Technology Law Blog

New Report On Identity Theft

2008-10-24T15:54:00.002-04:00

US AG, Michael B. Mukasey, and FTC Chairman William Kovacic recently announced the publication of a new report on identity theft. In April of '07, the President's Identity Theft Task Force published a strategic plan, listing 31 recommendations, for combating identity theft. This new report details the steps the government has taken to accomplish the recommendations set out in the original report.

Net Neutrality As An Anitrust Issue

2008-10-03T15:26:00.002-04:00

I recently came across this article discussing the FCC's Comcast ruling. The article, which references a journal article written by Cornell professor Alfred Kahn, suggests that the issue of net neutrality should best be dealt with by the antitrust courts.

VA Spam Law Overturned

2008-09-19T16:00:00.004-04:00

The Virginia Supreme Court recently ruled that the state's anti-spam law is unconstitutional. The Court wrote that: "the statute is unconstitutionally overbroad on its face because it prohibits the anonymous transmission of all unsolicited bulk e-mails including those containing political, religious or other speech protected by the First Amendment to the United States Constitution." See this Washington Post article for more.

Compliance With The Red Flag Rules

2008-09-12T15:42:00.002-04:00

This article reports that less than-third of US banks will be compliant with the Red Flag rules by the November 1 deadline. All told, U.S. financial institutions are expected to spend more than $200 million on compliance with the rules. For more on the Red Flag rules, see these posts.

Comcast Appeals FCC Decision

2008-09-05T16:18:00.001-04:00

Following on a previous post, Comcast yesterday appealed the FCC ruling that it violated the Agency's net-neutrality principles. Take a look at the petition for review filed with the US Court of Appeals for the DC Circuit.

ABA Issues Outsourcing Ethics Opinion

2008-08-26T16:58:00.003-04:00

Just yesteday, the ABA issued Ethics Opinion opinion 08-451 (not available online) dealing with the outsourcing of legal services. In brief, the Opinion permits outsourcing assuming both the attorney and the outsourcees adhere to certain standards of ethics and competence. See this ABA Journal article as well as this Daily Record article (subscription) for more.

FCC's Ruling On Net Neutrality

2008-08-22T14:52:00.005-04:00

Following on my post from a little while back, the FCC finally published their Order regarding Comcast's violation of the Agency's net neutrality principles. The Order gives Comcast 30 days to disclose their method for managing internet traffic.

ID Theft Ring Uncovered

2008-08-11T16:29:00.004-04:00

Prosecutors announced that they have uncovered the identities of the thieves behind the T.J. Max, Barnes & Noble, and The Sports Authority identity theft cases. The case, which involves 11 people, is being dubbed the largest identity theft case ever prosecuted. The thieves reportedly stole 40 million confidential records. Investigators say the suspects obtained their information largely through hacking into wireless networks. See here for a copy of the indictment.

New Copyright Suit Against YouTube

2008-08-05T15:01:00.004-04:00

YouTube now faces a new copyright suit. Italian media company Mediaset has sued YouTube, alleging the video-sharing website unlawfully made use of thousands of copyrighted video clips. This latest suit comes after a similar suit by Viacom for $1 billion.

FCC Rules On Net Neutrality

2008-08-01T14:12:00.006-04:00

The FCC issued its much anticipated ruling today on net-neutrality, alleging that Comcast interfered with the free nature of the web when it wrongly slowed some of its customers' Internet traffic. Consumer groups had initially sued Comcast but then later asked the FCC for a declaratory ruling on the matter. The FCC's opinion effectively changes the playing field by making the US government a regulator of the internet. The FCC's Memorandum Opinion and Order (FCC 08-183) is not yet available online.

Identity Theft Monitoring Services

2008-07-29T17:08:00.001-04:00

Many companies offer these services as additional protection for identity theft. Are they worth purchasing? Are they effective? Privacy Rights Clearinghouse recently published this new guide: "Straight Talk about Identity Theft Monitoring Services."

Unsolicited Text Message Suit Given Go Ahead

2008-07-24T16:49:00.004-04:00

TMobile's attempt to dismiss a class action suit filed by disgruntled TMobile users has been dismissed. The suit, Zaldivar v. T-Mobile USA, alleges that TMobile forces cell phone users to pay for unsolicited text messages. Filed on July 15 in the Federal District Court for the Western District of Washington state, the suit alleges breach of contract, unjust enrichment, and violations of Washington’s Consumer Protection Act.

Net Neutrality Suit On Hold

2008-07-15T16:20:00.003-04:00

Jon Hart's suit against Comcast has been put on hold. Hart, a Comcast subscriber had sued Comcast alleging that the company is violating FCC net neutrality principles by interfering with certain types of internet traffic. The case has been put on hold until an FCC investigation into the matter has been concluded. The suit, originally filed in California Superior Court, has since been removed to federal court.

Deadline For Red Flag Rules Approaching

2008-07-09T17:14:00.005-04:00

With the so-called Red Flag rules set to become effective on Nov. 1, the FTC is beginning a campaign to help educate the public on the details of the new regs. The FTC recently published an Alert to help companies better understand the law. The Red Flag rules require certain types of companies to implement identity theft prevention programs. See this previous post for more info.

McAfee's Spam Experiment

2008-07-08T14:41:00.004-04:00

In an effort to better understand spam, McAfee recently commissioned 50 people to surf the net without any anti-spam/spyware protection for a period of a month. At the end of a month, the 50 participants had received 104,000 unsolicited messages, totalling around 70 messages a day for each participant. One of the findings was the amount emanating from outside the US. Of the 104,000 letters, only 23,233 were in English. During the month-long experiment, McAfee encouraged the participants to log their experiences in a blog. Check out the blog here.

New Spam Rules Go Into Effect

2008-07-08T10:35:00.003-04:00

New CAN-SPAM rules, published in May, went into effect yesterday. Among other things, the new rules clarify who is obligated to comply with CAN-SPAM, clarify the definition of “sender,” and include new unsubscribe requirements. See this article for more info. For help complying with CAN-SPAM, including the new rules, see this White Paper from ExactTarget (free registration required).

2008 Security Breach Report

2008-07-03T09:53:00.003-04:00

The Identity Theft Resource Center recently published their 2008 security breach incidence report. For each incident the report provides the number the exposed records, the breach type (print or electronic), and a link to a news article about the incident. So far in '08, the report counts 346 security breach incidents totalling upwards of 16 million exposed records.

California Expands Identity Theft Law

2008-07-03T09:43:00.003-04:00

California Governor Arnold Schwartzenegger recently signed into law SB 612 which makes it easier to prosecute identity theft crimes in California. Under the old system, prosecutions could only take place where the crime occurred, which is usually in the perpetrators' towns or cities. With the passage of this bill, prosecutors can now charge people with identity theft in the jurisdictions where the victims live. This is significant because prosecutors are generally more aggressive when they're fighting criminals in their home town.

New Guidelines To Deal With SPAM

2008-06-30T17:06:00.003-04:00

This article discusses new guidelines released by The Messaging Anti-Abuse Working Group (MAAWG) intended to reduce spam. According to the article, the new guidelines (which do not appear to be available online) recommend that ISPs use separate servers for received and forwarded e-mails, and that they block port 25, through which spam travels. Even if the guidelines were successfully adopted, though, there's no indication that they would be successful. Still, this might be a start.

Texas AG Settles With EZCORP Over Identity Theft

2008-06-24T15:32:00.003-04:00

The Texas Attorney General's Office announced a settlement yesterday with EZCORP over the company's failure to adequately safeguard customer's personal information. Apparently, the company had simply dumped 483 customer records laden with social security numbers and other highly sensitive information in the trash. The AG's office filed suit under Texas Business & Comm. Code Section 48-102, claiming the company had failed to implement "reasonable procedures" to safeguard customers personal information. The AG's website includes a picture of a credit application that was found in the trash.

Web Site Liability For Third Party Content

2008-06-16T17:39:00.005-04:00

The question of when a website owner becomes liable for content posted by third parties has been around for some time. As far back as 1997, the Courts were already dealing with this issue (See Zeran v. AOL). In the past several months a number of new opinions on this issue have appeared. In May of this year, the 9th Circuit case Fair Housing Council v. Roommates.com tackled the issue of whether an online roommate matching website should be held liable for violation of the federal housing discrimination laws, since certain postings discriminated against particular groups. The Court held that the website could be held liable because it used drop-down menus to limit users' choice as to the content of their listing. As a result, the safeharbor provisions of the Communications Deceny Act (CDA) did not apply. On the other hand, in March of this year, the 7th Circuit in Chicago Lawyer's Committee v. Craigslist found Craigslist immune under the CDA for user posted listings which likewise discriminated against certain groups. The distinction between the two rulings appears to be that once a website operator takes an active involvement in the generation of content (as was the case in the Fair Housing decision), the safeharbor provisions of the CDA no longer apply.

Suing For Identity Theft Using RICO

2008-06-16T12:50:00.004-04:00

Check out this National Law Journal article, "RICO And Data Thieves" (subscription). Historically, data theft has been largely prosecuted using the Computer Fraud and Abuse Act (CFAA). The author, Nick Akerman, suggests that filing suit under the Racketeer Influenced and Currupt Organizations (RICO) statute might have some advantages. As the author points out, RICO, unlike the CFAA, provides for treble damages and attorney fees.

The Ethics of Viewing Metadata

2008-06-13T16:26:00.004-04:00

The controversy over whether an attorney is permitted to view the metadata of documents they receive from opposing counsel has been ongoing for some time. A number of jurisdictions--including Florida (Ethics Opinion 06-2) and New York (Ethics Opinion 749)--prohibit an attorney from making use of the metadata. The ABA (Ethics Opinion 06-442), on the other hand, permits it. Boris Reznikov recently published this excellent article on the current state of the legal ethics debate on metadata.

Do Data Breach Laws Reduce Identity Theft?

2008-06-13T16:10:00.002-04:00

A new working paper entitled "Do Data Breach Laws Reduce Identity Theft?" (Carnegie Mellon University) analyzes the effect of data breach laws on the presence of identity theft. Although the authors acknowlege limitations to their study, they conclude that they found no statistically significant effect that data breach laws reduce identity theft. This is one more indication that an effective approach to tackling the problem of identity theft requires more than enacting legislation alone.

New York Internet Sales Tax Setting A Trend?

2008-06-06T14:14:00.003-04:00

A highly controversial New York law recently went into effect. Under the new law (Chapter 57, Laws 2008, Part KK-1), New York becomes the first state to require internet sales companies to collect sales tax. Will this new law set a trend for other states? According to this National Law Journal article (subscription), legislators in Colorado, Florida, Illinois, Kansas and Minnesota are also considering passing similar laws. For a fuller explanation of the law, see this technical bulletin. A number of retailers--Amazon.com and Overstock.com--have already filed suit. See Overstock's Complaint here.

Vulnerabilities of Printers and Copiers

2008-06-03T15:27:00.002-04:00

This AP article, quoting the European Network and Information Security Agency, warns that printers and copiers could be the weak link in a company's cyber defense program. For more on this, see this post by Bruce Schneier responding to a presentation by Brendan O'Connor.

Law Firm Suit For The Outsourcing of Litigation Support

2008-05-27T17:59:00.000-04:00

The Annapolis, MD law firm of Newman McIntosh & Hennessey recently filed suit against a legal process outsourcer located in India. The case, filed in US District Court for DC, seeks a ruling from the court on the following question: “Given the pervasive nature of the signals intercept by the United StatesGovernment and UKUSA Allies, will the electronic transmission of data to foreign nationals residing overseas waive Fourth Amendment protections with respect to the data transmitted?” It appears that the law firm also submitted this question to the Ethics Committee of the DC Bar. See here for more info.

Maryland Identity Theft Statute Held Not To Apply To Fictitious Identities

2008-05-21T17:25:00.003-04:00

Maryland's highest court recently published a surprising ruling: to be prosecuted under the Maryland identity theft statute (Criminal Law Article 8-301), one must have stolen the identity of an actual person. The statute does not apply, the court reasoned, in cases where an individual commits identity theft using a fictitious identity. The majority of the case centers on an analysis of the term "another" in the statute. After delving into the statute's legislative history, the court determined that "another" must refer to an actual person for the statute to apply.

New CAN-SPAM Rules

2008-05-21T17:15:00.002-04:00

The FTC recently (May 12) recently published a new final rule implementing the CAN-SPAM Act (15 U.S.C. 7701-7713). For a brief overview of the new rules, see here. For the Press Release announcing the new rules, see here. For a more detailed overview of the rules, see this article from B2B.

New Net Neutrality Bill

2008-05-12T12:27:00.003-04:00

Representative John Conyers (D-Mich) recently introduced (May 8th) a new bill (HR 5994) on net neutrality dubbed the ‘‘Internet Freedom and Nondiscrimination Act of 2008." This is the the most recent of a series of bills on this issue. Other notable bills dealing with net neutrality include HR 5353, S 215, HR 5417, and S.2917. For a list of net neutrality bills which have been introduced, see this Wikipedia article.

EDiscovery Vendor Suits

2008-05-12T11:34:00.003-04:00

For those of you that missed the news a few months back, the law firm of Sullivan & Cromwell agreed to settle with ediscovery vendor Electronic Data Discovery. Sullivan & Cromwell had sued the vendor for alledly providing sub-par work. See this article for more info. The case is important because it could be the first of many similar suits.

Rambus Wins On Appeal

2008-05-02T15:18:00.003-04:00

As this Law.com article reports, the ongoing litigation between Samsung and Rambus seems to have come to a close. The Rambus case had caught the attention of the legal community because of allegations that Rambus had shredded millions of documents prior to initiating a slew of litigation. The opinion published April 30 overturns previous decisions on the grounds that they did not have the requisit jurisdiction. For more on the history of the case, see the Rambus.org website.

The Future Of The Internet

2008-04-25T17:18:00.002-04:00

The US Senate Committee on Commerce, Science and Transportation met recently to discuss a rather timely topic: "the future of the internet." You can see either a webcast of the hearing or read some of the prepared testimony (see FCC Chairman Kevin Martin's testimony, in particular).

New Suits Target Information On Store Receipts

2008-04-14T16:58:00.003-04:00

This National Law Journal article discusses a recent increase in suits against companies who are alledgely failing to comply with the Fair Credit Reporting Act (FACTA). One of the provisions of FACTA prohibits a company from printing more than the last 5 digits of a credit card number on the customer's receipt. According to the article, more than 300 class actions have been filed against a number of companies, including Toys "R" Us Inc. and AMC Entertainment Holdings.

Life Sentence For Identity Theft?

2008-04-14T13:16:00.003-04:00

According to this Baltimore Sun article, a Maryland woman indicted on identity theft charges could face life in prison. Belinda Marie Glock, 33, was indicted on counts of aggravated identity theft (18 USC 1028A(a)(1)) and fraud in connection with access devices (18 USC 1029(a)(2)).

2007 Internet Crime Report

2008-04-08T14:40:00.002-04:00

The 2007 Internet Crime Report, published by the Internet Crime Complaint Center (a partnership among the FBI, the National White Collar Crime Center, and Bureau of Justice Assistance), includes some interesting findings. The report demonstrates (not suprisingly) that internet fraud is on the rise. Reported losses were $240 million compared to $200 million in 2006. Other notable findings include that the most common crime occurred through the use of email and that those affected were more likely to be males rather than females. For IC3's previous reports see here.

Country Cybercrime Reports

2008-04-02T13:18:00.003-04:00

The Council of Europe has a great page on Cybercrime legislation for a number of countries. Each country report contains a listing of citations to cybercrime statutes for that country as well as english language excerpts of the actual statutes.

FTC Announces Settlement With TJX, Lexis

2008-03-28T11:49:00.003-04:00

The FTC agreed to settle charges with discount retailer TJX and data broker Reed Elsevier. The FTC had sued each of the companies for failing to adequately protect the security of consumer data. Both of the FTC's suits were brought under the unfair trade practices theory under Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a). The TJX Complaint is available here; the Reed Elsevier Complaint is available here.

Patient Data Exposed Online

2008-03-26T16:42:00.003-04:00

Today's Baltimore Sun reports on an incident involving Dental Network, a CareFirst BlueCross BlueShield dental HMO, in which the company accidentally exposed personal information, including Social Security numbers, of about 75,000 members on a public website. A Maryland Law (SB 194) enacted last year requires that businesses notify consumers of a breach of their personal information "as soon as reasonably practicable after the business discovers or is notified of the breach." In this case, it took 3 weeks before CareFirst notified customers of the breach.

Goal Financial Settles Charges Of Failing To Safeguard Sensitive Information

2008-03-20T09:59:00.003-04:00

Student loan company Goal Financial LLC has agreed to settle with the FTC over charges that it failed to adequately safeguard sensitive customer information. The FTC's Complaint alleges a number of violations, including violations of the Commission’s Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, and the Commission’s Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313. Also see the Consent Order Agreement.

Identity Theft At Major Financial Institutions

2008-03-04T10:02:00.003-05:00

Until recently, there has been no way to compare the relative incidence of identity theft at major financial institutions. Chris Hoofnagle's study "Measuring Identity Theft at Top Banks" uses a novel approach: he compared complaint data from various banks submitted by victims of identity theft, obtained through FOIA requests. The study makes clear that the incidence of identity theft is alarmingly high at our major financial institutions, but that some institutions faired better than others.

More Data Breach Resources

2008-03-04T09:43:00.004-05:00

CSOonline has a number of interesting articles on the subject of security breach legislation. First, check out their interactive map of security breach legislation. Also see their articles "What's New With Disclosure Legislation?" (interview with Proskauer Rose attorney Tanya Forsheit) and "The Dos And Don'ts of Disclosure Letters." Finally, see this blog posting on what a federal databreach law would look like.

Anti Cybersquatting Suits Becoming Increasingly Popular

2008-03-03T12:02:00.004-05:00

A recent article in the National Law Journal entitled "Suits a new weapon to fight cybersquatters" (subscription) reports that companies are increasingly filing suits under the Anticybersquatting Consumer Protection Act of 1999 (codified at 15 USC 1125(d)) to deal with cybersquatters who profit from their brand names. Traditionally, the preferred route for companies to resolve this type of dispute would have been through arbitration. That method has proved ineffective against increasingly sophisticated cybersquatters. As a results, many companies have begun filing law suits.

Wireless Security Whitepaper

2008-02-18T11:03:00.003-05:00

Finish IT security firm Codenomicon recently posted this white paper on the current status of wireless security.

Businesses Generally Ignoring E-Discovery Rules

2008-02-18T10:24:00.001-05:00

According to this article from eweek, a little over a year after the ediscovery rules went into effect, "about two-thirds of U.S. businesses remain unprepared to meet strict court requirements for the discovery and handling of electronic evidence."

E-Discovery Guidelines In US District Courts

2008-02-15T09:44:00.002-05:00

The Electronic Discovery Law blog compiled a list of links to the 38 US District Courts that have adopted (or at least considered) local ediscovery rules and guidelines.

Identity Theft Tops FTC Complaint List

2008-02-14T09:49:00.003-05:00

According to the FTC's annual report on the subject, identity theft topped the list of FTC complaints for the 7th year in a row. Roughly 32% (or over 260,000) of the Agency's 2007 complaints were due to identity theft. The report also demonstates that the most frequent type of identity theft complaint in 2007 was credit card fraud (23%). The metropolitan areas reporting the highest per capita rates of identity theft were Napa, California; Madera, California; and Greeley, Colorado.

Annonymity On The Net

2008-02-12T16:36:00.000-05:00

Is there a First Amendment right to speak annonymously on the internet? A recent California Appellate (Krinsky v. Doe 6) case holds that, under certain circumstances, there is. In that case, plaintiffs argued that the identity of a individual who posted "scathing verbal attacks" on an online message board against corporate officers of a Florida company should be exposed. Plaintiffs served a subpoena to have the identity of "Doe 6" disclosed but the request was denied.

Spam Ring Indicted

2008-02-11T11:40:00.000-05:00

A federal indictment was recently unsealed in Detroit, charging 11 people with violations of the CAN SPAM Act. The DOJ release alleges that the defendants set up "an international scheme to make money by manipulating stock prices through illegal spam e-mail promotions." The indictment also alleges that the defendants tried to send their spam through the use of botnets.

Red Flag Regulations

2008-02-07T12:19:00.000-05:00

The most recent National Law Journal features an article entitled "Scrambing With ID Theft Programs" (subscription) discussing the so-called "Red Flag Regulations" which implement two sections of the Fair and Accurate Credit Transactions Act. The regulations, formally termed
"Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003," require financial institutions and companies offering consumer credit to institute identity theft prevention programs to detect "red flags" which might signal possible foul play. The regs go into effect Nov. 1 of this year.

FTC Settlement With Life Is Good, Inc.

2008-02-05T09:39:00.000-05:00

The FTC recently announced a Proposed Settlement with clothing company Life Is Good, Inc. The FTC's Complaint against the company had alleged that the company, contrary to it's privacy policy, failed to adequately protect and secure the sensitive information it maintained about its customers. The proposed settlement requires, among other things, that the company designate at least one employee to coordinate the security program and that the company develop reasonable procedures for selecting and supervising service providers that handle customers’ personal information.

Preparing For A Data Breach

2008-02-04T10:25:00.000-05:00

Philip Gordon of the Workplace Privacy Counsel blog provides 5 key points for employers to consider as they prepare for the possibility of a data breach: be prepared, train your HR professionals, determine your notice obligations, help your employees, and learn from your mistakes.

MD Identity Theft Task Force Issues Report

2008-01-31T15:32:00.000-05:00

The Maryland Task Force to study Identity Theft recent published it's report. Over 230 pages, the report recommends, among other things, that the penalties for felony identity theft be increased, that the State ban credit card skimming devices, and that the State should enact legislation to enable a court to order the forfeiture of all property of a criminal convicted of identity theft obtained from the crime.

EDD In Criminal Investigations

2008-01-30T13:47:00.000-05:00

The DOJ's publication, "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations," provides a comprehensive guide to the legal issues that arise when federal law enforcement agents search and seize computers during criminal investigations. Topics covered include the Electronic Communications Privacy Act, workplace privacy, and the law of electronic surveillance.

EDD Opinions By Judge Grimm

2008-01-24T09:57:00.000-05:00

In the past few years, Judge Paul W. Grimm of the US District Court in Maryland has issued a couple of groundbreaking electronic discovery opinions: Lorraine v. Markel American Insurance Company (DMd May 4, 2007) and Hopson v. Mayor and City Council of Baltimore (D.Md.2005). For more on Lorraine see here and here. For a summary of the Hopson decision see here. Judge Grimm has also authored a Suggested Protocol For Discovery of Electronically Stored Information discussed in an earlier post.

Sears Sued For Failing To Adequately Protect Website

2008-01-09T09:48:00.000-05:00

This Washington Post article reports on a class action suit against Sears for failing to adequately secure the personal information on its website managemyhome.com. The site's security vulnerabilities came to light after Ben Edelman pointed out the ease with which anyone could access the purchase history of the site's users. See here for a copy of the Complaint filed in Cook County, Illinois.

Google Not Required To Disclose Identity of Blogger

2008-01-03T11:14:00.000-05:00

Google has no obligation to disclose the identity of a blogger who used Blogger.com to allegedly defame a Long Island school board member. Judge Marcy S. Friedman of the New York County Supreme Court called the blogger's statements opinions rather than actionable statements of fact. As such, there is no case for defamation and Google has no obligation to turn over the records. Greenbaum v. Google Inc. (N.Y. Sup. Ct., N.Y. County Oct. 23, 2007).

Security Breach Laws

2008-01-02T14:39:00.000-05:00

The National Conference of State Legislatures site contains a list of all state security breach notification laws. The Maryland Statute (Commercial Law 14-3501 et. seq.) was recently amended by SB 194 which went into effect Jan. 1 of '08.

Maryland Computer Services Tax

2008-01-02T14:11:00.000-05:00

In a special session, the Maryland legislature recently increased taxes for the first time since 1977. Included in the tax bill is a special tax on computer services. Although critics vow to get the bill repealed, barring any actions by the courts or legislature, the bill is scheduled to go into effect July 1. The bill is Section 3 (p. 24) of Senate Bill 2.

Costs Of A Data Breach

2007-12-27T09:36:00.000-05:00

A new study of 35 companies that incurred a data breach demonstrates how expensive thse incidents are to companies. The study reports that the average total cost per reporting company was more than $6.3 million per breach and ranged from $225,000 to almost $35 million. The study also indicates that these costs are increasing each year and that financial service firms are impacted the most.

FTC Testifies On ID Theft

2007-12-19T12:15:00.000-05:00

In testimony yesterday before the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security, the FTC's Joel Winston testified that since 2001 the Commission has brought 14 cases since against businesses that failed to implement reasonable security measures to protect sensitive consumer data. In each of those cases the security vulnerabilities were multiple and systemic, and the preventative measures were inexpensive and readily available. The full text of the testimony is available here.

Guide For Businesses On Protecting Personal Information

2007-12-06T10:12:00.000-05:00

Entitled “Protecting Personal Information: A Guide for Business,” this new tutorial from the FTC outlines a framework businesses can use to implement a data security plan. The framework offered in the tutorial is built on 5 principles:

Take stock
Scale down.
Lock it.
Pitch it.
Plan ahead.

New CRS Report On Botnets, Cybercrime

2007-12-06T09:58:00.000-05:00

CRS recently published a new report entitled "Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues." Among the findings in the report are that "cybercrime is becoming more organized and established as a transnational business....[and that] designs for cybercrime botnets arebecoming more sophisticated, and future botnet architectures may be more resistant to computer security countermeasures."

Study Shows Low Awareness of Security Freeze Laws

2007-12-03T12:11:00.000-05:00

A study conducted by the AARP indicates that although consumers have a high concern about identity theft, their awareness of security freeze legislation remains extremely low. The study indicates that more than half (57%) of the respondents did not know where to turn for security freeze information. For the full text of the study, click here. For a summary, click here.

First Prosecution In File Sharing ID Theft

2007-11-12T15:59:00.000-05:00

This AP news story reports on the case of Gregory Kopiloff. According to the Justice Department this is the first prosecution against someone accused of using file-sharing to commit identity theft. Kopiloff used file sharing programs to gain access to the personal information of more than 50 people. He then used that information to fraudulently buy and resell more than $73,000 in merchandise.

The Prevalence of Identity Theft

2007-11-08T09:35:00.000-05:00

The Bureau of Justice Statistics recently published a report on identity theft. According to the report, in 2005, 6.4 million households (5.5% of all households in the US) discovered that at least one member experienced one or more types of identity theft. Of this group, unauthorized use of an existing credit card was the the most prevalent type of identity theft (about 3 million households). Given that the data in the report is from 2005, the statistics today would likely be significantly larger.

Fair Use For User Generated Content

2007-11-05T16:34:00.000-05:00

With the growth of user generated content (UGC) services like Youtube.com, the question of what is considered fair use is only now beginning to be defined. This article from the Electronic Frontier Foundation provides a framework for applying fair use in the UCG context. Hats off to beSpacific for this catch.

E-Discovery Local Rules

2007-10-25T09:50:00.000-04:00

Following on yesterday's post, Maryland is not the only state where federal courts have proposed or enacted e-discovery local rules. As this article shows, at least 32 US District Courts have enacted or proposed special rules addressing electronic discovery.

Suggested Protocol For E-Discovery

2007-10-24T09:51:00.000-04:00

Judge Paul W. Grimm of the US District Court of Maryland recently posted this "Suggested Protocol For Discovery of Electronically Stored Information." Although not currently adopted, the document is a "working model" which may at some point be recommended for adoption.

Website Liability For User Posted Content

2007-10-24T09:27:00.000-04:00

This Findlaw article by Eric Sinrod discusses when websites will be held liable for the content posted by others on their site. In particular, the article discusses the case of Fair Housing Council of San Fernando Valley v. Roommates.com, LLC where the website http://www.roommates.com/ was sued by the Fair Housing Councils of San Fernando Valley and San Diego. The plaintiffs alleged that the site's practice of allowing users to filter out potential roommates according to user-selected criteria violated the Fair Housing Act (FHA).

'07 Global Security Survey

2007-10-09T09:53:00.000-04:00

Deloitte recently published it's annual review of the state of information security in the financial services industry. The survey includes data from 169 global financial institutions in 32 countries. Key findings include: companies are moving away from a sole focus on shoring up infrastructure against external breaches and are focusing instead on a a layered approach of preventative, detective and corrective controls; respondents identified access and identity management (50%) as their top operational initiative; generic countermeasures (encryption, access control, and network security) are proving inadequate at protecting on-line applications; and in an organization’s attempt to prevent security breaches, people remain the weakest link.

A Global Privacy Standard?

2007-09-25T17:35:00.000-04:00

A senior executive at Google stated today that he agreed on the need for a basic set of global privacy protections. See this CNET article for more.

Domain Name Theft

2007-09-25T12:54:00.000-04:00

This Wall Street Journal article examines how domain name hijacking is becoming an increasingly prevalent phenomenon.

EU Data Transfer Regulations

2007-09-24T09:52:00.000-04:00

U.S. companies transferring personal data from Europe to the U.S. must follow prescribed methods to protect data in accord with EU data privacy protection laws. Complying with this "adequacy requirement" means satisfying each European nation's data protection authorities. Binding Corporate Rules allow a company to design a single set of internal rules that work on their own data protection policies for intranet sites, databases and other electronic business tools that also comply with EU requirements. For more on this, see this article from the New York Law Journal.

Robot Exclusion Protocol

2007-09-17T10:53:00.000-04:00

If you are concerned, as I am, about the privacy threats posed by Google's search bots, take a look at the following post from Paul Ford of Ftrain.com.

VOIP Security Whitepaper From IBM

2007-09-11T12:34:00.000-04:00

This 16-page whitepaper from IBM discusses "vishing." From the intro, "Vishing is the practice of leveraging IP-based voice messaging technologies (primarily Voice over Internet Protocol, or VoIP) to socially engineer the intended victim into providing personal, financial or other confidential infor-mation for the purpose of financial reward." The term "vishing" is a contraction of the terms 'voice' and 'phishing.'

DOT Issues Memo On Loss of Personal Information

2007-09-07T09:54:00.000-04:00

The US Department of Transporation issued this memorandum on the theft of two laptops belonging to the Office of The Inspector General. Both laptops contained large amounts of Sensitive Personally Identifiable Information.

National Security Archive Sues White House Over Emails

2007-09-06T09:48:00.000-04:00

See this press release. The suit, filed in the US District Court of the District of Columbia, demands the recovery and preservation of 5 million emails which were allegedly deleted by the White House during the period of March 2003 and October 2005.

Source Code For Breathalyzer Softwere Held Not To Be Trade Secret

2007-09-05T15:28:00.000-04:00

See this post from the DUI Blog. A number of manufacturers of breathalyzer software had refused to disclose their source close, claiming they were trade secrets. The Supreme Court of New Jersey, however, recently ruled that the source code for this software is not a trade secret and therefore the company should be forced to reveal the code.

Online Listing Qualifies For Copyright Protection

2007-09-05T10:24:00.000-04:00

In a decision published on June 21 (BUC Int'l Corp. v. Int'l Yacht Council), the 11th Circuit Court of Appeals affirmed that BUC International Corp.'s method of organizing its online listings of yachts for sale was unique enough to qualify for copyright protection. The defendant had "scraped" adds off of BUC's website.

Executive Office of The President Not Subject To FOIA

2007-09-05T10:12:00.000-04:00

This page on the White House website states "The Office of Administration, whose sole function is to advise and assist the President, and which has no substantial independent authority, is not subject to FOIA and related authorities."

Anti-Cybersquatting Enforcement

2007-08-17T10:59:00.000-04:00

Columnist Eric Sinrod reports in this article how a non-profit group called The Coalition Against Domain Name Abuse (CADNA) is leading the fight against cybersquatting.

Youtube's Failure To Dismiss Tur Suit

2007-08-16T09:57:00.000-04:00

According to an article in Andrews Intellectual Property Litigation Reporter (14 No. 9 Andrews Intell. Prop. Litig. Rep. 2) on Robert Tur's copyright suit against Youtube.com (Tur v. Youtube Inc.), Youtube's motion to dismiss was refused because the company failed to show that it has the "right and ability to control" the content posted on its site. For background on this case, see this post. To see the text of the orders, click here and here.

Antitrust Concerns In Cyberspace

2007-08-16T09:45:00.000-04:00

For an interesting case applying antitrust principles to the cyber arena, see this recent case from the US District Court of the Central District of California (Liveuniverse v. Myspace).

A Setback For Spammers

2007-08-14T09:41:00.000-04:00

See this article from PC World: "Researchers at the University of California, San Diego (UCSD) said this week they've discovered a critical weakness in the spam ecosystem that could be used to help cut off the promise of economic returns fuelling the huge growth in spam levels." For a brief history of spam, see this article from the New Yorker entitled "Damn Spam."

Authenticating Email

2007-08-13T11:49:00.000-04:00

Check out today's article from Law.com entitled "Authenticating Email Evidence As Evidence." As the authors point out, part of what makes authenticating email for use as evidence difficult is that each email is not an independent entity--it is part of a chain of emails which form a discussion.

FTC On Laptop Security

2007-08-09T15:32:00.000-04:00

The FTC recently published this page offering suggestions for maintaining laptop security.

Financial Privacy Legislation

2007-08-07T16:26:00.000-04:00

The National Conference of State Legislatures provides this list of financial privacy legislation--both introduced and enacted--from all 50 states for the years 2000-2006. The list includes links to the full text of the legislation. The same site also provides a 50-state listing of security breach legislation.

Visa Held Not To Be Vicarious Infringer

2007-08-06T16:19:00.000-04:00

A recent 9th Circuit Court of Appeals decision, Perfect 10 Inc. v. Visa International Service Association et al., found that credit card companies that process transactions over the internet that ultimately involve infringed goods, are not themselves liable for vicarious infringement. See this article from Mealey's for more.

GAO Report On Cybercrime

2007-08-02T16:06:00.000-04:00

GAO recently published a new report entitled "Public and Private Entities Face Challenges in Addressing Cyber Threats." From the Executive Summary: "Cybercrime has significant economic impacts and threatens U.S. national security interests. Various studies and experts estimate the direct economic impact from cybercrime to be in the billions of dollars annually. The annual loss due to computer crime was estimated to be $67.2 billion for U.S. organizations, according to a 2005 Federal Bureau of Investigation (FBI) survey."

iPhone Vulernable To Hackers

2007-07-30T14:32:00.000-04:00

This AP article reports on a vulnerability within Apple's iPhone which could make it susceptible to hackers.

YouTube To Institute Copyright Filtering

2007-07-30T10:41:00.000-04:00

See this article from InfoWorld and this article from Wired News which discuss Google's intent to implement an antipiracy tool on it's YouTube website. According to the articles, Google plans to implement the changes as soon as this Fall.

Government Barred From Accessing Emails From ISP

2007-07-26T18:11:00.000-04:00

In a recent 6th Circuit decision, Warshak v. United States (June 18, 2007), the Court ruled that email users have a reasonable expectation of privacy and thus barred the government from accessing emails from the Internet Service Provider of a criminal defendant.

Law Firm Cleared of Hacking Opponents' Web Archives

2007-07-25T16:20:00.000-04:00

Yesterday's New Jersey Law Journal reported on a case (Healthcare Advocates Inc. v. Harding Earley Follmer & Frailey) in which a law firm had been sued for allegedgly violating copyright and anti-hacking laws when it recovered old web pages belonging to its client's adversary. The opinion by Judge Robert Kelley, Jr. of the US District Court of Eastern District of Pennsylvania stated that the firm, in accessing pages from the Way Back Machine, did not violate any law. As stated in the opinion, "They did not 'pick the lock' and avoid or bypass the protective measure, because there was no lock to pick...Nor did the Harding firm steal passwords to get around a protective barrier... The Harding firm could not 'avoid' or 'bypass' a digital wall that was not there." A copy of the Complaint is available here. The opinion does not appear to be online.

Top Ten Opt Out List

2007-07-23T10:20:00.000-04:00

Also from the World Privacy Forum: The World Privacy Forum's Top Ten Opt Out List is "a list of what top things to opt out of, and how to opt out. Millions of people have heard about the Do Not Call list, an opt out list that gets people off of telemarketing lists. But many fewer people have heard about the other opt outs that are available, like those that can take people out of data broker lists or opt outs that can stop schools from giving out directory information like email and home addresses."

State Security Freeze Laws

2007-07-23T10:00:00.000-04:00

This page from the World Privacy Forum provides an overview of state security freeze laws, as well as a list of states with enacted security freeze legislation. Each entry includes a link to the full text of the that state's security freeze statute.

IT Disaster Recovery Tool-kit

2007-07-20T17:07:00.000-04:00

The National Association of State Chief Information Officers publishes this tool-kit which is designed to assist state CIOs and their staff in IT disaster recovery and business continuity planning. It is an updated and expanded version of business continuity and disaster preparedness checklists utilized for a brainstorming exercise at the “CIO-CLC Business Continuity/ Disaster Recovery Forum” at NASCIO’s 2006 Midyear Conference.

Spyware's Effect on Web Site Traffic Counts

2007-07-20T16:58:00.000-04:00

Ben Edelman has a new article entitled "How Spyware-Driven Forced Visits Inflate Web Site Traffic Counts." Also see this related New York Times article from Dec. 11 of 2006 entitled "In Web Traffic Tallies, Intruders Can Say You Visited Them."

House Committee Passes Social Security Privacy Legislation

2007-07-20T16:39:00.000-04:00

In a press release, the House Ways and Means Committee stated "During the course of the 16 hearings conducted by the Subcommittee, numerous experts testified that the easy availability of Social Security numbers (SSNs) in the public and private sectors, combined with the number’s widespread use as an individual identifier, greatly facilitates the crime of identity theft. The bill would restrict the use of the SSN by government and business, to make it less accessible to identity thieves, while providing exceptions for legitimate and necessary uses of the number." Click here for a text of the bill.