
No One is Immune. Even Government Entities Need Cyber/Tech Insurance

Cyber breaches occur on a daily basis. Or at least it seems like they do…but consider the breaches that we don’t hear about.

Companies’ fears that their brands could be adversely impacted by reports of cyber breaches mean that we rarely hear about them when they happen. What we do hear about are the very widespread, high profile breaches at large companies where there has been a failure to protect a customer’s personal information.

What we often fail to consider is that any entity, commercial or non-profit, public or private, can fall victim to a cyber breach. Certainly, commercial businesses would be expected to insure against such risks. But what about governmental entities? Here’s one example.

The state of Oregon is investigating whether two state agencies violated the Oregon Consumer Identity Theft Protection Act. Each year thousands of Oregonians become victims of identity theft. According to the Federal Trade Commission, Oregon is ranked 13th in the nation for this crime. In response, both Oregon businesses and government have clear direction and expectations under the Act to ensure the safety of the personal identifying information they maintain. Personal information includes a consumer’s name in combination with a Social Security number, Oregon driver’s license number or Oregon identification card, financial, credit or debit card number along with a security or access code or password that would allow someone access to a consumer’s financial account. Specific protections under the Act are detailed on the website of Oregon government’s Division of Finance and Corporate Securities (DFCS), and include the following:

Read the rest of this entry »

Fair Use and Sharing Digital Music: Examining the ‘Dischord’


We all know that it’s illegal to download and distribute copyrighted digital music without paying for it. But can this sort of file sharing ever constitute “Fair Use”? Why or why not?

Last Monday, as part of our feature on the Top 10 Cyber Law Cases Pending Before Courts Today, we discussed The File Sharing Trials. We mentioned that on December 7, 2009, Judge Gertner of the District Court of Massachusetts issued a decision in Sony BMG Music v. Tenenbaum which considered whether a college student’s sharing of digital music for the personal enjoyment of himself and his friends constituted “fair use” of the copyrighted songs. The decision can be viewed Here.

 

Here’s a quick recap of the facts:  the defendant, Joel Tenenbaum, was a college sophomore who was accused of using file-sharing programs like KaZaA to download and distribute 30 copyrighted songs. Tenenbaum’s file sharing was not for profit; it was for his own private enjoyment and that of his friends. He had downloaded songs, but not entire albums of music, and he did not make any changes to the music (i.e., turn them into his own creative work). Unfortunately, he had continued to file share notwithstanding changes in the case law which made it clear that his conduct was not protected, and after digital music was lawfully available (the iTunes Music Store debuted in April 2003, approximately 15 months before Tenenbaum’s computer was detected on the Kazaa network). Justice Gertner concluded that “fair use” was not a defence. Here’s why.

Read the rest of this entry »

Information Overload: Too Many Legal Authorities..But Hasn’t That Always Been the Case?

In a decision handed down last week by the Court of Appeal of England and Wales, a judge admonished a lawyer for citing too many legal authorities.

In National Ability SA v Tinna Oils & Chemicals Ltd [2009] EWCA Civ 1330, Lord Justice Thomas berated the lawyer for placing before the Court, on a simple legal point, a bundle of materials containing 25 separate authorities, including a number of 19th century statutes and cases. Although his Lordship noted that counsel had acted out of “an abundance of caution”, he said that, “It would have been no credit to the law of arbitration of England and Wales if it had been necessary to rely on all this authority on what is a simple point.”

The thought that immediately occurs is that the lawyer had gone straight to the Internet, using either paid or free databases, and went “click-happy”, pulling up and downloading a multitude of cases, including unreported decisions (although who still makes a distinction these days?) and bundled them up willy-nilly for the poor judges. While this undoubtedly happens, and of course more and more full-text material is being made freely available online through projects like Google Books, it’s important to remember that the problem and the admonitions are not new; indeed, they long pre-date the Internet age. Too much information can be just as bad as too little; after all, Rumpole of the Bailey did not need a computer to trick his former pupil, Miz Liz Probert, into citing too many authorities to a judge who was desperate to get to his golf game.


An E-Book is not a Book. Yet.

Do publishers who hold copyrights to older book titles also own the right to publish those titles in digital form, as e-books?

Before the advent of the Internet, publisher contracts with authors typically included clauses guaranteeing the right to publish the work “in book form”. This raises the question: what exactly is a “book”?

A recent article in the New York Times has considered this very question. Not surprisingly, publishers such as Random House, who hold copyrights in many older book titles, have argued that the term “book form” should encompass any digital format. Other publishers, such as Open Road, who concentrate entirely on e-book formats, argue that such contracts are confined to books in traditional print format.

This issue first achieved prominence in the 2001 decision of Random House, Inc. v. Rosetta Books, LLC et al., when Random House sought an injunction preventing Rosetta Books from publishing in e-book format, arguing that its copyright to publish in “book form” was an exclusive license that permitted publication in any and all formats. District Judge Stein disagreed, however, and held that “the publishing industry generally interprets the phrase ‘in book form’ as granting the publisher ‘the exclusive right to publish a hardcover trade book …’”. Ironically, Judge Stein decided against Random House based on its own Webster’s Unabridged Dictionary definition of “book”, in which a book is defined as: “a written or printed work of fiction or nonfiction, usually on sheets of paper fastened or bound together within covers.”

Eight years later, the definition of a “book” has still not changed. Despite major developments in the e-book world, the accepted definition of “book” still does not encompass the “e-book”, a finding supported by a brief survey of online dictionaries. The Merriam Webster is typical, in that it defines a book to include a set of written sheets of skin or paper or tablets of wood or ivory, or, a set of written, printed, or blank sheets bound together into a volume. The Free Dictionary, YourDictionary and Dictionary.com, all provide definitions in similar terms.

Eight years of “e-development” since 2001 and, despite the addition of numerous new Internet-related words to the dictionary, a book is still regarded very much as a paper (or ivory or wood) based medium. New publishing contracts take care, of course, to encompass publication in any and all possible formats. But the old stuff? Fair game.


Some Useful Social Media Articles in LawPRO’s December 2009 Magazine

LawPRO Magazine is published by the Lawyers’ Professional Indemnity Company (LPIC), the wholly Canadian owned insurance company that provides mandatory professional liability insurance to lawyers in private practice in Ontario.

In the December 2009 issue, LawPRO Magazine has run a “Social Media” theme, dealing with “Why, What and How to Do It Right”, including an article that sets out a useful summary of Canadian case law on the use of social networking sites in litigation: “Litigation and Online Social Networking Sites”.

 

Other articles that may be of interest include:

LawPRO Magazine also offers a number of technology-related articles with practical information for lawyers and businesses, all of which are freely available online.


Non-Profits Face Massachusetts’ Tough New Data Security Law on March 1, 2010


The roads traveled by non-profit entities have never been easy ones to negotiate. Indeed, the time, expense and, dare I say, risk of doing good deeds and raising capital has been fraught with potholes and impediments from the get-go. Now, that road has become even more treacherous for non-profits and their cyber/tech insurers alike.

 

1.  An Overview of Massachusetts’ New Data Security Law

On March 1, 2010, a new data security breach law will become effective in the Commonwealth of Massachusetts. Described by some as the toughest data security law in the U.S., the law and corresponding regulations apply to all entities, including non-profits, that employ or serve Massachusetts residents and which store, own or license “personal information” about a Massachusetts resident. Here is the Press Release from the Office of Consumer Affairs and Business Regulation. Here is the Final Version of The Regulations.

2.  What is Meant by “Personal Information”?

The term “personal information” is defined in the law to mean a Massachusetts resident’s first and last name, or first initial and last name, together with:

  1. The resident’s driver’s license number or state identification card;
  2. Bank/financial account or credit/debit account number; or
  3. Social Security number.

In other words, personal information will, generally speaking, include anything uniquely identifiable about a Massachusetts resident.

Read the rest of this entry »

THE TOP 10 CYBERLAW CASES: #10 – The File Sharing Trials


Only one thing is impossible for God: To find any sense in any copyright law on the planet. - Mark Twain

What Are the File Sharing Trials?

The file sharing trials are copyright infringement actions dealing with the distribution and downloading of digital music. The Recording Industry Association of America (RIAA) is the trade organization that supports and promotes the major music companies.  Over the past few years, the RIAA has deployed investigators in cities across North America to track down individuals who pirate digital music, and has brought resulting lawsuits against music fans for sharing music over peer-to-peer networks.

For many people, these cases bring to mind the old saw “but for the grace of God, there go I.” Generally speaking, the RIAA has settled these lawsuits for relatively modest amounts. In a couple of cases, however, the defendants have opted instead to ‘roll the dice’ and go to trial. Under the U.S. Copyright Act, juries have discretion to award damages of anywhere between $750 and $150,000 per copyrighted work, but they are provided with little or no guidance in how damages are to be assessed. As a consequence, these file sharing trials have resulted in jury verdicts for shocking sums of money that would seem to dwarf any damages actually suffered by the copyright holders. The fact that these damage awards may be grossly disproportionate to the harm actually incurred has generated constitutional concerns which will likely be tested in the courts in the near future. In particular, two cases have recently received a significant amount of media attention:

Read the rest of this entry »

Cyber Inquirer Will Be Featuring “The Top 10 Cyber Law Cases Pending in Courts Today: Everything You Need to Know for Your Next Dinner Party”

Given that we are in the midst of the 2009 United Nations Climate Change Conference in Copenhagen (December 7-18th), the once tried and true “how ‘bout that weather?” may no longer be the uncontroversial conversation fail-safe that we have come to know and love.

But have no fear! Each week, starting on Monday, December 14, 2009, we will feature a comprehensive summary of what we believe to be one of the “top ten” cyber law cases currently pending in the courts. Regardless of whether these cases are directly relevant to your business or practice, they raise fascinating issues that are both topical and newsworthy and should serve as some great conversation fodder. Our first post, discussing “The File Sharing Trials,” should be posted tomorrow. We would greatly appreciate your feedback and comments.


Kindle v. Books: Books Not Dead Yet…Except Maybe Law Books

Kindle is the latest in a series of electronic devices some have suggested will sound the death knell of the book. The demise of the printed book has been predicted since at least the 1970s – remember the “paperless office” that was supposed to be just around the corner?

Admittedly, it’s difficult to think of something that isn’t online nowadays. Even the legal profession, which perhaps most vividly conjures up the image of bookshelves filled with stacks of solemn law tomes and serried law reporters, has gone electronic: court decisions from all over the world, legislation, government debates and legal publications of all types, almost everything is available online at the click of a mouse.

Yet in the face of the technological leaps and bounds of the past centuries, books have persisted in more or less the same format, largely unchanged. The previous post on this site, discussing Google Goggles (see below), links to a fascinating presentation by researchers at MIT in which they showcase technology that will allow a somewhat frightening degree of information to be made instantly available to the wearer of the device. I mention this, because I was delighted by the interaction between this cutting-edge technology and the book. The wearer of the MIT device would only have to look at a book (or even think in the direction of a book, as mention is made of embedded brain chips) in order to receive a virtual projection of the latest book reviews, Amazon ratings etc. I find the implications fascinating: purchasers of this futuristic technology will use it to help them decide what books to buy. Aww. I had to smile. Here we have it folks, from researchers at MIT on the cutting, not to say bleeding, edge. However far we might advance, we’ll still be buying books. Actual books.

That said, no-one wants to curl up in bed or in front of a fire with a law report, or a piece of legislation. What is their use today, except as space-fillers? Their demise in printed form is long overdue, except perhaps to the film industry; their nice, uniform bindings do look attractive, after all. The next time you watch a movie or television show, take a closer look at the books in the background – 99.9% of the time, they are discarded law reporters. Goggle them, or ogle them, but let’s stop destroying trees to store them when, let’s face it, nobody looks at them anymore.


I Spy With My Little Eye, Some Pending Privacy Issues: “Google Goggles”

Remember the good ol’ days of the Commodore 64, back when fluorescent colors were fashionable and “Computer, earl grey…hot” was to boldly go where no one has gone before?

Well, those days are now behind us, and unless you’re one of the stubborn few who still use a phone line to dial into “those newfangled internets”, you have probably heard of Google’s new search-by-sight application, “Google Goggles”.

On Monday, Google announced the launch of a new search engine that allows users to perform an internet search simply by submitting a photograph. Instead of using words, you can take a picture of an object with your camera phone: Google will attempt to recognize the object, and return relevant search results to you. The experimental search-by-sight feature, called Google Goggles, has a database of billions of images that informs its analysis of what’s been uploaded. Vic Gundotra, Google’s vice president of engineering, has said: “It is our goal to be able to identify any image. It represents our earliest efforts in the field of computer vision. You can take a picture of an item, use that picture of whatever you take as the query.” The application is still in a very early stage of development, however, and works best with objects, books, album covers, artwork, landmarks, places, and logos. You can view Google’s video of the application below:

Read the rest of this entry »

“Wikiblackmail”: UK High Court Orders Wikipedia to ID Blackmailer

In a December 2, 2009 decision, G & G v. Wikimedia Foundation Inc., Mr Justice Tugendhat of the UK’s High Court of Justice ordered Wikipedia’s parent organization, Wikimedia Foundation Inc, to disclose the IP address of a Wikipedia contributor who had placed allegedly personal and sensitive information in an entry about a prominent UK businesswoman.

The businesswoman, identified only as “G” or “the mother” in the judgment, has apparently been in dispute with another person in the UK, who has made claims against a company with which she is associated. This person is said to have sent letters to the businesswoman indicating a belief that she has falsified expense claims, and threatening to expose this to newspapers. “G” believed that the same person was responsible for the addition of the sensitive information to her Wikipedia entry.

Read the rest of this entry »

Cybersecurity is an Economic Issue – Cyber Insurers Should Provide Economic Incentives, ISA Reports

In the security industry there is a generally accepted philosophy that no system or network is completely secure – a competent attacker with enough time, patience and resources will eventually find a way into a target.

We may have gotten a good chuckle out of the various messages that were left on the Twitter accounts for Barack Obama, Britney Spears, and Bill O’Reilly, but the implications are serious; with every new technology comes new risk. Viruses can permanently erase an entire system, sensitive system files can be accessed and altered by intruders, computer networks can be infiltrated and used to attack others, and credit card information can be stolen and used to make unauthorized purchases.

“Cybersecurity” refers to the protection of that information by preventing, detecting and responding to attacks. Although there may be a tendency to consider cybersecurity to be a technical issue with technical solutions, it may also be useful to think of cybersecurity as an economic issue with economic solutions.

This is the message that the Internet Security Alliance (“ISA”) has delivered in a landmark report issued earlier today, December 3, 2009. The ISA is a trade association which represents a gamut of corporate interests ranging from Defence and Aerospace, Banking & Financial, Food Service, Entertainment, Telecommunications and Manufacturing industries. In its report, entitled “Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model,” the ISA emphasizes that cybersecurity is an economic rather than a technical issue and that both the U.S. government and private industry need to revisit their assessments of cybersecurity by creating economic incentives and other programs to foster broader, and more enhanced, cybersecurity efforts and systems.

At present, the government has been relying on regulations to ostensibly improve cybersecurity. The ISA suggests that this method is not only outdated, but also ineffective in dealing with a 21st Century problem. The report sets forth a number of proposed economic solutions, many of which focus on encouraging companies to educate their executives about the economic and social benefits of cybersecurity. Key among these proposals is the suggestion that businesses should create risk management programs that educate their executives about the growing problem of cyber theft and abuse, and assist them in incorporating cybersecurity solutions in their corporate business plans (rather than ceding such responsibilities to computer “geeks” in their IS or IT, as is typically the case today).

The report concludes that most companies underfund their investments in cybersecurity, and suggests that economic and other incentives are needed to prompt businesses to improve their cybersecurity. ISA’s report also suggests that the insurance industry become actively involved in providing a methodology by which returns on security investments are quantified.

Among the ISA’s recommendations designed to encourage investment is a proposal that cyber insurance be used to promote the development of standards and practices and assist companies in quantifying and managing their cyber risks. At the same time, the ISA proposes that the government create limited liability protections for certified products and processes and recognized industry best practices. Alternatively, liability might be assigned on a sliding scale (comparative liability) such as limiting punitive damages while allowing actual damages and providing affirmative defenses with reduced standards (preponderance of evidence vs. clear and convincing etc.).

The report is long (over 70 pages) and quite detailed. For those interested in reading it, the report can be found here. Irrespective of whether readers choose to take the time to read the entire report, they should familiarize themselves with its purpose and intent, as it is a major step forward in promoting dialogue on the ever-growing problem of cyber crime. At a minimum, insurance underwriters and cyber professionals should study the report and perhaps incorporate some of the ISA’s recommendations in their own due diligence processes to complement, for example, their existing NetDiligence® cyber risk assessment service (used by many leading US & UK insurers). Only through joint and collaborative efforts can the billion dollar problem of cyber crime be mitigated. It is incumbent on the insurance industry to be among the leaders in these efforts. We can begin by collecting comments on the ISA’s proposal and submitting them to its members, including those representing the insurance industry. Please feel free to comment below. As appropriate, we will forward them to the ISA with the author’s name and contact information, if so authorized.


Facebook Subpoena Information – Here It Is!

So you want to get production of documents from Facebook to assist you in your civil case. How do you go about it? We asked and Facebook answered.

Well, first off, you are going to need a court order (subpoena) to obtain the information. In the U.S., Facebook users’ data is protected by the Electronic Communications Privacy Act (“ECPA”). See 18 USC section 2701 et seq. ECPA is a federal statute that prohibits Facebook from producing any “content” without notarized user consent or a Search Warrant. Facebook’s Law Enforcement Response Team has advised that, with regard to civil matters:

  • State Court Subpoenas must issue from a court within California or must be issued pursuant to the proper California court commission.  
  • Federal Civil Subpoenas seeking the production of documents must issue from the court in the district where the production is to be made.  

The subpoena should be sent to subpoena@facebook.com or faxed to 650-644-3229.

Facebook states that it requires a $150 processing fee per User ID. Checks can be made payable to Facebook, Inc. and can be sent to the attention of Facebook Security at 1601 S. California Ave., Palo Alto, CA, 94304, bearing the name and number of the case for which the fees are paid.

In addition to a valid subpoena, Facebook advises that as much of the following information as possible should be provided in order to expedite a request:

  • Your full contact information (name, physical address, phone and email)
  • Response date due (please allow 2-4 weeks for processing)
  • Full name of user(s)
  • Full URL to Facebook profile 
  • School/networks
  • Birth date
  • Known email addresses
  • IM account ID
  • Phone numbers
  • Address
  • Period of activity (specific dates will more likely expedite your request)

It takes Facebook approximately 2-4 weeks to respond to questions from law enforcement agencies or legal representatives about the status of these requests. If Facebook is informed and has a good faith belief that the matter is an emergency regarding potential threat of serious bodily harm or threat to life (see Title 18 United States Code section 2702(b)), they generally respond within 24 hours.

Facebook advises that if you are not a member of a Law Enforcement Agency or Legal Department, you will have to contact Facebook through their Help Page or have your local law enforcement or legal representative contact them. Some other helpful Facebook links are as follows:

Facebook Help Page: http://www.facebook.com/help

Facebook Terms of Use: http://www.facebook.com/terms.php

Hacked/Phished Facebook Account: http://www.facebook.com/security

Facebook Safety: http://www.facebook.com/safety
