Saturday, November 18, 2017

MIRLN --- 29 Oct - 18 Nov 2017 (v20.16)

MIRLN --- 29 Oct - 18 Nov 2017 (v20.16) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

ANNOUNCEMENTS | NEWS | RESOURCES | DIFFERENT | LOOKING BACK | NOTES

ANNOUNCEMENT

The new Second Edition of the ABA's best-selling Cybersecurity Handbook is a must-read for anyone working in the field, including private-practice attorneys, in-house counsel, non-profit and government lawyers, and others. For more detail, visit the ABA store at http://bit.ly/2x7HNbJ (get a 10% discount with code 2ECYBERTF10). Below, an ABA story on the Handbook:

Updated ABA cybersecurity handbook helps lawyers protect sensitive client information from hackers (ABA, 1 Nov 2017) - Cybersecurity breaches in law firms have made headlines and clients are asking questions about lawyers' and firms' security programs. From the massive Panama Papers breach that led to the dissolution of the Mossack Fonseca law firm in April 2016 to the WannaCry and Petya ransomware attacks, which led to a work outage at DLA Piper in June 2017, it is imperative that attorneys understand their obligations and the potential risk of inadequate information security practices to their practices and their clients. "The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business, Second Edition" is an updated edition of the handbook that expands on many of the issues raised in the 2013 first edition, while highlighting the extensive changes in the current cybersecurity environment. It is co-edited by cybersecurity legal experts Jill D. Rhodes, chief information security officer at Option Care and former senior executive with the intelligence community, and Robert S. Litt, counsel at Morrison & Foerster and former general counsel of the Office of the Director of National Intelligence. This new edition will enable lawyers and law firms to identify potential cybersecurity risks and prepare a response in the event of an attack. It addresses the current overarching threat as well as ethical issues and special considerations for law firms of all sizes. It also includes the most recent ABA Ethics Opinions and illustrates how to approach the subject of cybersecurity threats and issues with clients, as well as when and how to purchase and use cyber insurance. Rhodes and Litt will deliver a book talk at noon on Dec. 8 at the Army Navy Club (registration information is available from the ABA).

NEWS

How Facebook, Google and Twitter 'embeds' helped Trump in 2016 (Politico, 26 Oct 2017) - Facebook, Twitter and Google played a far deeper role in Donald Trump's presidential campaign than has previously been disclosed, with company employees taking on the kind of political strategizing that campaigns typically entrust to their own staff or paid consultants, according to a new study released Thursday. The peer-reviewed paper, based on more than a dozen interviews with both tech company staffers who worked inside several 2016 presidential campaigns and campaign officials, sheds new light on Silicon Valley's assistance to Trump before his surprise win last November. While the companies call it standard practice to work hand-in-hand with high-spending advertisers like political campaigns, the new research details how the staffers assigned to the 2016 candidates frequently acted more like political operatives, doing things like suggesting methods to target difficult-to-reach voters online, helping to tee up responses to likely lines of attack during debates, and scanning candidate calendars to recommend ad pushes around upcoming speeches. Such support was critical for the Trump campaign, which didn't invest heavily in its own digital operations during the primary season and made extensive use of Facebook, Twitter and Google "embeds" for the general election, says the study, conducted by communications professors from the University of North Carolina at Chapel Hill and the University of Utah. The companies offered such services, without charge, to all the 2016 candidates, according to the study, which details extensive tech company involvement at every stage of the race. But Hillary Clinton's campaign declined to embed the companies' employees in her operations, instead opting to develop its own digital apparatus and call in the tech firms to help execute elements of its strategy.
"Facebook, Twitter, and Google [went] beyond promoting their services and facilitating digital advertising buys," the paper concludes, adding that their efforts extended to "actively shaping campaign communications through their close collaboration with political staffers."

- and -

How Russian trolls got into your Facebook feed (WaPo, 1 Nov 2017) - Americans are getting our first glimpse of how we got played. On Wednesday, Congress released some of the 3,000 Facebook ads and Twitter accounts created by Russian operatives to sway American voters. You can explore them in an analysis the Post published here. These disturbing messages, seen by up to 126 million Americans, raise thorny questions about Silicon Valley's responsibility for vetting the information it publishes. Beyond Washington, it leaves all of us who use social media to keep up with friends, share photos and follow news wondering: How'd the Russians get to me? The short answer is Silicon Valley made it very easy. Facebook's top lawyer told Congress on Wednesday the Russian effort was "fairly rudimentary." Here's what he meant: Ever notice a Facebook ad that's eerily relevant to something you've been talking about? Had an ad for a pair of sneakers follow you around the Internet for a week? Or seen an ad that says your friend "liked" it? * * * You were in Russia's crosshairs if you liked the Facebook page of Donald Trump or Hillary Clinton. Same goes for people who said they were fans of Martin Luther King, Jr. Russians even targeted people who shared enough stuff about the South that Facebook tagged them as being interested in "Dixie."

- and -

Manipulating social media to undermine democracy (Freedom House, Nov 2017) - Key Findings: (1) Online manipulation and disinformation tactics played an important role in elections in at least 18 countries over the past year, including the United States; (2) Disinformation tactics contributed to a seventh consecutive year of overall decline in internet freedom, as did a rise in disruptions to mobile internet service and increases in physical and technical attacks on human rights defenders and independent media; (3) A record number of governments have restricted mobile internet service for political or security reasons, often in areas populated by ethnic or religious minorities. * * * Russia's online efforts to influence the American election have been well documented, but the United States was hardly alone in this respect. Manipulation and disinformation tactics played an important role in elections in at least 17 other countries over the past year, damaging citizens' ability to choose their leaders based on factual news and authentic debate. Although some governments sought to support their interests and expand their influence abroad (as with Russia's disinformation campaigns in the United States and Europe), in most cases they used these methods inside their own borders to maintain their hold on power.

Days after activists sued, Georgia's election server was wiped clean (ArsTechnica, 26 Oct 2017) - A server and its backups, believed to be key to a pending federal lawsuit filed against Georgia election officials, were thoroughly deleted, according to e-mails recently released under a public records request. Georgia previously came under heavy scrutiny after a researcher discovered significant problems with his home state's voting system. A lawsuit soon followed in state court, asking the court to annul the results of the June 20 special election for Congress and to prevent Georgia's existing computer-based voting system from being used again. The case, Curling v. Kemp, was filed in Fulton County Superior Court on July 3. As the Associated Press reported Thursday, the data was initially destroyed on July 7 by the Center for Election Systems at Kennesaw State University, the entity tasked with running the Peach State's elections. The new e-mails, which were sent by the Coalition for Good Governance to Ars, show that Chris Dehner, one of the Information Security staffers, e-mailed his boss, Stephen Gay, to say that the two backup servers had been "degaussed three times." * * * According to the AP, the FBI made a forensic image of the relevant server in March 2017 as part of its investigation. Atlanta FBI spokesman Stephen Emmett "would not say whether that image still exists." Neither Emmett nor the FBI field office in Atlanta immediately responded to Ars' request for comment.

Law firms fail on cybersecurity, and corporate clients are cracking down (LegalTechNews, 26 Oct 2017) - Law firm technology services group LogicForce recently released its quarterly report card on law firm cybersecurity, giving the legal industry a score of only 42 percent on its cybersecurity health. The most recent scorecard aggregated data from client surveys at more than 300 law firms of various sizes. Scores were generated based on the number of firms that reported implementing 12 different factors set forth by LogicForce: information security executives, cybersecurity policies, multifactor authentication, cyber training, cyber insurance, penetration and vulnerability testing, third-party risk assessments, records management policies, cyber investment, full disk encryption, data loss prevention services, and third-party penetration testing. Each factor was weighted differently. The scorecard's most heavily weighted factor was the presence of an information security executive, a position filled at only 38 percent of surveyed law firms. * * * The report also noted that corporate law firm clients are beginning to crack down harder on their outside counsel for their failure to meet cybersecurity standards. The report found that 48 percent of law firms surveyed had their data security practices subjected to an audit by a corporate client in the last year.

- and -

Corporate legal's new cybersecurity role: First risk responders (Corporate Counsel, 7 Nov 2017) - As corporations devote more attention to cybersecurity, many are expanding the legal department's role to cover tasks like third-party risk management. But according to Grant Thornton's "2017 Corporate General Counsel Survey" of over 190 general counsel, that's far from where their cybersecurity responsibility ends. Over half (58 percent) of general counsel surveyed said they were highly involved in responding to their organizations' data security risks and cybersecurity incidents. In addition, 23 percent said that responding to such risks and events was their "primary responsibility," up from 11 percent in 2015. Of course, it wasn't always this way. "When we did this survey two years ago, the CFO among other members of the C-suite were driving cybersecurity initiatives," said Johnny Lee, principal and forensic technology practice leader for Grant Thornton's Forensic Advisory Services. But as "breaches become more prevalent and as they represent more downstream risk (regulatory and litigation exposure, for example), we've seen a shift to legal departments taking the helm on the response," he said. In light of the legal repercussions of cybersecurity incidents, he added, the legal department's participation in risk response can be an asset given the umbrella of attorney-client privilege. Depending on the nature and extent of a breach, such privilege may need "to be attached early if it's going to be invoked, and may need to be managed carefully if it's going to be protected and preserved." Lee cautioned, however, that the legal department's cybersecurity role "doesn't necessarily mean they're inserting themselves into insurance discussions or being the primary flag holders in front of the board. But it does mean, vis-à-vis the response, that they intend to be the standard bearers there."

- and -

Ok, we get technology competence, but how do we get technologically competent? (Above The Law, Bob Ambrogi, 6 Nov 2017) - By now, you've probably heard of the duty of technology competence. As more and more states adopt it, more and more articles get written about it, and more and more CLEs get presented about it. But the focus of all this is largely on the nature and scope of the duty. One aspect we hear little about is how lawyers can get and remain technologically competent. There are no easy answers to that question. Florida has taken the most dramatic step, not only mandating tech competence but also mandating technology training. The first and only state to do this, Florida requires that lawyers complete three hours of CLE every three years in approved technology programs. Another option for law firms and legal departments seeking to promote technology competence is the Legal Technology Assessment developed by Casey Flaherty and his company Procertas. The LTA assesses legal professionals' proficiency with the basic technology tools they use every day (Word, Excel, and PDF) and provides training on tasks in which they are deficient. Now, there is further progress. The past week brought news of two more initiatives that should further promote technology competence among legal professionals. One is online training for lawyers in legal innovation and technology, the other an index tracking how well law schools are preparing students to deliver legal services in the 21st century. * * *

Can algorithms send you to prison? Apparently, yes. (Ride The Lightning, 1 Nov 2017) - The New York Times reported in an opinion piece last week on a fascinating and disturbing story. In 2013, police officers in Wisconsin arrested Eric Loomis, who was driving a car that had been used in a recent shooting. He pleaded guilty to attempting to flee an officer, and no contest to operating a vehicle without the owner's consent. Neither of his crimes mandated prison time. But at Mr. Loomis's sentencing, the judge cited, among other factors, Mr. Loomis's high risk of recidivism as predicted by a computer program called COMPAS, a risk assessment algorithm used by the state of Wisconsin. The judge denied probation and prescribed an 11-year sentence - six years in prison, plus five years of extended supervision. No one knows exactly how COMPAS works; its manufacturer won't disclose the proprietary algorithm. We only know the final risk assessment score, which judges may consider at sentencing. Loomis challenged the use of an algorithm as a violation of his due process rights to be sentenced individually, and without consideration of impermissible factors like gender or race. The Wisconsin Supreme Court rejected his challenge. In June, the United States Supreme Court declined to hear his case, meaning a majority of justices effectively condoned the algorithm's use. This may have far-reaching effects. Why are we allowing a computer program, into which no one in the criminal justice system has any insight, to play a role in sending a man to prison? The author of the op-ed piece asked that question - and so do I. Wisconsin is one of several states using algorithms in the sentencing process. * * *

Oil States amicus briefs seek to stabilize IPR constitutional footing (Patently-O, 1 Nov 2017) - As per usual, the briefs are largely divisible into two categories: (1) direct merits arguments focusing on congressional power to enact the IPR regime; and (2) policy briefs arguing that IPRs do important work. I'll note here that the focus of the policy briefs is on efficient and timely adjudication. I have not seen any of the briefs so far that recognize the third reality: that the PTAB is invalidating patents that would have been upheld by a court. For some reason amici consider it appropriate to identify court failures in efficiency but not to identify failures in the substantive decisionmaking. The closest on-point is likely Apple's brief (16-712bsacAppleInc), which promotes the "well-informed and correct" outcomes of the PTAB. Overall, the collection of briefs here is quite strong. The most compelling brief in my view is that filed by the well-known team of Duffy and Dabney on behalf of several groups, including the Internet Association. They write: * * * [Polley: Fairly arcane, but absolutely fascinating set of historical analyses, getting to the very fundamentals of US IPR jurisprudence.]

What does a Director of Knowledge Management for a legal firm do? (KnoCo, 2 Nov 2017) - This month there were two "Director of KM" jobs advertised on LinkedIn. Let's see what this job entails. "Knowledge Management" is a poorly defined term, and Knowledge Management jobs can range from low-level data-entry clerks to high-level strategic posts, and anything in between. However, when you see "Director of Knowledge Management" vacancies, that tells you that this is a high-level post. One of these advertised vacancies gives few details of the post, but the second, from CMS (the legal firm), gives a full list of responsibilities and characteristics. These are listed below * * *

New federal cybersecurity regulations force colleges to strengthen data management (EdScoop, 2 Nov 2017) - A new set of federal regulations is forcing colleges and universities to tighten their cybersecurity practices, which will require changes in the way colleges manage their data, according to a new report. Higher education institutions will have to fulfill new contractual obligations to maintain federal grants, research contracts and other transactions in which the institutions receive data from the federal government, according to the report, issued by Deloitte's Center for Higher Education Excellence and nonprofit EDUCAUSE. In 2016, the U.S. Department of Education signaled it would make colleges comply with requirements laid out in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which are designed to protect the confidentiality of "controlled unclassified information." The first compliance deadline schools have to meet is Dec. 31. "Whether a college or university has many large government research contracts or one small contract, each institution will need to comply with these new data protection standards," said Joanna Lyn Grama, director of cybersecurity and IT GRC programs at EDUCAUSE. "Simply put, the evolving higher education threat landscape and very complex regulatory environment means that ad-hoc approaches to data management and protection are no longer adequate and formalized information security programs, based on recognized frameworks and responsive to specific regulations, are required." According to the report, while higher education CIOs and CISOs are aware of the new standard, "this awareness hasn't necessarily translated into progress. "Many institutions are still working out how to get started and get everyone on board," the report says. "Other institutions, notably those that receive significant defense research funding, are much further down the path."
Colleges will have to overcome many existing challenges in order to fulfill the requirements, according to experts at Deloitte and EDUCAUSE. And those challenges go beyond just technological problems. They also encompass organizational change management, training, end-user adoption and process controls. Specific challenges outlined in the report include a lack of executive and board-level attention to the NIST SP 800-171 requirements.

35 states and DC back bid to collect online sales taxes (USA Today, 3 Nov 2017) - Thirty-five state attorneys general and the District of Columbia this week signed on to support South Dakota's legal bid to collect sales taxes from out-of-state Internet retailers. South Dakota is asking the U.S. Supreme Court to review whether retailers can be required to collect sales taxes in states where they lack a physical presence. The case could have national implications for e-commerce. South Dakota Attorney General Marty Jackley said in a statement Thursday that Colorado filed a friend-of-the-court brief supporting South Dakota's petition to the high court. The state is seeking to overturn legal rulings issued mostly before the online shopping boom that hamstring officials who want to collect sales taxes from out-of-state retailers. States have pushed Congress to address the issue without success, and one estimate put the loss to states at roughly $26 billion in 2015. South Dakota estimates it loses about $50 million annually to e-commerce. "The problem with the physical-presence rule is that it was first conceived of in 1967, two years before the moon landing and decades before the first retail transaction occurred over the Internet," according to the brief. Some companies such as Amazon have decided to collect state sales taxes despite the precedent. South Dakota legislators passed a law last year requiring collection of the tax. The law was struck down in September by the state Supreme Court due to precedent. The state had welcomed the defeat so it could try to get the U.S. Supreme Court to take up the case.

US Court sides with Google against Canadian de-indexing order (ZDnet, 3 Nov 2017) - A US federal court on Friday issued a preliminary injunction against a Canadian Supreme Court ruling, which asked Google to de-index certain search results not just in Canada but on a global basis. The Canadian ruling "undermines the policy goals of Section 230 [of the US Communications Decency Act] and threatens free speech on the global internet," wrote Judge Edward Davila of the US District Court for Northern California. The ruling pertains to the case Google v. Equustek, which started with a 2011 complaint from the company Equustek Solutions. The British Columbia firm charged that a group of Equustek distributors (known as the Datalink defendants) were selling counterfeit Equustek products online. Datalink continued to sell these goods globally, even after the court ordered it to stop, prompting Equustek to ask Google to intervene. Google initially de-indexed 345 specific webpages associated with Datalink on google.ca. Equustek then sought an injunction to stop Google from displaying any part of the Datalink websites on any of its search results worldwide. A lower court granted the injunction, and the Canadian Supreme Court upheld it. The ruling's global implications elicited concern from freedom of speech advocates. Google asked the US District Court for Northern California to intervene, arguing that Canada's ruling was "repugnant" to the rights established by the First Amendment and the Communications Decency Act. Furthermore, the company said it "violates principles of international comity, particularly since the Canadian plaintiffs never established any violation of their rights under U.S. law." Now that the US District Court has intervened, Google can seek a permanent injunction and ask the Canadian court to modify its original order, according to the Electronic Frontier Foundation.

TSA plans to use face recognition to track Americans through airports (EFF, 9 Nov 2017) - The "PreCheck" program is billed as a convenient service to allow U.S. travelers to "speed through security" at airports. However, the latest proposal released by the Transportation Security Administration (TSA) reveals the Department of Homeland Security's greater underlying plan to collect face images and iris scans on a nationwide scale. DHS's programs will become a massive violation of privacy that could serve as a gateway to the collection of biometric data to identify and track every traveler at every airport and border crossing in the country. Currently TSA collects fingerprints as part of its application process for people who want to apply for PreCheck. So far, TSA hasn't used those prints for anything besides the mandatory background check that's part of the process. But this summer, TSA ran a pilot program at Atlanta's Hartsfield-Jackson Airport and at Denver International Airport that used those prints and a contactless fingerprint reader to verify the identity of PreCheck-approved travelers at security checkpoints at both airports. Now TSA wants to roll out this program to airports across the country and expand it to encompass face recognition, iris scans, and other biometrics as well. [Polley: "contactless fingerprint reader"?!?] While this latest plan is limited to the more than 5 million Americans who have chosen to apply for PreCheck, it appears to be part of a broader push within the Department of Homeland Security (DHS) to expand its collection and use of biometrics throughout its sub-agencies. For example, in pilot programs in Georgia and Arizona last year, Customs and Border Protection (CBP) used face recognition to capture pictures of travelers boarding a flight out of the country, and compared those pictures to previously recorded photos from passports, visas, and "other DHS encounters."
In the Privacy Impact Assessments (PIAs) for those pilot programs, CBP said that, although it would collect face recognition images of all travelers, it would delete any data associated with U.S. citizens. But what began as DHS's biometric travel screening of foreign citizens morphed, without congressional authorization, into screening of U.S. citizens, too. Now the agency plans to roll out the program to other border crossings, and it says it will retain photos of U.S. citizens and lawful permanent residents for two weeks and information about their travel for 15 years. It retains data on "non-immigrant aliens" for 75 years.

Equifax profit falls as hacking costs take toll (Reuters, 9 Nov 2017) - Equifax Inc (EFX.N) on Thursday reported lower quarterly profit, and quarterly revenue missed estimates, as the credit bureau warned that its massive data breach had prompted some customers to hold back business. The breach, which compromised sensitive data of 145.5 million people, has harmed the company's reputation and prompted investigations in every U.S. state, a federal criminal probe and hundreds of lawsuits. Equifax said it was not possible to estimate how much it would cost the company to respond to the probes and litigation. The Atlanta-based company said it recorded $87.5 million in expenses related to the hack during the quarter, including legal fees, investigation of the breach, and free credit monitoring for U.S. consumers whose data was exposed in the breach. Equifax estimated a range of additional costs between $56 million and $110 million to continue providing the free services. The company warned there could be further attacks. "We cannot assure that all potential causes of the incident have been identified and remediated and will not occur again," it said in a quarterly filing with the Securities and Exchange Commission.

- and -

Equifax looks to in-house lawyer to 'build a new future' after massive breach (Law.com, 14 Nov 2017) - As Equifax Inc. continues to face fallout from the massive data breach announced earlier this year, the consumer credit reporting company has selected one of its in-house attorneys to oversee its response to the disaster. Taking on this role is Julia Houston, whose official title is chief transformation officer. Along with leading the company through the aftermath of the breach, Houston will coordinate Equifax's efforts to "build a new future," according to the company's corporate leadership page. In response to a request for comment on Houston's role and on the timing of her appointment, an Equifax spokesperson said: "Equifax's top priorities are to improve service for consumers and to continue to strengthen our company's security capabilities. We have revised our corporate structure to address both of these areas and have created a Chief Transformation Officer who reports directly to the CEO." The spokesperson added that Houston was appointed to this role in October. Houston joined Equifax in October 2013 and was most recently senior vice president of U.S. legal, where she led Equifax's legal team supporting three businesses in the United States. She previously held the general counsel title at customer management company Convergys Corp. and energy company Mirant Corp. Prior to that, Houston was an in-house attorney at Delta Air Lines Inc.

Alphabet's Project Loon delivers internet service to 100,000 people in Puerto Rico (The Verge, 9 Nov 2017) - Alphabet's Project Loon, which last month partnered with AT&T and T-Mobile to bring LTE connectivity to disaster-stricken Puerto Rico, says its helium air balloons have delivered internet to 100,000 residents on the island. A significant portion of Puerto Rico, still struggling to recover from the effects of Hurricane Maria, is still without cell tower reception, with the Federal Communications Commission reporting earlier today that nearly 44 percent of Puerto Rico cell sites are still out of service. Loon deployed balloons in late October in what was its fastest-ever deployment in an effort to help residents get back online as soon as possible. While 100,000 is an impressive metric on its own, Puerto Rico is an island of nearly 3.5 million people. A map released today by the FCC shows that a vast majority of the island's counties still have between 20 and 60 percent of cell towers out of service. Only four counties are reporting only 1 to 20 percent of cell sites out of service, while another four counties have more than 80 percent of their cell sites down. So while Loon is certainly helping Puerto Rico's government get more residents online, there's a lot of infrastructure work to be done to get the entire island back online and in contact with the rest of the world.

Copyright exceptions for libraries widespread, study at WIPO shows, but disharmony persists (IP Watch, 15 Nov 2017) - Nobody among members of the World Intellectual Property Organization disputes the importance of the public services provided by libraries and archives. However, positions are different when it comes to providing exceptions to copyright to those entities so they can continue to dispense their services, in particular in the digital age. An updated study presented today in a WIPO committee shows that most countries have exceptions relating to libraries, but termed in very different ways, and are hesitant on how to deal with digital technologies. Prof. Kenneth Crews, former director of the copyright advisory office at Columbia University (US) and now an attorney at Gipson, Hoffman & Pancione in Los Angeles, today presented the latest version [pdf] of his original 2008 study, already updated in 2014 and in 2015, during the 35th session of the WIPO Standing Committee on Copyright and Related Rights, taking place from 13-17 November. According to Crews, since 2015, a number of countries have revised their copyright laws and the exceptions they provide to libraries and archives, which, he said, serves as a reminder that this is a dynamic issue. The study covers all 191 WIPO member states and found that 161 of those have at least one provision in their copyright statutes that explicitly applies to libraries or archives. Crews describes four types of exception: type 1 with no library exception (28); type 2 with a general library exception (21); type 3 with specific library exceptions; and type 4 providing for anti-circumvention exemptions. Compared to the last version of the study, fewer countries have no exception, and fewer countries are relying on general exception, Crews said. 
Specialised exceptions, which constitute the largest share of countries, include preservation and replacement, private study and research, making available on the premises, document delivery, and copy machines in the library. As an example, Crews said 102 member states have an exception for preservation, 98 for replacement, and 105 for private study and research. Crews described the influence of several models in current copyright laws, such as the British Copyright Act, which provides multiple provisions such as for preservation and research. He also cited the Bangui Agreement, which also provides clear rules for preservation and research, and the 2001 Information Society Directive and the 2012 Orphan Works Directive of the European Union, which he said have influenced some 14 countries outside of the EU.

Guide to cybersecurity due diligence worth reading (NY Law Journal, 15 Nov 2017) - On the subject of business risk, Warren Buffett observed that the rearview mirror is always clearer than the windshield. For an M&A acquirer, one prime risk is assessing the effectiveness of a target's cybersecurity program. As data breach incidents involving Yahoo and Neiman Marcus have shown, such incidents can profoundly impact even the largest deals. With billions of M&A dollars at stake, there is a need to clear the windshield. Ronald [sic] Smedinghoff and Roland Trope prove up to the task in this new book, which compiles topical papers written by M&A lawyers whose practices focus on protecting their clients' high-value digital assets. Although the book is primarily written for M&A lawyers, it can also be useful to a wider audience that includes directors, officers, in-house counsel and data security professionals whose duties include the designing, implementing, updating, testing and monitoring of cybersecurity programs. Throughout the book's thirteen chapters, it explains how an acquirer can properly assess a target's cybersecurity posture. As such, the book is intended as an issue-spotting resource. It is not intended to prepare an M&A lawyer to be an expert in cyber crime, or to serve as a manual of M&A provisions that specifically address cybersecurity risks. Although some of the material is repetitive, the editors have done an admirable job in organizing the topics, eliminating jargon, minimizing the use of acronyms, bullet-pointing key checklists, discouraging run-on sentences, reducing paragraph length and ensuring that the entire text appears as though it was written in plain English by a single author. * * * More than a hundred years ago, Theodore Roosevelt observed that risk is like fire: If controlled it can help you; uncontrolled it will rise up and destroy you. For M&A lawyers assessing a target's cybersecurity risk, this book helps control the fire. 
[Polley: It's Tom Smedinghoff, not Ronald. Excellent resource, and quite positive review.] top

RESOURCES

Liability for Providing Hyperlinks to Copyright-Infringing Content: International and Comparative Law Perspectives (Columbia, 12 Nov 2017) - Abstract: "Hyperlinking, at once an essential means of navigating the Internet, but also a frequent means to enable infringement of copyright, challenges courts to articulate the legal norms that underpin domestic and international copyright law, in order to ensure effective enforcement of exclusive rights on the one hand, while preserving open communication on the Internet on the other. Several recent cases, primarily in the European Union, demonstrate the difficulties of enforcing the right of communication to the public (or, in US copyright parlance, the right of public performance by transmission) against those who provide hyperlinks that effectively deliver infringing content to Internet users. This article will first address the international norms that domestic laws of states member to the multilateral copyright agreements must implement. It next will explore how two of the most significant regional or national copyright regimes, the EU and the US, have coped with the question of linking, and then will consider the relationship of the emerging approaches to copyright infringement with national and regional laws instituting limited immunity for copyright infringements committed by internet service providers. We will conclude with an assessment of the extent to which the outcomes under US and EU regimes, despite their apparently different approaches, in fact diverge." top

Preventing Data Breaches at Law Firms: Adapting Proactive, Management-Based Regulation to Law-Firm Technology (Arizona Law Review, Nov 2017) - Today, law firms of every size are relying on technology more than ever before. However, a firm's investment in securing its information systems pales in comparison to that of its corporate counterparts, leaving law-firm clients' data unnecessarily at risk. Although there has been a modest increase in regulation for firm management overall, law firms have largely ignored the threat of data breaches, failing to adhere to widely accepted information security standards. This lack of compliance has caused cyber criminals to shift their sights from the client to the vulnerable information security systems of law firms. This Note proposes a proactive, regulatory approach to establish a technology infrastructure in law firms, thus ensuring the protection of client information. [Polley: Others also have proposed a prescriptive, regulatory approach; I'm unconvinced.] top

DIFFERENT

The digital ruins of a forgotten future (The Atlantic, Dec 2017) - Gidge Uriza lives in an elegant wooden house with large glass windows overlooking a glittering creek, fringed by weeping willows and meadows twinkling with fireflies. She keeps buying new swimming pools because she keeps falling in love with different ones. The current specimen is a teal lozenge with a waterfall cascading from its archway of stones. Gidge spends her days lounging in a swimsuit on her poolside patio, or else tucked under a lacy comforter, wearing nothing but a bra and bathrobe, with a chocolate-glazed donut perched on the pile of books beside her. "Good morning girls," she writes on her blog one day. "I'm slow moving, trying to get out of bed this morning, but when I'm surrounded by my pretty pink bed it's difficult to get out and away like I should." In another life, the one most people would call "real," Gidge Uriza is Bridgette McNeal, an Atlanta mother who works eight-hour days at a call center and is raising a 14-year-old son, a 7-year-old daughter, and severely autistic twins, now 13. Her days are full of the selflessness and endless mundanity of raising children with special needs: giving her twins baths after they have soiled themselves (they still wear diapers, and most likely always will), baking applesauce bread with one to calm him down after a tantrum, asking the other to stop playing "the Barney theme song slowed down to sound like some demonic dirge." One day, she takes all four kids to a nature center for an idyllic afternoon that gets interrupted by the reality of changing an adolescent's diaper in a musty bathroom. 
But each morning, before all that, before getting the kids ready for school and putting in eight hours at the call center, before getting dinner on the table or keeping peace during the meal, before giving baths and collapsing into bed, Bridgette spends an hour and a half on the online platform Second Life, where she lives in a sleek paradise of her own devising. Good morning girls. I'm slow moving, trying to get out of bed this morning. She wakes up at 5:30 to inhabit a life in which she has the luxury of never getting out of bed at all. What is Second Life? The short answer is that it's a virtual world that launched in 2003 and was hailed by some as the future of the internet. The longer answer is that it's a landscape full of goth cities and preciously tattered beach shanties, vampire castles and tropical islands and rainforest temples and dinosaur stomping grounds, disco-ball-glittering nightclubs and trippy giant chess games. In 2013, in honor of Second Life's tenth birthday, Linden Lab, the company that created it, released an infographic charting its progress: 36 million accounts had been created, and their users had spent 217,266 cumulative years online, inhabiting an ever-expanding territory that comprised almost 700 square miles. Many are tempted to call Second Life a game, but two years after its launch, Linden Lab circulated a memo to employees insisting that no one refer to it as that. It was a platform. This was meant to suggest something more holistic, more immersive, and more encompassing. * * * [Polley: detailed story, worth reading. I haven't logged into SL for years; I may need to go back for another look.] top

Math student wins "Dance Your Ph.D." contest (InsideHigherEd, 6 Nov 2017) - Science sponsors an annual "Dance Your Ph.D." contest to highlight research and the importance of communicating findings in ways that help nonspecialists understand them. Below is the video of this year's winner, Nancy Scherich of the University of California, Santa Barbara. She studies topology, the study of geometry in which shape and size don't matter. Her focus is on braid theory, or "the rules that determine the unique representations of twists and knots in high-dimensional spaces." [Polley: I'm guessing the math is real; the 9m dance video (with some subtitles) certainly is intriguing. Remember the string game "Cat's Cradle"?] top

LOOKING BACK

FTC issues online ad privacy guidelines (NBC News, 20 Dec 2007) - On the same day they cleared Google Inc.'s purchase of online advertiser DoubleClick, federal regulators said industry needs to be more transparent about how consumers' Web-surfing habits are tracked. The Federal Trade Commission on Thursday proposed guidelines by which advertisers would voluntarily fess up to Web surfers about whether their online behaviors are monitored and used to personalize ads. Privacy experts said the guidelines could be helpful, but only if industry enforces them. Consumers are largely in the dark about companies tracking them through these ads, the agency said, adding that companies should give people a realistic choice in whether they want to be tracked or not. "You shouldn't have to be a computer geek to protect your privacy," said Peter Swire, an Ohio State University law professor and senior fellow at the Center for American Progress, a liberal think tank. top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

Saturday, October 28, 2017

MIRLN --- 8-28 Oct 2017 (v20.15)

MIRLN --- 8-28 Oct 2017 (v20.15) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


ANNOUNCEMENT | NEWS | DIFFERENT | RESOURCES | LOOKING BACK | NOTES

ANNOUNCEMENT

The new Second Edition of the ABA's best-selling Cybersecurity Handbook is a must-read for anyone working in the field, including private-practice attorneys, in-house counsel, non-profit and government lawyers, and others. For more detail, visit the ABA store at http://bit.ly/2x7HNbJ. A pre-release review of the Handbook is here: ABA urges lawyers to adopt encryption, other cybersecurity practices in latest 'handbook' (Inside Cybersecurity, 24 Oct 2017).

Framing the Museum GitHub Repository (Berkman Klein, 5 Oct 2017) - When we use information, we need to understand what we're looking at. We do this by framing that information - sharing new details about what it is and how we can use it. For museum collections that connect data points across centuries of artworks and objects, institutions are turning to new tools to share and communicate that data. Here, we can look at four institutions using GitHub as a platform to share collections data - the Metropolitan Museum of Art, Museum of Modern Art (MoMA), Cooper Hewitt Smithsonian, Design Museum, and the Tate collection - as an opportunity to parse current practice in this area. GitHub is a platform for sharing and collaborating on code repositories. In a GitHub repository, the README functions as an overview of the repository and its contents. In the museum context, the README may act as a guide for how institutions have chosen to share their collections data. In identifying what information is commonly included in the README, we can map commonalities in which elements institutions have selected to frame and contextualize their collections data. * * * top

- and -

Jeff Koons' augmented reality Snapchat artwork gets 'vandalized' (TechCrunch, 8 Oct 2017) - Earlier this week, Snapchat launched a new augmented reality art exhibiting feature as part of a collaboration with the artist Jeff Koons. ART, as it's called, will plaster the digital artwork and sculptures of artists into geo-tagged physical locations across the world that viewers can see as a Lens inside the Snapchat app. There has already been a backlash by some in the artistic community who are skeptical of corporations "putting up" digital art that they could potentially monetize wherever they would like. As a way to spark the conversation, earlier this week a group of New York-based artists mocked up a "vandalized" version of Jeff Koons' AR Balloon Dog. To be fair, this is a patently 2017 issue to have, but also one that conversation will certainly build around as we question the ownership of physical digital locations. The group didn't hack Snap's servers to vandalize the sculpture; the work is simply a 3D digital recreation of the sculpture placed on top of a photo of the same geo-tagged location as Koons' work. Graffiti artist Sebastien Errazuriz sought to raise some interesting questions with the work done with Cross Lab Studio, positing whether augmented reality experiences should be governed by rules similar to those for renting out physical spaces. On an image of the vandalized artwork, he added more questions: Should corporations be allowed to place whatever content they choose over our digital public space? Central Park belongs to the city of NY. Why should corporations get to geo-tag its GPS coordinates for free? We know they will make money renting GPS spots to brands and bombard us with advertisement. They should pay rent; we should choose to approve what can be geo-tagged to our digital public and private space.
These debates might be a few years ahead of their time, but as augmented reality grows less gimmicky and more monetizable, advertising in public space could grow to be a major industry. It's interesting to see artists looking to the government to regulate public companies creating art platforms, but it also shows the hesitation many are feeling to the manner in which tech companies are looking to mesh the digital world onto public physical locations with AR tech. top

Court dismisses FTC's unfairness claims against D-Link (Crowell & Moring, 6 Oct 2017) - Earlier this month, the Northern District of California dismissed FTC's unfairness claims against D-Link, a manufacturer of routers and IP cameras, while allowing most of FTC's claims rooted in deception to survive, suggesting that traditional false advertising actions may be FTC's most effective means of addressing suspect data security practices. Further, the Northern District of California's decision to dismiss the unfairness claims shows this court's unwillingness to entertain data security actions rooted in the FTC's unfairness prong without concrete harm. FTC filed suit against D-Link in January of this year, alleging that the company engaged in both deceptive and unfair practices based on D-Link's allegedly flimsy data security practices. Specifically, the FTC alleged that D-Link engaged in deceptive practices by marketing sophisticated and state-of-the-art security provided with its products, while simultaneously failing to protect users from "widely known and reasonably foreseeable risks of unauthorized access." For example, D-Link touted that its products featured "the latest wireless security features to help prevent unauthorized access" and offered the "best possible encryption." But in practice, according to FTC's pleadings, D-Link failed to take "easily preventable measures" against "hard-coded user credentials and other backdoors." And, the Northern District held, these accusations were sufficient to plead a deception claim under the FTC Act. However, where the company did not specifically market its data security practices, its advertising was not deceptive - such as in a brochure where D-Link described the camera as a "surveillance camera" for the "home or small office." Indeed, where D-Link did not refer to its digital security, the court would not imply messages about the state of that security.
Notably though, the Northern District dismissed FTC's claims that, because D-Link failed to provide adequate data security, it engaged in unfair practices. Specifically, the court found that, because the FTC could not plead actual harm, it had not sufficiently pled a violation of the FTC Act. FTC was unable, the court noted, to show any "monetary loss or an actual incident where sensitive personal data was accessed or exposed." It was not enough to plead that D-Link put customers at risk. The Northern District did not, however, completely close the door on potential unfairness claims against D-Link. Choosing to dismiss the claims without prejudice, the Northern District noted that "[i]f the FTC had tied the unfairness claim to representations underlying the deception claims, it might have had a more colorable injury element." Accordingly, where a company does not make affirmative representations about its data security practices, a court will likely be reluctant to find a violation of the FTC Act without concrete injury. top

DoD issues guidance for compliance with cybersecurity regulations (Holland & Knight, 6 Oct 2017) - The U.S. Department of Defense (DoD) published in 2016 a new Defense Federal Acquisition Regulation Supplement (DFARS) provision and two clauses covering the safeguarding of contractor networks. The final DoD clauses are DFARS 252.204-7008, "Compliance with Safeguarding Covered Defense Information Controls," and DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting." To comply with the rule, contractors must meet the standards set forth in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," not later than Dec. 31, 2017. On Sept. 21, 2017, the Office of the Under Secretary of Defense provided guidance to DoD acquisition personnel concerning implementation of the NIST SP 800-171 standards. * * * top

Publishers take ResearchGate to court, alleging massive copyright infringement (Science Magazine, 6 Oct 2017) - Scholarly publishing giants Elsevier and the American Chemical Society (ACS) have filed a lawsuit in Germany against ResearchGate, a popular academic networking site, alleging copyright infringement on a mass scale. The move comes after a larger group of publishers became dissatisfied with ResearchGate's response to a request to alter its article-sharing practices. ResearchGate, a for-profit firm based in Berlin, Germany, which was founded in 2008, is one of the largest social networking sites aimed at the academic community. It claims more than 13 million users, who can use their personal pages to upload and share a wide range of material, including published papers, book chapters and meeting presentations. Science funders and investors have put substantial funds into the firm; it has raised more than $87 million from the Wellcome Trust charity, Goldman Sachs, and Bill Gates. In recent years, journal publishers have become increasingly concerned about the millions of copyrighted papers - usually accessible only behind subscription paywalls - that are being shared by ResearchGate users. And on 15 September, the International Association of Scientific, Technical, and Medical Publishers wrote to ResearchGate on behalf of more than 140 publishers, expressing concerns about its article-sharing policies. Specifically, the organization proposed that ResearchGate implement a "seamless and easy" automated system that would help the site's users determine if an article was protected by copyright and could be legally shared publicly or privately. The association asked for a response by 22 September, noting that its members could follow up individually or collectively if ResearchGate failed to agree to its proposal. (AAAS, which publishes Science Insider, is a member of the association.)
Yesterday, a group of five publishers - ACS, Elsevier, Brill, Wiley and Wolters Kluwer - announced that ResearchGate had rejected the association's proposal. Instead, the group, which calls itself the "Coalition for Responsible Sharing," said in a 5 October statement that ResearchGate suggested publishers should send the company formal notices, called "takedown notices," asking it to remove content that breaches copyright. The five publishers will be sending takedown notices, according to the group. But the coalition also alleges that ResearchGate is illicitly making as many as 7 million copyrighted articles freely available, and that the company's "business model depends on the distribution of these in-copyright articles to generate traffic to its site, which is then commercialised through the sale of targeted advertising." The coalition also states that sending millions of takedown notices "is not a viable long-term solution, given the current and future scale of infringement. … Sending large numbers of takedown notices on an ongoing basis will prove highly disruptive to the research community." As a result, two coalition members, ACS and Elsevier, have opted to go to court to try to force ResearchGate's hand. The lawsuit, filed in a German regional court, asks for "clarity and judgement" on the legality of posting such content, says James Milne, spokesperson for the Coalition for Responsible Sharing and senior vice president of ACS's journals publishing group in Oxford, U.K. top

Petition to look at former CBS lawyer underscores ethical risks of social media (Inside Counsel, 6 Oct 2017) - After being fired for a controversial Facebook post in the aftermath of the mass shooting in Las Vegas, former CBS lawyer Hayley Geftman-Gold is the subject of a petition calling for the New York State Bar Association to consider whether she is capable of remaining professional in response to a tragedy. This push, which calls for the NYSBA to consider whether Geftman-Gold's social media post is in keeping with her professional obligations, highlights the ethical risks lawyers face when it comes to using social media, attorneys say. Not long after a gunman in Las Vegas killed more than 50 people and injured nearly 500, Geftman-Gold, who was a vice president and senior counsel of strategic transactions at CBS, posted in a Facebook discussion that she was "not even sympathetic" because "country music fans often are Republican gun toters." CBS fired her Monday, saying in a statement Friday to Corporate Counsel that the views expressed by Geftman-Gold on social media were "deeply unacceptable to all of us at CBS." Geftman-Gold, who could not be reached for comment, said in a statement provided to Fox News that she sincerely regrets making the "indefensible post." The petition, addressed to NYSBA executive director Pamela McDevitt, condemns Geftman-Gold's "reprehensible and despicable remarks" and calls on the association to "conduct an ethics review of this individual to measure her abilities to remain professional during the response phase of a national tragedy and to censor herself appropriately." In response to a request for comment from McDevitt, Richard Rifkin, special counsel to the NYSBA, told Corporate Counsel that the association has "gotten a number of complaints" about Geftman-Gold.
Rifkin added, however, that the NYSBA does not have the ability to discipline attorneys, and so complainants are informed on how "to file a complaint with the appropriate part of the court system." Currently, Geftman-Gold's attorney registration record shows no record of discipline. Posted Monday by the Citizens for Judicial Reform, the petition had more than 12,000 signatures as of publication of this article. "The bigger lesson here is people need to think before they post or tweet," said Ignatius Grande, senior discovery attorney at Hughes Hubbard & Reed, who is also co-chair of the Social Media Committee of the NYSBA's Commercial and Federal Litigation Section. "Especially as a lawyer, because there are a lot of ethical issues that can come back to haunt you." The NYSBA's social media ethics guidelines outline where issues can arise, such as violating rules around advertising or posting confidential information. The guidelines also point to an ethics opinion from the D.C. Bar Legal Ethics Committee in order to make clear that caution should be exercised when stating positions on issues and legal developments on social media platforms that may be inconsistent with those positions of clients. "I think part of what the ethics boards have been dealing with over the last ten years is how to deal with social media, because it really has changed how you apply some of the rules that are out there," Grande said. "And attorneys are looked at with a magnifying glass or looked at with a higher standard, so it's important to look before you post." top

Computer virus hits US Predator and Reaper drone fleet (ArsTechnica, 7 Oct 2017) - A computer virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other war zones. The virus, first detected nearly two weeks ago by the military's Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech's computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the US military's most important weapons system. "We keep wiping it off, and it keeps coming back," says a source familiar with the network infection, one of three that told Danger Room about the virus. "We think it's benign. But we just don't know." top

How Russia harvested American rage to reshape US politics (NYT, 9 Oct 2017) - YouTube videos of police beatings on American streets. A widely circulated internet hoax about Muslim men in Michigan collecting welfare for multiple wives. A local news story about two veterans brutally mugged on a freezing winter night. All of these were recorded, posted or written by Americans. Yet all ended up becoming grist for a network of Facebook pages linked to a shadowy Russian company that has carried out propaganda campaigns for the Kremlin, and which is now believed to be at the center of a far-reaching Russian program to influence the 2016 presidential election. A New York Times examination of hundreds of those posts shows that one of the most powerful weapons that Russian agents used to reshape American politics was the anger, passion and misinformation that real Americans were broadcasting across social media platforms. * * * top

Cyberstalking case highlights how VPN provider claims about not keeping logs are often false (TechDirt, 10 Oct 2017) - When the Trump administration recently decided to gut consumer privacy protections for broadband, many folks understandably rushed to VPNs for some additional privacy and protection. And indeed, many ISPs justified their lobbying assault on the rules by stating that users didn't need privacy protections, since they could simply use a VPN to fully protect their online activity. But we've noted repeatedly that VPNs are not some kind of panacea, and in many instances you're simply shifting the potential for abuse from your ISP -- to a VPN provider that may not actually offer the privacy it claims. Latest case in point: like many companies, a VPN provider by the name of PureVPN has been advertising for years on its website that it keeps no logs of user behavior: "PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That's why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities." But when the Department of Justice brought a case against a man by the name of Ryan Lin for stalking, one key component of the case involved using PureVPN logs to track his online activities. * * * top

Host of hacks not raising cyber premiums (iTreasurer, 10 Oct 2017) - Despite the continuing steady flow of news about major companies getting hacked, cyber policy premiums have continued to fall and their coverage broaden as insurers crowd into the space. In fact, the magnitude of cybercrimes only seems to be growing, with recent revelations that all of Yahoo's three billion customer accounts were hacked, as were Equifax's 140 million customers, along with Deloitte's client emails and certain SEC filings. As a result, some cyber insurers have increased underwriting scrutiny for certain risks while others still offer premiums that continue to fall, according to Kevin Kalinich, the global practice leader for cyber risk at brokerage Aon. "We have over 70 cyber carriers out of the US, Bermuda and London. Therefore, despite the recent cyber incidents, unless you are in a 'high risk' industry class, because there's so much competition we're seeing rates come down," Mr. Kalinich said. "If you're buying cyber insurance, now is definitely a good time to buy it." David Bradford, chief strategy officer and director of strategic partnership development at Advisen, a provider of data, media, and technology solutions for the commercial property and casualty insurance market, said that many companies are currently experiencing reductions between 5% and 15%, a trend that should continue for the immediate future. He said the Equifax breach is unlikely to have a significant impact on premiums, because the company has $150 million or less of coverage, and so is unlikely to drive capacity out of the marketplace. "It will probably cause some alarm among certain classes of buyers, but it's within the range of what insurers expected to pay," he said. Premiums remain elevated for companies in industries such as retail and healthcare, which have seen significant breaches in recent years. However, they likely will fall gradually as cybercriminals turn their sights to other industries.
The broad downward pressure on premiums fundamentally stems from supply outweighing demand: the 65 insurers Advisen estimates plying the cyber-policy space are chasing after a relatively small pot of premiums, approximately $3.5 billion. Companies can take on upwards of $600 million in coverage, Mr. Bradford said, although brokers must cobble together that capacity using policies from numerous carriers. top

What could Equifax CLO John Kelley have done differently? (InsideCounsel, 11 Oct 2017) - John Kelley, CLO of Equifax, has found himself at the center of the controversy surrounding the recent massive data breach at the company. Former Equifax Inc. CEO Richard Smith spent much of last week testifying before Congress about the massive data breach that has affected some 145 million U.S. consumers. Many grilling Smith questioned the timeline following the discovery of the incursion and wondered how three Equifax executives were able to sell shares totaling close to $2 million just days later. The answers inevitably came back to the company's chief legal officer, John Kelley III, who, along with being in charge of security within the company, is responsible for approving share sales by Equifax executives. Parsing the decisions Kelley made in the aftermath of the breach raises some intriguing issues for the many in-house counsel who must grapple with cybersecurity threats and shows that the story of how Equifax responded to its recent breach is anything but simple. * * * [ Polley : interesting.] top

- and -

What cybersecurity standard will a judge use in Equifax breach suits? (Lawfare, 20 Oct 2017) - Those affected by data breaches now have increasing opportunities to take their claims to court. Last month, in northern California's federal district court, Judge Lucy Koh upheld the right of victims to sue Yahoo for massive breaches between 2013 and 2016. Victims of the Equifax hack, which impacted millions more than initially reported, are filing dozens of lawsuits. And in another ruling last month, Koh upheld the right of a class of health insurance company Anthem's data breach victims to sue for a recently revealed second breach, shortly after Anthem was ordered to pay $115 million to victims and for credit monitoring after the first incident. We've previously described the role of theories of harm to victims, and the duty of care for companies, as courts iron out standards in data breach litigation. But what happens in court? What standards are judges applying for cybersecurity when deciding these lawsuits? What amount of cybersecurity would have been sufficient, in court if not in practice? In other words, we should assume that because a cybersecurity regime is a series of processes, and because no large-scale entity is impenetrable, breaches can and will happen, even when a company exercises care. So, what standard of care is acceptable? Especially in large-scale operations that hold potential for large-scale breaches? The Equifax case may set the high-water mark of weak precautions and bungled incident-response plans, coupled with the intimacy of the data and the vastness of the population affected. But what is the lower limit of acceptable standards for situations that are less clear? (Incidents like the Deloitte hack in September that compromised confidential emails of some of its blue-chip clients.) * * * [ Polley : interesting, and lengthy; ultimately (unsurprisingly) indeterminate; still, a useful exposition.] top

Australian court rules an unsent text message on phone of a deceased man a valid will (Mashable, 11 Oct 2017) - An unsent message of a deceased man in Australia has been ruled a valid will. It means he will leave his estate to his brother and nephew as opposed to his son and wife, with whom he apparently had a difficult relationship. The decision was handed down by a judge at the Supreme Court of Queensland, there being no evidence of any other will created by the deceased man. The man, who tragically took his own life, was found with the phone by his widow in October 2016. The following day, a friend of the widow was asked to look through the deceased man's contact list to see who should be notified of his death. It was there the unsent text message was found, and a screenshot was taken. " Dave Nic you and Jack keep all that I have house and superannuation, put my ashes in the back garden with Trish Julie will take her stuff only she's ok gone back to her ex AGAIN I'm beaten . A bit of cash behind TV and a bit in the bank Cash card pin 3636 MRN190162Q 10/10/2016 My will ," read the text message. The widow, who contested the will, sought to rely on the fact that because the deceased man did not send the text message, he didn't mean it. But the judge in this case, Justice Susan Brown, was satisfied the unsent text constituted a valid document and that the deceased man had made up his mind on where his property would go after his death, because of the words "my will" at the end of the message. Also noted by the judge was the contact between the deceased man, his brother and nephew prior to his death, and that the text was written close to the date of his death. It was also deemed likely the deceased man intended for the message to be found with him. "In all of the circumstances I consider that the text message was intended by the deceased to operate as his will upon his death," Brown said. top

Microsoft cloud can now host classified Pentagon data (NextGov, 17 Oct 2017) - Microsoft announced on Tuesday that the Defense Department can host secret classified data in its cloud. The announcement means the Defense Department, the military services, intelligence agencies and their industry partners working within secret enclaves can host classified data in Microsoft's Azure Government Secret cloud, where they'll have access to new technologies like machine learning. * * * Secret data is traditionally distributed through a system of computer networks managed by the Defense and State departments called the Secret Internet Protocol Router Network, or SIPRNet. Microsoft's Azure Government Secret cloud can now host SIPRNet data. top

Federal judge unseals New York crime lab's software for analyzing DNA evidence (ProPublica, 20 Oct 2017) - A federal judge this week unsealed the source code for a software program developed by New York City's crime lab, exposing to public scrutiny a disputed technique for analyzing complex DNA evidence. Judge Valerie Caproni of the Southern District of New York lifted a protective order in response to a motion by ProPublica, which argued that there was a public interest in disclosing the code. ProPublica has obtained the source code, known as the Forensic Statistical Tool, or FST, and published it on GitHub; two newly unredacted defense expert affidavits are also available. "Everybody who has been the subject of an FST report now gets to find out to what extent that was inaccurate," said Christopher Flood, a defense lawyer who has sought access to the code for several years. "And I mean everybody - whether they pleaded guilty before trial, or whether it was presented to a jury, or whether their case was dismissed. Everybody has a right to know, and the public has a right to know." Caproni's ruling comes amid increased complaints by scientists and lawyers that flaws in the now-discontinued software program may have sent innocent people to prison. Similar legal fights for access to proprietary DNA analysis software are ongoing elsewhere in the U.S. At the same time, New York City policymakers are pushing for transparency for all of the city's decision-making algorithms, from pre-trial risk assessments, to predictive policing systems, to methods of assigning students to high schools. top

Casetext now automatically 'pushes' legal research to attorneys (Bob Ambrogi, 23 Oct 2017) - The legal research company Casetext has introduced a feature that monitors an attorney's litigation dockets for briefs and memoranda from opposing counsel and then automatically delivers a report of case law that is relevant but not included in the document. The feature uses Casetext's legal research assistant CARA, an analytical tool that automatically finds cases that are relevant to a legal document but not cited in the document. The standard way to use CARA is for an attorney who has received a brief, memorandum or other legal document to upload it to CARA, and CARA then performs its analysis and generates a list of relevant cases that are not mentioned in the document. With this new feature, which Casetext is calling CARA Notifications, Casetext monitors all the PACER dockets in which an attorney has active matters. Whenever opposing counsel files a substantive document such as a brief or memorandum, Casetext retrieves the document, runs it through CARA, and delivers the report to the attorney. "Traditionally in legal research, an attorney gets a brief and then seeks out case law to oppose the brief," Pablo Arredondo, chief legal research officer at Casetext, explained. "The closest thing there has been to push notification is that some research services let you track a case or track a search. What we're doing now - and I believe we're the first - is pushing the caselaw to oppose the brief automatically based on monitoring the dockets." Seven firms have been using this feature on a pilot basis since Oct. 1, including Quinn Emanuel Urquhart & Sullivan, Ogletree Deakins, and Fenwick & West. The feature is being provided to them as part of their standard subscription, at no extra cost. Casetext analyzes the text of docket entries and documents to determine which are substantive and which are not, so that it does not run routine filings through the analysis.
It only analyzes documents filed by opposing sides in the case, so the attorney's own filings are not automatically analyzed. (Of course, subscribers can always run their documents through CARA before they file them.) One early user called the service "anticipatory knowledge retrieval," Arredondo said. top

MIT issues diplomas using the Bitcoin blockchain (Cryptocoins News, 23 Oct 2017) - The Massachusetts Institute of Technology (MIT) has begun a pilot program to test the benefits and challenges of using the bitcoin blockchain to issue diplomas. As MIT News reports, the pilot program began this summer and provided 111 MIT graduates with the option to receive their diplomas through a blockchain-reliant smartphone app called Blockcerts Wallet, in addition to the traditional hard-copy format. The Blockcerts app, which was developed by the MIT Media Lab in collaboration with Cambridge software company Learning Machine, generates a public-private key pair after a student downloads it and registers for the program. The app then sends the public key to MIT, which writes it into the digital diploma record and anchors a one-way hash of that record on the bitcoin blockchain; the diploma itself is never published on the chain, only its hash. The app stores the user's private key, enabling him or her to prove ownership of the diploma. The school says this "empower[s] students to be the curators of their own credentials." top
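The story above describes the mechanism in one sentence; the following added example, written for this newsletter and not code from MIT, Learning Machine or the Blockcerts project, walks the two checks a relying party actually performs. The credential fields, the in-memory "anchor" standing in for the bitcoin blockchain, and the Ed25519 signature scheme are all assumptions made for illustration (the real Blockcerts schema and key types are not described in the story). The issuer writes the holder's public key into the record and anchors a SHA-256 hash of it; a verifier recomputes the hash to detect a tampered record, then asks the holder to sign a fresh nonce with the private key kept in the wallet app to prove the record is theirs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a constructed stand-in for a Blockcerts-style diploma record.
// The field names are assumptions, not the real Blockcerts schema.
type Credential struct {
	Issuer       string `json:"issuer"`
	Recipient    string `json:"recipient"`
	RecipientKey string `json:"recipientKey"` // hex of the holder's Ed25519 public key
	Degree       string `json:"degree"`
	Issued       string `json:"issued"`
}

// Anchor stands in for the bitcoin blockchain: it holds only one-way hashes,
// never the credentials themselves, so anchoring reveals nothing about a diploma.
type Anchor map[string]bool

// Canonical serialises the record deterministically; encoding/json emits struct
// fields in declaration order, so the same record always hashes the same way.
func Canonical(c Credential) []byte {
	b, _ := json.Marshal(c) // cannot fail for a struct of strings
	return b
}

// Digest is the one-way hash that gets anchored.
func Digest(c Credential) string {
	sum := sha256.Sum256(Canonical(c))
	return hex.EncodeToString(sum[:])
}

// Issue is the school's step: the holder's public key is already inside the
// record, and the record's hash is written to the anchor.
func Issue(anchor Anchor, c Credential) string {
	d := Digest(c)
	anchor[d] = true
	return d
}

// VerifyRecord is the relying party's first check: recompute the hash of the
// record it was handed and confirm that exact hash was anchored. Any change
// to any field produces a different hash and fails this check.
func VerifyRecord(anchor Anchor, c Credential) bool {
	return anchor[Digest(c)]
}

// ProveOwnership is the wallet's step: sign a verifier-chosen nonce with the
// private key that never left the app.
func ProveOwnership(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// VerifyOwnership is the second check: the signature must verify under the
// public key embedded in the (already hash-verified) record.
func VerifyOwnership(c Credential, nonce, sig []byte) error {
	pub, err := hex.DecodeString(c.RecipientKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed recipient key in record")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), nonce, sig) {
		return errors.New("signature does not verify under the key in the record")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the wallet's key pair
	anchor := Anchor{}
	c := Credential{Issuer: "MIT", Recipient: "A. Student", // constructed sample
		RecipientKey: hex.EncodeToString(pub), Degree: "S.B.", Issued: "2017-06-09"}
	fmt.Println("anchored:", Issue(anchor, c))

	tampered := c
	tampered.Degree = "Ph.D."
	fmt.Println("genuine verifies:", VerifyRecord(anchor, c))
	fmt.Println("tampered verifies:", VerifyRecord(anchor, tampered))

	nonce := []byte("verifier-chosen-nonce-2017-11-18") // must be fresh per challenge
	fmt.Println("ownership:", VerifyOwnership(c, nonce, ProveOwnership(priv, nonce)))
}
```

Two points the story does not spell out. First, the hash check and the ownership check are separate: a record that hashes correctly but whose holder cannot sign the nonce is someone else's diploma, and a holder who can sign but whose record does not match the anchor is presenting an altered one. Second, the nonce must be chosen by the verifier and never reused, otherwise a captured signature can be replayed; and the scheme only shows that whoever holds the phone controls the key named in the record, so binding that key to a person still depends on the issuer's registration step.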

Decision reversed: Mistake using file sharing site didn't waive privilege (Ride the Lightning, 24 Oct 2017) - A case I wrote a post about in March of 2017 has now been reversed - to the relief of many lawyers, I'm sure. As Bloomberg BNA reported (sub. req.), the decision by a state magistrate judge in Harleysville Ins. Co. v. Holding Funeral Home, Inc. was reversed by a federal judge in Virginia on October 2nd. Thanks to Dave Ries for letting me know. The decision basically says that inadvertent disclosure of confidential materials through an error in using a file-sharing site didn't waive a plaintiff's attorney-client privilege and work product protection for those materials. The judge also found that defense counsel acted unethically by using the protected materials without notifying plaintiff's counsel and seeking a court ruling on the waiver issue. The case represents a reminder that lawyers generally aren't free to secretly exploit inadvertently disclosed materials even if they believe the disclosure waived any privilege claim. * * * top

DIFFERENT

Tenure-track Faculty Positions (MIT, 17 Oct 2017) - Tenure track faculty position; Program in Media Arts and Sciences/Media Lab: The MIT Media Lab seeks a new kind of early career faculty member, not defined by discipline, rather by his or her unique and iconoclastic experience, style and points of view. You can be a designer, inventor, scientist, scholar or other - any combination - as long as you make things that matter. Impact is key. This means somebody with at least these three sets of characteristics: (1) being deeply versed in a minimum of two fields, preferably not ones normally juxtaposed; (2) being an orthogonal and counter-intuitive thinker, even a misfit within normal structures; (3) having an adventurous personality, boundless optimism, and desire to change the world. Any disciplines apply as long as their confluence shows promise of solving big, hard and long-term problems. And, most importantly, candidates must explain why their work really can only be done at the Media Lab. We prefer candidates not be similar to our existing faculty. We welcome applicants who have never considered academic careers. Successful candidates will: establish and lead their own research group within the Media Lab; engage in collaborative projects with industrial sponsors and other Media Lab research groups; actively contribute to shaping the open and creative culture that defines our community; supervise masters and doctoral students; and participate in the Media Arts and Sciences academic program. Appointments will be within the Media Arts and Sciences academic program, principally at the Assistant Professor level. A doctorate is not necessary, but evidence of extreme creativity is. * * * [ Polley : I'd guess that every MIRLN reader wants this job. Pass it along.] top

RESOURCES

A tool to get your copyrights back (Lawrence Lessig, October 2017) - I was incredibly happy to read that Creative Commons and the Authors Alliance have released a tool (cool URL: rightsback.org) to enable authors to recover the rights they had transferred to someone else. This was a project started a decade ago. It was hard then. I am very proud they have delivered it now. Copyright is an incredibly interesting law of property, chock through with weird exceptions and protections. One of those protections is that a creator can get a second chance with his or her copyright. If you created something, and then transferred your copyright to someone else, even though the transfer might say "this is forever …" you have the right to get it back. But (surprise! surprise!) it turns out it is INCREDIBLY difficult to exercise that right properly. And many creators find it just way too difficult (read: expensive) to exercise the right. The tool that CC/AA have created tries to make it as simple as possible. The tool walks you through the steps necessary to determine whether you have a right, and when you need to file. The tool doesn't do the transfer, but it does help you see whether you are entitled, and if you are, it simplifies the process of making that happen. The purpose of copyright law is to help creators. You wouldn't know that by looking at the way the law actually works. But where the law clearly benefits creators, we should do whatever we can to support it. top

ABA Committee on Law and National Security launches national security podcast (ABA, 23 Oct 2017) - The ABA Committee on Law and National Security has created a new podcast called National Security Law Today. Hosted by committee members and staff, the podcast features legal experts discussing hot topics and current issues in the world of national security, as well as career advice for those looking to break into the field of national security law. Listeners will learn about the specific impact that national security law has on the legal, economic and business world outside the government. The theme for the first year is national security in private practice, focusing on laws and regulations that impact practitioners and their clients. Topics include State Department and Treasury Department sanctions, the Committee on Foreign Investment in the United States, the Foreign Agents Registration Act, export regulations, security clearances and litigation, international tribunals and prosecuting terrorist acts. New episodes air every other Thursday, and each one is approximately a half-hour long. The show is available online on the podcast website and you can find it for streaming or subscribing on iTunes, Stitcher, Soundcloud and TuneIn. Upcoming guests include: * * * top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Judge: Man can't be forced to divulge encryption passphrase (CNET, 14 Dec 2007) - A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase. U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination. Niedermeier tossed out a grand jury's subpoena that directed Sebastien Boucher to provide "any passwords" used with his Alienware laptop. "Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him," the judge wrote in an order dated November 29 that went unnoticed until this week. "Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop." Especially if this ruling is appealed, U.S. v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled "Compelled Production of Plaintext and Keys.") This debate has been one of analogy and metaphor. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings. Orin Kerr, a former Justice Department prosecutor who's now a law professor at George Washington University, shares this view. 
Kerr acknowledges that it's a tough call, but says, "I tend to think Judge Niedermeier was wrong given the specific facts of this case." top

E-mail from the grave? Microsoft seeks patent on 'immortal computing' (Seattle PI, 22 Jan 2007) -- In this culture of instant information, some Microsoft Corp. researchers are pursuing a radical notion -- the concept of saving messages for delivery in decades, centuries or more. The project, dubbed "immortal computing," would let people store digital information in physical artifacts and other forms to be preserved and revealed to future generations, and maybe even to future civilizations. After all, when looking that far in the future, you never know who the end users might be. One scenario the researchers envision: People could store messages to descendants, information about their lives or interactive holograms of themselves for access by visitors at their tombstones or urns. And here's where the notion of immortality really kicks in: The researchers say the artifacts could be symbolic representations of people, reflecting elements of their personalities. The systems might be set up to take action -- e-mailing birthday greetings to people identified as grandchildren, for example. The previously undisclosed project came to light through a newly surfaced patent application in which the researchers explain some of the concepts they're exploring. The project seeks to address the fact that large amounts of valuable information are stored on media with limited life spans, in formats that could be rendered obsolete. Consider how quickly floppy disks disappeared. But the researchers aren't just thinking about the informational legacies of individuals. "Maybe we should start thinking as a civilization about creating our Rosetta stones now, along with lots of information, even going beyond personal memories into civilization memories," said Eric Horvitz, a Microsoft principal researcher who also is working on the project. top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top