Senator Feinstein Seeks to Ensure Individuals are Notified when Personal Information is Stolen from Databases . This federal bill introduced June 26 is modeled upon California SB 1386, but would put enforcement powers with the FTC and state attorneys general rather than with private litigants. Like 1386, the proposed federal law exempts data that was "encrypted" but seems not to define the level or manner of encryption. More info at the Senator's press release linked to above.
Thanks to beSpacific.com for the heads up on this item. I'll be looking for the full text of the bill. If a reader has a link, please let me know via a comment or email.
The "most read" story about privacy at Yale's LawMeme site is LawMeme - Accidental Privacy Spills: Musings on Privacy, Democracy, and the Internet. In this February 2003 piece, James Grimmelmann reminds us about the story of an individual who sends an informal but lengthy and broadly interesting email to a few friends, thinking it will be kept private, and within two weeks finds it picked up on MetaFilter, republished and discussed throughout the Internet. Of course, the author was Laurie Garrett, a Pulitzer Prize-winning science journalist and author, and the story was a chatty report of the goings-on she saw inside the controversial Davos conference of the World Economic Forum.
Grimmelmann's comprehensive and thoughtful posting muses about the social and ethical situation where one's informal email "crosses the bloodstream" and becomes a digital global phenomenon, and the revelations that the story has for privacy and the Internet. He insightfully notes that despite all the high-powered security technology one may employ, the weak link is always the unscrupulous, tactless or just plain clumsy person who has access to private information and lets it out. As he notes, "people make secure systems insecure because insecure systems do what people want and secure systems don't."
He also notes that in the age of cheap, ubiquitous scanners, even paper-based writings can be spread throughout the world in a matter of hours. The "CLICK-FORWARD" world that caught Laurie Garrett is becoming the "SCAN-FORWARD" world of tomorrow. As Grimmelmann observes: "The problem isn't just that the Internet is leaky; the Internet makes everything leaky."
The entry includes several reader comments on Grimmelmann's piece that reflect on whether various new technologies such as Microsoft's Palladium or Microsoft's Digital Rights Management tools might have been useful in this context. Such tools are designed to allow one to control with whom particular content may and may not be shared, at the architectural layer of the information medium, and have become of commercial interest in the context of peer-to-peer file sharing via Napster, Kazaa, etc.
Grimmelmann also cites a February 2000 paper, "What the Publisher Can Teach the Patient: Intellectual Property and Privacy in an Era of Trusted Privication," by Jonathan Zittrain of Harvard Law School, about the application of technology tools developed for the music industry to the preservation of personal medical information (an application of interest to those subject to HIPAA compliance). The point is to change an "Era of Promiscuous Publication" into an "Era of Trusted Privication": "one in which a well-enforced technical rights architecture would enable the distribution of information to a large audience while simultaneously, and according to rules generated by the controller of the information, not releasing it freely into general circulation."
Both articles are valuable reading to anyone dealing with privacy and the Internet.
Conference on Cyber Security, Privacy, and Disclosure at Stanford, California, scheduled for November 2003: "This conference explores the relationship between computer security, privacy and disclosure of information about security vulnerabilities." No exact date or tuition stated.
"Technologies for Protecting Personal Information" was the subject of Federal Trade Commission workshops on May 14 and June 4. The Commission's page includes links to various panelists' presentations, and says: "A number of products promise to help consumers and businesses control sensitive information and guard against internal and external threats; technology is also frequently cited as the best method for managing information and ensuring information security."
Panelists whose presentations are online include:
The site also includes information for ordering videotapes of the presentations.
Prism Legal Consulting's blog, Strategic Legal Technology, commented on one large law firm's choice of document management outsourcer. Ron Friedman at Prism brings much experience in the field of customizing technology to law firms. His blog is one to watch develop. I look forward to him commenting on Digital Rights Management tools, increasingly valuable to comply with Gramm-Leach-Bliley and HIPAA.
Also, he was kind enough to add Unintended Consequences to his BlogRoll. Thanks, Ron.
The Southern California Law Blog picked up our note on S.B. 1386, with a referral.
The weblog focuses on "legal and political issues facing attorneys practicing in and around Southern California," which should keep the host busy. Thanks for the referral, SoCal Law Blog.
The syllabus and reading list for Harvard Law's Program of Instruction For Lawyers: Internet Law 2003 includes weblogged commentary by John Palfrey and Donna Wentworth of the Berkman Center.
The program runs 6/16-20 and addresses Jurisdiction, Intellectual Property, Digital Democracy, Litigation and the Digital Environment and Privacy, one topic each of the five days. Thanks to beSpacific.com for the heads up on this resource.
Donna Wentworth, of the Berkman Center, attended and blogged the legal panel discussion at the ClickZ Weblog Business Strategies Conference & Expo in Boston. This conference addressed "the recent emergence of Weblogs into the business world and their rising importance as a medium of communication." The various panelists presented "the latest developments, strategies, and success stories behind what is now becoming known as the Business Blog, or B-Blog for short."
Her detailed notes are in: Harvard Weblogs: The Law of the Blog.
Among the panelists was John Palfrey, who works at the Berkman Center with Wentworth. She quoted him in part:
"Three or four months ago we created Weblogs at Harvard Law, a blogspace; we put it up and watched to see what happened--like throwing spaghetti at the wall and seeing what sticks. Anyone with a Harvard email address can now get a weblog in that space--including untold numbers of alumni, etc.
We've learned three things, pretty quickly: 1.) watch out about becoming an ISP, 2.) be ready for take-off, it happens more quickly than you think and 3.) blogs are good for the Web and good for you."
Thanks to Wentworth for alerting this reader at her site about the law and politics of intellectual property in a networked world, Copyfight.org. She has been with the Berkman Center since 1997 and also hosts The Filter, which has a steady stream of public interest Internet news and commentary, also published by the Berkman Center.
LawSites is a legal blog, or "blawg," that tracks new and intriguing web sites for the legal profession, hosted by Robert Ambrogi, an attorney now practicing in Rockport, Massachusetts. Robert has long experience in practice, as well as serving as an ADR neutral and as a legal writer and editor. He is author of "The Essential Guide to the Best (and Worst) Legal Sites on the Web."
Hopefully, this humble blogger will do well enough to stay off Ambrogi's "(Worst)" list. Meanwhile, much thanks to Bob for the link.
California S.B. 1386 [California Civil Code Sections 1798.29 and 1798.82 to 1798.84 - dks 10/24/03] takes effect 7/1/03, and mandates that those doing business in California disclose any security breach in which a California resident's "unencrypted personal information" may have been compromised. The word "when" appears in the definition of "personal information," defining that term to mean "an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted." [emphasis added]
The listed data elements include:
* social security number
* driver's license number or California ID card number
* account number, credit or debit card number "in combination with any required security code, access code, or password that would permit access to an individual's financial account."
In this context, if "when" means "so long as," it may affect the decision of many companies to encrypt information about customers, visitors, claimants or others and to encrypt it while resident in their database, not just while in communication transit. Merely encrypting data while it is moving between customer and institution, using SSL or a VPN for example, may not be sufficient. A breach that results in unauthorized persons gaining access to an "at rest" database of unencrypted data may be reportable under the new law.
Interesting S.B. 1386 questions are raised by recent reports of the BugBear.B virus, which enters consumer PCs, then searches for the occurrence of matches with several thousand electronic bank addresses that BugBear.B already has (God knows from where). If it gets a match, the virus attempts to capture passwords from the consumer's data store and emails them to ten addresses (presumably the perpetrator's). While this may expose the bank and consumer to unauthorized access of the consumer's account, it does so without hacking into the bank's system.
In a June 6, 2003 Investor's Business Daily article "California Law Raises Bar for Data Security," Donna Howell quotes several attorneys and database security executives in a discussion of the various ways of protecting affected data without prohibitive costs. Other discussions of the law can be found at Security Focus, where some reader responses raised issues of possible conflict with the federal interstate commerce clause and the usual jurisdiction questions of cross-border commerce.
The BugBear.B cyber-attack could raise several interesting questions under S.B. 1386:
* Query: Does S.B. 1386 require the bank that knows of such a compromise to notify California-resident consumers of the possibility they have been the victim of "BugBear.B"?
* Query: If so, which banks must so report? The stories about BugBear.B indicate that over 1200 separate banks' addresses are already carried in the virus' comparison reference list. Must all of them report?
* Query: If so, to which consumers must those banks report? The virus is said to be spreading like most viruses: rapidly and without leaving a trail for investigators to determine which consumers have been infected.
* Query: In such a circumstance, is notification by publication sufficient? The statute has specific provisions for "substitute notice" which include email, media notification and posting on the institution's own website. But to be allowed substitute notice, the statute requires the notifier to "demonstrate" that the cost of specific notice will exceed $250,000 or must address a class of persons greater than a half million.
* Query: Does that mean that 1000+ banks may have to spend up to $250,000 each providing actual personalized notice of the BugBear.B attack? That's up to a quarter billion dollars. For one virus.
Is this a case in which the cost of the notice due to the statute may be greater than the cost of the loss by identity theft? Could the cure be more costly than the disease?
All of these questions and more will be grist for the mill of lawyers across the US, and beyond, wherever companies do business in California with California residents. As we watch the wheels turn, there may be many interesting unintended consequences.
Thanks to BeSpacific for the word that this law appears to be a result of the State of California's own failure to disclose a hack of its own database in April 2002, as reported in the Contra Costa Times.
FBI investigating "virus-like infection" trying to steal passwords at 1200 banks, including the world's largest, according to the Washington Post article titled "Virus Targeting Banks (washingtonpost.com)."
According to an AP feed found at The WorldLink.com, the virus is not directly attacking the banks' computers, but is hitting consumers' computers, looking for bank web addresses that match those in its software. If it finds a match, it grabs consumers' passwords and emails them to ten email addresses, presumably the perpetrators', says the story.
Financial Services Information Sharing and Analysis Center distributed information from the Office of Homeland Security to its client banks and is working with the FBI.
Hmmmm ... will this need to be reported to California residents, per Calif. S.B. 1386?
P2P file traders targeted by cyber-assaults from music publishers may not be defenseless. NWFusion's Ann Harrison notes in "Anti-file trading measures raise high profile policy questions" that a May 5 NYTimes article suggested that state and federal wiretap laws might have some say on such activity.
Harrison also mentioned a company called OverPeer, which she says develops such software tools, as do others. She also said that a representative of the RIAA acknowledged legal gray areas (or worse) exist regarding some of the software tools in development, which Harrison says include Trojan horse programs.
"This is the first unintended effect of Sarbanes-Oxley," says David Skeel, U.Penn. Law School professor, in an article in Forbes: "Feel Good Justice" that reports on WorldCom's agreement with the S.E.C. to pay $500 million that will go to the benefit of shareholders.
The money will come out of creditors' pockets, turning upside down the usual process of bankruptcy, in which shareholders take last, only after impaired creditors are satisfied. Elizabeth Warren, a bankruptcy authority at Harvard Law, told Forbes "The notion that they [shareholders] cheated themselves and should be paid ahead of creditors makes no sense."
Forbes says that the deal is not expected to be blocked by the bankruptcy court overseeing WorldCom's reorganization, because the S.E.C. started out with a $1.5 billion demand, and got the creditors' committee to assent to the reduced penalty sum.
This space will focus on law and disruptive technologies affecting insurance and related financial services (especially their unintended consequences). The Host is Doug Simpson, an attorney in Hartford, Connecticut who was with the law department of a Fortune 500 insurance company for over 25 years. Doug is a graduate of Dartmouth College and the University of Connecticut School of Law and a member of the Connecticut Bar. He is now an independent legal consultant and writer.
Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley, McCarran-Ferguson, E-SIGN, DMCA and other statutes will play a part in the coming discussion. Also playing are concepts like "Metcalf's Law" and "The Innovator's Dilemma." Please join the conversation.
Full text of Robert K. Merton's 1936 article in the American Sociological Review, "The Unanticipated Consequences of Purposive Social Action".
George Gilder's "Metcalf's Law and Legacy".
Clayton Christensen's "Disruptive Technologies" source site.