June 30, 2003

Sen. Feinstein: "Notification of Risk to Personal Data Act"

Senator Feinstein Seeks to Ensure Individuals are Notified when Personal Information is Stolen from Databases. This federal bill, introduced June 26, is modeled upon California SB 1386, but would put enforcement powers with the FTC and state attorneys general rather than with private litigants. Like 1386, the proposed federal law exempts data that was "encrypted" but seems not to define the level or manner of encryption. More info at the Senator's press release linked to above.

Thanks to beSpacific.com for the heads up on this item. I'll be looking for the full text of the bill. If a reader has a link, please let me know via a comment or email.

Posted by dougsimpson at 08:48 PM | Comments (1) | TrackBack

June 19, 2003

Grimmelmann on Accidental Privacy Spills

The "most read" story about privacy at Yale's LawMeme site is LawMeme - Accidental Privacy Spills: Musings on Privacy, Democracy, and the Internet. In this February 2003 piece, James Grimmelmann reminds us about the story of an individual who sends an informal but lengthy and broadly interesting email to a few friends, thinking it will be kept private, and within two weeks finds it picked up on MetaFilter, republished and discussed throughout the Internet. Of course, the author was Laurie Garrett, a Pulitzer Prize-winning science journalist and author, and the story was a chatty report of the goings-on she saw inside the controversial Davos conference of the World Economic Forum.

Grimmelmann's comprehensive and thoughtful posting muses about the social and ethical situation where one's informal email "crosses the bloodstream" and becomes a digital global phenomenon, and the revelations that the story has for privacy and the Internet. He insightfully notes that despite all the high-powered security technology one may employ, the weak link is always the unscrupulous, tactless or just plain clumsy person who has access to private information and lets it out. As he notes, "people make secure systems insecure because insecure systems do what people want and secure systems don't."

He also notes that in the age of cheap, ubiquitous scanners, even paper-based writings can be spread throughout the world in a matter of hours. The "CLICK-FORWARD" world that caught Laurie Garrett is becoming the "SCAN-FORWARD" world of tomorrow. As Grimmelmann observes: "The problem isn't just that the Internet is leaky; the Internet makes everything leaky."

The entry includes several reader comments on Grimmelmann's piece that reflect on whether various new technologies such as Microsoft's Palladium or Microsoft's Digital Rights Management tools might have been useful in this context. Such tools are designed to allow one to control with whom particular content may and may not be shared, at the architectural layer of the information medium, and have become of commercial interest in the context of peer-to-peer file sharing via Napster, Kazaa, etc.

Grimmelmann also cites a February 2000 paper, "What the Publisher Can Teach the Patient: Intellectual Property and Privacy in an Era of Trusted Privication" by Jonathan Zittrain of Harvard Law School, about the application of technology tools developed for the music industry to the preservation of personal medical information (an application of interest to those subject to HIPAA compliance). The point is to change an "Era of Promiscuous Publication" into an "Era of Trusted Privication": "one in which a well-enforced technical rights architecture would enable the distribution of information to a large audience while simultaneously, and according to rules generated by the controller of the information, not releasing it freely into general circulation."

Both articles are valuable reading to anyone dealing with privacy and the Internet.

Posted by dougsimpson at 10:13 PM | Comments (0) | TrackBack

Stanford Law: Conf on Cyber Security, Privacy and Disclosure

Conference on Cyber Security, Privacy, and Disclosure at Stanford, California, scheduled for November 2003: "This conference explores the relationship between computer security, privacy and disclosure of information about security vulnerabilities." No exact date or tuition stated.

Posted by dougsimpson at 07:42 PM | Comments (0) | TrackBack

FTC Conf on Tech to Protect Privacy

"Technologies for Protecting Personal Information" was the subject of Federal Trade Commission workshops on May 14 and June 4. The Commission's page includes links to various panelists' presentations, and says: "A number of products promise to help consumers and businesses control sensitive information and guard against internal and external threats; technology is also frequently cited as the best method for managing information and ensuring information security."

Panelists whose presentations are online include:

  • Lorrie Faith Cranor, AT&T Labs
  • Stephanie Perrin, Digital Discretion, Inc.
  • Larry Clinton, Internet Security Alliance
  • Richard M. Smith, Computerbytesman.com
  • Michael Willett, Security and Privacy Consultant
  • Andrew Patrick, National Research Council of Canada
  • Mary J. Culnan, Bentley College
  • Donna Hoffman, Vanderbilt University
  • Nathaniel Wood, FTC
  • Lynette Millett, National Academy of Sciences
  • Ari Schwartz, Center for Democracy and Technology

The site also includes information for ordering videotapes of the presentations.

Posted by dougsimpson at 09:46 AM | Comments (0) | TrackBack

Prism Legal Comments on Doc Mgt

Prism Legal Consulting's blog, Strategic Legal Technology, commented on one large law firm's choice of document management outsourcer. Ron Friedman at Prism brings much experience in the field of customizing technology to law firms. His blog is one to watch develop. I look forward to him commenting on Digital Rights Management tools, increasingly valuable to comply with Gramm-Leach-Bliley and HIPAA.

Also, he was kind enough to add Unintended Consequences to his BlogRoll. Thanks, Ron.

Posted by dougsimpson at 06:57 AM | Comments (0) | TrackBack

Sunny So Cal Notes SB 1386 Comment

The Southern California Law Blog picked up our note on S.B. 1386, with a referral.

The weblog focuses on "legal and political issues facing attorneys practicing in and around Southern California," which should keep the host busy. Thanks for the referral, SoCal Law Blog.

Posted by dougsimpson at 06:31 AM | Comments (1) | TrackBack

June 18, 2003

At Harvard: Internet Law Conference

The syllabus and reading list for Harvard Law's Program of Instruction For Lawyers: Internet Law 2003 includes weblogged commentary by John Palfrey and Donna Wentworth of the Berkman Center.

The program runs 6/16-20 and addresses Jurisdiction, Intellectual Property, Digital Democracy, Litigation and the Digital Environment, and Privacy, one topic each of the five days. Thanks to beSpacific.com for the heads up on this resource.

Posted by dougsimpson at 08:23 PM | Comments (0) | TrackBack

June 12, 2003

Wentworth's Blog of the Law of the Blog

Donna Wentworth of the Berkman Center attended and blogged the legal panel discussion at the ClickZ Weblog Business Strategies Conference & Expo in Boston. This conference addressed "the recent emergence of Weblogs into the business world and their rising importance as a medium of communication." The various panelists presented "the latest developments, strategies, and success stories behind what is now becoming known as the Business Blog, or B-Blog for short."

Her detailed notes are in: Harvard Weblogs: The Law of the Blog

Among the panelists was John Palfrey, who works at the Berkman Center with Wentworth. She quoted him in part:

"Three or four months ago we created Weblogs at Harvard Law, a blogspace; we put it up and watched to see what happened--like throwing spaghetti at the wall and seeing what sticks. Anyone with a Harvard email address can now get a weblog in that space--including untold numbers of alumni, etc.

We've learned three things, pretty quickly: 1.) watch out about becoming an ISP, 2.) be ready for take-off, it happens more quickly than you think and 3.) blogs are good for the Web and good for you."

Thanks to Wentworth for alerting this reader at her site about the law and politics of intellectual property in a networked world, Copyfight.org. She has been with the Berkman Center since 1997 and also hosts The Filter, which has a steady stream of public interest Internet news and commentary, also published by the Berkman Center.

Posted by dougsimpson at 08:37 AM | Comments (1) | TrackBack

June 11, 2003

Lawsites lists Unintended Consequences

LawSites is a legal blog, or "blawg," that tracks new and intriguing web sites for the legal profession, hosted by Robert Ambrogi, an attorney now practicing in Rockport, Massachusetts. Robert has long experience in practice, as well as serving as an ADR neutral and as a legal writer and editor. He is author of "The Essential Guide to the Best (and Worst) Legal Sites on the Web."

Hopefully, this humble blogger will do well enough to stay off Ambrogi's "(Worst)" list. Meanwhile, much thanks to Bob for the link.

Posted by dougsimpson at 08:08 PM | Comments (0) | TrackBack

Calif. S.B. 1386

California S.B. 1386 [California Civil Code Sections 1798.29 and 1798.82 to 1798.84 - dks 10/24/03] takes effect 7/1/03, and mandates that those doing business in California disclose any security breach in which a California resident's "unencrypted personal information" may have been compromised. The word "when" appears in the definition of "personal information," defining that term to mean "an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted." [emphasis added]

The listed data elements include:
* social security number
* driver's license number or California ID card number
* account number, credit or debit card number "in combination with any required security code, access code, or password that would permit access to an individual's financial account."

In this context, if "when" means "so long as," it may affect the decision of many companies to encrypt information about customers, visitors, claimants or others, and to encrypt it while resident in their databases, not just while in transit. Merely encrypting data while it is moving between customer and institution, using SSL or a VPN for example, may not be sufficient. A breach in which unauthorized persons gain access to an "at rest" database of unencrypted data may be reportable under the new law.

Interesting S.B. 1386 questions are raised by recent reports of the BugBear.B virus, which enters consumer PCs, then searches for matches against several thousand bank web addresses that BugBear.B already carries (God knows from where). If it gets a match, the virus attempts to capture passwords from the consumer's data store and emails them to ten addresses (presumably the perpetrator's). While this may expose the bank and consumer to unauthorized access of the consumer's account, it does so without hacking into the bank's system.

In a June 6, 2003 Investor's Business Daily article, "California Law Raises Bar for Data Security," Donna Howell quotes several attorneys and database security executives in a discussion of the various ways of protecting affected data without prohibitive costs. Other discussions of the law can be found at Security Focus, where some reader responses raised issues of possible conflict with the federal interstate commerce clause and the usual jurisdiction questions of cross-border commerce.

The BugBear.B cyber-attack could raise several interesting questions under S.B. 1386:

* Query: Does S.B. 1386 require a bank that knows of such a compromise to notify California-resident consumers of the possibility that they have been victims of "BugBear.B"?

* Query: If so, which banks must so report? The stories about BugBear.B indicate that over 1200 separate banks' addresses are already carried in the virus's comparison reference list. Must all of them report?

* Query: If so, to which consumers must those banks report? The virus is said to be spreading like most viruses: rapidly and without leaving a trail for investigators to determine which consumers have been infected.

* Query: In such a circumstance, is notification by publication sufficient? The statute has specific provisions for "substitute notice," which include email, media notification and posting on the institution's own website. But to be allowed substitute notice, the statute requires the notifier to "demonstrate" that the cost of specific notice would exceed $250,000 or that the notice would have to reach a class of persons greater than a half million.

* Query: Does that mean that 1000+ banks may each have to spend up to $250,000 providing actual personalized notice of the BugBear.B attack? That's up to a quarter billion dollars. For one virus.

Is this a case in which the cost of the notice required by the statute may be greater than the cost of the loss by identity theft? Could the cure be more costly than the disease?
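For readers who must turn the statutory language quoted above into a breach-triage rule, here is a small worked example, added here and not part of the original post or of any vendor's tool. It encodes the "personal information" definition (name plus a listed data element, where either is stored unencrypted; an account number counts only together with an access code or password), ignores transport encryption (SSL or a VPN says nothing about the copy at rest), and applies the substitute-notice thresholds of $250,000 or more than half a million persons exactly as described above. The record layout, field names, the `state` residency marker, and the sample records are all constructed for illustration; whether a given breach is actually reportable is a question for counsel, not for this script.

```python
from dataclasses import dataclass
from typing import Dict, List

# Data elements enumerated in the statute, as summarized on the page.
DATA_ELEMENTS = ("ssn", "drivers_license", "ca_id_card", "account_number")

# Substitute-notice thresholds quoted on the page.
SUBSTITUTE_NOTICE_COST = 250_000      # dollars
SUBSTITUTE_NOTICE_CLASS = 500_000     # persons


@dataclass
class Field:
    present: bool     # was this field populated in the exposed record?
    encrypted: bool   # was the STORED copy encrypted at rest? (SSL/VPN in transit does not count)


@dataclass
class Record:
    state: str                   # residency; "CA" marks a California resident (constructed marker)
    fields: Dict[str, Field]     # "name" plus zero or more DATA_ELEMENTS
    access_credential_exposed: bool = False  # code/password permitting account access also exposed?


def is_personal_information(rec: Record) -> bool:
    """Apply the quoted definition: name + a listed element, where either is unencrypted."""
    name = rec.fields.get("name")
    if name is None or not name.present:
        return False
    for elem in DATA_ELEMENTS:
        f = rec.fields.get(elem)
        if f is None or not f.present:
            continue
        # An account/card number counts only with a code or password that permits access.
        if elem == "account_number" and not rec.access_credential_exposed:
            continue
        # "when either the name or the data elements are not encrypted"
        if not name.encrypted or not f.encrypted:
            return True
    return False


def triage(records: List[Record], per_notice_cost: float) -> dict:
    """Count affected California residents and test the substitute-notice thresholds."""
    affected = [r for r in records if r.state == "CA" and is_personal_information(r)]
    n = len(affected)
    est_cost = n * per_notice_cost
    return {
        "reportable": n > 0,
        "affected_residents": n,
        "estimated_notice_cost": est_cost,
        # Substitute notice requires showing cost > $250,000 or a class > 500,000 persons.
        "substitute_notice_allowed": est_cost > SUBSTITUTE_NOTICE_COST or n > SUBSTITUTE_NOTICE_CLASS,
    }


# Constructed sample records, one per branch of the definition.
SAMPLE_RECORDS = [
    # 0: name stored in clear, SSN encrypted -> still personal information (name unencrypted)
    Record("CA", {"name": Field(True, False), "ssn": Field(True, True)}),
    # 1: both name and SSN encrypted at rest -> not personal information
    Record("CA", {"name": Field(True, True), "ssn": Field(True, True)}),
    # 2: account number in clear but no access code/password exposed -> not personal information
    Record("CA", {"name": Field(True, True), "account_number": Field(True, False)}),
    # 3: account number in clear together with its access password -> personal information
    Record("CA", {"name": Field(True, True), "account_number": Field(True, False)},
           access_credential_exposed=True),
    # 4: name in clear but no listed data element present -> not personal information
    Record("CA", {"name": Field(True, False)}),
    # 5: everything in clear, but not a California resident -> outside this statute's trigger
    Record("NY", {"name": Field(True, False), "ssn": Field(True, False)}),
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, per_notice_cost=1.50))
```

The point the sample records make is the one the post makes: encrypting only the data element is not enough if the name sits in the clear beside it, and encrypting the name is not enough if the element is in the clear. The residency filter is deliberately crude; a real triage would need the resident's address data, which a compromised password store may not even contain.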

All of these questions and more will be grist for the mill of lawyers across the US, and beyond, wherever companies do business in California with California residents. As we watch the wheels turn, there may be many interesting unintended consequences.

Thanks to BeSpacific for the word that this law appears to be a result of the State of California's own failure to disclose a hack of its own database in April 2002, as reported in the Contra Costa Times.

Posted by dougsimpson at 02:05 PM | Comments (0) | TrackBack

BugBear.B virus targets 1200 banks world-wide

FBI investigating "virus-like infection" trying to steal passwords at 1200 banks, including the world's largest, according to the Washington Post article titled "Virus Targeting Banks (washingtonpost.com)".

According to an AP feed found at The WorldLink.com, the virus is not directly attacking the banks' computers, but is hitting consumers' computers, looking for bank web addresses that match those in its software. If it finds a match, it grabs the consumer's passwords and emails them to ten email addresses, presumably the perpetrators', says the story.

The Financial Services Information Sharing and Analysis Center distributed information from the Office of Homeland Security to its client banks and is working with the FBI.

Network Associates Inc. BugBear.B info

Hmmmm ... will this need to be reported to California residents, per Calif. S.B. 1386?

Posted by dougsimpson at 10:31 AM | Comments (0) | TrackBack

June 10, 2003

Trojan Horses Come "tap-tap-tapping" P2P

P2P file traders targeted by cyber-assaults from music publishers may not be defenseless. NWFusion's Ann Harrison notes in "Anti-file trading measures raise high profile policy questions" that a May 5 NYTimes article suggested that state and federal wiretap laws might have some say on such activity.

Harrison also mentioned a company called OverPeer, which she says develops such software tools, as do others. She also said that a representative of the RIAA acknowledged that legal gray areas (or worse) exist regarding some of the software tools in development, which Harrison says include Trojan horse programs.

Posted by dougsimpson at 09:21 PM | Comments (0) | TrackBack

June 07, 2003

"Let's Stand Them on Their Heads"

"This is the first unintended effect of Sarbanes-Oxley," says David Skeel, U.Penn. Law School professor, in a Forbes article, "Feel Good Justice," that reports on WorldCom's agreement with the S.E.C. to pay $500 million that will go to the benefit of shareholders.

The money will come out of creditors' pockets, turning upside down the usual process of bankruptcy, in which shareholders take last, only after impaired creditors are satisfied. Elizabeth Warren, a bankruptcy authority at Harvard Law, told Forbes: "The notion that they [shareholders] cheated themselves and should be paid ahead of creditors makes no sense."

Forbes says that the deal is not expected to be blocked by the bankruptcy court overseeing WorldCom's reorganization, because the S.E.C. started out with a $1.5 billion demand and got the creditors' committee to assent to the reduced penalty sum.

Posted by dougsimpson at 08:34 PM | Comments (0) | TrackBack

New Blawg on Intersection of Law and Disruptive Technologies Affecting Financial Services

This space will focus on law and disruptive technologies affecting insurance and related financial services (especially their unintended consequences). The host is Doug Simpson, an attorney in Hartford, Connecticut, who was with the law department of a Fortune 500 insurance company for over 25 years. Doug is a graduate of Dartmouth College and the University of Connecticut School of Law and a member of the Connecticut Bar. He is now an independent legal consultant and writer.

Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley, McCarran-Ferguson, E-SIGN, DMCA and other statutes will play a part in the coming discussion. Also playing are concepts like "Metcalfe's Law" and "The Innovator's Dilemma." Please join the conversation.

Full text of Robert K. Merton's 1936 article in the American Sociological Review, "The Unanticipated Consequences of Purposive Social Action".

George Gilder's "Metcalfe's Law and Legacy".

Clayton Christensen's "Disruptive Technologies" source site.

Posted by dougsimpson at 04:33 PM | Comments (0) | TrackBack