W. Bruce Lunsford contribution to create Academy for Law, Business + Technology

With apologies for posting a press release as a blog post, the news that W. Bruce Lunsford has pledged $1 million to Chase under the direction of the Law + Informatics Institute for the creation of the W. Bruce Lunsford Academy for Law, Business + Technology is exciting enough for us to share our news.

HIGHLAND HEIGHTS, Ky. (May 15, 2013) — The Northern Kentucky University Chase College of Law has received a $1 million gift from W. Bruce Lunsford to establish and support the W. Bruce Lunsford Academy for Law, Business + Technology.

Lunsford, a 1974 graduate of Chase College of Law, is chairman and CEO of Lunsford Capital, LLC, a private investment company headquartered in Louisville, Ky.

The W. Bruce Lunsford Academy for Law, Business + Technology will be an honors immersion program operated by the NKU Chase Law + Informatics Institute. The focus of the program will be to develop “renaissance lawyers” for the Information Age. The Lunsford Academy will provide students with the technological, financial and professional skill sets essential to the modern practice of law. Through the program’s technology-driven, skills-based curriculum, students will acquire the fundamental skills that will make them more productive for their clients, more attractive to employers and better prepared to practice law upon graduation.

For those interested in learning more about the details of the program, the most comprehensive vision is provided in my forthcoming article from Connecticut Law Review. A working draft of the paper may be found here: Jon M. Garon, Legal Education in Disruption: The Headwinds and Tailwinds of Technology, (Conn. L. Rev. forthcoming) at SSRN: http://ssrn.com/abstract=2040560.

In addition to taking the program’s required and elective law and informatics courses, Chase students participating in the Lunsford Academy will have the opportunity to participate in technology-focused semester-in-practice placements and study abroad programs; they will also be able to seek joint degrees.

Chase College of Law partners with the NKU College of Informatics to offer a Juris Doctor/Master of Business Informatics and Juris Doctor/Master of Health Informatics and with the NKU Haile/US Bank College of Business to offer a Juris Doctor/Master of Business Administration.

Professor Jon Garon, director of the Law + Informatics Institute, said the development of the Lunsford Academy is the next step in the evolution of legal education. “In addition to a solid foundation in legal doctrine, theory and practice, law students need business education, information technology and intellectual property knowledge, and law practice management experience,” he said. “These skills will enable students to compete in today’s highly networked, efficient and global business community. The generous donation by Bruce Lunsford enables Chase to meet this challenge and redefine the scope of legal education.”

In recognition of Lunsford’s gift, the academy will be named the W. Bruce Lunsford Academy for Law, Business + Technology, upon approval by the NKU Board of Regents.

“We are extremely honored and pleased that Bruce has made this significant investment in our Law + Informatics Institute,” said Dennis R. Honabach, dean of the College of Law. “The Lunsford Academy will provide our law students with invaluable opportunities to become uniquely prepared for the modern practice of law.”

Cyber Defense Strategies and Responsibilities for Industry Call for Papers Now Open

The Northern Kentucky Law Review and Salmon P. Chase College of Law seek submissions for the third annual Law + Informatics Symposium on February 27-28, 2014.

2014 Law + Informatics Symposium on

Cyber Defense Strategies and Responsibilities for Industry

The focus of the conference is to provide an interdisciplinary review of issues involving business and industry responses to cyber threats from foreign governments, terrorists, and corporate espionage. The symposium will emphasize the role of the NIST Cybersecurity Framework and industries providing critical infrastructure.

The symposium is an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues in cybersecurity and informatics law as it applies to corporate strategies and the obligations of business leaders. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics relating to the theme, such as the following:

Cyber Warfare

  • Rules of Engagement
  • Offensive and defensive approaches
  • Responses to state actors
  • Engagement of non-state actors
  • Distinguishing corporate espionage from national defense
  • Proportionality and critical infrastructure
  • Cyber diplomacy
  • Cold War footing and concerns of human rights implications

Front Lines for Industry

  • Role of regulators such as FERC
  • Legacy systems and modern threats
  • NIST guidelines
  • NIST Cybersecurity Framework
  • Engaging Dept. of Homeland Security
  • Implications on various industries (electric power, telecommunications and transportation systems, chemical facilities)
  • Health and safety issues

Global Perspectives

  • Concepts of cyber engagement in Europe
  • Perception of Internet and social media as threat to national sovereignty
  • Rules of engagement outside U.S. and NATO
  • Implications for privacy and human rights
  • Stuxnet, Duqu, Gauss, Mahdi, Flame, Wiper, and Shamoon
  • Cyber engagement in lieu of kinetic attacks or as a component of kinetic engagement


Corporate Governance

  • Confidentiality and disclosure obligations
  • Responsibilities of the board of directors
  • Staffing, structures and responses
  • Data protection & obligations regarding data breaches
  • Corporate duty to stop phishing and other attacks for non-critical industries
  • Investment and threat assessment
  • Litigation and third party liability


Other Issues

  • Executive orders and legislative process
  • Lawyer responsibility in the face of potential threats
  • Practical implications of government notices
  • Perspective on the true nature of the threat

Submissions & Important Dates:

  • Please submit materials to Nkylrsymposium@nku.edu
  • Submission Deadline for Abstracts: September 1, 2013
  • Submission Deadline for First Draft of Manuscripts: January 1, 2014
  • Submission Deadline for Completed Articles: February 1, 2014
  • Symposium Date: February 27-28, 2014

Law Review Published Article: The Northern Kentucky Law Review will review, edit and publish papers from the symposium in the 2014 spring symposium issue. Papers are invited from scholars and practitioners across all disciplines related to the program. Please submit a title and abstract (of 500-100 words) or draft paper for works in progress. Abstracts or drafts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Presentations (without publication) based on Abstracts: For speakers interested in presenting without submitting a publishable article, please submit an abstract of the proposed presentation. Abstracts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Publication of Corporate Handbook on Cyber Defense: The Law + Informatics Institute may edit and publish a handbook for corporate counsel related to the topics addressed at the symposium. Scholars and practitioners interested in authoring book chapters are invited to submit their interest by September 1, 2013, which may be in addition to (or as an adaptation of) a submitted abstract for The Northern Kentucky Law Review. Submissions may be accepted on a rolling basis after that time until all chapter topics are filled.

About the Law and Informatics Institute: The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law.

Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

  • Professor Jon M. Garon, symposium faculty sponsor and book editor: garonj1@nku.edu or 859.572.5815
  • Lindsey Jaeger, executive director: JaegerL1@nku.edu or 859.572.7853
  • Aaren Meehan, symposium editor: meehana2@mymail.nku.edu or 859.912.1551

Beyond Google’s Looking Glass – The Internet of Things is Already Here

Photo: Seal of the United States Federal Trade Commis... (photo: Wikipedia)

Perhaps triggered by the New York Times coverage of Google Glass, the FTC announced both a call for submissions and a workshop related to the Internet of Things and its implications for privacy, fair trade practice, and the security of both data and people. The FTC announcement highlights both the benefits and risks of device connectivity.

Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, healthcare providers, or even other consumers, who can measure how their product usage compares with that of their neighbors. The devices can provide important benefits to consumers: they can handle tasks on a consumer’s behalf, improve efficiency, and enable consumers to control elements of their home or work environment from a distance. At the same time, the data collection and sharing that smart devices and greater connectivity enable pose privacy and security risks.

The issue is not new. The ITU released a 2005 study discussing the implications of the Internet of Things. The ITU described a near technological future in which “industrial products and everyday objects will take on smart characteristics and capabilities. … Such developments will turn the merely static objects of today into newly dynamic things, embedding intelligence in our environment, and stimulating the creation of innovative products and entirely new services.”

I have previously described some of these concerns in an article, Mortgaging the Meme.[1]

In each of these situations, an automated and consumer-defined relationship will replace the pre-existing activities. In many situations, this will create efficiency and convenience for the consumer, but it will also reduce the opportunities for human interaction and subtly rewrite the engagement between customer and company. Those that understand this change will adjust their technologies to improve the service and increase the customer’s reliance on its systems. Companies that do not understand how this engagement will occur risk alienating customers and losing markets quickly.

Beyond consumer interactions, other uses may arise. Ethical and privacy concerns regarding misuse tend to focus on government, business and organized crime. These include unwarranted surveillance, profiling, behavioral advertising and target pricing campaigns. As a result, as companies increasingly rely on these tools, they also bear a responsibility to do so in a socially positive manner that increases the public’s estimation of the company.

The timing of the FTC submissions and workshop is overdue. Reading the New York Times quote regarding app developers, there is a sense that, unlike technology giants such as Microsoft and Google, the developers are thinking more about the technology’s potential than its potential impact. One such example from the Times: “‘You don’t carry your laptop in the bathroom, but with Glass, you’re wearing it,’ said Chad Sahlhoff, a freelance software developer in San Francisco. ‘That’s a funny issue we haven’t dealt with as software developers.’”

Many fields will benefit from increased device connectivity. Just a few:

  • Public transportation systems designed around real-time usage and traffic patterns.
  • Prescription monitoring to help patients take the right medications at the correct time.
  • Fresher, healthier produce.
  • Protection of pets and children.
  • Social connectivity, with photo-tagging and group-meeting moving into the real world.
  • Interactive games played on a real-world landscape.

There are also law enforcement uses that must be carefully considered. After the Boston Marathon attack, for example, calls for public surveillance will undoubtedly increase, including calls for adding seismic devices and real-time echo-location. Gunshots, explosions, and even loud arguments could become self-reporting.

Common household products sometimes become deadly in large quantities. RFID technology could be used to monitor the quantity or concentration of potentially lethal materials and provide that data to the authorities.

The consumer use, public use, and law enforcement use must be thoughtfully reviewed to balance the benefits of the technology with the intrusions into privacy and the legacy of retrievable information that such technology creates.

FTC staff will accept submissions through June 1, 2013, electronically through iot@ftc.gov or in written form. The workshop will be held on November 21st. These are the questions posed by the FTC thus far:

  • What are the significant developments in services and products that make use of this connectivity (including prevalence and predictions)?
  • What are the various technologies that enable this connectivity (e.g., RFID, barcodes, wired and wireless connections)?
  • What types of companies make up the smart ecosystem?
  • What are the current and future uses of smart technology?
  • How can consumers benefit from the technology?
  • What are the unique privacy and security concerns associated with smart technology and its data? For example, how can companies implement security patching for smart devices? What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
  • How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve healthcare decision making or to promote energy efficiency?
  • Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

While the FTC has asked some good questions, they are only the beginning. Please submit your thoughts and join the FTC conversation.
[1] Jon M. Garon, Mortgaging the Meme: Financing and Managing Disruptive Innovation, 10 NW. J. TECH. & INTELL. PROP. 441 (2012).

State of the Cyber Union: Policy Directive + Executive Order = Expansive Regulatory Efforts

In President Obama’s 2013 State of the Union Address, the president included the announcement of a long-expected Executive Order as well as a Presidential Policy Directive focusing on the need for better cybersecurity coordination and defense. This comes on the heels of a classified National Intelligence Estimate reported first by The Washington Post which “identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.” The report ties directly into the focus of the Executive Order, emphasizing the risk both to critical infrastructure and to industry.

At the heart of the Executive Order are voluntary efforts on the part of industry and the role of the Federal Government in increasing coordination. “The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.” NIST is authorized to create a preliminary Cybersecurity Framework within 240 days. Compliance incentives will be developed to encourage voluntary compliance. As these standards gain adoption, they will set a new reasonableness standard, pulling the more reluctant companies up because of the risk of negligence and loss.

But the real action of the Executive Order is Section 10, which provides that each regulatory agency must report whether the agency has the regulatory scope to implement the Cybersecurity Framework. If it does, presumably it will use those regulatory powers to transform the voluntary program into a regulatory one; if it does not, the agency will be expected to engage in the necessary rulemaking to do so.

The Executive Order defines critical infrastructure very broadly to mean “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The Policy Directive provides specific guidance to the Office of Homeland Security and to the other federal agencies targeted with enforcing protections of critical infrastructure and regulatory compliance.

Neither order is overwhelming on its face, but the message is clear. The Federal Government will take an aggressive approach to cybersecurity and will use the broader regulatory authority at its disposal to do so. Though it has been invited to pass legislation, Congress does not need to act because every industry sector has some regulatory oversight and cybersecurity will soon be layered on top of the existing regulations. An excerpt from the Policy Directive highlights the expansionist approach:

Additional roles and responsibilities for the Secretary of Homeland Security include:

  1. Identify and prioritize critical infrastructure, considering physical and cyber threats, vulnerabilities, and consequences, in coordination with SSAs and other Federal departments and agencies;

  2. Maintain national critical infrastructure centers that shall provide a situational awareness capability that includes integrated, actionable information about emerging trends, imminent threats, and the status of incidents that may impact critical infrastructure;

  3. In coordination with SSAs and other Federal departments and agencies, provide analysis, expertise, and other technical assistance to critical infrastructure owners and operators and facilitate access to and exchange of information and intelligence necessary to strengthen the security and resilience of critical infrastructure;

  4. Conduct comprehensive assessments of the vulnerabilities of the Nation’s critical infrastructure in coordination with the SSAs and in collaboration with SLTT entities and critical infrastructure owners and operators;

  5. Coordinate Federal Government responses to significant cyber or physical incidents affecting critical infrastructure consistent with statutory authorities;

  6. Support the Attorney General and law enforcement agencies with their responsibilities to investigate and prosecute threats to and attacks against critical infrastructure;

  7. Coordinate with and utilize the expertise of SSAs and other appropriate Federal departments and agencies to map geospatially, image, analyze, and sort critical infrastructure by employing commercial satellite and airborne systems, as well as existing capabilities within other departments and agencies; and

  8. Report annually on the status of national critical infrastructure efforts as required by statute.

When combined with the additional power of regulation across the spectrum of energy, finance, communications, health, agriculture, information technology and other sectors, the reach is broad enough to rewrite the regulatory landscape much as the USA Patriot Act did in the wake of 9/11.

Privacy may well be another of the casualties of this war. The Executive Order adds that “[a]gencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities,” but asks for little more than an annual report. In contrast, corporate reporting is singled out. “Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.” This has been the case with the Patriot Act and the President’s policies give little comfort.

Confidentiality, rather than privacy, is part of the new regime. Paul Rosenzweig, writing on the Lawfare blog from Brookings, highlights the importance of the short-list: a subset of critical infrastructure organizations within the identified industry which make up the heart of each industry and will be singled out for heightened cybersecurity engagement.

Confidential Identification – The EO has one true innovation in it – a confidential naming program that will identify the critical cyber infrastructure “where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”  This is a subset, of course, of the earlier broader definition.

Being an identified company may bring greater security obligations or improved resources or no change at all. Only time will tell. The impact will vary tremendously depending on the existing preparedness of each company.

The National Intelligence Estimate on cybersecurity risk makes clear that the threat must be addressed.

The report, which represents the consensus view of the U.S. intelligence community, describes a wide range of sectors that have been the focus of hacking over the past five years, including energy, finance, information technology, aerospace and automotives, according to the individuals familiar with the report, who spoke on the condition of anonymity about the classified document.

– The Washington Post

The only question is the cost of the response. China, Russia, Iran, Israel, North Korea and other countries are known for releasing global cyber-attacks, some focused on military and political topics, while others highlight corporate espionage. Moreover, as I mentioned in an earlier post, the intruders use directed attacks on employees and independent contractors who open links, photos or already infected USB devices. Already behind firewalls, these tools install malignant code to harvest passwords, open files and glean information which is sent back to the intruder. Some of these attacks are aimed directly at U.S. infrastructure, others at economic targets, while many others affect U.S. interests only as collateral damage to regional conflicts which do not involve U.S. participants.

Nonetheless, the risks are increasing. After the President’s speech one thing is clear. Using the State of the Union as the basis for the announcement of the Cybersecurity Executive Order and Policy Directive has placed this topic near the top of the national agenda.

Photo:

President Barack Obama delivers the State of the Union address in the House Chamber at the U.S. Capitol in Washington, D.C., Feb. 12, 2013. (Official White House Photo by Chuck Kennedy)

New York Times disclosure of cyber-attacks should pave way for greater corporate engagement and a critical infrastructure executive order

Photo: Seal of the White House Office of Homeland Security, which was formed by executive order on October 8, 2001 (http://www.whitehouse.gov/news/releases/2001/10/20011008-2.html) and later grew into the United States Department of Homeland Security. (Photo credit: Wikipedia)

With the lead story in the New York Times focused on its own failure to defend from Chinese political computer hacking, there is a renewed concern regarding the vulnerability of domestic computer systems, particularly those that are part of the critical national infrastructure. Homeland Security describes critical infrastructure as “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof.”

While the Communications Sector is one of the 18 Sectors identified as part of the critical infrastructure, the focus is on the telecommunications network rather than the content itself. Nonetheless, the continuing attack which lasted over four months raises serious questions regarding the ability of organizations to effectively defend themselves against a serious professional attack.

Among the facts that stood out was the failure of commercial antivirus software. According to the Times, “[o]ver the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.”

The nature of the exposure has also changed. Instead of attacks targeted at firewalls, the campaign is now conducted through phishing – bogus links in innocuous emails that open the firewall to allow installation of “remote access tools,” or RATs.

Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.

Michael Higgins, chief security officer at The Times, said: “Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”

To meet this threat, the Department of Homeland Security established the Office of Infrastructure Protection in 2002. It has its hands full.

This is a complex mission. Critical infrastructure ranges from the nation’s electric power, food and drinking water to its national monuments, telecommunications and transportation systems, chemical facilities, and much more. The vast majority of critical infrastructure in the United States is privately owned and operated; thus, public-private partnerships are essential to protect and boost the resilience of critical infrastructure and respond to events.

The attacks are real. The Washington Post has reported on overseas attacks which target utilities, including one which gained control of a Texas water utility.

Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers. … From October to April, the DHS received 120 incident reports, about the same as for all of 2011. But no one knows how often breaches have occurred or how serious they have been. Companies are under no obligation to report such intrusions to authorities.

Congress flirted with new legislation to update the obligations of companies in the 18 sectors which provide our critical infrastructure, but it was ultimately unable to agree on legislative action. In its place, President Obama is expected to issue an executive order which will highlight the obligation to respond to a notice of imminent threat or to update the capacity to respond to a cyber-attack by any organization within one of the sectors which receives a governmental notice. A possible draft of the order is available here.

While business is reluctant to embrace these new obligations, the acknowledgment by the New York Times of the vulnerability companies face should change the dialogue about the executive order and the need to plan for cyber-defense rather than complain about its costs. After all, the cost of inaction will be much, much higher.

ITU Treaty rejected by US and Western nations but ratified by majority

Earlier this month, the U.S. and many Western nations rejected a proposed treaty revision at the World Conference on International Telecommunications (WCIT) organized by the International Telecommunication Union of the United Nations. The White House issued a statement on Dec. 21st in which it explained the rejection of the proposed treaty amendments because ITU regulation of Internet governance would lead to greater governmental regulation of access to the Internet and the content available online. As the statement explained, “the Internet’s social and economic benefits come from the free flow of information and ideas and that the technical innovation enabling this information flow comes from the full engagement of civil society, industry, and governments in the process.”

At the same time, however, it is important to recognize that the treaty was adopted: 89 states did sign onto the revised treaty, signaling a strong split among nations regarding the nature of Internet governance. Mohamed al-Ghanim, chairman of the WCIT, commented “I hope that the 55 states that said do not want to sign the treaty, or need to hold consultations, to think again.” Ghanim is the chief of the UAE’s Telecommunications Regulatory Authority. The treaty is not binding on the non-signatory countries.

The tension over the ITU treaty amendments, which had been focused on expanding broadband to greater parts of the globe, highlights the growing tension over the role of Internet access as part of human rights protections. Countries such as Russia and China see control over Internet content within their borders as a fundamental issue of sovereignty, while the U.S., E.U. and other government coalitions view Internet content as a fundamental human right. In July of this year, for example, the U.N. Human Rights Council passed a resolution that “affirms that the same rights that people have offline must also be protected online, in particular freedom of expression, which is applicable regardless of frontiers and through any media of one’s choice.”

The ITU vote suggests a growing Cyber Cold War in which historical East/West divisions are reemerging behind firewalls rather than the physical walls of the twentieth century. As in the past, the various U.N. bodies and commissions are split as to their allegiance and ineffectual in their pronouncements.

While cyber-attacks against governmental computers have become a constant occurrence in almost every country, the ITU vote signals a more explicit acknowledgement of the regulatory rift among nations. For governments seeking to manage the information available to their citizens or to control the publications of their citizens, the open nature and growing penetration of the Internet represents a fundamental challenge to governmental control. The ITU vote reflects this tension and provides a roll call for the nations seeking greater transparency and those seeking greater control. Transparency is behind in the vote – 55 to 89.

Lack of Network Diligence Will Cost Dearly

Northwest Florida State College acknowledged on Oct. 10, 2012 that it had been the subject of a data breach. The announcement explained that the attack included “Northwest Florida State College student data on 76,500 current and past students as well as student data on approximately 200,000 Bright Futures scholars across the State of Florida” as well as 3200 employees.

The breach seems to have been identified and corrected approximately two weeks prior to this announcement, around Sept. 24th. But the report acknowledges that the break-in began May 21st and continued unabated for three months.

The NWFSC student information compromised in the security breach contains public directory information including name and address, as well as confidential student data including birth date and Social Security number. The Bright Futures scholars’ data file includes all State of Florida Bright Futures eligible students during the 2005-06 and 2006-07 academic years. This data file contains student names, Social Security numbers, dates of birth, ethnicity and gender. No student academic files have been compromised.

The Chronicle of Higher Education reports that “cases of identity theft have already been reported, with information used to take out loans or open store accounts and make purchases.”

An update from the university added details about the intrusion:

At this point in time, the personal information of employees includes name, birthdate, employee Direct Deposit bank routing and account number information, and Social Security number. Approximately 50 employees to date have reported issues with identity theft, including the college president, faculty and staff.

For universities struggling with a weak economy, high tuition, and questions about the return on investment, failures to protect the information of prospective or current students could prove disastrous. Senior university leadership should learn from the obligations under HIPAA and Sarbanes-Oxley to stay very informed and engaged in the security of their students – both offline and online. That the president of the university was personally targeted by the attackers makes the need for diligence even more important.

It is also a good reminder that all of us receiving funds via direct deposit need to become more diligent in checking our accounts.

The university has set up a website at http://www.nwfsc.edu/security/.

Join over 300 professionals before space runs out at NKU Security Symposium

The NKU Security Symposium, now including a legal track, takes place this Friday. It will be a great opportunity to cross-train with security and privacy professionals, programmers, IT specialists and legal specialists. The legal track announcement is below:

2012 NKU Security Symposium

Friday, Oct. 12, 2012
NKU METS Center in Erlanger, KY

Register Now!

The 2012 Security Symposium, for the 6th year in a row, will bring together security professionals for a multi-track conference focused on the various aspects of security in information technology today. The symposium will focus on IT security challenges, best practices, and professional discussions, and will include a legal track focusing on the intersection of law and security. The symposium is presented by the Center for Applied Informatics, NKU Chase Law & Informatics Institute and CincyIP. Four hours of Kentucky, Ohio and Indiana CLE credits are anticipated. This conference is free, but space is limited. Register now!

The Security Symposium is organized into five tracks:

  • Information Security Governance
    This informational track focuses on the understanding and implementation of management policy, procedures, IT audits, continuity planning, and security awareness and training.
  • Software Security
    This track incorporates knowledge about how identity theft is being fought and information integrity is being secured by industry ingenuity.
  • Mobile & Computer Forensics
    Learn the latest methods and tools to process and understand digital evidence.
  • Current Topics in Security
    Explore security topics focused around cloud computing, virtualization, mobile, and much more.
  • Legal Issues in Privacy and Security
    This year marks the first year with an additional legal track, enabling the legal professionals to engage with security professionals and those involved with implementation of software security.

Legal Track Presenters:

  • Prof. Jon M. Garon, director of the NKU Chase Law + Informatics Institute
  • Prof. Jack Harrison, NKU Chase College of Law
  • Craig Hoffman, Esq., partner of Baker Hostetler
  • Curtis Scribner, an attorney in the Global Privacy and Digital Legal group at Procter & Gamble

Agenda

7:30 - 8:00 AM:  Breakfast

8:15 – 8:30 AM:  Welcome Address

8:30 – 9:30 AM:  General Session I

9:30 – 9:40 AM:  Break

9:40 – 10:40 AM:  LEGAL TRACK: Curtis Scribner on “Issues in Data Privacy”

10:40 – 11:10 AM:   Refreshments and Networking

11:10 – 12:10 PM:  LEGAL TRACK: Prof. Jon M. Garon on “Navigating Through the Cloud – Legal and Regulatory Management for Software as a Service”

12:10 – 12:45 PM:  Lunch

12:45 – 1:45 PM:  General Session II

1:45 – 2:00 PM:  Break

2:00 – 3:00 PM:  LEGAL TRACK: Craig Hoffman, Esq. on “The Legal Implications of Data Breach”

3:00 – 3:30 PM:  Refreshments and Networking

3:30 – 4:30 PM:  LEGAL TRACK: Prof. Jack Harrison on “E-Discovery – Legal Issues, Strategies, and Management”

4:30 – 5:30 PM:  Reception

Learn More:
Law + Informatics Blog

Law + Informatics Facebook

One Internet or Many – Questions on Censorship Grow

When a hateful fourteen-minute video was created intentionally to depict the prophet Mohammad in a manner designed to offend, the awareness of this trivial effort sparked worldwide protests against the United States and Western governments. It was used as a rationale for attacks against NATO forces in Afghanistan and was manipulated to put U.S. ambassador Chris Stevens in a vulnerable position where he was attacked and killed.

Is the response to stop offensive speech on the Internet?

Internet censorship is hardly new. China has laws designed to promote harmony and prosecutes cases to limit the risk of internal rebellion – whether aimed at the government or at ethnic minorities. Germany prohibits Nazi propaganda. Most Islamic states bar publications that insult the prophet Mohammad. The response to the recent video echoes the 2005 controversy regarding a dozen editorial cartoons with depictions considered offensive. First Amendment scholar Eugene Volokh has noted that some U.S. analysts suggest a growing international norm in favor of censorship.

In the same week, the British royal family is bringing suit for invasion of privacy related to nude photographs of Kate Middleton, citing French censorship laws. This could be another example of this international norm.

From the U.S. perspective, with our strong values in Free Speech, the debate seems odd. But the U.S. is actually the odd man out.

  • The U.S. is one of the few nations that bars prior restraint. In most of the world, the government can suppress offensive speech.
  • The U.S. has no laws to punish offensive speech, unless that speech falls into a very narrow set of exceptions (child pornography, obscenity, and invasion of privacy or defamation – only after the plaintiff wins in court, etc.).
  • The U.S. has no anti-blasphemy laws or any official state-sponsored religion.

While these points seem obvious to Americans, they are unheard of in much of the world. As a result, the Administration’s strong denunciation of offensive content seems intentionally weak to someone who believes that content is only published with a government’s prior approval or at least with the ability to arrest those who blaspheme, offend, or violate the State’s position.

This comes at a time when the Internet itself is under redesign. Changes to Internet governance have allowed the Internet to better recognize Arabic, Cyrillic and Simplified Chinese in the domain names of websites. New top level domains will complement .com, .org, and other long-recognized domains. These efforts were intended by ICANN, NGOs and international treaty organizations to further democratize the Internet, but they could instead be utilized as tools to segment the Internet, increase censorship, and cut down on public discourse – in the name of harmony and peace.

Pressures to legitimize government censorship in order to save lives and promote order may create opportunities for greater government censorship than ever before. The U.S., Western Governments and NGOs committed to the rule of law and expansion of individual freedoms must undertake a global effort to educate the public on the values of free speech and the role of tolerance regarding the speech of others.

Despite suggestions that the time to censor has arrived, the real obligation is to teach that the cost of democracy is tolerance and civil liberties. Democracy without tolerance is mob rule; revolutions without civil liberties are little more than window dressing. The lessons from the Arab Spring must continue to be learned in the form of greater understanding and respect for civil discourse which lies at the heart of any civil democracy.

Fourth Circuit Joins Ninth in Limiting CFAA – Setting Stage for More Action

In 1986, Congress amended its earlier attempt to combat computer crime with the Computer Fraud and Abuse Act of 1986. It was further expanded in 2001 under the USA Patriot Act. The CFAA serves as both a criminal and civil statute. It has both strong criminal penalties for unauthorized entry into computer systems and provides an express private cause of action – enabling injured parties to sue intruders using the federal law as the basis for their claims.

The most controversial aspect of the CFAA has been the meaning of unauthorized access. Among the violations, Congress has made it a crime to “intentionally accesses a computer without authorization or exceeds authorized access….” The statute provides some additional guidance. The phrase “exceeds authorized access” has its own statutory definition. It means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” § 1030(e)(6). So it seems fairly clear that using one’s password to acquire documents one has no right to read is a violation of the statute.

But data theft is more nuanced than just this. What about downloading documents when the person downloading has authority to use the material, but then uses that material in an unauthorized manner? Put another way – if an employee is fired and then takes the files she has had at home and brings them to her next employer, it is unlikely a CFAA claim can be made. Conversely, if she returns to work the day after being fired and downloads all the company documents, she has certainly violated the CFAA, since her termination ended her authorized access to the computer. But what about the situation when one downloads the documents intending trade secret theft prior to being fired or quitting the company?

The Fourth Circuit faced this situation in a recent opinion, WEC Carolina Energy Solutions LLC v. Miller, 2012 U.S. App. LEXIS 15441 (4th Cir. July 26, 2012).

The court explained the split of authority interpreting the statute:

In short, two schools of thought exist. The first, promulgated by the Seventh Circuit … holds that when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it. Thus, for example, the Seventh Circuit held [in Int'l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006)] that an employee who erased crucial data on his company laptop prior to turning it in at the end of his employment violated the CFAA. It reasoned that his “breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”

The second, articulated by the Ninth Circuit … interprets “without authorization” and “exceeds authorized access” literally and narrowly, limiting the terms’ application to situations where an individual accesses a computer or information on a computer without permission. Thus, in [United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc)] the Ninth Circuit, sitting en banc, held that the defendant’s coconspirators, a group of employees at an executive search firm, did not violate the CFAA when they retrieved confidential information via their company user accounts and transferred it to the defendant, a competitor and former employee. It reasoned that the CFAA fails to provide a remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded.

The Fourth Circuit opinion attempts to make sense of the language with a simple, plain language approach. “Congress has not clearly criminalized obtaining or altering information ‘in a manner’ that is not authorized,” the court explained. “Rather, it has simply criminalized obtaining or altering information that an individual lacked authorization to obtain or alter.”

This separates the Fourth Circuit from the Seventh Circuit and even distinguishes it somewhat from other courts. Employees who hack into their employers’ computer systems to steal data or who use the username and password of other employees to gain greater access to computer systems will remain liable under the CFAA. But those who take electronic files home to work on them at night without express permission are beyond the scope of the CFAA. Similarly, disgruntled employees who steal electronic files while on the job may be violating their terms of employment, company policies, and state laws, but they are not violating the CFAA in the Fourth Circuit.

Since the interpretation of a statute should not turn on the language in the employee handbook, this is the better result. Companies can still protect themselves by limiting access to sensitive information. Other laws protect against theft of trade secrets, and other torts provide remedies for breach of fiduciary duties. On the other hand, the distinction between the circuits need not be as stark. An employee who erases all company data before returning equipment has likely exceeded the authority to alter the data. This result is consistent with the outcome in WEC, and a court can still reach such misconduct under the cleaner interpretation of the Fourth Circuit.

While it remains to be seen whether the Fourth Circuit opinion invites Supreme Court review, it may be sufficiently well reasoned to invite other circuits to reconsider interpretations of the statute that go beyond the language Congress enacted.