson's E-Commerce Law Week
7. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
8. The Benton Foundation's Communications Headlines
9. Gate15 Situational Update Notifications, http://www.gate15.us/services.html
10. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.