MIRLN --- 25 Sept - 15 Oct 2016 (v19.14)
- HP inkjet printers refuse to accept third-party ink cartridges after stealth firmware update
- HP blinked! Let’s keep the pressure on!
- Microsoft’s new datacenters aim to put customer data beyond the reach of US snooping
- ABA launches free virtual legal advice clinic
- Four states expanded employer data breach notification obligations in 2016
- Cybersecurity disclosures: not happening much in SEC filings
- Father sues for copyright infringement after live-streaming baby’s birth
- Should you call in the feds after a cyber breach?
- Florida is 25th state to adopt duty of technology competence
- Florida becomes first state to mandate tech CLE
- 10 Questions: Raj De’s career has taken him from 9/11 Commission to White House to NSA
- J&J warns diabetic patients: Insulin pump vulnerable to hacking
- New York to test facial recognition cameras at ‘crossing points’
- Remotely accessing an IP address inside a target computer is a search
- Feds convinced police to use license plate-scanning tech at gun shows
- Police use surveillance tool to scan social media, ACLU says
- Most Comcast customers now have a 1TB home internet data cap
- Clearing up the fog of cloud service agreements
- Aon announces agreement to acquire risk management firm, Stroz Friedberg
- Comcast in middle of Oregon fight over taxes and censorship
- Facebook helped drive a voter registration surge, election officials say
- Signal is a free, secure, easy-to-use client communication tool
- HHS imposes $400k fine for outdated BAA
HP inkjet printers refuse to accept third-party ink cartridges after stealth firmware update (Extreme Tech, 20 Sept 2016) - The inkjet printer market has been a ridiculously profitable racket for HP and its ilk for decades, and manufacturers have fought tooth and nail to keep it that way. HP launched the latest salvo in this effort earlier this month, when a six-month-old firmware update suddenly kicked in and locked out third-party ink cartridges. Multiple models in HP’s OfficeJet, OfficeJet Pro, and OfficeJet Pro X lines were affected, even though none of these models had seen a firmware update in the past six months. The consensus is that HP baked this behavior into the March 2016 update it released, but told no one it was coming. This ensured more people would adopt the firmware and report that it worked without incident. In a statement to the BBC, HP noted that some devices had been updated with this functionality via firmware, while others had shipped with the necessary chips and capabilities from Day 1. “The purpose of this update is to protect HP’s innovations and intellectual property,” HP said in a statement. “In many cases, this functionality was installed in the HP printer and in some cases it has been implemented as part of an update to the printer’s firmware.” Dutch ink cartridge manufacturer 123inkt noted it had received more than 1,000 complaints in a single day as a result of its cartridges suddenly failing to work in HP hardware. Refilled cartridges with an HP security chip should still function, though this requires that the user still purchase an original set of HP cartridges at significantly higher prices.
- and -
HP blinked! Let’s keep the pressure on! (BoingBoing, 3 Oct 2016) - Only three days after EFF’s open letter to HP over the company’s deployment of a stealth “security update” that caused its printers to reject third-party cartridges, the company issued an apology promising to let customers optionally install another update to unbreak their printers. That’s good for starters, but it’s a long way from making up for one of the most egregious abuses of a security update in recent memory. With HP on the run, it’s time to push for real, meaningful reassurances and remedies about this bad conduct—not just to make sure HP does right by its customers, but also to put other companies on notice about the kind of drubbing they can expect if they follow HP’s lead. EFF’s open letter has more than 10,000 signatures, and there’s more flooding in as I type these words. If you haven’t signed the letter, please do—and then tell your friends. Even if you don’t have an HP printer, we all share the same internet with tens of millions of these things, and the last thing we can afford is for HP to be giving its customers reasons not to run security updates, especially as these kinds of devices are being hijacked to perform unprecedented attacks on the net. * * *
Microsoft’s new datacenters aim to put customer data beyond the reach of US snooping (ZDnet, 21 Sept 2016) - Microsoft has started offering its Azure cloud services from two new German datacenters, which have been set up to make it much harder for US authorities—and others—to demand access to the customer data stored there. Microsoft Cloud Germany is different from the company’s existing European cloud services: the customer data in the datacenters is under the control of a “data trustee”, T-Systems International, which is an independent German company and subsidiary of Deutsche Telekom. Microsoft’s cloud and enterprise corporate vice president Takeshi Numoto described the new datacenters as a “first-of-its-kind model”. Microsoft cannot access data at the sites without the permission of customers or the data trustee—and if permission is granted by the latter, the company can only do so under its supervision.
ABA launches free virtual legal advice clinic (ABA Journal, 22 Sept 2016) - The ABA has unveiled a free Q&A-style program to allow income-eligible users to ask civil law-related questions of pro bono attorneys. The ABA formally launched ABAFreeLegalAnswers.org on Thursday. According to a press release, the site will function as a virtual legal advice clinic that will serve low-income individuals and communities. The service will also help lawyers by giving them a more convenient, flexible option for performing pro bono work. Free Legal Answers is currently available in eight states - Connecticut, Louisiana, Mississippi, New York, Oklahoma, Tennessee, Virginia and Wyoming - and the ABA hopes to expand the service to a majority of the country by the end of the year. “Free Legal Answers is a no-cost, online version of the walk-in clinic model where clients request brief advice and counsel about a specific civil legal issue from a volunteer lawyer,” ABA President Linda Klein said in the press release. “It is an important part of the ABA’s efforts to expand access to legal services to low-income communities. With our partner states, the program also provides significant pro bono opportunities for lawyers. It’s a real win-win.” Free Legal Answers has existed, in some form, in Tennessee for six years, the press release stated. Meanwhile, Virginia recently implemented a similar service and received interest from over 170 lawyers across the state. According to the press release, Free Legal Answers will share some features with these existing programs. The ABA Standing Committee on Pro Bono and Public Service created Free Legal Answers, while software developers at Baker, Donelson, Bearman, Caldwell & Berkowitz built the website. Baker Donelson, alongside another law firm, Nelson Mullins Riley & Scarborough, will provide support for the initiative, along with companies from other industries such as AT&T, FedEx, International Paper, Pilot Travel Centers and Wal-Mart, as well as the ABA sections on Business Law and Litigation.
Four states expanded employer data breach notification obligations in 2016 (Littler, 23 Sept 2016) - With over 680 security breaches reported so far in 2016, more employers are being forced to confront the issue of how to respond to a breach. All states except Alabama, North Dakota and New Mexico now require notification when information commonly maintained by employers, such as Social Security numbers and driver’s license numbers, is compromised. While many of these breach notification laws were initially modeled after California’s pioneering 2002 breach notification statute, more and more states are amending their notice laws in different ways, increasing the complexity of security incident response for multi-state employers. Following on amendments by eight states in 2015, four states (Illinois, Tennessee, California, and Nebraska) reinforced their data breach notification statutes in 2016. For employers, the net impact of these amendments is an increased number of circumstances in which they must inform employees, customers, or other state residents whose personal information has been compromised (and, in some cases, the state’s attorney general) of a data breach. The following Insight highlights the key amendments to these laws in Illinois, Tennessee, California and Nebraska, of which employers should be aware. * * * In March, Tennessee made its data breach notification law the strictest in the country by requiring Tennessee residents to be informed of a data breach, regardless of whether the compromised information is encrypted. Effective July 1, 2016, the Tennessee Code now defines a breach as any “unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.” Personal information is defined as an individual’s first name or first initial and last name, in combination with the individual’s: (1) Social Security number (SSN); (2) driver’s license number; or (3) information that would permit access to a financial account. Prior to this amendment, Tennessee, like all other states with data breach laws, required notification of a data breach only if the compromised personal information was unencrypted. Tennessee is now the only state in the country that requires notification of a breach of encrypted personal information. * * *
Cybersecurity disclosures: not happening much in SEC filings (Corporate Counsel, 27 Sept 2016) - Here’s an excerpt from this “D&O Diary Blog” post about how few companies are disclosing cybersecurity and data breach incidents in their SEC filings (which could be a concern for investors - and for D&O underwriters): According to a September 19, 2016 Wall Street Journal article entitled “Corporate Judgment Call: When to Disclose You’ve Been Hacked,” notwithstanding the long-standing SEC disclosure guidelines, companies are being hacked more frequently but are not disclosing these incidents in their periodic reports to the SEC. The article cites a recent Audit Analytics report, in which the firm reviewed the filings of nearly 9,000 reporting companies during the period January 2010 to the present. The report found that only 95 of these companies had informed the SEC of a data breach. However, according to the Privacy Rights Clearinghouse, the number of data breaches during that period experienced by all U.S. businesses - including both public and private companies - totaled 2,642. The most important consideration accounting for this apparent discrepancy is the question of “materiality.” If a company believes that the incident or incidents it experienced are not “material” within the relevant reporting obligation standards, then, as many companies are apparently concluding, it has no obligation to report the incident. Significantly, while only a small number of companies have reported cyber incidents in their periodic reports, a greater number are reporting data breaches and other incidents to other regulators. The Journal article cites the Audit Analytics report as stating that about 300 publicly traded U.S. companies have reported cybersecurity incidents to a state regulator or directly to affected consumers over the past six years. Obviously, whether or not any potentially reportable item is “material” and therefore subject to disclosure is a judgment call of a type that corporate officials have long been called upon to make. The concern is that these types of judgment calls can be subject to hindsight scrutiny. In that regard, it is probably worth noting that to date the SEC has not brought a regulatory enforcement action against a company that failed to disclose a cyber incident - but, the Journal article notes, SEC officials “have not ruled out doing so.”
Father sues for copyright infringement after live-streaming baby’s birth (Mandour & Associates, 29 Sept 2016) - It seems each day more people are willing to share ever more personal things on the Internet. Along these lines, in May of this year Kali Kanongataa, a California resident, used Facebook to live stream his wife giving birth. After portions of the live stream ended up on television and were publicized on the Internet, he sued ABC and Yahoo for allegedly infringing his copyright by displaying the video. The day after the live stream, ABC’s “Good Morning America” ran a short segment about the live stream and showed a brief excerpt from the video uploaded by Mr. Kanongataa, which has been widely viewed online since the airing. The clip also appeared on Yahoo, which has a partnership with ABC. Mr. Kanongataa explained to People magazine that he has family on the Polynesian island of Tonga and that by using Facebook Live he was hoping to easily share the birth of his son with them and other family members who were not able to be present. He said he never expected it to be seen by the public at large. “There’s a lot of negative stuff on Facebook and so I thought this would be positive,” he reportedly told People magazine in May. He alleges in a complaint filed in federal court in Manhattan that “Good Morning America” and Yahoo never obtained his permission to show the video, which he registered with the U.S. Copyright Office. “Defendants infringed plaintiff’s copyright in the video by reproducing and publicly displaying the video on the GMA Website, Yahoo Website, and on GMA,” he alleges in the complaint filed Thursday.
Should you call in the feds after a cyber breach? (PropertyCasualty360.com, 30 Sept 2016) - After a business is affected by a cyber breach, any number of decisions need to be made for the well-being of the company, its customers and other stakeholders. One of the major questions for many companies is whether to involve the authorities, and there are several considerations surrounding this action. Bryan Rose, managing director with the New York City-based business consulting firm Stroz Friedberg, told an audience at ALM’s cyberSecure conference in New York City this week that a company must consider whether reporting the breach to the government will hurt or benefit the company in any way. “There are benefits to reporting to law enforcement, but it depends on the company,” Rose said, adding that the company will likely be viewed as a victim of the breach. “They (the FBI and Secret Service) are dealing with national security, and will make decisions based on that perspective.” Nicole Friedlander, special counsel at the New York City law firm of Sullivan & Cromwell LLP, said that other considerations around reporting the breach include the type of information affected (such as personally identifiable information or personal health information), and whether the breach will generally affect public health or safety. Richard Jacobs, assistant special agent in charge of the cyber branch in New York for the FBI, said the bureau would like to be notified any time a company suffers a breach. “We would like a phone call,” he said. “Your breach might be connected to a dozen others and help us paint a picture of the criminals. The FBI’s role is to get the bad guys out from behind the keyboard and into jail. If we don’t neutralize those responsible, they will come back and attack again and again.” [ Polley : There are other important considerations, too. This is a tricky area.]
Florida is 25th state to adopt duty of technology competence (Bob Ambrogi, 30 Sept 2016) - Just last week, I reported that Oklahoma had adopted the duty of technology competence for lawyers, becoming the 24th state on my ongoing tally of states that have adopted the ABA Model Rule. Now there is another. Yesterday, the Supreme Court of Florida ordered adoption of the duty of tech competence for that state, effective Jan. 1, 2017. From the court’s order: The comment to rule 4-1.1 (Competence) is amended to add language providing that competent representation may involve a lawyer’s association with, or retention of, a non-lawyer advisor with established technological competence in the relevant field. Competent representation may also entail safeguarding confidential information related to the representation, including electronic transmission and communications. Additionally, we add language to the comment providing that, in order to maintain the requisite knowledge and skill, a lawyer should engage in continuing study and education, including an understanding of the risks and benefits associated with the use of technology. In adopting the rule, the Supreme Court went farther than other states have done, adding two separate comments pertaining to technology competence. One is based on the ABA Model Rule on maintaining competence, but varies slightly: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, engage in continuing study and education, including an understanding of the benefits and risks associated with the use of technology, and comply with all continuing legal education requirements to which the lawyer is subject. (Emphasis added.) The language is the same as the ABA rule except for the addition of the words “an understanding of.” I’ll leave it to scholars to debate why the court added those three words and what their significance may be. In addition, the Supreme Court added language that other states’ rules do not have: Competent representation may also involve the association or retention of a non-lawyer advisor of established technological competence in the field in question. Competent representation also involves safeguarding confidential information relating to the representation, including, but not limited to, electronic transmissions and communications.
- and -
Florida becomes first state to mandate tech CLE (Bob Ambrogi, 3 Oct 2016) - Talk about burying the lede. On Friday, I reported that Florida had become the 25th state to adopt the duty of technology competence for lawyers. That was notable news, for sure, but I skipped over the even-bigger story - the same rule change also made Florida the first state to mandate technology CLE for lawyers. The rule change, ordered by the Supreme Court of Florida on Thursday, added a requirement that Florida lawyers must complete three hours of CLE every three years “in approved technology programs.” The rule raises the state’s minimum credit hours from 30 to 33 to accommodate the tech requirement.
10 Questions: Raj De’s career has taken him from 9/11 Commission to White House to NSA (ABA Journal, 1 Oct 2016) - Nearly 20 years ago, a young Harvard Law School student named Raj De sat in his mentor’s office and explained why he’d decided to bypass BigLaw for the Department of Justice. The older lawyer understood completely. “You should always go where the action is,” he counseled. De took this advice-and then some. Leadership roles at the DOJ? Check. 9/11 Commission? He was a part of it, serving as counsel and contributing to its historic final report. U.S. Senate? Check that off, too: De was counsel to the committee charged with drafting and implementing intelligence reform legislation. Then came two dizzyingly busy years at the White House, where De worked directly with President Barack Obama as staff secretary. The follow-up? Three years as general counsel to the National Security Agency, where he helped steer the agency through perhaps its biggest crisis-the leak of countless classified documents by former contractor Edward Snowden. De left the NSA last March for the private sector, returning to the Washington, D.C., office of Mayer Brown-the law firm where he was a partner before working with the NSA-to direct the firm’s global cybersecurity and data privacy practice. * * * [ Polley : interesting Q&A]
J&J warns diabetic patients: Insulin pump vulnerable to hacking (Reuters, 4 Oct 2016) - Johnson & Johnson is telling patients that it has learned of a security vulnerability in one of its insulin pumps that a hacker could exploit to overdose diabetic patients with insulin, though it describes the risk as low. Medical device experts said they believe it was the first time a manufacturer had issued such a warning to patients about a cyber vulnerability, a hot topic in the industry following revelations last month about possible bugs in pacemakers and defibrillators. “The probability of unauthorized access to the OneTouch Ping system is extremely low,” the company said in letters sent on Monday to doctors and about 114,000 patients who use the device in the United States and Canada. “It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network.” The Animas OneTouch Ping, which was launched in 2008, is sold with a wireless remote control that patients can use to order the pump to dose insulin so that they do not need access to the device itself, which is typically worn under clothing and can be awkward to reach. Jay Radcliffe, a diabetic and researcher with cyber security firm Rapid7 Inc, said he had identified ways for a hacker to spoof communications between the remote control and the OneTouch Ping insulin pump, potentially forcing it to deliver unauthorized insulin injections. The system is vulnerable because those communications are not encrypted, or scrambled, to prevent hackers from gaining access to the device, said Radcliffe, who reported vulnerabilities in the pump to J&J in April and published them on the Rapid7 blog on Tuesday.
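The weakness Radcliffe describes is not mainly about secrecy of the dose value; it is that a pump which accepts any well-formed radio frame will act on a frame transmitted by anyone in range, and a pump with no replay protection will act on a captured frame twice. The toy protocol below is an added example written for this page; it is not the OneTouch Ping’s actual frame format, pairing scheme or code, and the frame layouts, pump id and pairing key are invented. It puts an unauthenticated dose command next to one protected by a shared-key HMAC and a strictly increasing counter, and shows which forged, replayed and tampered frames each pump accepts.

```python
"""Toy remote-to-pump dose protocol: unauthenticated vs. authenticated.

Everything here is illustrative. The frame layouts, pump id and key are
constructed for the example and are not the real OneTouch Ping protocol.
"""
import hashlib
import hmac
import struct

PLAIN_FMT = ">IH"       # pump_id (u32), dose in hundredths of a unit (u16)
AUTH_BODY_FMT = ">IIH"  # pump_id (u32), counter (u32), dose (u16)
TAG_LEN = 16            # truncated HMAC-SHA256 tag appended to the body


class PlainPump:
    """Pump that acts on any well-formed frame carrying its own id.

    Anyone who can receive the link learns pump_id, and anyone who can
    transmit can then order a dose. A captured legitimate frame also
    works unchanged when sent again.
    """

    def __init__(self, pump_id):
        self.pump_id = pump_id
        self.delivered = []  # doses the pump would have administered

    def receive(self, frame):
        if len(frame) != struct.calcsize(PLAIN_FMT):
            return False
        pump_id, dose = struct.unpack(PLAIN_FMT, frame)
        if pump_id != self.pump_id:
            return False
        self.delivered.append(dose)
        return True


def plain_command(pump_id, dose):
    """Build an unauthenticated dose frame (what the attacker can forge)."""
    return struct.pack(PLAIN_FMT, pump_id, dose)


class AuthPump:
    """Pump that requires a keyed MAC over the frame and a fresh counter.

    The MAC (checked in constant time) rejects frames from anyone without
    the pairing key and any modified frame; the strictly increasing counter
    rejects a replayed frame even though its MAC is valid.
    """

    def __init__(self, pump_id, key):
        self.pump_id = pump_id
        self.key = key
        self.last_counter = 0
        self.delivered = []

    def receive(self, frame):
        body_len = struct.calcsize(AUTH_BODY_FMT)
        if len(frame) != body_len + TAG_LEN:
            return False
        body, tag = frame[:body_len], frame[body_len:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False
        pump_id, counter, dose = struct.unpack(AUTH_BODY_FMT, body)
        if pump_id != self.pump_id or counter <= self.last_counter:
            return False
        self.last_counter = counter
        self.delivered.append(dose)
        return True


def auth_command(key, pump_id, counter, dose):
    """Build an authenticated dose frame: body || HMAC-SHA256(key, body)[:16]."""
    body = struct.pack(AUTH_BODY_FMT, pump_id, counter, dose)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def demo():
    """Run the same attacker moves against both pump designs."""
    pump_id = 0x2A7B1C3D          # constructed value observed on the air
    key = b"\x11" * 32            # constructed pairing key held by remote and pump
    attacker_key = b"\x00" * 32   # attacker's guess; not the real key
    results = {}

    # Unauthenticated design: a forged 25.00-unit bolus is simply accepted.
    plain = PlainPump(pump_id)
    results["plain_forged_accepted"] = plain.receive(plain_command(pump_id, 2500))

    # Authenticated design.
    pump = AuthPump(pump_id, key)
    legit = auth_command(key, pump_id, 1, 150)            # remote sends 1.50 units
    results["auth_legit_accepted"] = pump.receive(legit)
    results["auth_replay_rejected"] = not pump.receive(legit)   # same frame again
    forged = auth_command(attacker_key, pump_id, 2, 2500)       # wrong key
    results["auth_forged_rejected"] = not pump.receive(forged)
    tampered = bytearray(legit)                                 # captured frame,
    struct.pack_into(">H", tampered, 8, 2500)                   # dose field rewritten
    results["auth_tampered_rejected"] = not pump.receive(bytes(tampered))
    results["auth_next_accepted"] = pump.receive(auth_command(key, pump_id, 2, 150))
    results["auth_delivered"] = list(pump.delivered)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The MAC gives origin authentication and integrity, which is what stops spoofing; it does not hide the dose value, so a design that also needs confidentiality would use an authenticated-encryption mode rather than a bare MAC. In a real device the pairing key must be provisioned securely and the counter must survive power loss, or the pump would accept a replay after a battery change.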
New York to test facial recognition cameras at ‘crossing points’ (Vocativ, 6 Oct 2016) - New York will soon test facial recognition technology around Manhattan. In a 35-minute speech detailing a landmark $100 billion investment into state infrastructure, largely focused on New York City and Long Island, Governor Andrew Cuomo made a number of promises that would thrill New Yorkers, like the promise of a renovated Penn Station, called Penn-Farley, a direct train from there to LaGuardia Airport, and the completion of the long-awaited Second Avenue Line. Oh, and facial recognition cameras around the city, he said: “At each crossing, and at structurally sensitive points on bridges and tunnels, advanced cameras and sensors will be installed to read license plates and test emerging facial recognition software and equipment.” “We’re going to be using this in Penn-Farley and we also want to be testing it in bridges and crossings system,” he added. On the matter of facial recognition cameras, Cuomo was shy on details. It’s unclear how many cameras will be deployed, which agencies will have access to them, what defines a crossing, how citizens’ photos will be stored, and what photo databases will be used to compare against the faces of the millions of people who drive into the city. In his speech, Cuomo referenced the cameras as necessary for New York to adapt to 21st century security threats. “In this age of terrorist activity and lone wolves, if you look at points of vulnerability you’ll go to our tunnels and to our bridges. So really they have to be reimagined for a new reality,” he said.
- and -
Remotely accessing an IP address inside a target computer is a search (Orin Kerr, 7 Oct 2016) - Last week, I wrote a post on the Playpen warrant currently being litigated in federal courts around the country. My post included a section, “Retrieving IP Addresses is Clearly a Search,” that said the following: A significant amount of media attention about the Playpen cases has focused on a curious argument. A minority of the judges have held that the Playpen searches were constitutional because they weren’t searches at all. According to this argument, a person has no Fourth Amendment rights in IP addresses. Because the most important information obtained by the NIT was IP addresses, use of the NIT was not a search and no Fourth Amendment rights were violated. As far as I can tell, the government has not actually made this argument. Rather, it is a position introduced by one judge and then adopted by some others. This argument is clearly wrong, though. Individuals have Fourth Amendment rights in information stored inside their computers unless they voluntarily share the information. A person using Tor has not voluntarily shared his IP address with the websites he visits. Indeed, the absence of voluntarily sharing is precisely what led the government to surreptitiously obtain the information using the NIT. Given that a Tor user has not voluntarily shared his IP address, it doesn’t matter that obtaining an IP address from a third party or a visited website would not be a search in other circumstances that did involve voluntarily sharing. Put another way, it’s the way of obtaining information that makes the act a search, not the information itself in the abstract. This point is obvious in the physical world. See Arizona v. Hicks, 480 U.S. 321, 325 (1987) ("A search is a search, even if it happens to disclose nothing but the bottom of a turntable."). It should be equally obvious with computers.
If the police want to read today’s newspaper, they can’t break into my house and open my desk drawer to find my copy without committing a search. The fact that they could have read the newspaper by finding a copy in public doesn’t mean they can break into my house to read mine. Similarly, the fact that IP addresses may be available without searching a target in some cases doesn’t mean they can break into his computer to find the IP address without committing a search. Here’s a follow-up. First, several readers pointed out that the government actually has made this argument. You can read the government’s argument here in the Michaud case (pages 6-7) and here in the Lemus case (pages 8-12). My apologies for the misstatement, and thanks to reader Jonathan Mayer for sending on the briefs. Second, some readers argued that a Tor user loses a reasonable expectation of privacy in IP addresses because the user must disclose his true IP address to Tor. This is essentially the argument the government (briefly) makes in Michaud: By using Tor, you are sending your IP address to Tor, which is ultimately hosted by “an unknowable collection of strangers” who are running Tor exit nodes. You have put out your IP address to lots of people, which means that you have no expectation of privacy in it. That argument doesn’t work. Fourth Amendment law regulates how the government learns information, not what information it learns. * * *
- and -
Feds convinced police to use license plate-scanning tech at gun shows (SlashDot, 8 Oct 2016) - Long-time Slashdot reader SonicSpike quotes the Wall Street Journal: Federal agents have persuaded police officers to scan license plates to gather information about gun-show customers , government emails show, raising questions about how officials monitor constitutionally protected activity. Emails reviewed by The Wall Street Journal show agents with the Immigration and Customs Enforcement agency crafted a plan in 2010 to use license-plate readers—devices that record the plate numbers of all passing cars—at gun shows in Southern California, including one in Del Mar, not far from the Mexican border. Agents then compared that information to cars that crossed the border, hoping to find gun smugglers, according to the documents and interviews with law-enforcement officials with knowledge of the operation… [T]he officials didn’t rule out that such surveillance may have happened elsewhere. The agency has no written policy on its use of license-plate readers and could engage in similar surveillance in the future, they said. Jay Stanley, a lawyer at the American Civil Liberties Union, said the gun-show surveillance “highlights the problem with mass collection of data.” He said law enforcement can take two entirely legal activities, like buying guns and crossing the border, “and because those two activities in concert fit somebody’s idea of a crime, a person becomes inherently suspicious.”
- and -
Police use surveillance tool to scan social media, ACLU says (NYT, 11 Oct 2016) - A Chicago company has marketed a tool using text, photos and videos gleaned from major social media companies to aid law enforcement surveillance of protesters, civil liberties activists say. The company, called Geofeedia, used data from Facebook, Twitter and Instagram, as well as nine other social media networks, to let users search for social media content in a specific location, as opposed to searching by words or hashtags that would be less likely to reveal an exact location. Geofeedia marketed its abilities to law enforcement agencies and has signed up more than 500 such clients, according to an email obtained by the American Civil Liberties Union. In one document posted by the organization, as part of a report released on Tuesday, the company appears to point to how officials in Baltimore, with Geofeedia’s help, were able to monitor and respond to the violent protests that broke out after Freddie Gray died in police custody in April 2015. Geofeedia appears to have used programs that Facebook, Twitter and other social media companies offered that allow app makers or advertising companies to create third-party tools, like ways for publishers to see where their stories are being shared on social media. Facebook, Twitter and Instagram say they have cut off Geofeedia’s access to their information. But civil liberties advocates criticized the companies for lax oversight and challenged them to create better mechanisms to monitor how their data is being used.
Most Comcast customers now have a 1TB home internet data cap (The Verge, 6 Oct 2016) - Comcast’s home internet data caps are going live for a majority of customers starting November 1st, the company announced today. Called the “Xfinity Terabyte Internet Data Usage Plan,” the cap restricts the amount of data you consume in your home to 1TB per month regardless of the speed of your plan. Comcast claims 99 percent of customers use less than 1TB per month, but it does now offer an unlimited option for $50 more per month. Back in April, Comcast bumped its data cap from 300GB to 1TB after consumer backlash and renewed regulatory concern from the FCC. Until today, the plan had been active in select markets in 16 states. Starting November 1st, the list will add 18 new markets, bringing the total number of states with the terabyte data cap to around 30. Notable exceptions include New York and nearly the entire northeast. For a full list of included markets, check Comcast’s online FAQ. Comcast says it will never throttle customers who go over the cap, but it will automatically add 50GB to your plan at a cost of $10. The company will continue to charge you $10 per 50GB increment up to $200 a month. To notify customers, the company will use in-browser, email, and text notifications starting at the 50 percent point, and a usage meter is available on your online account. Comcast says customers will get two grace months every year, meaning you won’t be charged unless you exceed the cap a third time in any given 12-month period.
Clearing up the fog of cloud service agreements (LinkedIn post by Dan Solove, 10 Oct 2016) - Contracting with cloud service providers has long been a world shrouded in fog. Across various organizations, cloud service agreements (CSAs) are all over the place, and many people entering into these contracts have no idea what provisions they should have to protect their data. According to a recent survey by Forrester Research, “cloud agreements are often missing key considerations.” In the survey of 467 small and medium-sized businesses and government entities, 48% said that they wished they had included more security requirements in their CSAs and 41% said they wished they had included more requirements to protect privacy. The Forrester survey involves more sophisticated actors who already realize that something might be missing from their CSAs. There are many out there who don’t even know what might be missing and who think their CSAs are just fine when, in fact, their CSAs are woefully inadequate. Significant guidance is needed to improve this landscape and bring more order to the chaos. Fortunately, a new standard, ISO/IEC 19086, provides this much-needed guidance. * * *
Aon announces agreement to acquire risk management firm, Stroz Friedberg (AON, 11 Oct 2016) - As the complexity and severity of cyber risk continues to expand, threatening organizations across all industries, Aon Risk Solutions, the global risk management business of Aon plc, today announced it has entered into an agreement to acquire all of Stroz Friedberg Inc., a leading global risk management firm based in New York City, with offices across the U.S. and in London, Zurich, Dubai and Hong Kong. Financial terms were not disclosed and the acquisition is subject to customary closing conditions. The combination of Aon and Stroz Friedberg will extend Aon’s industry-leading position in cyber risk brokerage and creates a comprehensive Cyber Risk Management Advisory Group with distinct client value, including standards-based cyber assessments and industry-leading risk transfer solutions. Integrating Stroz Friedberg’s cyber security governance and advisory services, including its penetration testing, incident response, digital forensics, eDiscovery and due diligence capabilities, will position Aon as the global leader in cyber risk management.
Comcast in middle of Oregon fight over taxes and censorship (The Hill, 11 Oct 2016) - Comcast has blocked versions of an advertisement backing a hike in Oregon’s corporate tax, which the cable giant opposes, from appearing on its video-on-demand service. The versions that raised red flags specifically mention Comcast as one of the out-of-state corporations that would have to pay higher taxes as a result of Measure 97, which would raise income taxes on corporations across the state. New versions of all three advertisements initially flagged by Comcast are back on air and do not mention the cable giant, but the initial decision has rankled supporters of the tax.
- and -
Facebook helped drive a voter registration surge, election officials say (NYT, 12 Oct 2016) - A 17-word Facebook reminder contributed to substantial increases in online voter registration across the country, according to top election officials. At least nine secretaries of state have credited the social network’s voter registration reminder, displayed for four days in September, with boosting sign-ups, in some cases by considerable amounts. Data from nine other states show that registrations rose drastically on the first day of the campaign compared with the day before. In California, 123,279 people registered to vote or updated their registrations on Friday, Sept. 23, the first day that Facebook users were presented with the reminder. That was the fourth-highest daily total in the history of the state’s online registration site. Indiana similarly recorded its third-highest daily online registration total ever. Minnesota, meanwhile, broke its record for the most online voter registrations in a single week, thanks at least in part to the Facebook campaign, which continued through Monday, Sept. 26. Those were among the nine states where election administrators extolled the social network in official statements. In nine others, online registration rose as Facebook began its effort, according to a review of data collected by the nonprofit Center for Election Innovation & Research. In those states, registration increased anywhere from two- to 23-fold on the first day the reminder went up, compared with the previous day. Facebook’s effort is notable not just for boosting voter registration, but also for the kinds of voters it may have helped to enlist. While Facebook could not provide demographic breakdowns of the users who registered, the social network is more popular among female internet users than male users, and the same is true for young users compared with older users, according to 2015 data from the Pew Research Center.
Signal is a free, secure, easy-to-use client communication tool (Lawyerist, 12 Oct 2016) - Lawyers need a way to communicate securely with clients, if not about everything, then about especially sensitive matters. It’s just too easy for a spouse, coworker, employer, or malicious hacker to intercept email. If you don’t have one or you have had trouble getting clients to use your existing communication portal, try Signal. Signal is a free messaging app for iPhone and Android. If you’ve texted or used iMessage, Hangouts, Facebook Messenger, WhatsApp, or any of a dozen other messaging utilities, you know what it’s like. Everyone knows how to install apps, and everyone knows how to use messaging apps. Like most messaging apps now do, Signal also supports voice calls. Signal is pretty similar to other messaging apps, with one big difference: Signal uses zero-knowledge, end-to-end encryption so that nobody outside the conversation, the service provider included, can read your messages. * * * [Polley: This is how I use Signal - for secure key/password distribution. See also, This app [Signal] promises privacy through encrypted messaging, but a U.S. subpoena puts it to test (LA Times, 4 Oct 2016), and Facebook rolls out opt-in encryption for ‘secret’ Messenger chats (ZDnet, 5 Oct 2016)]
HHS imposes $400k fine for outdated BAA (Steptoe, 13 Oct 2016) - Last month, Care New England Health System (CNE) settled with the Department of Health and Human Services (HHS) on behalf of the covered entities under its common ownership or control related to alleged violations of HIPAA and agreed to pay a $400,000 penalty. The allegations stem from the business associate agreement (BAA) between Women & Infants Hospital of Rhode Island (WIH), one of CNE’s subsidiary covered entities, and CNE, which acted as a “business associate” for WIH and its other subsidiary covered entities by providing centralized corporate support. HHS concluded that the BAA between WIH and CNE had not been updated since March 2005, and thus did not incorporate the revisions required by the HITECH Act of 2009 and HHS’s implementing regulations. That’s a stiff fine for forgetting to update the paperwork.
Adler on Fair Use and the Future of Art (MLPB, 29 Sept 2016) - Amy Adler, New York University School of Law, is publishing Fair Use and the Future of Art in volume 91 of the New York University Law Review (2016). Here is the abstract: Twenty-five years ago, in a seminal article in the Harvard Law Review, Judge Leval changed the course of copyright jurisprudence by introducing the concept of “transformativeness” into fair use law. Soon thereafter, the Supreme Court embraced Judge Leval’s new creation, calling the transformative inquiry the “heart of the fair use” doctrine. As Judge Leval conceived it, the purpose of the transformative inquiry was to protect the free speech and creativity interests that fair use should promote by offering greater leeway for creators to build on preexisting works. In short, the transformative standard would ensure that copyright law did not “stifle the very creativity which that law [was] designed to foster.” This Article shows that the transformative test has not only failed to accomplish this goal; the test itself has begun to “stifle the very creativity which that law was designed to foster.” In the realm of the arts, one of the very areas whose progress copyright law is designed to promote, the transformative standard has become an obstacle to creativity. Artistic expression has emerged as a central fair use battleground in the courts. At the same time that art depends on copying, the transformative test has made the legality of copying in art more uncertain, leaving artists vulnerable to lawsuits under a doctrine that is incoherent and that fundamentally misunderstands the very creative work it governs. The transformative test has failed art. This Article shows why and what to do about it, turning to the art market itself as a possible solution to the failure of the transformative use test.
Animated map reveals the 550,000 miles of cable hidden under the ocean that power the internet (Business Insider, 8 Oct 2016; 2 minute video) - Every time you visit a web page or send an email, data is being sent and received through an intricate cable system that stretches around the globe. Since the 1850s, we’ve been laying cables across oceans to become better connected. Today, there are hundreds of thousands of miles of fiber optic cables constantly transmitting data between nations.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
2005 worst year for breaches of computer security (USA Today, 28 Dec 2005)—Data breaches disclosed at Marriott International, Ford Motor, ABN Amro Mortgage Group and Sam’s Club this month capped what computer experts call the worst year ever for known computer-security breaches. At least 130 reported breaches have exposed more than 55 million Americans to potential ID theft this year. Security experts warn that wayward personal data, such as Social Security and credit card numbers, could end up in the hands of criminals and feed a growing problem. An adviser for the Treasury Department’s Office of Technical Assistance estimates cybercrime proceeds in 2004 were $105 billion, greater than those of illegal drug sales. The breaches come at a time when the Department of Homeland Security’s research budget for cybersecurity programs was cut 7%, to $16 million, for 2005. ID theft-related bills are stalled in Congress, and data brokers such as ChoicePoint, itself a victim of fraud this year, remain unregulated, “so it is likely that many more serious breaches have gone unreported,” says Avivah Litan, a security analyst at Gartner. As a result, the Bush administration has drawn the ire of the Cyber Security Industry Alliance, which represents high-tech heavyweights Symantec, McAfee and RSA Security. “Attacks are taking place every day,” says Paul Kurtz, a former Bush administration cybersecurity official who is executive director of CSIA.
New breach notification laws springing up all over (Steptoe & Johnson’s E-Commerce Law Week, 1 April 2006)—After a relatively quiet winter, data security legislation is once again brewing in state legislatures. And, with the advent of Spring, new laws are blooming across the country. Three more states have jumped on the “breach notification law” bandwagon. Since our last update, the governors of Utah (S.B. 69), Wisconsin (Act 138), and Indiana (H.B. 1101) signed data security bills with breach notification provisions. The Utah law is the broadest of the three, with its breach notification sections accompanied by provisions requiring businesses to “implement and maintain” reasonable security procedures. And both Utah and Indiana have requirements regarding the destruction of personal information, which is an important but often overlooked element of any good security policy.