MIRLN --- 19 June 2011 - 9 July (v14.09)

I’m moderating a 90-minute July 26 webinar by SMU, Univ of Texas, and the InternetBar.org on ODR - “The Future Of Justice: How Technology is Shaping the Dispute Resolution Ecosystem”. Panelists include Ethan Katsh and Prof. Vikki Rogers; $10 registration ends July 10; $49 thereafter. Join us! http://bit.ly/mzH2Of

NEWS | PODCASTS | RESOURCES | LOOKING BACK | NOTES

Catch Me If You Can (Law Tech News, 1 June 2011) - Could Matthew Kluger, a mergers and acquisitions attorney arrested on April 6, 2011, on charges of insider trading, have been caught before he did so much damage? That was the disturbing question CIOs discussed behind closed doors at many law firms this spring. Although it’s possible to discover the kind of information theft that Kluger allegedly committed, the odds are stacked against it, say CIOs, software vendors, analysts, and IT security experts. That has law firms increasingly worried. Kluger’s is just the latest in a string of law firm insider trading cases over the last two years, but it has ratcheted up the level of concern throughout BigLaw. Perhaps it’s because the case involved three of the most respected firms in the world: Cravath, Swaine & Moore; Skadden, Arps, Slate, Meagher & Flom ; and Wilson Sonsini Goodrich & Rosati. If it happened to them, it could happen to any law firm. What, exactly, happened? Kluger and two accomplices - a Wall Street trader and a mortgage broker - allegedly stole and traded on material nonpublic information about M&A deals over a period of 17 years, according to federal authorities. The trio, facing charges from the U.S. Securities and Exchange Commission and the Department of Justice, allegedly made at least $32 million from the trades. At his most recent employer, Wilson Sonsini, Kluger took information from M&A deals he was not involved with (in an apparent effort to avoid detection), according to the charges. He got the information from the firm’s document management system (DMS), say prosecutors. Kluger had access to information on M&A deals in Wilson Sonsini’s DMS, but he did not open the documents - to avoid leaving an audit trail that could possibly expose the scheme, prosecutors assert. Instead, he conducted searches and perused titles. “Kluger looked for board resolutions, press releases, and merger agreements because the titles of these documents revealed that specific companies were involved in pending mergers and acquisitions,” the charges state (http://1.usa.gov/ltn642). Could someone really get that much information without opening the documents? “Easy,” says George Rudoy, CEO of Integrated Legal Technology. “Even with all the effort of organizing ethical walls, I have not heard nor seen firms locking the title of the documents. If you go directly into the document management system, you can read all the titles and in most cases you can read short descriptions even if the document is locked.” Remember, when people fill out the titles of documents, they are thinking about how to make the document easier to find, not about how to conceal information. Even if the firm uses code names, as was the case in the Wilson Sonsini files, it’s often easy to figure out the codes.

top

Law Firm Not Liable for Purchasing Competitor’s Name as Keyword to Drive Traffic to Own Website (ABA Journal, 8 June 2011) - Once upon a time, when bus benches and the yellow pages offered some of the only ways to promote a personal injury firm effectively, competitors tried to crowd each other out or dominate the space with the biggest ad. It wasn’t unheard-of to put a billboard up right next to another law firm’s offices. And, now that the Internet provides another option, purchasing key words to drive traffic to a website is simply another form of acceptable proximity advertising, a Wisconsin judge has ruled. Although Habush Habush & Rottier had argued that it had a privacy right in the names of its name partners, Milwaukee County Circuit Judge Charles Kahn Jr. effectively told the plaintiff personal injury firm, “Welcome to the 21st century,” reports the Milwaukee Journal-Sentinel. While there may be a privacy issue, Kahn held, another law firm’s purchase of the names Habush and Rottier as advertising key words on the Internet is a reasonable commercial use. The Habush firm plans to appeal today’s ruling, as competitor Cannon & Dunphy celebrated its victory. Kahn was somewhat sympathetic to an argument that it is unethical for a law firm to misrepresent itself by using another law firm’s name. However, he said there is no ethical prohibition, at present, against doing so. “The time may come when a legislature, regulatory board or supreme court determines that the conduct at issue in this case is deceptive and misleading and therefore improper,” he wrote. “But no such body has yet drawn this conclusion.” [Editor: I think I agree that overriding ethical concerns should cause a different result. For good, albeit 15-month-old, summary of social media legal ethics/practice issues look at: http://solopracticeuniversity.com/2010/03/11/a-dozen-social-media-ethics-issues-for-lawyers/ ]

top

NATO Uses Twitter to Help Gather Targets in Libya (Mail & Guardian, 16 June 2011) - NATO is using information gleaned from Twitter to help analysts judge which sites could be targeted by commanders for bombing and missile strikes in Libya. Potentially relevant tweets are fed into an intelligence pool then filtered for relevance and authenticity, and are never passed on without proper corroboration. However, without “boots on the ground” to guide commanders, officials admit that Twitter is now part of the overall “intelligence picture”. They said Nato scooped up all the open source information it could to help understand Gaddafi, who is constantly changing his tactics and concealing himself—and his forces—in places such as schools and libraries. [NATO] monitors Twitter feeds from Tripoli and other places for “snippets of information”. These could then be tested, corroborated or not, by Nato’s own sources, including direct lines of communication with the rebels, and imagery and eavesdropping from Nimrod spy planes. Nato is also aware that Gaddafi might be using Twitter to feed false information. “We have to be careful it is not used for propaganda [by Gaddafi’s forces],” the Nato official said.

top

Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security (June 17, 2011) - A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week - if adopted by a U.S. district court in Maine - will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. In May 2009, Sanford, Maine based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn. based People’s United Bank. Pacto used online banking primarily to make weekly payroll payments. Patco said cyber thieves used the ZeuS trojan to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days. In the weeks following the incident, Ocean Bank managed to block or claw back $243,406 of the fraudulent transfers, leaving Patco with a net loss of $345,445. Because the available funds in Patco’s account were less than the total fraudulent withdrawals, the bank drew $223,237 on Patco’s line of credit to cover the transfers. Patco ended up paying interest on that amount to avoid defaulting on its loans. Patco sued to recover its losses, arguing in part that Ocean Bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Pacto’s motion for summary judgment and granting the bank’s motion. A copy of the recommended decision is available here (PDF).

top

- and -

Bank Left Holding the Bag in Phishing Attack (Steptoe’s E-Commerce Law Week, 7 July 2011) - The U.S. District Court for the Eastern District of Michigan has held Comerica Bank responsible for withdrawals made by a hacker who had “phished” a Comerica customer in order to gain access to the customer’s accounts. Even though the customer’s employee had fallen for the phishing trick - an email made to look like it was from the bank, which asked for confidential account information - the court held that the bank failed to prove that it had acted in accordance with “reasonable commercial standards” when it allowed the hacker’s wire transfers to go through. Though the decision in ExperiMetal, Inc., v. Comerica Bank involves an interpretation of Michigan law, that law is based on the Uniform Commercial Code, meaning the decision will have at least persuasive effect in other states. This case underscores the importance for financial institutions of having well-developed procedures for detecting fraudulent transactions as part of their overall security programs. Until an effective means is developed to prevent phishing attacks altogether, some of the defense will need to focus on limiting the damage phishers can do once they are inside the bank’s network.

top

What Big Media Can Learn From the New York Public Library (The Atlantic, 20 June 2011) - With all [recent] change—not to mention a possible $40 million budget cut looming—it would be no surprise if the library was floundering like the music industry, newspapers, or travel agents. (Hey, man, we all get disintermediated sooner or later.) But that’s the wild thing. The library isn’t floundering. Rather, it’s flourishing, putting out some of the most innovative online projects in the country. On the stuff you can measure—library visitors, website visitors, digital gallery images viewed—the numbers are up across the board compared with five years ago. On the stuff you can’t, like conceptual leadership, the NYPL is killing it. The library clearly has reevaluated its role within the Internet information ecosystem and found a set of new identities. Let’s start from here: One, the New York Public Library is a social network with three million active users and two, the New York Public Library is a media outfit. The library still lends books, but over the past year, the NYPL has established itself as a beacon in the carcass-strewn content landscape with smart e-publications, crowdsourcing projects, and an overall digital strategy that shows a far greater understanding of the power of the Internet than most traditional media companies show. Biblion, a storytelling app whose iPad icon features the lion head, is the flashiest of these efforts. It presents a slice of the library’s 1939 World Fair Collection in a format that, while controversial, pushed the traditional boundaries of the e-publication. Moving around the app doesn’t feel like flipping through the pages of a museum catalog or crawling around a website. To me, it felt like a native application for the tablet era, a new form for the more spatial experience afforded by the tablet’s touchiness. Even for those who didn’t like the interface, the question had to be asked: this thing came out of a library? Then there is the library’s slick crowdsourcing projects, which allow users to digitize beautiful old menus from New York’s restaurants and plot historical maps of the city onto the GPS-enabled digital maps of today. Both projects are both useful and feature user interfaces that best most commercial crowdsourcing applications.

top

The North Carolina Bar’s Double Standard for Data and Dollars (Carolyn Elefant, 20 June 2011) - Two months ago, North Carolina released Proposed Formal Ethics Opinion 6 , Subscribing to Software as a Service (SaaS) While Fulfilling the Duties of Confidentiality and Preservation of Client Property. As others, including my Social Media for Lawyers co-author Nicole Black, NC Bar LPM Advisor Eric Mazzone, e-lawyering pioneer Richard Granat and North Carolina virtual lawyer Steph Kimbro have already written, the decision represents a step backward for lawyers - and indeed, may have the effect of precluding lawyers from using popular services like Google docs, Mozy, email or texting even for entirely non-confidential purposes. It’s bad enough that North Carolina’s proposed opinion will make it nearly impossible for lawyers to take advantage of new technologies that could reduce the cost of legal service. But to add insult to injury, FEO 6′s stringent regulations applies only to use of SaaS (or cloud) vendor services, while giving online banking services for trust account management a pass, in an proposed opinion released the same day, FEO 7 Using Online Banking to Manage a Trust Account. Yet, there’s no rational justification for North Carolina to maintain a double-standard for online management of client dollars and client data. North Carolina’s proposed FEO 7 requires lawyers using online banking to exercise reasonable care, specifically, taking steps to minimize the risk of loss or theft of client money. Though the Opinion states that lawyers have an affirmative duty to understand the risks of online banking and to employ best practices such as strong password policies, the Opinion goes on to state that: “Understanding the contract with the depository bank and the use of the resources and expertise available from the bank are good first steps toward fulfilling the lawyer’s fiduciary obligations.” Simply put, lawyers can meet their ethics obligations by relying on banks as a trusted source of information regarding online banking security practices.
Contrast the bar’s deferential approach towards online banking with its adversarial attitude towards SAAS companies. Lawyers can’t simply rely on a cloud providers’ expertise in security practices or on the company’s representations regarding its security practices. Instead, lawyers are required (not encouraged, but required!) to:

  • personally, or through a security expert, evaluate the company’s measures for safeguarding the physical and electronic security of data, including but not limited to “firewalls, encryption techniques, socket security features, and intrusion-detection systems.”
  • investigate a cloud provider’s financial history
  • review the cloud provider’s security audits, and
  • install special security software to ensure that users connected to cloud vendors are protected against malware and viruses.

top

Expert Assesses Cyberinsurance Market: Demand, Prevention, Recovery (Insurance Journal, 20 June 2011) - Demand for cyberinsurance was rising even before the most recent highly-publicized parade of breaches at major corporations and organizations. After the news of the first major Sony hack but before the subsequent reports involving Sony, Citicorp, the International Monetary Fund and others, Insurance Journal spoke with an expert to gauge how the insurance market for this coverage is doing. James Whetstone, senior vice president and U.S. technology and privacy manager for insurer Hiscox Specialty, is a former technology geek and broker turned underwriter. Hiscox is one of the original underwriters of the coverage. Whetstone says there are almost 30 carriers now offering cyber liability coverage, some more seriously than others. He says these times of claims are when an insurer’s commitment to a market can be tested, citing what he calls the “naive” capacity that exists. The coverage has evolved quickly- Whetstone compares the product’s acceptance to that of employment practices liability (EPL) coverage- to where cyberinsurance is a “must-have” for most firms today. The underwriting has also changed. “We used to really focus our underwriting attention on how well they could prevent the breach, but we’ve added another phase to it,” says Whetstone. “Not only can you prevent it, but if it happens, how quickly can you respond? Do you have a plan in place? Kind of like a disaster recovery plan or a business continuity plan. It’s the same with this incident response plan.”

top

Business Must Report Data Breaches to Public, EU Says (ZDnet, 21 June 2011) - Businesses in all sectors will have to tell customers when their data has been exposed in a security breach, EU justice and rights commissioner Viviane Reding has told a gathering of bankers in London. On Monday, Reding said she will extend the breach notification obligations that already apply to telecoms and internet access companies. Such plans have been afoot for at least the last three years. “I intend to introduce a mandatory requirement to notify data security breaches - the same as I did for telecoms and internet access when I was telecoms commissioner, but this time for all sectors, including banking and financial services,” Reding said at the British Bankers’ Association’s Data Protection and Privacy Conference. In support of the proposals, Reding noted recent data thefts that have hit people using PlayStation, Google and Facebook services, saying that such breaches hurt confidence in the internet and in online services.

top

Survey: 90% of Companies Say They’ve Been Hacked (PC World, 22 June 2011) - If it sometimes appears that just about every company is getting hacked these days, that’s because they are. In a new survey ( download .pdf ) of 583 U.S companies conducted by Ponemon Research on behalf of Juniper Networks, 90% of the respondents said their companies’ computers were breached at least once by hackers over the past 12 months. Nearly 60% reported two or more breaches over the past year. More than 50% said they had little confidence of being able to stave off further attacks over the next 12 months. Those numbers are significantly higher than similar surveys and suggest that a growing number of enterprises are losing the battle to keep malicious intruders out of their networks. “We expected a majority to say they had experienced a breach,” said Johnnie Konstantas, director of product marketing at Juniper. “But to have 90% saying they had experienced at least one breach and more than 50% saying they had experienced two or more, is mind blowing,” she said. It suggests “that a breach has become almost a statistical certainty,” these days. The organizations that participated in the Ponemon survey cut across both the private sector and government and ranged from relatively small entities with less than 500 employees to enterprises with more than 75,000. The online survey was conducted over a five-day period earlier this month. Roughly half of the respondents blamed resource constraints for their security woes, while about the same number cited network complexity as the primary challenge to implementing security controls. [Editor: see discussion in MILRN 14.08 under “Senators Ask SEC for Guidance on Information Security Risk Disclosure” et al. This is becoming a huge governance issue, I think.]

top

U. of Michigan Library Opens Up Orphan Works (InsideHighedEd, 23 June 2011) - The University of Michigan Library will announce today that it will be allowing authorized library patrons to access all of its digitized “orphan works” in full. Students and guests will now be able to access online any texts they would have been able to find in the stacks, Michigan officials said in a press release. This is the latest step in Michigan’s attempts to identify and unlock the orphans—books whose copyright holders cannot be found or contacted—in its collection. The university announced last month that it is also working to identify more orphans among the millions of volumes held by HathiTrust Digital Library, a Michigan-based aggregator of university library collections. Other institutions are preparing making their own orphans available to authorized students and researchers, officials said in Wednesday’s press release. In light of a federal court’s recent rebuke of Google’s attempts to sell broad access to orphan works through its controversial Google Books Project, experts have speculated that it may be up to Congress to determine how orphans can and cannot be used. Michigan is not waiting around to open up its own orphans to authorized users, a move that it sees as covered by the “fair use” exemptions to copyright law.

top

Facebook Friend Request to Exec of Represented Corp. May Violate Ex Parte Rule, Opinion Says (ABA Journal, 23 June 2011) - A lawyer who sends a Facebook friend request to executives of a corporation he or she knows is represented by counsel in a litigation matter is violating a legal ethics rule against ex parte communications with parties, the San Diego County Bar Ethics Committee held in an advisory ethics opinion (PDF) last month. However, “nothing in our opinion addresses the discoverability of Facebook ruminations through conventional processes, either from the user-represented party or from Facebook itself,” writes the San Diego committee in its opinion. “The conclusion we reach is limited to prohibiting attorneys from gaining access to this information by asking a represented party to give him entry to the represented party’s restricted chat room, so to speak, without the consent of the party’s attorney. The evidentiary, and even the disciplinary, consequences of such conduct are beyond the scope of this opinion and the purview of this committee.” The opinion is billed in a Recorder article as the first to address the issue. But prior ethics opinions in New York and Philadelphia have focused on similar Facebook friending concerns:

Lawyers Can’t Friend Potential Witnesses Under False Pretenses, Ethics Opinion Says

Attorney Can’t Ask 3rd Party to ‘Friend’ Witness on Facebook, Opinion Says

Friending a Naive Adverse Witness for Info Could Violate Ethics Rules

[Editor: Eric Goldman’s blog also has a useful analysis of the San Diego holding: http://blog.ericgoldman.org/archives/2011/06/san_diego_count.htm]

top

What The Drake Prosecution Was Really About - IG Report Vindicates NSA Whistleblowers (Jesselyn Radack, Daily Kos, 23 June 2011) - The Department of Defense Inspector General just released a heavily redacted version of the Intelligence Audit “Requirements for the TRAILBLAZER and THINTHREAD SYSTEMS.” NSA whistleblower Tom Drake served as a critical material witness during the investigation for this report. Drake’s reward was an indictment under the Espionage Act. This Report is what the government’s case against NSA whistleblower Tom Drake was really about. Drake would have been on trial this week had the Justice Department’s case not crumbled two weeks ago in the face of negative judicial rulings and almost universally critical media coverage (chiefly inThe New Yorker and on 60 Minutes, The Washington Post, and Politico). The newly-released IG report completely vindicates Drake, and the Hotline complainants (former NSA officials J. Kirk Wiebe, Bill Binney and Ed Loomis, and former House Intelligence Committee staffer Diane Roark) who raised concerns that the National Security Agency (NSA) was trading the security of the American people for a undeveloped funding vehicle (Trailblazer) that needlessly invaded the privacy of Americans; all the while NSA rejected a viable, cheaper program (ThinThread) that contained privacy protections and was ready to deploy prior to 9/11. My organization, Government Accountability Project (GAP), represents Drake, Binney and Wiebe. [Editor: see discussion and related stories in MIRLN 14.07 about the Drake prosecution.]

top

Court Conducts In Camera Review of Plaintiff’s Facebook Page to Resolve Discovery Dispute (Eric Goldman’s blog, 24 June 2011) - Background: Discovery disputes over Facebook accounts and whether they are discoverable in civil cases are piling up. Courts and litigants continue to grapple with the central problem that even to the extent the information is properly discoverable, at least some portion of a litigant or party’s Facebook’s account deserves privacy protection and should also be protected by federal statutes such as the Stored Communications Act. On the other hand, an opposing litigant needs to get access to the Facebook profile in order to determine whether something contained in the account is relevant, in order to articulate a “likely to lead to the discovery of admissible evidence” argument. Courts have come up with interesting and mostly imperfect ways to solve this problem. In one case, a court suggested that the litigants “friend” the court so the court could review the contents of the account which would be visible to the witness’s friends. (” Judge Offers to Facebook ‘Friend’ Witnesses in Order to Resolve Discovery Dispute. “) In this case, the court conducted an in camera review of the plaintiff’s Facebook profile and determined what information was discoverable. * * * It still feels awkward that the court took the approach of actually logging in to plaintiff’s Facebook account using plaintiff’s password. Isn’t this a violation of the Facebook terms of service? There’s another issue lurking in the background of these disputes that courts will be forced to confront: can a party be forced to consent to disclosure of information that falls under the Stored Communications Act? No case has directly confronted this question, although one court has held that a party’s default and fugitive status is not consent. (See “ Being a Fugitive is Not Consent for Production under the Stored Communications Act .")

top

Lawsuit: Sony Laid Off Security Staff, Unprepared for PS3 Hacks (ArsTechnica, 24 June 2011) - A new class-action lawsuit has been filed against Sony that claims the company has been negligent with online security, leading to multiple hostile attacks and the loss of customers’ private data. The suit claims that personal information-including credit card numbers and expiration dates-were taken from Sony’s servers, and cites a number of confidential witnesses who claimed Sony’s security was inadequate. Perhaps most damning is the claim that Sony laid off employees working in security before the attacks. “Sony was more concerned about their development server being hacked rather than some consumer’s data being stolen,” according to a confidential witness quoted in the complaint. “They want to protect themselves and not the people that use their servers.” While Sony has always stressed that the company has no reason to believe credit information was compromised, the complaint treats the theft of credit card data as fact. The suit claims that Sony “spent lavishly to secure its proprietary development server containing its own sensitive information,” while not providing nearly the same level of security for the information of its customers. The suit asks for “appropriate” restitution for class members, credit-monitoring services, and “exemplary damages” if its found that Sony acted in a reckless or negligent manner.

top

Companies Are Erecting In-House Social Networks (NYT, 26 June 2011) - What would Facebook look like without photos of drunken nights out and tales of misbehaving cats? It might look a lot like the internal social network at the offices of Nikon Instruments. The tone is decidedly businesslike, as employees exchange messages about customer orders, new products and closing deals. And the general rule is that “if you don’t want your company president to see it, don’t post it,” said John G. Bivona, a customer relations manager at Nikon Instruments, which makes microscopes. As social networks increasingly dominate communications in private lives, businesses of all sizes - from tiny start-ups to midsize companies like Nikon to behemoths like Dell - are adopting them for the workplace. Although it is difficult to quantify how many companies use internal social networks, a number of corporate software companies have sensed the opportunity and offer various systems, some free to existing customers, others that charge a fee per user. It’s one more instance of how consumer technology trends, like the use of tablet computers, are crossing into office life. Because of Facebook, most people are already comfortable with the idea of “following” their colleagues. But in the business world, the connections are between colleagues, not personal friends or family, and the communications are meant to be about work matters - like team projects, production flaws and other routine business issues. At Nikon, for example, which employs 500 people in offices throughout the United States, Canada and Brazil, a code of conduct for using the service leaves little room for the idle chit-chat that is pervasive on Facebook. Still, it can be tricky to transport the mores and practices of social networking into the office. For instance, some workers prefer to be “lurkers” who read posts rather than write them. Others are just not interested. At Symantec, the computer security company, a few employees initially disliked the idea of an internal social network, but nevertheless used it to air their complaints. Another issue is how to protect corporate secrets. The systems are generally set up so that companies can determine who sees particular files and who belongs to specific groups on the network. Yet problems still arise over where the data is ultimately stored. Some social network providers use their own servers. But that may conflict with the rules of some potential clients that prohibit storing company information outside their firewall, said Susan Landry, an analyst with Gartner. [Editor: these tools dovetail with “knowledge management” processes, facilitating communities of practice and lubricating knowledge-flows. Listen to Harvard Prof. Andrew McAfee’s 2009 podcast “Enterprise 2.0: How Organizations Are Exploiting Web 2.0 Technologies and Philosophies”, available at KnowConnect.com]

top

‘Times’ Ticks On (InsideHigherEd, 28 June 2011) - The New York Times Company plans to continue its slow advance into the realm of higher education this fall. It announced today that it is teaming up with the University of Southern California to offer continuing education programs to try to tap a growing market of adults looking to pick up new skills. The new programs will comprise sequences of online courses taught by USC faculty through the Times Company’s online learning platform. While the programs will not count toward any degree, they represent the media company’s first foray into multicourse online sequences intended to confer a coherent body of knowledge. And that is yet another step toward full-fledged degree programs, which are coming, according to Felice Nudelman, the company’s executive director of education. The company is pursuing partnerships that might soon have it stamping its seal on diplomas, Nudelman says. “We intend to grow in that market,” she says. “With USC, we are excited with this first step because we are excited about the potential for further depth and collaboration.” The Times Company, which has seen its annual revenues fall by about 30 percent in the last five years, has waded into the waters of higher education more deliberately than some of its peers—most notably the Washington Post Company, which now pays for its journalism operations largely off the back of Kaplan Inc., one of the country’s largest degree-granting enterprises. But the Times’s activities in higher education have picked up in recent years. The Times Company in 2008 purchased a majority stake inEpsilen, an online learning and social networking platform. It has since teamed up with a number of colleges and universities to offer online courses in which students can earn certificates and, in some cases, transferable credits. The Times Company would not disclose how much money it has been making from its higher ed forays, but Nudelman says it has been “very happy” with the outcome so far. At a time when many institutions are entering into financial partnerships with outside education companies to help grow their online infrastructures, sometimes to the chagrin of traditional faculty, the Times is trying to position itself as an alternative to companies that offer similar services but seem like less natural allies to universities. “It is a model that we find our colleagues in the education sector to be comfortable with, and it’s a model that benefits both in terms of revenue,” says Nudelman.

top

Newsgathering Law: A Guide for Reporting (Citizen Media Law Project, 28 June 2011) - Post by David Ardia: ”I’m excited to announce the latest installment in a series of legal modules we are publishing in conjunction with Poynter’s News University. The free course, entitled Newsgathering Law & Liability: A Guide for Reporting , is designed for reporters, citizen journalists and anyone who wants to know more about the laws that relate to gathering content, interviewing sources and handling documents. It’s chock full of interactive exercises and quizzes and anyone can enroll at the NewsU site and take the course at their own pace. I co-authored the module with Geanne Rosenberg , Chair of the Department of Journalism and the Writing Professions at the City University of New York’s Baruch College. This is our second course module at NewsU. The first, entitled Online Media Law: The Basics for Bloggers and Other Publishers , went live in 2008 and—shockingly—is NewsU’s most popular legal course. Hopefully we will catch some of that magic with this one.”

top

FFIEC Releases Banking Authentication Guidance (DigitalIDNews, 29 June 2011) - The Federal Financial Institutions Examination Council released new guidance for financial institutions on online customer authentication to accounts. The council first releases guidance in 2005 recommending a risk-based approach and telling institutions to provide periodic assessments in response to new threats. The latest report reinforces those expectations. “Financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks,” the supplement states. “It establishes minimum control expectations for certain online banking activities and identifies controls that are less effective in the current environment. It also identifies certain specific minimum elements that should be part of an institution’s customer awareness and education program.” The new guidance recognizes the emergence of malware and new, more sophisticated man in the middle and man in the browser attacks. The attacks can circumvent one-time pass code tokens and the report recommends anti-malware software, transaction monitoring, out-of-band authentication and secure USB devices. Lacking from the report is any guidance on how financial institutions should do authentication on mobile devices. The FFIEC’s Guidance is here: http://images.avisian.com/Auth-ITS-Final_6-22-11_FFIEC_Formated.pdf

top

Olympic Social Media Guidelines In Full: Athlete Photos But No Video (PaidContent.org, 29 June 2011) - News media this week reported next year’s London Olympics will allow athletes to tweet from the Summer Games. In fact, that consent was contained in general guidelines applying to all social media, which were issued to athletes back in May and which themselves are a variant of guidelines issued for Vancouver 2010 and, later, the Youth Olympic Games in Lausanne… They are permissive yet notably try to protect broadcasters and sponsors. Video and audio from within venues is banned and other material must be “in a first-person, diary type format and should not be in the role of a journalist”. Athletes are forbidden from promoting their sponsors in social media. In parts, the guidelines are loose enough to potentially be contradictory. Athletes are allowed to “post still photographs” from inside venues but not to “distribute these photographs”. “Taking Facebook as an example, we would be crazy not to want to be involved in a platform that has half a billion active users - that’s one in 12 people in the world,” according to IOC communications director Mark Adams. IOC Guidelines are here: http://www.olympic.org/Documents/Games_London_2012/IOC_Social_Media_Blogging_and_Internet_Guidelines-London.pdf

top

U.S. Company Preying on Foreigners Feels the Wrath of the FTC (Steptoe’s E-Commerce Law Week, 30 June 2011) - Kryptonite may be Superman’s weakness, but it apparently has no effect on the Federal Trade Commission’s enforcement powers. The FTC recently reached a settlement with Balls of Kryptonite, a California retailer that had tricked British customers into believing that it was based in England. The enforcement action was brought under Section 5 of the FTC Act, which prohibits unfair or deceptive practices; the Undertaking Spam, Spyware, and Fraud Enforcement With Enforcers beyond Borders Act (U.S. SAFE WEB Act); and the FTC Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule). The U.S. SAFE WEB Act allows the agency to bring actions against U.S. companies that harm foreign nationals. Balls of Kryptonite was also accused of misrepresenting its participation in the EU-U.S. Safe Harbor Framework. Under the settlement, the company will be banned from using foreign website suffixes (such as “.co.uk"), and will cease certain business practices that were determined to be unfair or deceptive. Balls of Kryptonite will also be fined $500,000. The action represents the first time that the FTC has punished a company under the U.S. SAFE WEB Act for doing harm to foreign nationals.

top

Alarm Over ABA Study of Online Advertising Proves Unfounded (NLJ, 30 June 2011) - The ABA’s Commission on Ethics 20/20 caused a minor stir last fall when it launched a study into the ethics of online client development tools including Facebook. The Commission on June 29 released its conclusions, and they are hardly drastic. Rather than develop a new set of rules pertaining specifically to online advertising, the commission recommended several relatively minor clarifications to the existing rules. The point was to offer attorneys more guidance about their ethical responsibilities when it comes to online client development, according to the report submitted by the commission, which is chaired by Wilmer Cutler Pickering Hale and Dorr partner Jamie Gorelick. The commission’s Technology Working Group looked at recent surveys of how lawyers use technology, examined marketing Web sites, reviewed litigation and disciplinary proceedings involving online client development, and considered suggestions by other ABA sections. “As a result of these efforts, the commission concluded that no new restrictions on lawyer advertising are required,” the panel wrote. “For example, the commission concluded that Rule 7.1’s prohibition against false and misleading communications is readily applicable to online advertising and other forms of electronic communications that are used to attract new clients.” The relatively small scale of the proposed changes has helped ease the concerns that surfaced among legal marketers in October when the review was announced. Some marketers feared that the inquiry would lead to onerous restrictions, while others applauded the possibility that the ABA would clear up unanswered questions about what is permissible online. Massachusetts lawyer Robert Ambrogi said that the proposals strike a “sensible balance” between the need to regulate lawyer advertising and lawyers’ ability to use technology to educate consumers. [Editor: There are some areas of concern in the proposed revised rules - e.g., the requirement that disclaimers be “conspicuously placed” Comment 3 to Rule 1.18. The Commission’s Report here: http://www.americanbar.org/content/dam/aba/administrative/ethics_2020/20110629ethics202technologyclientdevelopmentinitialresolutionsandreport.authcheckdam.pdf ]

top

Talking (Exclamation) Points (NYT, 1 July 2011) - In an essay published in 1895 called “How to Tell a Story,” Mark Twain chastised writers who use “whooping exclamation-points” that reveal them laughing at their own humor, “all of which is very depressing, and makes one want to renounce joking and lead a better life.” One shudders to imagine what Twain would have made of e-mail. Writing is by definition an imperfect medium for relaying the human voice. And in the age of electronic communication, when that voice is transmitted so often via e-mail and text message, many literate and articulate people find themselves justifying the exclamation point to convey emotion, enthusiasm or excitement. Some do so guiltily, as if on a slippery slope to smiley faces. “I’ve degenerated to the point where I allow one per e-mail, but I don’t feel good about it,” said Alex Knight, a media and technology investor in Seattle. “If I use one, I will go back and delete the previous ones. It’s sort of ‘Sophie’s Choice.’ “ In their book “Send: Why People Email So Badly and How to Do It Better,” David Shipley and Will Schwalbe say that the exclamation point was originally reserved for an actual exclamation ("My goodness!” or “Good grief!") but that they have become unexpected champions of this maligned punctuation. “We call it the ur emoticon,” Mr. Schwalbe said in a recent phone conversation. “In an idealized world, we would all be able to do what our English teachers told us to do, which is to write beautiful prose where enthusiasm is conveyed by word choice and grammar.” [Editor: There’s quite a bit more here; it’s thoughtful and useful.]

top

So Sue Me: Are Lawyers Really the Key to Computer Security? (ArsTechnica, 1 July 2011) - If your code gets hacked, are you the one on the hook? In the early decades of the software industry, the answer was usually “no.” Software licenses routinely disclaimed liability, and until recently, security flaws were considered to be just another fact of life. When problems were discovered, companies were expected to fix them quickly, but they were rarely on the hook for the resulting damage. That’s changing rapidly. Recently, Sony faced a class action lawsuit for losing the private information of millions of users. And this week, it was reported that Dropbox is already being sued for a recent security breach of its own. It’s too early to know if these particular lawsuits will get anywhere, but they’re part of a growing trend. As online services become an ever more important part of the American economy, the companies that create them increasingly find that security problems are hitting them where it really hurts: the bottom line. The world in which software companies could safely treat security as an afterthought is gone-but it’s not yet clear what will replace it. Class action lawsuits and FTC enforcement actions are two possible mechanisms for getting companies to take security seriously. But there are other candidates, including prospective security audits, education, and data retention rules. The right rules will encourage companies to take security seriously, but too much regulation could unduly hamper the software development process. [Editor: Some leaders in the Intelligence Community are pointing to lawsuits-and the resulting move toward better governance-as a useful security development. Me, too.]

top

Ear! Ear! Podcast Gains Are in the Listening, Not Creating (Dennis Kennedy, 1 July 2011) - Podcasts have become a great way to get free, informative audio programs on a seemingly limitless number of topics, including legal topics. However, most lawyers are not taking full advantage of the potential of podcasts. That might be because most articles about lawyers and podcasting focus on lawyers creating their own podcasts. While podcasting might make sense for a limited number of lawyers, listening to podcasts will have value for many lawyers. In this column, we’ll focus on listening to podcasts, how to start listening to podcasts and, if you already do so, how to improve your experience.

top

Job Posting to LinkedIn Group Doesn’t Violate Non-Solicitation Clause (Eric Goldman’s blog, 3 July 2011) - Enhanced developed software, and had a relationship with Hypersonic, which modified existing software. The two companies often jointly bid on projects together. They were parties to an agreement which contained the following non-solicitation clause: “Employee Protection. During the term of this Agreement and for a period of twelve (12) months from the date of effective date of its termination, unless mutually agreed to in writing otherwise the Parties . . . shall refrain from soliciting or inducing, or attempting to solicit or induce, any employee of the other Party in any manner that may reasonably be expected to bring about the termination of said employee toward that end . . . .” Some time after Enhanced and Hypersonic unsuccessfully bid on a project, Hypersonic posted an open position for an outside sales representative to “its LinkedIn webportal” (which the court describes as “a social internet site that connects businesses and people"). An Enhanced employee saw the posting and informed the President of Hypersonic that he was interested. After this, the employee met with Hypersonic’s owner and hammered out a deal. Hypersonic then filed a complaint for declaratory relief regarding the enforceability of the agreement between Hypersonic and Enhanced. (There must have been some sabre-rattling obviously that prompted the filing of the complaint by Hypersonic.) The trial court concludes that Hypersonic did not violate the non-solicitation clause by posting the opening on LinkedIn. The appeals court affirms. The court looks to the dictionary definitions of the relevant terms ("solicit" and “induce") and concludes that Hypersonic did not solicit or induce the Enhanced employee to terminate his relationship with Enhanced: “[t]he record clearly supports that [the employee] made the initial contact with Hypersonic after reading the job posting on a publicly available portal of LinkedIn. In other words, [the employee] solicited Hypersonic.” A previous case addressing the question of whether recruiters violated their non-compete clause by “connecting” (on LinkedIn) with candidates who were in discussions with their previous employer settled quietly. Here’s Evan Brown’s initial post on the case: “ Nefarious LinkedIn use finally makes it to the courts .” Here is a copy of the stipulated permanent injunction , which imposes broad restrictions on the defendants’ solicitation of certain customers, but interestingly does not mention LinkedIn. [Editor: instant case: Enhanced Network Solutions Group v. Hypersonic Technologies Corp. , 2011 WL 2582870 (Ind. Ct. App. June 30, 2011)]

top

Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified DoD Information (BeSpacific, 4 July 2011) - “The purpose of this proposed DFARS rule is to implement adequate security measures to safeguard unclassified DoD information within contractor information systems from unauthorized access and disclosure, and to prescribe reporting to DoD with regard to certain cyberintrusion events that affect DoD information resident on or transiting through contractor unclassified information systems. This rule addresses the safeguarding requirements specified in Executive Order 13556, Controlled Unclassified Information. On-going efforts, currently being led by the National Archives and Records Administration regarding controlled unclassified information, may also require future DFARS revisions in this area. This case does not address procedures for Government sharing of cyber security threat information with industry; this issue will be addressed separately through follow-on rulemaking procedures as appropriate.” Federal Register Volume 76, Number 125 (Wednesday, June 29, 2011)

top

Unlicensed: Are Google Music and Amazon Cloud Player Illegal? (ArsTechnica, 4 July 2011) - Amazon.com made waves in March when it announced Cloud Player, a new “cloud music” service that allows users to upload their music collections for personal use. It did so without a license agreement, and the major music labels were not amused. Sony Music said it was keeping its “legal options open” as it pressured Amazon to pay up. In the following weeks, two more companies announced music services of their own. Google, which has long had a frosty relationship with the labels, followed Amazon’s lead; Google Music Beta was announced without the Big Four on board (read our first impressions). But Apple has been negotiating licenses so it can operate iCloud with the labels’ blessing. The different strategies pursued by these firms presents a puzzle. Either Apple wasted millions of dollars on licenses it doesn’t need, or Amazon and Google are vulnerable to massive copyright lawsuits. All three are sophisticated firms that employ a small army of lawyers, so it’s a bit surprising that they reached such divergent assessments of what the law requires. So how did it happen? And who’s right? [Editor: Pretty interesting piece, parsing the reverberations of the MP3 case, Cablevision’s user-dedicated remote-storage DVR service, de-duplication thinking, and possible litigation strategies of Google and Amazon.]

top

Google Loses Street View Battle, But Did It Win Wiretap War? (Steptoe’s E-Commerce Law Week, 7 July 2011) - In a recent ruling from the Northern District of California, a federal judge dismissed some claims but allowed others to proceed in a case brought against Google for alleged privacy violations in connection with its Street View program. In the class action suit, the plaintiffs brought claims against Google for violations of the wiretap portions of the federal Electronic Communications Privacy Act (ECPA) and various state laws that allegedly occurred when Google collected private information from unencrypted wireless networks while its specially outfitted cars drove through neighborhoods across the country, taking pictures for Google Street View. The court in In re Google Inc. Street View Electronic Communications Litigation allowed the plaintiffs’ ECPA claim to go forward, but dismissed their state law claim. Although most attention in the media will focus on the court’s ruling on the ECPA claim, the more consequential aspect of the ruling may be the court’s decision that ECPA preempts state wiretap statutes, and that plaintiffs therefore could not bring claims against Google for violations of those statutes. As we recently reported, most courts have found that ECPA does not preempt state law. But now that another federal court has found that ECPA does preempt state wiretap laws, more courts could follow suit. This is a big deal for communications providers that want to monitor communications for purposes of network security or behavioral advertising, for example, since some state wiretap laws are more restrictive than ECPA. It also matters for employers who want to monitor employee communications. Ultimately, the preemption question will have to be resolved by the circuit courts, the Supreme Court, or Congress.

top

NOTED PODCASTS

Joi Ito: How to Save the Internet from its Success (Radio Open Source, 7 June 2011; 28 minutes) - If the Internet dream could take human form, it might look and sound a lot like cheerful, boyish, 44-year-old Joi Ito, the new director of the fantasy factory known as the MIT Media Lab. Like the Web, he’s everywhere and nowhere - often, in fact, 30,000 feet in the air, circumnavigating the planet every couple of weeks, but wrapped always in a digital cloud of conversation and omnidirectional exploration.

top

Seth Flaxman & Paul Schreiber on a Netflix for Voting (Berkman, 24 May 2011; 61 minutes) - TurboVote is a service that makes voting by mail and voter registration as simple as renting a DVD with Netflix. Seth Flaxman - Co-Founder and Executive Director of Democracy Works (and a former Berkman Center intern) - and Paul Schreiber - one of the software engineers behind Barack Obama’s 2008 presidential campaign - talk about how, in two months for spare change, TurboVote built what the government couldn’t do for any price, and discuss the project’s legal, technical and philosophical issues.

top

RESOURCES

Know Your Rights! (EFF, June 2011) - Your computer, your phone, and your other digital devices hold vast amounts of personal in- formation about you and your family. This is sensitive data that’s worth protecting from prying eyes - including those of the government. The Fourth Amendment to the Constitution protects you from unreasonable government searches and seizures, and this protection extends to your computer and portable devices. But how does this work in the real world? What should you do if the police or other law enforcement officers show up at your door and want to search your computer? EFF has designed this guide to help you understand your rights if officers try to search the data stored on your computer or portable electronic device, or seize it for further examination somewhere else.

top

LOOKING BACK - MIRLN TEN YEARS AGO

THE CHANGING MOVIE RENTAL BUSINESS In the four years since movies in digital video disk (DVD) format have been on the market, the VHS rental business has been stagnant. DVD sales have outpaced rental revenue by more than four to one in total dollars, and in a dramatic shift in video economics many movie studios are now selling their DVDs to Wal-Mart, Target, and other retailers for approximately the same price they charge a rental chain such as block buster. Warner Home Video president Warren Lieberfarb says, “We are trying to drive this to be a mass distributed, high-volume impulse purchase, like a trade softback or paperback book. Ultimately, DVDs will be distributed as ubiquitously as paperback books.” Lieberfarb predicts that the lower prices of DVD movies means that “Blockbuster is finished,” but Blockbuster chairman John Antioco disagrees: “DVD sales will never replace rentals. If Warner lowers the price, that will be the best news I have heard in a long time. We can lower our price somewhat to the renter and our margins would improve.” (New York Times 16 Apr 2001) http://www.nytimes.com/2001/04/16/business/16DISC.html

top

CAR SPY PUSHES PRIVACY LIMIT (ZDNET News, 20 June 2001)—Car renters beware: Big Brother may be riding shotgun. In a case that could help set the bar for the amount of privacy drivers of rental cars can expect, a Connecticut man is suing a local rental company, Acme Rent-a-Car, after it used GPS (Global Positioning System) technology to track him and then fined him $450 for speeding three times. The case underscores the ways that new technologies can invade people’s privacy, said Richard Smith, chief technologist at the not-for-profit Privacy Foundation. “Soon our cell phones will be tracking us,” he said. “GPS could be one more on the checklist here. Frankly, giving out speeding tickets is the job of the police, not of private industry.” http://www.zdnet.com/zdnn/stories/news/0,4586,2778752,00.html

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN) with the word “MIRLN” in the subject line. Unsubscribe by sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites,

4. NewsScan and Innovation, http://www.newsscan.com

5. BNA’s Internet Law News, http://ecommercecenter.bna.com

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood’s Technology & Business Articles of Note

8. Steptoe & Johnson’s E-Commerce Law Week

9. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top