MIRLN—- 28 Oct - 17 Nov 2018 (v21.15)

MIRLN—- 28 Oct - 17 Nov 2018 (v21.15)




MIRLN began in 1997 and I’ve have published around 250 times, using an evolving, idiosyncratic approach to stories (not too new, not too obvious, etc.), with an idiosyncratic cross-section of readers (steady at about 3000: techies, lawyers, judges, international types, people in the IC, two former US AGs, etc.). This year probably will be MIRLN’s last. (With curated Twitter/RSS feeds you may not miss it at all.) It’s been fun; thanks for reading! top


Ohio’s new cybersecurity law: creating a data breach safe harbor (Mayer Brown, 23 Oct 2018) - Policymakers long have wrestled with how to enhance private-sector cybersecurity without imposing prescriptive one-size-fits-all requirements that undermine effective cyber risk management. With the passage of its Cybersecurity Safe Harbor Act (the “Act”) on August 3, 2018, Ohio has enacted legislation-the first of its kind-that is intended to use the promise of relief from legal liability to incentivize companies to adopt appropriate cyber protections. Specifically, the Act gives companies that take certain steps to create, maintain and comply with a written cyber program an affirmative defense to data breach claims sounding in tort (such as negligence) brought under the laws or in the courts of Ohio. It remains to be seen whether the Act will have a practical impact on companies’ approaches to cyber risk management or their liability exposure after a data breach. The Act nonetheless is important because it suggests a new approach to the regulation of cybersecurity practices and liability after a data breach. * * * top

FTC offers small businesses free cybersecurity resources (DarkReading, 26 Oct 2018) - The Federal Trade Commission’s (FTC) newly launched national initiative to educate small business owners about cybersecurity threats and defenses began with a “listening tour” last year. What it learned became the foundation for the agency’s new Cybersecurity for Small Business website and related resources, which draw from a dozen different security topics FTC officials gathered from its discussions with small and midsize business (SMB) owners nationwide, said Jon Miller Steiger, director of the FTC’s East Central Region, who spoke at the 2018 Cyber Security Conference for small businesses in Charlottesville, Va., earlier this week. Among their hot-button concerns, Steiger said, are their ability to train employees properly for security awareness, cyberthreats, and human error leading to a cyberattack. “They want to get one unified message from the federal government” on cybersecurity as well, he said. The new website , created in cooperation with the US Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and the Small Business Administration (SBA), was officially launched on Oct. 18. It includes cybersecurity basics and best practices including the NIST cybersecurity framework for SMBs , and covers security threats, such as phishing, ransomware, email spoofing, and tech support scams. The FTC site also includes free resources, such as quizzes and educational videos. top

- and -

Law firm cybersecurity: Are your vendors posing the threat of a data breach? (Nat’l Law Review, 30 Oct 2018) - If you’ve been paying attention, chances are your law firm security is up-to-date and fairly strong. While that takes care of the firm itself, these days it is just as important that your cybersecurity policy takes into account the cybersecurity of your vendors. “A responsible firm must also reduce the risk of a data breach at their third-party vendors,” according to Ishan Girdhar, CEO and founder of Privva , a cloud-based platform that streamlines the data security assessment process throughout the value chain. * * * Girdhar’s article ” Vendor Risk Management for Law Firms: 7 Steps to Success ,” lists the following steps needed to be included in cybersecurity policy for law firms: * * * top

- and -

Solo, small firms are concerned about the cloud’s confidentiality and security (Law.com, 13 Nov 2018) - In the lead-up to its scheduled January release of its annual Legal Technology Survey Report, the American Bar Association recently released a report examining the tech usage of solo lawyers and small firms with two to nine lawyers. In the report, 63 percent of all lawyer-respondents who use cloud technology said they are concerned about cloud-based services’ confidentiality and security. Among those not using cloud-based services, confidentiality and security (56 percent) and lack of control over the data (40 percent) were cited as key barriers preventing them from using the technology. To be sure, cloud technology has been adopted by many solo lawyers and lawyers in small firms alike. The ABA reported 59 percent of solo practitioners and 58 percent of lawyers in small firms use cloud-based computing for their work. On the cybersecurity front, the report found that 14 percent of solos and 24 percent of small law firms said they experienced a breach. Of those, 66 percent of solos and 65 percent of small firms said no significant business disruption or loss occurred due to the breach. About half, 51 percent of lawyers in small law firms, said they had data retention policies, while only 33 percent of solo practitioners reported the same. The ABA also found that most, 70 percent, of solo practitioners and 63 percent of small firms don’t use use password management tools. But most firms surveyed said they were required under ethical competency rules to stay abreast of the benefits and risks of technology, which may fuel faster technology retention by lawyers. top

The Vote With Me app looks up your contacts’ voting records (BuzzFeed, 29 Oct 2018) - The app Vote With Me connects to your phone’s contact list and matches names and phone numbers with state voter rolls - telling you which party your friends are registered to and which of the last elections they actually voted in. The idea is that you can use this information to encourage friends to go vote, and will prewrite a text message to them through the app. Great, right? Except that upon deeper reflection, I found this creepy and believe it’s a strange invasion of my and my friends’ privacy. Just because the voter records of our friends (or really, anyone on our phones, which is a lot of random people!) are a matter of public record doesn’t mean they expect other people to look for them. Even weirder is getting a text from someone telling you that they saw you didn’t vote in the last election! Mikey Dickerson, executive director of The New Data Project, the non-profit group that made Vote With Me, says that he knows his app might seem a little, well, creepy to some people, but he’s ok with that. “Establishing the social norm of voting is important enough that a little bit of discomfort is warranted,” he told BuzzFeed News. “It feels new because it hasn’t been easy to have [voter records] publicly viewed before, but we think that’s for the public good.” Voter rolls are technically a matter of public record, but it’s not easy to look up your friends’ information. There simply isn’t a single free website where you can enter a name and get a voter record. There’s voterrecords.com , but it only covers 14 states plus D.C. On certain official state websites, you can look up registrations, but only if you know extra information like a person’s actual full name and, say, their zip code or birth date. And all of these just say if you’re registered or not, not which years you voted. (Who you voted for is, of course, always secret and not part of any of this information.) Vote With Me gets its info by paying for a licensed set of records from a commercial entity that provides this as a service to campaigns or other groups. In a Medium post , the group that made Vote With Me called the Project describeshow they obtained the voter data: “Campaigns have used these records for decades, and sometimes have taken steps to prevent you from realizing it. We feel that as long as this data exists, regular people not on a political payroll should be able to see and use it, too.” top

Project provides access to all US case law, covering 360 years (Robert Ambrogi, 29 Oct 2018) - Launching today is the capstone to a massive project executed over the last three years to digitize all U.S. case law, some 6.4 million cases dating all the way back to 1658, a span of 360 years. The Caselaw Access Project site launching today makes all published U.S. court decisions freely available to the public in a consistent digitized format. The site is the product of a partnership started in 2015 between Harvard Law School’s Library Innovation Lab and legal research service Ravel Law to digitize Harvard’s entire collection of U.S. case law, which Harvard says it the most comprehensive and authoritative database of American law and cases available anywhere outside the Library of Congress. The collection includes all federal and state courts, and all territorial courts for American Samoa, Dakota Territory, Guam, Native American Courts, Navajo Nation, and the Northern Mariana Islands. For now, the collection is text only, although Harvard plans to add images at a later time. top

SEC Section 21(a) report focuses on cyber threats and internal accounting controls - measures to consider taking to mitigate risk (MoFo, 30 Oct 2018) - The Securities and Exchange Commission’s October 16, 2018 Section 21(a) report focusing on public companies victimized by cyber-related attacks underscores the importance of devising and implementing proper internal accounting controls with an eye on addressing such cyber threats. The report, after detailing the SEC Enforcement Division’s investigations of nine public companies that had lost millions of dollars as victims of cyber fraud, did not announce any action against the victims of the cyberattacks, but makes clear the Enforcement Division will continue to scrutinize how public companies create and implement internal controls relating to cybersecurity. [1] Indeed, the SEC’s press release announcing the report specifically cautioned public companies that they “should consider cyber threats when implementing internal accounting controls.” [2] Section 21(a) reports are not enforcement actions, but the SEC often utilizes such reports to signal an area of emphasis in its enforcement program, with enforcement actions relating to the same subject matter likely to follow. For example, the SEC’s July 25, 2017 Section 21(a) report known as the “DAO Report,” which reminded readers of the federal securities laws’ registration requirements and their application to sales of certain “tokens,” heralded the SEC’s recent spate of enforcement actions relating to crypto-currency transactions. Companies would be wise, therefore, to read the SEC’s latest Section 21(a) report as a reminder to revisit their internal accounting controls to ensure compliance with the federal securities laws. The SEC has previously provided guidance on cybersecurity disclosures, cybersecurity risk management, and the insider-trading implications of cybersecurity incidents, [3] and it has pursued enforcement actions against regulated firms for failure to safeguard customer information in the wake of cybersecurity incidents and companies for alleged delays in the disclosure of a material data breach. The Section 21(a) report focuses on a different dimension of cybersecurity, specifically, cyber fraud schemes targeting public company personnel, and provides a window into how the SEC Enforcement Division would look at whether a company’s vulnerabilities to cyber fraud could signal an underlying failure in its internal accounting controls. top

US-CERT issues guide on how to properly dispose of your electronic devices (ZDnet, 31 Oct 2018) - This week, the United States Computer Emergency Readiness Team (US-CERT), a division part of the Department of Homeland Security (DHS), has published an official advisory with instructions and recommendations for properly deleting data from electronic devices that a user wishes to dispose of in one form or another. These instructions are universal and can be applied to computers, smartphones, tablets, cameras, media players, external storage devices, and even gaming consoles. Many of these recommendations are also common knowledge for IT industry veterans, but the guide was also written with non-technical users in mind. So let’s take a deep dive into the proper device sanitization procedures. * * * top

Copyright Office extends anti-circumvention DMCA exemptions to all filmmakers, not just documentarians (TechDirt, 2 Nov 2018) - Earlier this year, we wrote a bunch of posts on the Copyright Office’s request for comment on changes needed to the DMCA’s anti-circumvention exemption list. There were lots of interesting submissions, but one that caught my attention was a whole bunch of film association groups, most of them for documentarians, advocating that the anti-circumvention they enjoyed to be able to use clips from other films and content be expanded to include filmmakers generally. This would address the copyright industries’ cynical attempt to route around Fair Use usage by filmmakers by simply locking up their content behind all kinds of DRM that, unless you’re a documentarian, you can’t circumvent. The MPAA, as you would expect, said that allowing for this would kick off “widespread hacking” of all the DVDs on the planet, while all it was really concerned about was the licensing agreements it was able to secure by filmmakers who didn’t want to violate the DMCA to get the Fair Use clips they wanted. Well, the Copyright Office made its decision and the exemption will now be offered to filmmakers en masse . top

‘Modern-day neighborhood watch’ (C&G Newspapers, 5 Nov 2018) - Each year, criminals get a little smarter and more advanced in their scheming. You know it’s true - you’ve got a chip in your credit card, a mind-numbingly complex login password, and a missed call log full of spoofed “local” numbers from overseas scam callers to prove it. The only way to fight unlawful technology is with gadgets for good. Police departments across the country are taking advantage of the growing availability of surveillance systems to keep a closer eye on neighborhoods. Several weeks ago, Bloomfield Township police launched a registry list for homeowners and businesses with outdoor surveillance systems called Extra Eyes. Residents and business owners simply add their address and phone number to the list, and if police investigate a crime in their neighborhood, they could be called to see if their camera system recorded anything suspicious. * * * Aside from a lack of awareness, Pizzuti said he’s had an issue with explaining the program to residents, who mistakenly think that by signing up they are granting the department access to their camera systems. “That’s not true at all. We couldn’t have access to your cameras, nor would we want it,” he explained. “This is just a faster way for us to see who in the area has cameras, instead of us canvassing neighborhoods one home at a time looking for (witnesses).” How Extra Eyes works is this: When a crime is committed and police begin to investigate, officers would normally go door to door looking for clues, asking neighbors if they’d seen anything that could be helpful to the case. With the registry, officers can see who in the area might have surveillance cameras and they can contact the owners for help. “It can work one of two ways: They can view the camera themselves and tell us if they saw anything suspicious. Maybe we can say, ‘Did you see this vehicle go by at this time?’ Or they can offer for us to come over and take a look at the footage with them. We never have direct access. It’s more of a modern-day neighborhood watch program.” top

- and -

The DEA and ICE are hiding surveillance cameras in streetlights (Quartz, 9 Nov 2018) - The US Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE) have hidden an undisclosed number of covert surveillance cameras inside streetlights around the country, federal contracting documents reveal. According to government procurement data , the DEA has paid a Houston, Texas company called Cowboy Streetlight Concealments LLC roughly $22,000 since June 2018 for “video recording and reproducing equipment.” ICE paid out about $28,000 to Cowboy Streetlight Concealments over the same period of time. It’s unclear where the DEA and ICE streetlight cameras have been installed, or where the next deployments will take place. ICE offices in Dallas, Houston, and San Antonio have provided funding for recent acquisitions from Cowboy Streetlight Concealments; the DEA’s most recent purchases were funded by the agency’s Office of Investigative Technology, which is located in Lorton, Virginia. * * * Earlier this week, the DEA issued a solicitation for “concealments made to house network PTZ [Pan-Tilt-Zoom] camera, cellular modem, cellular compression device,” noting that the government intended to give the contract to Obsidian Integration LLC, an Oregon company with a sizable number of federal law enforcement customers. On November 7, the Jersey City Police Department awarded a contract to Obsidian Integration for “the purchase and delivery of a covert pole camera.” The filing did not provide further design details. * * * In addition to streetlights, the DEA has also placed covert surveillance cameras inside traffic barrels , a purpose-built product offered by a number of manufacturers. And as Quartz reported last month , the DEA operates a network of digital speed-display road signs that contain automated license plate reader technology within them. top

West Virginians abroad in 29 countries have voted by mobile device, in the biggest blockchain-based voting test ever (WaPo, 6 Nov 2018) - Nearly 140 West Virginians living abroad in 29 countries have cast their election ballots in an unprecedented pilot project that involves voting remotely by mobile device, according to state officials. The statewide pilot, which covers 24 of West Virginia’s 55 counties, uses a mixture of smartphones, facial recognition and the same technology that underpins bitcoin - the blockchain - in an effort to create a large-scale and secure way for service members, Peace Corps volunteers or other Americans living overseas to participate in the midterm elections. West Virginia is the first state to run a blockchain-based voting project at such a scale, state officials say. And if adopted more widely, the technology could make it easier to vote and potentially reduce long lines at the polls. But many security experts worry that the technology may not be ready for broader use - and could even contain vulnerabilities that risks the integrity of elections. As many as 300,000 U.S. voters located overseas requested ballots in the 2016 elections but failed to submit them. West Virginia sought to solve the problem by turning to Voatz, a company that in January received $2.2 million from Medici Ventures, a blockchain-focused investment firm owned by the online retailer Overstock.com. The Voatz app has been used on a limited basis in a number of other settings, such as student council races and West Virginia’s May primary. top

Flickr says it won’t delete Creative Commons photos (7 Nov 2018) - will spare both the Flickr Commons and Creative Commons photos from deletion, the now SmugMug-owned company announced today. However, its new storage limitations on free accounts may impact its use as a home for photos with a Creative Commons license in the future. When the company unveiled its big revamp last week, one of the immediate concerns among users was what the changes meant for the Creative Commons photos hosted on Flickr. Under its new management, Flickr decided to stop offering free users a terabyte of storage, and instead will begin charging users who want to host more than 1,000 photos on its site. Users with more than 1,000 photos either had to choose to upgrade to a Pro account to retain those photos on the site or see them deleted. Ryan Merkley, CEO at Creative Commons, expressed some concern last week over what this meant for the millions of CC images hosted on Flickr. Would they be gone, too? Flickr today says the answer is “no.” It vows not to delete either its own Flickr Commons archive or any photos uploaded with a Creative Commons license before November 1, 2018. The Flickr Commons is a resource consisting of photos from institutions that want to share their digital collections with the world, such as NASA, the National Parks Service, the UK National Archives and The British Library, for example. These organizations were either already Pro account holders or have now received a free Pro account from Flickr, the company says. top

As state actors continue to wage cyberwar on the United States, they have a powerful ally-gaps and ambiguities in the law (Harvey Rishikof, et al., in the ABA Journal, Nov 2018) - A major hack on the firms Cravath, Swaine & Moore and Weil Gotshal & Manges a few years ago was linked to foreign nationals with ties to the Chinese government. Their target? Proprietary client information. In 2014, a group with links to the Russian state energy sector hacked into a website belonging to the British law firm 39 Essex Chambers looking for information. Last year, the Department of Justice opened an investigation into whether the Chinese government had attempted to hack Clark Hill, a law firm representing a Chinese dissident. And those are just the directed assaults. Law firms also are vulnerable to more broad-based attacks. DLA Piper was devastated in 2017 by a ransomware worm that placed nearly 3,600 of their lawyers on temporary lockdown. The worm later was found to be the work of hackers linked to North Korea. Cyber exploitations and attacks happen every day on a global scale. How do we characterize this new cyber reality? Are these network violations criminal activity or espionage? Or are they acts of war? Our existing international laws, domestic statutes and law of armed conflict frameworks, all conceived in the pre-internet age, are struggling to find principles to bring order to our digital era. The legal rules for cyber incidents below the threshold of an “armed attack” live in a gray zone as practitioners and scholars struggle to fill the legal doctrinal gaps on nonintervention under international law. The roles, responsibilities, authorities, accountability or standards for attribution are not universal, and there are no agreed-upon responses or norms for unlawful acts in cyberspace. As the U.S. attorney general’s 2018 Cyber-Digital Task Force Report makes clear, although many government agencies are working on cybersecurity, and much has been accomplished, the DOJ is “keenly aware” that the current “tools and authorities are not sufficient by themselves” to keep America safe from cyberthreats. * * * top

Pentagon draws back the veil on APT malware with sudden embrace of VirusTotal (Threatpost, 8 Nov 2018) - The Pentagon has suddenly started uploading malware samples from APTs and other nation-state sources to the website VirusTotal, which is essentially a malware zoo that’s used by security pros and antivirus/malware detection engines to gain a better understanding of the threat landscape. The Cyber National Mission Force (CNMF), which is under the auspices of the U.S. Cyber Command, posted its first malware samples to VirusTotal on Monday, after opening its account there. It also set up a “malware alert” Twitter feed to go along with the new effort. No advanced announcement of a new initiative accompanied the move, which is unusual for government entities. “Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity,” CNMF said in a brief statement . The first two samples are files called rpcnetp.dll and rpcnetp.exe, which are both detected as dropper mechanisms for what was formerly known as the Computrace backdoor trojan, often associated with the Russia-based APT28/Fancy Bear group. “The particular pair of samples, Computrace/LoJack/Lojax, is actually a trojanized version of the legitimate software ‘LoJack,’ from a company formerly called Computrace (now called Absolute). The trojanized version of the legitimate LoJack software is called LoJax or DoubleAgent,” a spokesperson from Chronicle told Threatpost. Releasing such samples is a bold move for a Department of Defense that has long kept its cyber-activities and knowledge very close to the vest, according to Tom Kellermann, chief cybersecurity officer at Carbon Black. “This is a huge leap forward for the cybersecurity community,” he told Threatpost. “For too long, the U.S. has over-classified cyber- threat intelligence. This empowers the cybersecurity community to mobilize on clandestine threats in real time, thus aiding the U.S government in protecting and securing American cyberspace.” [ Polley : Bruce Schneier writes about this: “This feels like an example of the US’s new strategy of actively harassing foreign government actors. By making their malware public, the US is forcing them to continually find and use new vulnerabilities.” ] top

The New York Times turns to Google Cloud to digitize its photo archive (BetaNews, 9 Nov 2018) - The New York Times is to digitize more than a century’s worth of photographs, and it is going to use Google Cloud to do so. The NYT has a massive collection of photos dating back decades, and the plan is to digitize millions of images—some dating back to the late nineteenth century—to ensure they can be accessed by generations to come. The digitization process will also prove useful for journalists who will be able to delve into the archives far more easily in future. top

Judges need not recuse themselves just because they are Facebook “friends” with a lawyer (Volokh Conspiracy, 15 Nov 2018) - “The establishment of a Facebook ‘friendship’ does not objectively signal the existence of the affection and esteem involved in a traditional ‘friendship.’” Indeed, as the court points out in today’s Law Offices of Herssein & Herssein, P.A. v. United Servs. Auto. Ass’n , even traditional “friendship” doesn’t always require recusal (though perhaps very close friendship might): Though the court doesn’t give these as examples, state and federal Supreme Court Justices are often on close terms with their former clerks, who routinely practice in front of them, and in many small towns all the judges and lawyers may know each other well, especially since judges are usually former local lawyers. Note, though, that these rules vary from state to state; as the majority points out, its position is the dominant view among those states that have considered it, but other states do require recusal in such situations (as the 3-Justice dissent in the Florida Supreme Court would have). top


(note: link-rot has affected about 50% of these original URLs)

Moody’s error gave top ratings to debt products (Financial Times, 20 May 2008) - Moody’s awarded incorrect triple-A ratings to billions of dollars worth of a type of complex debt product due to a bug in its computer models, an Financial Times investigation has discovered. Internal Moody’s documents seen by the FT show that some senior staff within the credit agency knew early in 2007 that products rated the previous year had received top-notch triple A ratings and that, after a computer coding error was corrected, their ratings should have been up to four notches lower. top

SEC to require electronic financial reporting in 2009 (Duane Morris article, 24 June 2008) - Certain companies will soon be required to submit their financial results, including annual and quarterly required submissions, electronically using XBRL, a language for communication of financial data. On May 14, the Securities and Exchange Commission unanimously agreed to propose the mandatory use of this technology, which has been in development since 1998, to ensure that investors receive essential financial information in a more timely fashion, with increased levels of reliability and at a lower cost. This interactive reporting vehicle will not only provide information to investors more rapidly but will aid companies in preparing their financial reporting packages more accurately and efficiently. Interactive data will revolutionize how the SEC collects data and will change the backbone of the financial reporting system, improve analytic capabilities and put vital information at the fingertips of investors. top

SEC provides guidance regarding use of company websites to disclose information for investors (Duane Morris advisory, 15 August 2008) - The Securities and Exchange Commission (the “SEC”) has published an interpretive release, Commission Guidance on the Use of Company Web Sites, Release No. 34-58288 (the “Release”), providing guidance to companies and issuers of securities on the use of company websites to disclose information to investors. The Release, which became effective August 7, 2008, is intended to encourage companies to develop their websites in compliance with the federal securities laws so that such websites can serve as effective analytical tools for investors by being a vital source of information about a company’s business, financial condition and operations. The Release is intended to provide guidance to those companies that are utilizing websites to supplement their required SEC filings. Since the adoption of the Securities Act of 1933 and the Securities Exchange Act of 1934 (the “Exchange Act”), the foundation of securities regulation in the United States has rested upon timely disclosure of relevant information to investors and the securities markets. Historically, companies have disclosed information to investors and the markets by mailing reports to stockholders, filing periodic reports with the SEC and issuing press releases. As technology has advanced, the Internet, the SEC’s Electronic Data Gathering, Analysis and Retrieval (“EDGAR”) system, and electronic communications have modernized the disclosure system. More and more investors are turning to the Internet and company websites as their main source of information before making investment decisions. The Release provides guidance to companies posting information on their websites, including (1) when information posted on their website is considered “public” for purposes of the “fair disclosure” requirements of Regulation FD; (2) the application of the antifraud provisions of the federal securities laws to information posted on company websites; (3) the types of controls and procedures advisable with respect to posting information; and (4) the appropriate format of the information presented on the website. top