Saturday, May 16, 2015

MIRLN --- 26 April – 16 May 2015 (v18.07)

MIRLN --- 26 April - 16 May 2015 (v18.07) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | NOTED PODCASTS | RESOURCES | LOOKING BACK | NOTES

Addressing cyber attacks and data breaches in supplier contracts (Pillsbury, 17 April 2015) - Ten years ago, most "buyers/customers" expected their suppliers to absorb unlimited contractual liability if the supplier was responsible for a breach affecting the customer's data. Today, while customers may continue to insist upon such a position at the beginning of negotiations, they frequently expect that market-leading suppliers will ask for some sort of limit to the supplier's potential liability for data breaches. When customers are forced to negotiate a liability cap applicable to breaches of data (including PII and PHI), they usually insist that such liability cap be an amount that is greater than the "standard" limit of liability under the Agreement (i.e., greater than the standard financial cap applicable other contract breaches). In negotiating what that "higher cap" should be for data breaches, customers should not necessarily tie that higher cap to the total fees (or total annual fees) payable under the Agreement (for example, a liability cap for data breaches equal to 3 times the annual fees under the Agreement), unless those total fees (or total annual fees) will be so large that having a cap equal to a multiple of the contractual fees will provide adequate protection to the customer for a data breach. Instead, customers should focus on the question of "What is the potential amount of damages that I could suffer, if my supplier's actions (or inactions) lead to a data breach?" And the customer is, then, basing the higher liability cap for data breaches, on that potential damage amount. In other words, customers should insist that the higher financial cap for data breaches BE A DISCRETE AMOUNT OF MONEY (such as, for example, $5 million or $10 million or $50 million or $75 million). This should not impact the "standard" limit of liability for other breach of the agreement, which generally continues to be a multiple of the annual fees (such as 12 months' trailing fees, or 18 months or 24 months depending on the transaction). * * *

top

The FCC's $365 million man (National Journal, 26 April 2015) - There's a new sheriff in town at the Federal Communications Commission. And he's got corporations reaching for their checkbooks. In his first year on the job as chief of the FCC's Enforcement Bureau, Travis LeBlanc has issued some of the largest fines in the agency's history. AT&T agreed to pay $105 million for placing unwanted charges on consumers' phone bills. T-Mobile had to pay $90 million over similar allegations. Marriott Hotels paid $600,000 for blocking its customers' Wi-Fi hotspots. And CenturyLink and Verizon got fined $16 million and $3.4 million, respectively, for a software glitch that blocked 911 calls for six hours. In total, the FCC, working with other agencies, has collected more than $365 million in fines, settlements, and refunds for consumers since LeBlanc took office last March, according to a National Journal review of agency records. LeBlanc is a new kind of enforcement chief for the FCC. Previous heads of the bureau have usually been career FCC lawyers, with extensive experience in telecommunications issues in other parts of the agency. They were used to working closely with companies, often negotiating with them as the FCC crafted regulations. But LeBlanc is a prosecutor, who has little interest in playing nice. He has already helped the FCC earn a tougher reputation on enforcement, and his role will only grow under the agency's controversial net-neutrality rules, which will empower him to review complaints and launch investigations into a range of disputes over Internet access.

top

Boards are on high alert over security threats (CSO Online, 27 April 2015) - Fear of cyberattacks has corporate directors on edge. CIOs must paint a realistic view of the company's security posture and steer the conversation toward managing business risk. When Anthem revealed in early February that hackers had breached a database containing the personal information on 80 million of its customers and employees, the news hit a little too close to home for Gary Scholten, executive vice president and CIO of Principal Financial Group. His first order of business that day was to gather all the information he could to reassure his board of directors that the financial services provider did not have similar vulnerabilities. He contacted the industry's Financial Services Information Sharing and Analysis Center to get detailed intelligence on the exact nature of what Anthem publicly called a "very sophisticated external cyber attack" and was able to assure his board members that Principal's customer and employee data was not at risk from the type of attack launched against Anthem. Anthem is one of the nation's largest health insurers. Because of the size of its breach, the industry in which it occurred and the media attention it received, Scholten wanted to get ahead of the questions that Principal's directors might ask. "Cybersecurity is a huge priority for them because the service we provide is so reputation-based," says Scholten. "It's a top-of-mind board issue."

top

Texas admonishes judge for posting Facebook updates about her trials (Ars Technica, 27 April 2015) - A Texas judge is challenging a state panel's decision reprimanding her for posting Facebook updates about trials she was presiding over. The State Commission on Judicial Conduct ordered Michelle Slaughter, a Galveston County judge, to enroll in a four-hour class on the "proper and ethical use of social media by judges." The panel concluded that the judge's posts cast "reasonable doubt" on her impartiality. At the beginning of a high-profile trial last year in which a father was accused of keeping his nine-year-old son in a six-foot by eight-foot wooden box, the judge instructed jurors not to discuss the case against defendant David Wieseckel with "anyone." "Again, this is by any means of communication. So no texting, e-mailing, talking person to person or on the phone or on Facebook. Any of that is absolutely forbidden," the judge told jurors. But Slaughter didn't take her own advice, leading to her removal from the case and a mistrial. The defendant eventual was acquitted of unlawful-restraint-of-a-child charges. The judge told local media Friday that her Facebook posts about the "Boy in the Box" case and others were unbiased. "I will always conduct my proceedings in a fair and impartial way. The Commission's opinion appears to unduly restrict transparency and openness in government and in our judiciary," she told the Houston Chronicle . "Everything I posted was publicly available information." The commission didn't agree in its ruling last week: * * *

top

Apple makes ethics board approval mandatory for all medical research apps (The Verge, 29 April 2015) - Getting approval from an independent ethics board is now mandatory for all apps made using Apple's Researchkit - an open-source software platform meant to help scientists run clinical trials through apps available in the Apple app store. The additional guidelines, spotted by 9to5Mac, come two weeks after Apple opened up the platform to developers and medical researchers around the world. Apple announced ResearchKit in early March to great fanfare. At the time, only a handful of institutions had been given access to the platform. Almost immediately questions about the ethics of running clinical trials exclusively through mobile phones were raised. When The Verge reported on the story in March, it was unclear whether IRB approval would become mandatory for apps that made it to the Apple apps store. The five apps that were released through the app store on the day of the announcement had all been approved by an independent ethics review board, but the app store guidelines lacked specific wording about the need for Institutional Review Board (IRB) approval for these apps. Now, two weeks after making ResearchKit available to all developers, Apple has added another set of guidelines that make IRB approval mandatory. " Apps conducting health-related human subject research must secure approval from an independent ethics review board," the new guidelines read . "Proof of such approval must be provided upon request." It's unclear what might have prompted the addition.

top

SEC releases cybersecurity guidance for RIAs (Think Advisor, 29 April 2015) - The Securities and Exchange Commission's Division of Investment Management has released cybersecurity guidance to help advisors and funds address their cyber risks.

The IM Division's April cyber guidance recommends that advisors and funds conduct periodic assessments, have a cybersecurity strategy as well as written policies and procedures to mitigate cyberattacks. Cipperman Compliance Services warns that if advisors and funds have a data breach and have not implemented the measures described in the IM guidance, the SEC "may take regulatory action because your cybersecurity internal controls and policies and procedures were not sufficient." * * *

top

- and -

Department of Justice issues best practices guidance on cyber incidents (WilmerHale, 1 May 2015) - On Wednesday, April 29, the US Department of Justice released guidance titled "Best Practices for Victim Response and Reporting of Cyber Incidents." The guidance outlines steps companies should take before, during, and after an incident, and includes a summary checklist. The guidance also states the Justice Department's positions on the legal permissibility of a number of monitoring techniques and the impermissibility of many forms of so-called "hacking back." * * * [ Polley : guidelines are here .]

top

Unhappy anniversary, Google (InsideHigherEd, 30 April 2015) - On April 30 a year ago, Google announced: "Today, we're taking additional steps to enhance the educational experience for Apps for Education customers: (o) We've permanently removed the "enable/disable" toggle for ads in the Apps for Education Administrator console. This means ads in Apps for Education services are turned off and administrators no longer have the option or ability to turn ads in these services on. (o)We've permanently removed all ads scanning in Gmail for Apps for Education, which means Google cannot collect or use student data in Apps for Education services for advertising purposes." This announcement presumably came about to forestall attention from the May 1, 2014, publication of the White House Big Data Report, which warned of potential abuses of student data privacy. For some years, and then with momentum in the recent months, Congress held hearings on the subject, parents were raising critical questions of how school districts were managing their children's privacy, and research was coming out to suggest significant gaps between the Family Education Rights Privacy Act and practices of technological companies in the education space. I did not then nor do I now feel assuaged by Google's promise. First, their "don't ask permission, beg forgiveness" approach had already become hackneyed observing how they navigated F.T.C. investigations for Street View, Buzz, and Safari By-Pass. Second, their "clever by half" approach to the issue of talking about ads when the most pressing issues are data-mining and profiling felt flat on this audience of one. Finally, Google still has not presented any verification that on that day, or any time since, they stopped data-mining and profiling in Google Apps in Education (GAFE). Consequently, I have written a formal paper on this subject entitled, "Student Data and Blurred Lines: A Closer Look at Google's Aim to Organize U.S. Youth and Student Information." Eventually, I will present at a Berkman Center Forum on Student Data Privacy on May 20, eventually work it into a book on the culture, law and politics of the Internet in higher education that I am publishing through Cornell University Press.

top

How to conduct free legal research using Google Scholar in 2015 (part 2) (Nicole Black on LLRX, 30 April 2015) - Legal research is something lawyers do nearly every day. That's why convenient, affordable access to legal research materials is so important. The advent of computer-based legal research was the first step toward leveling the playing field and providing solos and small firms with access to the incredible depth of materials once only available in academic or government law libraries or in the law libraries of large law firms. But it was web-based legal research that truly gave solos and small firms the tools they needed to compete-and at a price they could afford. Google Scholar is a prime example of this-it provides free access to a wide range of legal materials, all of which are accessible and searchable via a user-friendly interface. The trick is to set aside time to learn the ins and outs of conducting legal research on Google Scholar. To make this process even easier for you, I'm writing this 2-part blog post series. Last week, in Part 1, I explained the basics of using Google Scholar for legal research. In today's post I'll delve into the more advanced search features and will also cover ways to sort and organize your research. * * *

top

Enterprises overlook legal issues in breach preparedness (CSO Online, 1 May 2015) - Companies preparing for data breaches and cyber security incidents too often focus on the technology and overlook the legal aspects. In a recent study by Hanover Research, for example, while about 54 percent of companies conducted a cyber threat audit -- but only 33 percent involved their legal departments in the process. "Companies are more likely to involve lawyers as a reactive measure, after an incident has occurred, rather than as a proactive measure," researchers said in their report, which was based on a survey of corporate law departments conducted on behalf of Indiana University's Maurer School of Law. This is a problem, because IT or security staff typically focus on physical and electronic security, not necessarily the legal, compliance, or privacy issues of a data breach, said Scott Vernick, the head of the data protection and privacy practice at the law firm of Fox Rothschild LLP, in Philadelphia. "They won't necessarily be sensitive to or be able to spot the issues that the lawyers are thinking about," he said. Corporations should bring in legal counsel early in the process, he said.

top

ACLU app lets you automatically send videos of police encounters (Mashable, 2 May 2015) - In a time when nearly everyone, regardless of income, seems to have a smartphone, the ACLU has come up with something that could help during your next encounter with an overzealous law enforcement officer: an instant reporting app. Mobile Justice CA was created by the Southern California branch of the American Civil Liberties Union as a way to "keep law enforcement accountable and protect your rights." Available for iOS and for Android, the free app allows users to instantly record and send a video of a police encounter to the ACLU. Available for iOS and for Android , the free app allows users to instantly record and send a video of a police encounter to the ACLU. Additionally, the app also allows you to turn on GPS tracking so that you can be notified if anyone else using the app near your location reports an incident. In light of recent demonstrations against police brutality, the app could be seen as essential equipment for some engaging in peaceful protests. The app also includes a list of U.S. rights, giving the user an additional tool in potentially touchy situations involving police encounters, as well as free speech and student rights demonstrations.

top

- and -

Witness's live-streaming app is a panic button for the smartphone age (TechCrunch, 3 May 2015) - What if live streaming, like those streams that run today on apps like Periscope or Meerkat, could be used to save lives? That's the premise behind an app called Witness , which made its debut today at the TechCrunch Disrupt NY Hackathon. Built over the course of the weekend, developer Marinos Bernitsas demoed an app that immediately begins recording live audio and video as soon as you tap the app's icon, but doesn't actually display the video stream being recorded on the smartphone's screen. Meanwhile, instead of having the stream sent out to the public via social networks like Twitter, only designated contacts you've previously configured in the app's settings are alerted to the incident via phone calls and text messages.

top

Effective social media practices and good online teaching (InsideHigherEd, 4 May 2015) - I have this theory that if you are effective on social media then you stand a good chance of being effective in online teaching. How do these two activities go together? Two words: presence and community . The people who seem to get the most out of social media are those who dedicate themselves to being present on their platform of choice. Presence does not necessarily mean contribution. You can be present in the IHE community if you show up daily to read the articles and opinion pieces. You can also be present if you regularly provide your opinions in a comment, even if your commenting is on every 1-in-50 articles. The power of IHE is that we are a community that is informed by both a common set of interests, and a common pool of content. We are all reading, thinking about, and commenting on the same articles and opinion pieces. On Twitter, being present means actively (on a daily basis), committing to interact with the platform. This may mean writing your own tweets, using Twitter to link to other things that you've read or seen on the Web, or simply using Twitter to filter what you consume. Presence on Twitter means that the people who follow you will reliably learn things from you. You build a community around the people you follow. We should always be suspicious of anyone who follows too many Twitter feeds, as above a certain number (maybe 500 follows at most), Twitter moves from a community to a promotional platform. The goal to invest in presence and achieve community are also the two hallmarks of effective online teaching. If you teach online you need be present. This does not mean answering every single discussion thread, or constantly putting up just-in-time videos to explain concepts. Rather, presence can take the form of active listening. Of knowing when it is time to contribute, when it is time to guide, and when it makes more sense to step back and let the conversation play out.

top

Why workers want self-service IT (MSP Hub, 4 May 2015) - The pendulum is in full swing toward employees empowered to make tech choices at work and away from traditional IT departments. A new survey found that workers are seeking self-service IT, driven in large part by cool consumer tech, "freemium" cloud services and an autocratic IT department whose slow, conservative ways aren't able to keep up with the urgent demand of business technology. "We're seeing a huge shift in the way enterprises define and enable 'efficiency,'" says CEO Adriaan van Wyk at K2, a business applications vendor that commissioned Harris Poll to survey more than 700 U.S. office workers. "It's no longer about deploying uniform business solutions across departments, but rather letting go of the reins and allowing employees to discover and use independent solutions on their own." Here are some of the more alarming findings: Seven out of 10 office employees use online tools outside of those licensed by their IT department for work purposes. More than half admitted they'd look for a free cloud service, such as Google Hangouts, Google Docs, DropBox, Evernote and Skype, before going through formal IT channels to procure a solution. Separately, a recent CompTIA study found that one out of three business units procures its own cloud applications, often leading to security breaches or system failures down the line.

top

With boxing match, video piracy battle enters latest round: mobile apps (NYT, 4 May 2015) - The method used by thousands of people to watch unauthorized broadcasts of Saturday night's big boxing match might have been new, but to longtime media executives, who have led one battle against piracy after another, it was the same old story. Technology and its acolytes always find a way to make their content free. In the latest case, the tools used to watch the welterweight boxer Floyd Mayweather Jr. defeat Manny Pacquiao included mobile apps, from Meerkat and Twitter's Periscope, that let people live-stream the pay-per-view bout by capturing their TV screens with the cameras on their smartphones. But live streaming from mobile apps is just one of the new piracy headaches facing media companies. Executives are stepping up efforts to fight Popcorn Time, an app with a slick user interface that makes using the years-old BitTorrent file-sharing technology as easy as Netflix. And they are scrambling to take down websites that illegally broadcast sports and other live events. "The challenge is technology is far outpacing the rules and regulations around media usage," said Rich Greenfield, an analyst at BTIG Research. "Media contracts never anticipated Periscope." Mr. Greenfield watched the boxing match himself on Periscope, and at one point posted a screenshot of his phone on Twitter showing nearly 10,000 people logged on to a single broadcast of the match.

top

How the NSA converts spoken words into searchable text (The Intercept, 5 May 2015) - Most people realize that emails and other digital communications they once considered private can now become part of their permanent record. But even as they increasingly use apps that understand what they say, most people don't realize that the words they speak are not so private anymore, either. Top-secret documents from the archive of former NSA contractor Edward Snowden show the National Security Agency can now automatically recognize the content within phone calls by creating rough transcripts and phonetic representations that can be easily searched and stored. The documents show NSA analysts celebrating the development of what they called "Google for Voice" nearly a decade ago . Though perfect transcription of natural conversation apparently remains the Intelligence Community's " holy grail ," the Snowden documents describe extensive use of keyword searching as well as computer programs designed to analyze and "extract" the content of voice conversations, and even use sophisticated algorithms to flag conversations of interest. The documents include vivid examples of the use of speech recognition in war zones like Iraq and Afghanistan, as well as in Latin America. But they leave unclear exactly how widely the spy agency uses this ability, particularly in programs that pick up considerable amounts of conversations that include people who live in or are citizens of the United States. Spying on international telephone calls has always been a staple of NSA surveillance, but the requirement that an actual person do the listening meant it was effectively limited to a tiny percentage of the total traffic. By leveraging advances in automated speech recognition, the NSA has entered the era of bulk listening. And this has happened with no apparent public oversight, hearings or legislative action. Congress hasn't shown signs of even knowing that it's going on.

top

Eleventh Circuit rules for the feds on cell-site records - but then overreaches (Orin Kerr on Volokh Conspiracy, 5 May 2015) - The en banc Eleventh Circuit has ruled that historical cell-site records are not protected by the Fourth Amendment under the third-party doctrine. The case, United States v. Davis , also adds an alternative holding that is even more important: Even if cell-site records were protected, the en banc court holds, accessing them would trigger only minimal Fourth Amendment concerns and would not require a warrant or probable cause. My bottom line: I agree with court's ruling that the third-party doctrine applies and there was no search, but I think the alternative holding is puzzling, inconsistent with precedent, and unnecessary. But stay tuned. It's a long shot, but that second alternative holding might end up drawing Supreme Court review of both holdings. This post will go through the majority's reasoning and then offer my thoughts. There's also lots of interesting stuff in the concurring and dissenting opinions, but in the interests of space and time I'll stick with the majority opinion. * * *

top

Google relieved of duty to search for relevant evidence in executing search warrant (Orin Kerr on Volokh Conspiracy, 6 May 2015) - I'm working on a new law review article about the internal procedures that Internet providers follow when executing search warrants for content. Given that, I was particularly interested in this new decision from a magistrate judge in Alaska relieving Google of a duty to execute a warrant by combing through stored files for relevant content. The case involves a search for evidence in e-mail accounts that were used to respond to a Craigslist advertisement about underage sexual activity. The warrant wasn't well-drafted, but it could be read as giving Google the job of searching through the e-mail accounts and identifying which e-mails were relevant to the case before handing them over to the government. The warrant was served on Google, which then challenged the warrant. From the opinion: Google asks the Court to amend the first warrant, relieving it from any requirement to inspect the content of email correspondence for relevance and evidentiary value. Google asserts that such content review of email is a law-enforcement function that cannot properly be delegated to service providers. Google also notes that it is "not steeped in the investigation," and does not have the background, expertise, or resources to sift through email correspondence for content to determine relevancy and evidentiary value under the warrant. For these reasons, Google asserts that the first warrant is unduly burdensome. It illustrates the burden by pointing out that over the twelve month period between July 2013 and June 2014, Google received 23,113 pieces of legal process from law enforcement agencies seeking information on 39,830 accounts. These legal process requests ran "the gamut from fraud cases, kidnapping and other emergencies, to routine civil and criminal demands for records." To respond to the myriad requests for assistance from law enforcement, Google maintains a "dedicated team" exclusively devoted to responding to legal process requests from law enforcement. Notwithstanding its policy of cooperation, Google asserts that the first warrant goes too far and imposes an undue burden on it because it does not have the resources necessary to review email content for relevance and for evidentiary value in a particular case. Moreover, even if it did have the resources, Google contends that the review of email content for investigative value should remain with law enforcement, should not be delegated to service providers. These arguments are persuasive.

top

LinkedIn serves up resumes of 27,000 US intelligence personnel (ZDnet, 6 May 2015) - The resumes of over 27,000 people working in the US intelligence community were revealed today in a searchable database created by mining LinkedIn. Transparency Toolkit said the database, called ICWatch, includes the public resumes of people working for intelligence contractors, the military and intelligence agencies. The group said the resumes frequently mention secret codewords and surveillance programs. "These resumes include many details about the names and functions of secret surveillance programs, including previously unknown secret codewords," Transparency Toolkit said. "We are releasing these resumes in searchable form with the hopes that people can use them to better understand mass surveillance programs and research trends in the intelligence community." The data was collected from LinkedIn public profiles using search terms like known codewords, intelligence agencies and departments, intelligence contractors, and industry terms, the group said. To create the database, Transparency Toolkit built search software, called LookingGlass, to make it easy to browse the data. Both Looking Glass and the ICWatch data have been released on Github.

top

Legal threat against security researcher claims he violated lock's copyright (BoingBoing, 6 May 2015) - Mike Davis from Ioactive found serious flaws in the high-security the Cyberlock locks used by hospitals, airports and critical infrastructure, but when he announced his findings, he got a legal threat that cited the Digital Millennium Copyright Act. Jeff Rabkin, a partner at the "elite international law firm" Jones Day sent the thinly veiled threat on April 29, asking Ioactive to help him discover whether "intellectual property laws such as the anticircumvention provision of the Digital Millennium Copyright Act" had been violated in the course of Davis's research. The 1998 DMCA prohibits actions that assist in bypassing "effective means of access control" to copyrighted works. It's the statute that lets Apple prevent competitors from launching rival App Stores, and stops companies from selling DVD-ripping software. Rabkin and Jones Day are quite possibly barking up the wrong tree here. Two early DMCA cases -- Skylink and Lexmark -- tested whether the law stretched to preventing competitors from reverse-engineering devices in order to make interoperable spares and consumables (garage door openers and printer cartridges) and in both cases, the Federal Circuit found that the DMCA could not be used to prevent this sort of activity. Disclosing vulnerabilities isn't exactly parallel to Lexmark/Skylink. In those cases, an original manufacturer sued a commercial rival, and the judges took offense at the use of copyright law to such a nakedly anti-competitive purpose. To me, it's clear that disclosing the drastic defects that a manufacturer made in its products is of the same character as making competing products -- a legitimate and socially vital process that is obviously out of copyright's scope.

top

- and -

Copyright as censorship? Katz v. Chevaldina (David Post on Volokh Conspiracy, 11 May 2015) - Briefs have now been filed in the very interesting Katz v. Chevaldina case, now on appeal in the 11th Circuit. Eugene blogged about this here on the VC almost a year ago , when the case was before the district court, and it remains a pretty interesting case about the limits of copyright law and copyright protection. [Full disclosure: I worked with defendant Chevaldina's attorney in the appeal - Michael Rosman at the Center for Individual Rights - so I won't pretend to be neutral and/or disinterested] The facts are pretty simple. Katz is a wealthy Miami real estate developer (and part owner of the NBA's Miami Heat franchise). While visiting Israel, a photograph of Katz - described as "unflattering" by the lower court and "ugly and embarrassing" by Katz himself [you can see the photo itself in Eugene's original posting ] - was published in the Israeli paper H'aaretz, accompanying a story about his purported interest in purchasing a stake in an Israeli basketball team. Chevaldina, who has a number of ongoing disputes with Katz and who operates several blogs which are highly critical of him and of his business practices, republished the photograph numerous times, "in its original state, sometimes accompanied by sharply worded captions, or cropped and pasted into derisive cartoons." Katz obtained an assignment of the copyright in the photograph from the Israeli photographer, and then sued Chevaldina for infringing his copyright. The district court found that Chevaldina was not infringing Katz' copyright because she was making "fair use" of the photographs, and Katz appealed to the 11th Circuit. There's some really interesting copyright law, and some really interesting copyright policy, in all this. The Copyright Act requires a court to consider "the effect" of Chevaldina's use on "the potential market for or value of the copyrighted work," in deciding whether or not her use is "fair." The district court found - correctly, in my view (but see disclosure above!) - that there was no "harm" to the market for the work because there was, for all intents and purposes, no market for the work at all, now that Katz had purchased the copyright (and clearly was not interested in having it distributed further by anybody) * * *

top

2015 Data Breach Class Action Report (Bryan Cave, May 2016) - We are pleased to announce the 5th edition of our whitepaper discussing trends in data breach class action litigation. The 2015 report provides the most comprehensive analysis of trends in complaint filings by industry, court, legal theory, and type of data breach * * *

top

Canadian law firms warned to encrypt client data or risk surveillance threat (Global Legal Post, 8 May 2015) - The Canadian Anti-Terrorism Act, now passing through parliament, could mean that law firms which do not encrypt data will imperil the confidentiality of clients - as the security forces will find it easier to get warrants that breach privacy. The Act paves the way for greater powers for the Canadian Security Intelligence Service to undertake mass transfers of data from government departments. David Fraser, technology and privacy specialist at McInnes Cooper, said: 'There's all kinds of mischief that can take place under the provisions.' He continued: 'Could a judge theoretically override solicitor-client privilege in one of these scenarios? Yes. Would it take place in secret? Absolutely.' The obvious solution is encrypting data so that the security forces cannot access it. For firms on the cloud this would mean that the service provider itself could not decrypt data that it holds even when warrants are issued.

top

Can you touch an electron? The weird metaphysics when states try to tax digital goods (Washington Post, 8 May 2015) - Are you in the mood for some House of Cards? Cue up an episode. Here's what will happen. A faraway computer will start spewing electronic information toward you. These pulses of energy might travel by copper wire, by optical fiber, or by radio before they reach your laptop, reassembling into closeups of Robin Wright giving a masterclass in side-eye. Once, not so long ago, people got their entertainment on discs engraved with microscopic bumps, a computer version of braille. Stores like Blockbuster rented these plastic pucks, which people referred to as "DVDs." Music, too, traveled around on platters of polycarbonate called "CDs." These days, your Britney albums are more likely to live on your computer's hard drive as a collection of magnetic stripes. You can still cuddle this hard drive, but it's really not the same thing. Right? Some state governments would argue yes. Some state governments are confused. Some state governments still grappling with the idea of goods that have transcended the material plane. How do you regulate them? How do you tax them? Though it's been over a decade since Apple sold its first song on iTunes, there's still a lot of murkiness concerning the metaphysics of, say, Miley Cyrus's latest digital exclusive. Alabama is the latest example of a state trying to reconcile reality with its behind-the-times tax code. In March, its Department of Revenue announced it would start taxing streaming services like Netflix and Spotify the same way it taxes rental stores that deal in physical discs. The actual law, which hasn't changed, says that the state will levy a 4 percent tax on rentals of "tangible personal property." So in order to tax a Netflix subscription, Alabama's tax collectors have been forced to argue that streaming movies are somehow exactly that - tangible. But the law in Alabama (and several other states) provides a much looser definition. It's anything "which may be seen, weighed, measured, felt, or touched, or is in any other manner perceptible to the senses." * * * Many states have chosen to define digital downloads (like movies or MP3s) as a third kind of property, neither tangible nor intangible. That's the position laid out in the Streamlined Sales and Use Tax Agreement, which about half of states have passed laws to participate in. The goal of this agreement is for states to coordinate on how to tax commerce between states, an issue that has become increasingly complicated with Internet sellers conducting business from thousands of miles away. In Louisiana, administrators from Jefferson Parish recently lost a lawsuit over whether they could tax streaming video-on-demand and pay-per-view services. Like Alabama, Jefferson Parish levies a tax when people rent "tangible personal property." Much of the argument went back to definition of "tangible." Lawyers from cable company Cox argued that video streams aren't really tangible property because they're not stored permanently; the data is thrown out after it hits the screen, so there is not even temporary transfer of ownership. In December, an appeals court agreed with Cox, ruling that streaming video was an untaxable service, not a taxable rental transaction.

top

Brick by brick (InsideHigherEd, 11 May 2015) - The next-generation learning management system shouldn't be a system at all, but a "digital learning environment" where individual components -- from grade books to analytics to support for competency-based education -- fit together like Lego bricks, a new white paper recommends. "The Next Generation Digital Learning Environment: A Report on Research," released last month, advances Educause's initiative to examine how faculty members and students feel about their learning management systems and what they want from them in the future. The effort , which is funded by the Bill & Melinda Gates Foundation, is known as the Next Generation Digital Learning Environment Initiative. Even though virtually all colleges and universities run some form of learning management system, many faculty members have a "love-hate relationship" with the software, Malcolm Brown, director of the Educause Learning Initiative, said in an interview. On the one hand, he pointed out, it's technology "you can't live without," but on the other, it's a source of frustration and impatience for many. Educause hoped to consider whether existing learning management systems can support higher education at a time when many colleges and universities are experimenting with new forms of delivering courses and awarding credit. Instead of focusing on "incremental change," the researchers decided to articulate what a re-envisioning of the market would look like, Brown said. The white paper combines Educause's own research with input from learning management system providers, accessibility and universal design experts, IT officials, university leaders, and others. Authors Malcolm Brown, Joanne Dehoney and Nancy Millichap then synthesized those opinions into one overarching recommendation: that commercial providers, open-source communities and individual developers settle on a set of specifications to make different software work together -- in other words, the studs and cylinders that make Lego bricks interlock.

top

New PacerPro service automatically retrieves and delivers federal 'free look' documents (Robert Ambrogi, 11 May 2015) - If I were to tell you that a new service could help you avoid a $40 million mistake in litigation, would you be interested? The mistake to which I refer was Sidley Austin's failure to timely read orders referenced in a notice of electronic filing (NEF). The orders denied Sidley's post-trial motions filed on behalf of AT&T after it was hit with a $40 million verdict in a patent infringement case. Because Sidley did not read the orders in time, it missed the deadline to file an appeal. Claiming that the NEFs were misleadingly labeled, Sidley sought to reopen the appeal period. In a March 19, 2015, decision , the Federal Circuit shot down Sidley's request, agreeing with the trial judge that it was "inexcusable for AT&T's multiple counsel to fail to read all of the underlying orders they received, or-at minimum-to monitor the docket for any corrections or additional rulings." A new service being launched this week by PacerPro could have helped avoid this outcome. On top of that, it solves a problem that vexes many law firms - the retrieval of electronically filed documents in federal district and bankruptcy courts. The new service automatically retrieves the documents referenced in NEFs from PACER and sends them to you by email. Whether the NEF references a single document or a dozen, you get them all in your inbox, available on your computer or mobile device.

top

Every computer border search requires case-by-case reasonableness, DC court holds (Orin Kerr on Volokh Conspiracy, 12 May 2015) - Imagine you're flying from the United States to a foreign country and you're carrying a laptop. Federal agents stop you on the jetway as you're about to board your flight. They want to take your computer and search it. Can they? And if they can do that, what are the limits on how much they can search, for how long, and where? Lower courts have divided on the question. Some courts have concluded that the "border search exception" that the Supreme Court has applied for searches of physical objects should also apply equally to computers. Under that approach, agents can seize and search computers at the border (or at its "functional equivalent," such as at international airports where passengers are boarding international flights) apparently without limit. The Ninth Circuit has adopted a different approach , ruling that agents need "reasonable suspicion" to seize and search a computer at the border if the search is a "forensic" search but not if it is a "manual" search. Last Friday, Judge Amy Berman Jackson of the D.C. District Court adopted a third approach in a new case called United States v. Kim . The opinion holds that that every computer search at the border must be justified as reasonable under the totality of the circumstances. After concluding that the search in this case was not reasonable under that test, she suppressed the evidence. I think Judge Jackson's decision is highly problematic. I won't be surprised if DOJ appeals it, as it raises a really important set of questions and answers them in some unusual ways. Will the Court of Appeals agree with Judge Jackson? Time will tell. But we'll probably hear more about this case either way, so here's a detailed rundown of the new decision together with my thoughts. * * *

top

Vast majority of companies significantly under-insured for cyber risk (Insurance Business, 12 May 2015) - About 80% of companies are likely to suffer a data breach within 12 months, and while most of the associated costs will total less than $1 million, there's a 5% chance the breach will cost the company $20 million or more. Despite these frightening statistics, however, the vast majority of companies are significantly under-insured for cyber risk. In fact, companies are likelier to buy fire insurance than they are to buy a cyber policy, according to a new report from the research firm Ponemon Institute. Researchers surveyed 2,243 company representatives in 37 countries on cyber risk and security. Of those, just one in five have a current cyber liability policy in place. Much of that lack of market penetration has to do with ignorance surrounding cyber coverage. Many companies believe their general liability policies will cover cyber risk, while others mistakenly believe their companies are too small to be at risk of a data breach. However, one other significant reason companies aren't buying coverage is a lack of market capacity. According to Kevin Kalinich, leader of the global cyber risk practice for Aon Risk Solutions - which sponsored the Ponemon study - it is difficult to find policies with adequate limits. "We are working with alternative markets because the traditional cyberinsurance markets run out of capacity between $200 million and $300 million," Kalinich said.

top

Polygraph.com owner pleads guilty to training customers to beat polygraph (Ars Technica, 14 May 2015) - A 69-year-old former Oklahoma police officer has pleaded guilty to five obstruction of justice and mail fraud charges in connection to an indictment accusing him of teaching people to successfully cheat on lie detector tests. According to last year's indictment (PDF), Douglas Williams charged customers for instruction on how to beat lie detector tests given during national security, federal, state, and local employment suitability assessments and for internal federal investigations. "Lying, deception and fraud cannot be allowed to influence the hiring of national security and law enforcement officials, particularly when it might affect the security of our borders," Assistant Attorney General Leslie Caldwell said . "Today's conviction sends a message that we pursue those who attempt to corrupt law enforcement wherever and however they may try to do so."

top

NOTED PODCASTS

The iGEM Revolution (Drew Endy at the Longnow Foundation, Sept 2014; 90 minutes) - Natural genomes are nearly impossible to figure out, Endy began, because they were evolved, not designed. Everything is context dependent, tangled, and often unique. So most biotech efforts become herculean. It cost $25 million to develop a way to biosynthesize the malaria drug artemisinin, for example. Yet the field has so much promise that most of what biotechnology can do hasn't even been imagined yet. How could the nearly-impossible be made easy? Could biology become programmable? Endy asked Lynn Conway, the legendary inventor of efficient chip design and manufacturing, how to proceed. She said, "Go meta." If the recrafting of DNA is viewed from a meta perspective, the standard engineering cycle---Design, Build, Test, Design better, etc.-requires a framework of DNA Synthesis, using Standards, understood with Abstraction, leading to better Synthesis, etc. "In 2003 at MIT," Endy said, "we didn't know how to teach it, but we thought that maybe working with students we could figure out how to learn it." It would be learning-by-building. So began a student project to engineer a biological oscillator-a genetic blinker-which led next year to several teams creating new life forms, which led to the burgeoning iGEM phenomenon. Tom Knight came up with the idea of standard genetic parts, like Lego blocks, now called BioBricks. Randy Rettberg declared that cooperation had to be the essence of the work, both within teams (which would compete) and among all the participants to develop the vast collaborative enterprise that became the iGEM universe-students creating new BioBricks (now 10,000+) and meeting at the annual Jamboree in Boston (this year there are 2,500 competitors from 32 countries). "iGEM" stands for International Genetically Engineered Machine. [ Polley : absolutely fascinating; I'd completely missed that distributed genetics "programming" has replaced nanotech. The confluences of serendipity & intention, cooperation & collaboration, knowledge management & sharing, all drive this process. For lawyers, around 60m45s this gets into ownership issues (genetic programming languages, DNA widgets/parts/tools/gizmos), applicability of DMCA (and the like) to ownership claims, and Creative Commons like approaches. Cites to the alluring BioBrick Public Agreement (BPA) 63m23s.]

top

RESOURCES

New draft article, "Norms of Computer Trespass" (Orin Kerr on Volokh Conspiracy, 4 May 2015) - I have posted a draft of a new article, Norms of Computer Trespass , forthcoming in the Columbia Law Review . The article addresses a recurring problem in computer crime law: What is unauthorized access? The article tries to answer that question at a conceptual level, and along the way resolves a lot of the hard cases courts have encountered in applying the Computer Fraud and Abuse Act. Here's the abstract: Federal and state laws prohibit computer trespass, codified as a ban on unauthorized access to a computer. In the last decade, however, courts have divided sharply on what makes access unauthorized. Some courts have interpreted computer trespass laws broadly to prohibit trivial wrongs such as violating Terms of Service to a website. Other courts have limited the laws to harmful examples of hacking into a computer. Courts have struggled to interpret authorization because they lack an underlying theory of how to distinguish authorized from unauthorized access. This Essay offers such a theory. It contends that authorization is inherently contingent on social norms. Starting with trespass in physical space, it shows how concepts of authorization necessarily rest on shared understandings of what technologies and its users are allowed to do. Norms classify the nature of each space, the permitted means of access, and the permitted context of access. This idea, applied to the Internet, readily answers a wide range of difficult questions of authorization under computer trespass laws such as the Computer Fraud and Abuse Act. It shows that the open norms of the web authorize most kinds of web use. On the other hand, the closed norms of authentication limit use of canceled or shared accounts. Properly understood, the norms-based nature of trespass does not render unauthorized access laws uncertain. To the contrary, the lines to be drawn become surprisingly clear once you identify the correct norms of computer usage.

top

Congress, the courts, and the development of copyright law (MLPB, 28 April 2015) - Christopher S. Yoo, University of Pennsylvania Law School; University of Pennsylvania Annenberg School for Communication; University of Pennsylvania School of Engineering and Applied Science, is publishing The Impact of Codification on the Judicial Development of Copyright in Intellectual Property and the Common Law (Shyamkrishna Balganesh, ed., 2014). Here is the abstract: Despite the Supreme Court's rejection of common law copyright in Wheaton v. Peters and the more specific codification by the Copyright Act of 1976, courts have continued to play an active role in determining the scope of copyright. Four areas of continuing judicial innovation include fair use, misuse, third-party liability, and the first sale doctrine. Some commentators have advocated broad judicial power to revise and overturn statutes. Such sweeping judicial power is hard to reconcile with the democratic commitment to legislative supremacy. At the other extreme are those that view codification as completely displacing courts' authority to develop legal principles. The problem with this position is that not all codifications are intended to be comprehensive or to displace all preexisting law. One way to reconcile democratic legitimacy with current practice would be to adopt a less categorical approach that recognizes that the proper scope for judicial development is itself a question of legislative intent. In some cases, Congress has affirmatively delegated to the courts the explicit authority to continue to develop the law. In others, Congress modeled certain provisions of the copyright statutes on patent or other areas of law, which provides leeway for judicial development. Either approach would not conflict with the democratic commitments reflected in legislative supremacy. Applying this framework to the four areas of law of judicial development identified above reveals that the courts' record in applying these principles consistently is mixed. With respect to fair use and misuse, the courts have adopted readings that either follow or are consistent with legislative intent. With respect to third-party liability and the first sale doctrine, the courts have invoked broad analogies between copyright and patent law or canons of construction without analyzing directly whether such approaches were consistent with legislative intent.

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

New York Times to charge for archives, editorials (Reuters, 16 May 2005) -- The New York Times Co. on Monday said it plans to charge for some of its editorial columns and its archive of stories online to boost subscription sales, even as it invests in its free service. The New York-based publisher of the namesake newspaper and The Boston Globe said the new product, TimeSelect, will debut in September and cost $49.95 for an annual subscription. The company said most of its stories will still be available online for free. TimeSelect underscores the paper's push to create more Web products, both free and for a fee, to offset an uncertain advertising market for its print newspapers. The New York Times purchased Web site About.com for about $410 million earlier this year to increase its online advertising inventory. The paper's print subscribers will have free access to the paper's columnists online, including those written by Times staffers and International Herald Tribune writers. TimeSelect will also give subscribers access to its archives dating back initially to 1980. The company plans to eventually extend its archives back to the 1850s, a spokesman said.

top

L.A. Times suspends 'wikitorials' (AP, 21 June 2005) -- A bold Los Angeles Times experiment in letting readers rewrite the paper's editorials lasted all of three days. The newspaper suspended its "Wikitorial" Web feature after some users flooded the site over the weekend with foul language and pornographic photos. The paper had posted on its Web site Friday an editorial urging a better-defined plan to withdraw troops from Iraq. Readers were invited to add their thoughts. Dozens did, with some adding hyperlinks and others adding opposing views. One reader split the long editorial in two, something that pleased Michael Kinsley, the Times' editorial and opinion editor. But the number of "inappropriate" posts soon began to overwhelm the editors' ability to monitor the site. On Sunday, editors decided to remove the feature. The newspaper's Web page was to show the original editorial and interim versions along with the readers' final product. "The result is a constantly evolving collaboration among readers in a communal search for truth," the paper said in its Friday edition. "Or that's the theory." The Times said it might be creating a new form of opinion journalism - or an embarrassing failure. In a statement Monday, the Times said the feature would stay offline indefinitely while it looked at what happened and how to fix it. "We thank the thousands of people who logged onto the Wikitorial in the right spirit," the paper said.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

No comments: