MIRLN --- 18 Dec - 7 Jan 2017 (v20.01) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)
This begins MIRLN’s 20th year!
NEWS | RESOURCES | LOOKING BACK | NOTES
- Obama: Espionage is being ‘turbocharged’ by the internet
- Guidance issued on determining if companies need a Data Protection Officer under GDPR
- A lack of Yakking
- How good is law firm security? This report may surprise you
- 3 men made millions by hacking merger lawyers, US says
- Law firms subject to same cyber risk as others, but is compliance required?
- Court documents for law firm lax security case
- Big banks are stocking up on blockchain patents
- Is Distance Ed rule DOA?
- GE creates ‘Yelp for Lawyers’ to assess outside law firms
- NIST introduces comprehensive cyber incident recovery guide
- Corporate boards aren’t prepared for cyberattacks
- New cybersecurity guidelines for medical devices tackle evolving threats
- Another state adopts duty of technology competence; makes it 26
- New York eases proposed cyber regulations after industry complaints
- New French law bars work email after hours
- US Treasury makes standalone cyber insurance policies more valuable
- MN Bar returns to Fastcase, six months after switching to Casemaker
- A warning about Tallinn 2.0 … whatever it says
- California law makes ransomware use illegal
- Ten worst Section 230 rulings of 2016 (plus the five best)
- Massachusetts makes data breach records public online
Obama: Espionage is being ‘turbocharged’ by the internet (NPR, 16 Dec 2016) - The world is entering a new cyber era — one with no ground rules, and with the potential for traditional espionage to be “turbocharged” by the Internet, President Obama told NPR in an exclusive interview. “Among the big powers, there has been a traditional understanding of, that everybody is trying to gather intelligence on everybody else,” Obama told Morning Edition ’s Steve Inskeep in a wide-ranging interview on Thursday. “It’s no secret that Russian intelligence officers, or Chinese, or for that matter Israeli or British or other intelligence agencies, their job is to get insight into the workings of other countries that they’re not reading in the newspapers every day.” The informal, unwritten rules of the past are no longer adequate, the president added. “One of the things that we’re going to have to do over the next decade is to ultimately arrive at some rules of what is a new game,” he said. “And that is the way in which traditional propaganda and traditional covert influence efforts are being turbocharged by the Internet.” The president suggested the U.S. is more vulnerable than other nations because the American economy is both bigger and more highly digitized than those of other countries.
Guidance issued on determining if companies need a Data Protection Officer under GDPR (Winston & Strawn, 19 Dec 2016) - The new data privacy regulation (the GDPR) requires some companies to have a data protection officer. Many companies will need a DPO if they have core activities that require regular and systematic monitoring of individuals on a large scale. Article 37(1)(b). The effective date of the regulations is May 2018. There has been confusion about which companies need such a role. In response, the Article 29 Working Party recently issued a guidance. It gives some clarification for these three concepts: (1) core activities requiring monitoring, (2) regular and systematic monitoring, and (3) large scale. The Working Party expects that companies will document how they determined if they needed a DPO. As companies think about the DPO role, it is helpful to look at how the Working Party thinks about these three concepts. Core activities, the guidance indicates, are those that are key to achieving a company’s goals. Examples given are processing of patient data by a hospital, or the surveillance a private security company might carry out of a shopping center. Routine processing, like HR-related processing, is not a core activity. Examples given of regular and systematic monitoring include “all forms of tracking and profiling on the internet,” as well as email retargeting, location tracking (by mobile apps, for example), loyalty programs, and monitoring fitness data by a wearable device, among others. Finally, with respect to large scale, the Working Party indicates that standards to define this will likely develop over time. For now, examples given include processing geo-location data of customers for statistical purposes related to the company’s services (in the example given, a fast food chain restaurant) and processing of customer data in the “regular course of business” by a bank or insurance company.
The guidance also gives direction on the DPO’s role and responsibilities, reminds companies that DPOs do not have the ultimate compliance obligation under GDPR (that responsibility falls on the controller or processor), and notes that even if a company concludes that it does not need a DPO, it may find it “useful” to voluntarily designate someone to that role.
A lack of Yakking (InsideHigherEd, 19 Dec 2016) - Remember Yik Yak? The app was the scourge of the college campus just last year, with anonymous harassment posted to its local discussion boards causing arrests, demonstrations, sit-ins and more. Administrators grappled with how to respond -- some moved to ban the app or restrict students’ access to it, but those actions drew criticism from civil liberties and free speech groups. Now the app appears to be going the way of Google+, MySpace and Vine. Once a staple on smartphone app store top downloads charts, Yik Yak has this year fallen out of the top several hundred most popular. Students appear to have moved to other platforms -- Snapchat, for example, which is showing impressive reach among 18- to 34-year-olds (as well as all-important appeal to advertisers). As a business, Yik Yak’s momentum is also slowing down. The Verge reported last week that the company, which has raised $73.5 million and was once valued at between $300-400 million, has fired about 60 percent of its employees, shrinking its office from about 50 to 20 people. Some social media experts point to Yik Yak’s shift away from anonymity as one reason why the app is no longer as popular as it once was. Last year, Yik Yak introduced user names -- first optional, later mandatory -- and began highlighting nearby users. The changes were controversial among users, and by that November, the company reversed its course. But more recent changes to the app, such as phone number verification, have continued to trend away from anonymity. “When Yik Yak moved away from anonymity, they took away the most important feature of the app,” said Eric Stoller, a higher education consultant (and Inside Higher Ed blogger) who frequently writes about social media. “Why use Yik Yak when you can use other platforms that have user profiles? Yik Yak was always about user location and anonymity.”
How good is law firm security? This report may surprise you (Ride the Lightning, 20 Dec 2016) - As DarkReading recently reported, there is good news about law firm security: The legal sector scored second-best in the latest security ratings report by BitSight, just ahead of retail, and behind the formidable financial industry. It’s hard to surprise me, but this report did. As much as I’ve seen greater attention to cybersecurity by law firms over the past several years, I’ve also seen a lot of data breaches, some public and some not. Since BitSight uses publicly disclosed breaches to benchmark security, it may be that there are a lot of law firm data breaches that have not been publicly disclosed. It is probably also true, since BitSight analyzed 1,269 legal entities, that it did not include a lot of solo and small firms. The bad news: More than half of law firms are vulnerable to a known attack called DROWN that breaks encryption and exposes communication and information in Web and e-mail servers and VPNs, and a large percentage of law firms scored low security-wise. BitSight provides a credit-score type security rating system for various industries. On a 250 (lowest) to 900 (highest) security rating scale, finance scored 703; legal, 687; retail, 685; healthcare, 668; energy/utilities, 667; and government, 657. Legal actually dropped two points from last year’s rating of 690. 70% of law firms surveyed in the recent Law Firm Cybersecurity Report by ALM Intelligence said they are under pressure from their clients to beef up internal data security, but only about half conduct regular “fire drills” for incident response. The report said firms were confident in their ability to thwart attacks. Um, that’s not what they tell us. But it does make for good PR. “Many firms’ confidence in their own cyberattack preparedness seems misguided. Our research indicates that most remain surprisingly unprepared for the threat,” said Daniella Isaacson, co-author of the report and ALM Intelligence senior legal analyst. “For example, many never test their cybersecurity protocols. This means that on the day of a breach, those firms are using an unproven response plan.”
- but -
3 men made millions by hacking merger lawyers, US says (NYT, 27 Dec 2016) - Law firms that advise on mergers once had to worry about a rogue employee trading on deal tips. Now, they have to worry about hackers doing the same. Federal prosecutors in Manhattan have charged three Chinese citizens with making more than $4 million by trading on information they got by hacking into some of the top merger-advising law firms in New York. The three men targeted at least seven New York law firms to try to obtain information about deals in the works, according to an indictment unsealed on Tuesday. The men were successful in hacking two firms, stealing emails of partners who work on mergers, prosecutors said. The three then bought shares of target companies, selling them after the deals were announced, prosecutors said. Hackers’ ability to breach the defenses of big law firms in search of confidential information about corporate clients — including tips about coming mergers and acquisitions — has long been a concern of federal authorities. Most major law firms have played down the threat posed by hackers and have been reluctant to discuss breaches or even attempted breaches. “This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world,” Preet Bharara, the United States attorney in Manhattan, said in a statement. “You are and will be targets of cyberhacking because you have information valuable to would-be criminals.” [Polley: see also Law firm hacks traced back to Bay Area transactions (SF Gate, 27 Dec 2016)]
- and -
Law firms subject to same cyber risk as others, but is compliance required? (CSO Online, 4 Jan 2017) - This is an article I have been meaning to write ever since we performed an IT audit for a large law firm a year or so ago. The firm was responding to the HIPAA law that requires all third-party vendors working with healthcare organizations to have a Risk Assessment. This further proves my point that most businesses won’t do much in the area of cyber security or compliance, not even an IT risk assessment unless required by law. Let’s look at some specifics about the legal sector: ALM Legal Intelligence has reported the following facts on the legal sector. * * * [Polley: pretty interesting.]
- and -
Court documents for law firm lax security case (Ride the Lightning, 5 Jan 2017) - On December 12th, I posted about the lawsuit filed by Edelson PC against Chicago’s Johnson & Bell law firm alleging that lax security put client data at risk. No breach was alleged and it was acknowledged that security vulnerabilities had been fixed. The lawsuit has moved into a confidential arbitration and it is likely that we will never learn the outcome. But the court documents are available for review – hat tip to colleague Lance Johnson – and I have posted them here. According to the complaint, “Johnson & Bell has injured its clients by charging and collecting market-rate attorneys’ fees without providing industry standard protections for client confidentiality.” That is really the heart of the argument and I am still dubious that such suits will succeed where no breach or damage can be shown, especially where the law firm took steps to remediate the insecurities when they became known. Nonetheless, happy reading and see what you think of Edelson’s arguments.
Big banks are stocking up on blockchain patents (Bloomberg, 21 Dec 2016) - In the headlong rush to revolutionize modern finance, blockchain enthusiasts are overlooking one potentially costly problem: their applications, built on open-source code, may actually belong to someone else. Recently, some of the biggest names in business, from Goldman Sachs to Bank of America and Mastercard, have quietly patented some of the most promising blockchain technologies for themselves. Through mid-November, the number of patents that companies have obtained or said they’ve applied for has roughly doubled since the start of the year, according to law firm Reed Smith. As the blockchain -- essentially a shared, cryptographically secure ledger of transactions -- evolves beyond its techno-utopian roots and startups like Chain and Hyperledger open their source code to the public, the risk is growing that patents will turn into powerful weapons in protracted lawsuits over intellectual property, especially in the hands of trolls trying to cash in on the technology’s skyrocketing rise. Increasingly, experts warn established firms will use them to assert exclusive rights over the work of blockchain’s pioneers. “Open-source code -- that doesn’t necessarily restrict the ability to patent the underlying innovation,” said Patrick Murck, a long-time blockchain legal expert who joined Cooley LLP last month. “Anybody who’s investing in the ecosystem, anybody who’s interested in the technology should be worried about this.”
Is distance ed rule DOA? (InsideHigherEd, 21 Dec 2016) - The U.S. Department of Education, with a month to go until the transition of power, has finalized a rule that clarifies how colleges become authorized to offer online programs to students in other states -- an effort in the works since the first years of the Obama administration. But the rule is by all indications dead on arrival. The final rule, released on Dec. 16, requires colleges that offer online education programs to follow each state’s authorization process -- which often involves filling out an application and paying a fee to a local higher education agency -- and clarifies disclosure and student complaint procedures. It also recognizes that states can participate in reciprocity agreements. The rule-making process has been one of fits and starts, complete with court cases, delays and failed negotiations -- and then a surprise last-ditch effort this summer. After collecting input on a draft this fall, the Education Department published the final rule in the Federal Register on Monday. Yet the rule may never go into effect. The Trump administration will have plenty of time to set its own regulatory agenda, given that the rule’s effective date isn’t until July 1, 2018.
GE creates ‘Yelp for Lawyers’ to assess outside law firms (Bloomberg, 21 Dec 2016) - General Electric has developed what it’s calling a Yelp for lawyers. An internal website is now available to its approximately 800 in-house lawyers, through which they can search “preferred providers” of outside counsel and learn about their track record with the company. Titled GE Select Connect, more than 200 of the company’s outside law firms maintain profiles (à la Facebook) that feature firm information, including feedback the outside firms have received from GE lawyers, the firm’s diversity staffing levels, hourly rates, along with discounts the company has previously achieved. The internal site will give GE lawyers a better handle on discounts they can negotiate with outside law firms, easy access to firms’ strengths and weaknesses, as well as phone numbers and emails for primary contacts, said Dan Hendy, associate general counsel at GE, who oversaw the creation of the tool. “It’s a good way to collaborate,” said Hendy, who noted that the law firms listed on the site are only GE’s preferred providers, “a little more than” 200 firms which have signed an agreement stipulating negotiated rates and possibly other benefits over a certain period of time. “It makes being a preferred provider at GE more meaningful,” said Hendy, who framed the website as “a great marketing platform” for outside firms, since preferred law firms can update their profiles with information and news about firm initiatives and matters they’re handling. So far, Hendy said that the use cases are fairly simple and it certainly isn’t being used to select counsel for bet-the-company litigation or blockbuster M&A. He estimated that as much as 80 percent of GE’s 800 lawyers have the ability to hire outside counsel directly. [Polley: At Schlumberger, we mostly did this in 1999; then, we couldn’t get outside counsel interested.]
NIST introduces comprehensive cyber incident recovery guide (Federal Times, 23 Dec 2016) - Noting an overall rise in cybersecurity incidents and inconsistent response capabilities across the federal government, the National Institute of Standards and Technology has published the “Guide for Cybersecurity Event Recovery” to assist agencies in developing plans, processes and procedures to fully restore a weakened system. “It’s no longer if you are going to have a cybersecurity event, it is when,” said computer scientist Murugiah Souppaya, one of the guide’s authors. According to the Cybersecurity Strategy and Information Plan, published by the Office of Management and Budget, recovery could involve a simple data backup or a far more complicated process of bringing a system back online in stages. The NIST guide addresses this critical facet of risk management by consolidating existing guidance on incident handling and contingency planning, while offering a framework for organizations needing to create strategic playbooks for data breaches, ransomware and other cybersecurity incidents. “To be successful, each organization needs to develop its own plan and playbooks in advance,” said Souppaya. “Then they should run the plays with tabletop exercises, work within their team to understand its level of preparation and repeat.” The NIST guide can be viewed in its entirety on the NIST website.
Corporate boards aren’t prepared for cyberattacks (Computerworld, 26 Dec 2016) - Major cyberattacks against organizations of all sizes seem to happen almost weekly. On Dec. 14, Yahoo announced the largest-ever data breach, involving more than 1 billion customer accounts. Despite the scale and potential harm from such attacks, there’s wide recognition that corporate leaders, especially boards of directors, aren’t taking the necessary actions to defend their companies against such attacks. It’s not just a problem of finding the right cyber-defense tools and services, but also one of management awareness and security acumen at the highest level, namely corporate boards. * * * [W]orries seem to have reached some quarters of the corporate governance community. The National Association of Corporate Directors (NACD) recently released a survey of more than 600 corporate board directors and professionals that found only 19% believe their boards have a high level of understanding of cybersecurity risks. That’s an improvement from 11% in a similar poll conducted a year earlier. The survey also found that 59% of respondents find it challenging to oversee cyber risk. The nonprofit NACD, which has 17,000 members, is working with security awareness firm Ridge Global and Carnegie Mellon University to create a Cyber-Risk Oversight program to educate corporate directors about the systemic risks of cyberattacks.
New cybersecurity guidelines for medical devices tackle evolving threats (The Verge, 27 Dec 2016) - Today, the US Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of internet-connected devices, even after they’ve entered hospitals, patient homes, or patient bodies. Unsecured devices can allow hackers to tamper with how much medication is delivered by the device — with potentially deadly results. First issued in draft form last January, this guidance is more than a year in the making. The 30-page document encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur. But the recommendations are not legally enforceable — so they’re largely without teeth. The FDA has been warning the health care industry for years that medical devices are vulnerable to cyberattacks. It’s a legitimate concern: researchers have managed to remotely tamper with devices like defibrillators, pacemakers, and insulin pumps. In 2015, FDA warned hospitals that the Hospira infusion pump, which slowly releases nutrients and medications into a patient’s body, could be accessed and controlled through the hospital’s network. * * * The FDA issued an earlier set of recommendations in October 2014, which recommended ways for manufacturers to build cybersecurity protections into medical devices as they’re being designed and developed. Today’s guidance focuses on how to maintain medical device cybersecurity after devices have left the factory. The guidelines lay out steps for recognizing and addressing ongoing vulnerabilities. And they recommend that manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur.
Another state adopts duty of technology competence; makes it 26 (Bob Ambrogi, 28 Dec 2016) - As this blog continues to follow the states that adopt the duty of technology competence for lawyers, there is another to add: Colorado. That brings to 26 the number of states that have adopted some version of Comment 8 to ABA Model Rule 1.1. Colorado’s version of Comment 8, which was adopted and became effective on April 6, 2016, differs from the Model Rule. Colorado’s version says: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, and changes in communications and other relevant technologies, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject. See Comments [18] and [19] to Rule 1.6.” (Emphasis added.) The ABA version says: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.” (Emphasis added.) Note that the Colorado version cross-references Comments 18 and 19 to Rule 1.6. That rule pertains to confidentiality of client information. The comments advise that lawyers must “make reasonable efforts” to safeguard client information “against unauthorized access by third parties and against inadvertent or unauthorized disclosure.”
New York eases proposed cyber regulations after industry complaints (Reuters, 28 Dec 2016) - New York state’s financial regulator on Wednesday issued a revised proposal for the nation’s first cyber security rules for banks and insurers, loosening some security requirements and delaying implementation by two months to March 1. The rules from the New York State Department of Financial Services are being closely watched because they lay out unprecedented requirements on steps that financial firms must take to protect their networks and customer data from hackers and disclose cyber events to state regulators. “Many organizations are going to have a lot of work to do to come into compliance with these revised regulations,” said Jed Davis, a partner with law firm Day Pitney and former U.S. federal cyber crimes prosecutor. The state revised the rules in response to more than 150 comments on its initial proposed regulations. The New York Insurance Association in one letter called the regulation “too much of a ‘one size fits all’ rule” that was overly specific and too broad. A New York Bankers Association letter warned of unintended consequences that would “hamper efforts to protect the public and may defy its purpose of preventing cyber attacks.” The revised regulations include easing some timelines and requirements, including standards for encrypting data and authenticating access to networks. They also provide more time for compliance, expanding the transition from six months to as long as two years.
New French law bars work email after hours (Fortune, 1 Jan 2017) - A new French law establishing workers’ “right to disconnect” goes into effect today. The law requires companies with more than 50 employees to establish hours when staff should not send or answer emails. The goals of the law include making sure employees are fairly paid for work, and preventing burnout by protecting private time. French legislator Benoit Hamon, speaking to the BBC, described the law as an answer to the travails of employees who “leave the office, but they do not leave their work. They remain attached by a kind of electronic leash—like a dog.” While the measure may seem like a boon to workers, it was reportedly the most broadly supported measure of a comprehensive labor package passed in May. The package as a whole was primarily oriented to liberalizing France’s job market, including by making it easier to fire workers, and sparked widespread protests. The email restrictions could provide a benefit to both workers and businesses, by making employees more relaxed and effective. As NPR points out, academic studies have found that workplace email is a significant source of stress. A group of Stanford business professors have estimated that workplace stress added between $125 billion and $190 billion per year to America’s healthcare costs, amounting to between 5 and 8% of total costs. Overwork accounted for $48 billion of that. Those healthcare costs are largely borne by employers, along with the drag of irritable or absent employees worn down by the colonization of their private lives.
US Treasury makes standalone cyber insurance policies more valuable (Aon, 3 Jan 2017) - The United States Department of the Treasury issued a “Notice of Guidance” December 27, 2016, which clarifies that stand-alone “Cyber Liability” insurance policies are included under the Terrorism Risk Insurance Act of 2002, as amended (“TRIA”). TRIA requires insurers to “make available” terrorism risk insurance for commercial property and casualty losses resulting from certified acts of terrorism (insured losses), and provides for shared public and private compensation for such insured losses. Effective April 1, 2017, and consistent with TRIA and the TRIA program regulations, an insurer must provide disclosures and offers that comply with TRIA and the program regulations on any new or renewal policies reported as standalone Cyber Liability insurance. * * *
MN Bar returns to Fastcase, six months after switching to Casemaker (Bob Ambrogi, 3 Jan 2017) - In their ongoing competition to win over bar associations as the legal-research member benefit, Fastcase is starting 2017 with an unprecedented victory over Casemaker. Just six months after the Minnesota State Bar Association left Fastcase and switched to Casemaker, it is going back to Fastcase in response to demand by its members. “Our members offered a clear preference for Fastcase,” Gerry Ford, MSBA membership director, told me in an email. “Their most common theme was ease of use. MSBA members find Fastcase to be more user-friendly and its interface to be more intuitive.” I have reported here on other bars switching from Casemaker to Fastcase — such as my own state’s bar in December 2015. But when the MSBA switched last July after having been with Fastcase since 2007, it was the first bar to go from Fastcase to Casemaker. Now, as it switches back just six months later, I can think of no precedent for such a rapid turnabout.
A warning about Tallinn 2.0 … whatever it says (Lawfare, 4 Jan 2017) - The Tallinn Manual on the International Law Applicable to Cyber Warfare is the most comprehensive and thoughtful work to date on the applicability of existing international law to cyber warfare. It is routinely referenced and relied upon by civilian and military practitioners across the globe and—if it has not already done so—it may very well achieve the authors’ objective of joining the ranks of the San Remo Manual on International Law Applicable to Armed Conflicts at Sea and the Manual on International Law Applicable to Air and Missile Warfare as one of the authoritative (albeit non-binding) manuals detailing the manner in which international law applies to particular forms of warfare. No doubt the soon-to-be-released Tallinn 2.0 will prove to be equally well received. And that is precisely the problem. Despite the benefits of the Tallinn Manual—a proffer of increased certainty for States that international law does apply to cyber activities; a framework that adopts and applies international legal norms; the general utility of a ready reference for government officials, operators, and legal advisers; and the recording of a group of experts’ opinions that can be scrutinized by others in ways that might help to develop long-term legal consensus—the Tallinn Manual presents two dangers that we should hope Tallinn 2.0 avoids.
California law makes ransomware use illegal (On the Wire, 4 Jan 2017) - It was nice to see the calendar turn over to 2017, for a lot of reasons, not the least of which is that on Jan. 1 a new law went into effect in California that outlaws the use of ransomware. The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, but ransomware is a case of criminals outflanking the existing laws. Ransomware emerged in a big way a few years ago and the law enforcement community was not prepared for the explosion of infections. While there have been takedowns of ransomware gangs, they often involve charges of money laundering or other crimes, not the installation of the ransomware itself. In September, California Gov. Jerry Brown signed into law a bill that made the use of ransomware a crime, essentially a form of extortion. The law went into effect on Jan. 1. The new law in California makes the use of ransomware a felony that is punishable by up to four years in prison.
Ten worst Section 230 rulings of 2016 (plus the five best) (Eric Goldman, 4 Jan 2017) - 2016 was a tough year in many respects (check out the #Fuck2016 hashtag), including a swarm of adverse Section 230 rulings. Even in paradigms where the immunity still functions reasonably well, such as user comments on message boards or online marketplace operator liability, rulings this year provided plaintiffs/regulators with powerful tools to undermine the immunity. As bad as 2016 was, after we see the full effects of this year’s rulings, I think we’ll look back nostalgically at 2016 as Section 230’s high-water mark. How’s that for a “happy” new year? So rather than enumerate the 10 most important Section 230 rulings, I’ve cynically decided to just list out the 10 worst rulings this year. For those looking for a ray of optimism, the 5 best rulings are at the end of this post. * * *
Massachusetts makes data breach records public online (Infosecurity, 4 Jan 2016) - The state of Massachusetts has upped the ante on data breach transparency: The Office of Consumer Affairs and Business Regulation has decided to make reports of potential identity theft available to the public on its website. Previously, those reports could only be accessed by a public records request. State law requires that any organization that keeps personal information about a Massachusetts resident notify state officials, as well as affected customers, any time that information is compromised. This includes external hacking incidents, unintentional data leakage and insider mistakes, among other scenarios. It also includes incidents outside of the cyberworld—say, if a briefcase with papers is stolen or misplaced. Hundreds of data breaches affecting thousands of Massachusetts residents were reported to the state in 2016, and information on all of them is now available in a handy spreadsheet format that details how many residents were affected, what kind of information was lost, whether the organization in question provided credit monitoring, and more. Massachusetts has been out in front in cybersecurity, recently offering a $5 million grant that will be used to bolster cyber-research and the computing technology used by the University of Massachusetts.
RESOURCES
New Technology on the Block: Exploring the legal and regulatory implications of the blockchain (Harvard Law Today, Fall 2016) - * * * The blockchain raises fascinating legal questions, about both transactions and property, says Patrick Murck, a fellow at the Berkman Klein Center, who previously was co-founder of the Bitcoin Foundation (it paid him entirely in bitcoin, which worked fine until his kids started going to day care, he quipped). “Bitcoin is interesting not because it’s digital money but because it’s digital property,” says Murck, noting that bitcoins are actually tokens generated and validated by computer, and property rights can be tied to those tokens. While the blockchain is most closely associated with bitcoin—the two were released together in 2009—its use is not limited to currency. Music companies are experimenting with using it for tracking online transactions, and an open source group called Ethereum has built a blockchain-based platform for managing contracts that also includes a digital currency, or token, called Ether. What it doesn’t have is much of a legal framework. De Filippi and, separately, Murck convened a series of meetings over the last few years to address that. De Filippi’s initially involved mostly Boston-area participants from the Berkman Klein Center and the HLS community and MIT (for example: bit.ly/coalaworkshop), before she broadened the gatherings’ scope. Murck brought together members of the bitcoin community with financial companies, technology firms, lawyers and regulators for a series of meetings called Shared Ledgers Roundtables. All of the meetings were designed to explore the legal framework needed for the blockchain to work safely, and to prevent fraud. * * *
Basu on Copyright Law & the Drummer (MLPB, 5 Jan 2017) - Ronojoy Basu, University of Toronto, has published Copyright Law & The Drummer. Here is the abstract: Recent relevant judicial decisions in the US suggest that the question of subsistence of originality in drum beats remains a subject of debate. Unbeknownst to the non-musical world, this question continues to gather momentum and poses some rather interesting questions about the degree and threshold of creativity and the applicability of copyright law. This paper explores the copyright-ability of drum patterns, the position of US and Canadian laws on the subject and under what circumstances such beats may be accorded copyright protection.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Big sister Clinton (2.0) (New York Times, 19 March 2007) -- Wondering what this presidential campaign might look like in the world of “Web 2.0” social networking sites? We have our answer: The buzz-generating Internet ad featuring Senator Hillary Rodham Clinton as a scary Big Brother figure, conducting her presidential campaign “conversation” on a giant screen to drone-like humans. The ad, a near-copy of an Apple spot for Macintosh in 1984, has drawn more than 438,00 viewers on YouTube in the last two weeks (and been linked by hundreds of blogs), showing the potential reach of such guerrilla ad campaigns. It ends with a female athlete (who seems to be wearing an iPod) smashing the screen image of Mrs. Clinton’s face with a hammer. Then these words appear — “On January 14th the Democratic primary will begin. And you’ll see why 2008 isn’t going to be like ‘1984’” — followed by the closing text, BarackObama.com. Mr. Obama’s camp has disavowed responsibility for the ad, although there are links to it on community pages on Mr. Obama’s Web site. (And, it was apparently mashed by a 59-year-old with the YouTube username ParkRidge47; Mrs. Clinton was born in 1947 and grew up in Park Ridge, Ill., by the way.) A spokesman for Mrs. Clinton had no comment. YouTube clip at http://www.youtube.com/watch?v=6h3G-lMZxjo; creator unmasked: http://www.newsday.com/news/nationworld/nation/ny-usdems225139825mar22,0,1775351.story?coll=ny-uspolitics-headlines
Missing e-mail may be related to prosecutors (New York Times, 13 April 2007) -- The White House said Thursday that missing e-mail messages sent on Republican Party accounts may include some relating to the firing of eight United States attorneys. The disclosure became a fresh political problem for the White House, as Democrats stepped up their inquiry into whether Karl Rove and other top aides to President Bush used the e-mail accounts maintained by the Republican National Committee to circumvent record-keeping requirements. It also exposed the dual electronic lives led by Mr. Rove and 21 other White House officials who maintain separate e-mail accounts for government business and work on political campaigns — and raised serious questions, in the eyes of Democrats, about whether political accounts were used to conduct official work without leaving a paper trail. The clash also seemed to push the White House and Democrats closer to a serious confrontation over executive privilege, with the White House counsel, Fred F. Fielding, asserting that the administration has control over countless other e-mail messages that the Republican National Committee has archived. Democrats are insisting that they are entitled to get the e-mail messages directly from the national committee. Representative Henry A. Waxman, the California Democrat who is chairman of a House committee looking into the use of political e-mail accounts, wrote a letter to the attorney general on Thursday saying he had “particular concerns about Karl Rove” after a briefing his aides received from Rob Kelner, a lawyer for the Republican National Committee. Mr. Rove uses several e-mail accounts, including one with the Republican National Committee, one with the White House and a private domain account that is registered to the political consulting company he once owned.
World faces “cyber cold war” threat (Reuters, 29 Nov 2007) - A “cyber cold war” waged over the world’s computers threatens to become one of the biggest threats to security in the next decade, according to a report published on Thursday. About 120 countries are developing ways to use the Internet as a weapon to target financial markets, government computer systems and utilities, Internet security company McAfee said in an annual report. Intelligence agencies already routinely test other states’ networks looking for weaknesses and their techniques are growing more sophisticated every year, it said. Governments must urgently shore up their defenses against industrial espionage and attacks on infrastructure. The report said China is at the forefront of the cyber war. It said China has been blamed for attacks in the United States, India and Germany. China has repeatedly denied such claims. The report was compiled with input from academics and officials from Britain’s Serious Organised Crime Agency, the U.S. Federal Bureau of Investigation and NATO. Cyber-attacks on private and government Web sites in Estonia in April and May this year were “just the tip of the iceberg,” the report warned. Estonia said thousands of sites were affected in attacks aimed at crippling infrastructure in a country heavily dependent on the Internet. The attacks appeared to have stemmed initially from Russia although the Kremlin denied any wrongdoing. “The complexity and coordination seen was new,” the report quoted an unnamed NATO source as saying. “There were a series of attacks with careful timing using different techniques and specific targets.” EU Information Society commissioner Viviane Reding said in June that what happened in Estonia was a wake-up call. NATO said “urgent work” was needed to improve defenses. The McAfee report predicted that future attacks would be even more sophisticated. “Attacks have progressed from initial curiosity probes to well-funded and well-organised operations for political, military, economic and technical espionage,” it said.
NOTES
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word “MIRLN” in the subject line. Unsubscribe by sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. Aon’s Technology & Professional Risks Newsletter
5. Crypto-Gram, http://www.schneier.com/crypto-gram.html
6. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/
7. The Benton Foundation’s Communications Headlines
8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html
9. Readers’ submissions, and the editor’s discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.