Cyber Defense Strategies and Responsibilities for Industry Call for Papers Now Open

The Northern Kentucky Law Review and Salmon P. Chase College of Law seek submissions for the third annual Law + Informatics Symposium on February 27-28, 2014.

2014 Law + Informatics Symposium on

Cyber Defense Strategies and Responsibilities for Industry

The focus of the conference is to provide an interdisciplinary review of issues involving business and industry responses to cyber threats from foreign governments, terrorists, and corporate espionage. The symposium will emphasize the role of the NIST Cybersecurity Framework and industries providing critical infrastructure.

The symposium is an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues in cybersecurity and informatics law as it applies to corporate strategies and the obligations of business leaders. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics relating to the theme, such as the following:

Cyber Warfare

  • Rules of Engagement
  • Offensive and defensive approaches
  • Responses to state actors
  • Engagement of non-state actors
  • Distinguishing corporate espionage from national defense
  • Proportionality and critical infrastructure
  • Cyber diplomacy
  • Cold War footing and concerns of human rights implications

Front Lines for Industry

  • Role of regulators such as FERC
  • Legacy systems and modern threats
  • NIST guidelines
  • NIST Cybersecurity Framework
  • Engaging Dept. of Homeland Security
  • Implications on various industries (electric power, telecommunications and transportation systems, chemical facilities)
  • Health and safety issues

Global Perspectives

  • Concepts of cyber engagement in Europe
  • Perception of Internet and social media as threat to national sovereignty
  • Rules of engagement outside U.S. and NATO
  • Implications for privacy and human rights
  • Stuxnet, Duqu, Gauss, Mahdi, Flame, Wiper, and Shamoon
  • Cyber engagement in lieu of kinetic attacks or as a component of kinetic engagement


Corporate Governance

  • Confidentiality and disclosure obligations
  • Responsibilities of the board of directors
  • Staffing, structures and responses
  • Data protection & obligations regarding data breaches
  • Corporate duty to stop phishing and other attacks for non-critical industries
  • Investment and threat assessment
  • Litigation and third party liability


Other Issues

  • Executive orders and legislative process
  • Lawyer responsibility in the face of potential threats
  • Practical implications of government notices
  • Perspective on the true nature of the threat

Submissions & Important Dates: 

  • Please submit materials to Nkylrsymposium@nku.edu
  • Submission Deadline for Abstracts: September 1, 2013
  • Submission Deadline for First Draft of Manuscripts: January 1, 2014
  • Submission Deadline for Completed Articles: February 1, 2014
  • Symposium Date: February 27-28, 2014

Law Review Published Article:  The Northern Kentucky Law Review will review, edit and publish papers from the symposium in the 2014 spring symposium issue.  Papers are invited from scholars and practitioners across all disciplines related to the program. Please submit a title and abstract (of 500-100 words) or draft paper for works in progress. Abstracts or drafts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Presentations (without publication) based on Abstracts:  For speakers interested in presenting without submitting a publishable article, please submit an abstract of the proposed presentation. Abstracts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Publication of Corporate Handbook on Cyber Defense: The Law + Informatics Institute may edit and publish a handbook for corporate counsel related to the topics addressed at the symposium. Scholars and practitioners interested in authoring book chapters are invited to submit their interest by September 1, 2013 which may be in addition to (or as an adaptation of) a submitted abstract for The Northern Kentucky Law Review. Submissions may be accepted on a rolling basis after that time until all chapter topics are filled.

About the Law and Informatics Institute:  The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law.

Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

  • Professor Jon M. Garon, symposium faculty sponsor and book editor: garonj1@nku.edu or 859.572.5815
  • Lindsey Jaeger, executive director: JaegerL1@nku.edu or 859.572.7853
  • Aaren Meehan, symposium editor: meehana2@mymail.nku.edu or 859.912.1551

Another Hidden Cost of Rent-to-Own: Your Privacy

Although I normally try to add context to commentary about the legal issues covered in this blog, this FTC press release speaks for itself: Secretly Installed Software on Rented Computers Collected Information, Took Pictures of Consumers in Their Homes, Tracked Consumers’ Locations

Seven rent-to-own companies and a software design firm have agreed to settle Federal Trade Commission charges that they spied on consumers using computers that consumers rented from them, capturing screenshots of confidential and personal information, logging their computer keystrokes, and in some cases taking webcam pictures of people in their homes, all without notice to, or consent from, the consumers.

The software design firm collected the data that enabled rent-to-own stores to track the location of rented computers without consumers’ knowledge according to the FTC complaint.  The settlements bar the companies from any further illegal spying, from activating location-tracking software without the consent of computer renters and notice to computer users, and from deceptively collecting and disclosing information about consumers.

“An agreement to rent a computer doesn’t give a company license to access consumers’ private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,” said Jon Leibowitz, Chairman of the FTC.  “The FTC orders today will put an end to their cyber spying.”

“There is no justification for spying on customers.  These tactics are offensive invasions of personal privacy,” said Illinois Attorney General Madigan.

The FTC named DesignerWare, LLC, a company that licensed software to rent-to-own stores to help them track and recover rented computers.  The FTC also reached settlements with seven companies that operate rent-to-own stores and licensed software from DesignerWare, including franchisees of Aaron’s, ColorTyme, and Premier Rental Purchase.

According to the FTC, DesignerWare’s software contained a “kill switch” the rent-to-own stores could use to disable a computer if it was stolen, or if the renter failed to make timely payments.  DesignerWare also had an add-on program known as “Detective Mode” that purportedly helped rent-to-own stores locate rented computers and collect late payments.  DesignerWare’s software also collected data that allowed the rent-to-own operators to secretly track the location of rented computers, and thus the computers’ users.

When Detective Mode was activated, the software could log key strokes, capture screen shots and take photographs using a computer’s webcam, the FTC alleged.  It also presented a fake software program registration screen that tricked consumers into providing their personal contact information.

Data gathered by DesignerWare and provided to rent-to-own stores using Detective Mode revealed private and confidential details about computer users, such as user names and passwords for email accounts, social media websites, and financial institutions; Social Security numbers; medical records; private emails to doctors; bank and credit card statements; and webcam pictures of children, partially undressed individuals, and intimate activities at home, according to the FTC.

In its complaint against DesignerWare, the FTC charged that licensing and enabling Detective Mode, gathering personal information about renters, and disclosing that information to the rent-to-own businesses was unfair, and violated the FTC Act.  The agency also alleged that DesignerWare’s use of geolocation tracking software without first obtaining permission from the computers’ renters and notifying the computers’ users was unfair and illegal.  It charged that providing the rent-to-own operators the means to break the law was unfair, and providing the fake registration forms to obtain consumer data was deceptive.

The seven rent-to-own companies were charged with breaking the law by secretly collecting consumers’ confidential and personal information and using it to try to collect money from them.  Use of the bogus “registration” information was deceptive, the FTC alleged.

The proposed settlement orders will ban the software company and the rent-to-own stores from using monitoring software like Detective Mode and will ban them from using deception to gather any information from consumers.  They also will prohibit the use of geolocation tracking without consumer consent and notice, and bar the use of fake software registration screens to collect personal information from consumers.  In addition, DesignerWare will be barred from providing others with the means to commit illegal acts, and the seven rent-to-own stores will be prohibited from using information improperly gathered from consumers in connection with debt collection.  All the proposed settlements contain record keeping requirements to allow the FTC to monitor compliance with the orders for the next 20 years.

Those named in the FTC’s complaints include DesignerWare, LLC; its principals, Timothy Kelly and Ronald P. Koller, individually and as officers of DesignerWare, LLC.; Aspen Way Enterprises, Inc.; Watershed Development Corp.; Showplace, Inc., d/b/a Showplace Rent-to-Own; J.A.G. Rents, LLC, d/b/a ColorTyme; Red Zone, Inc., d/b/a ColorTyme; B. Stamper Enterprises, Inc., d/b/a Premier Rental Purchase; and C.A.L.M. Ventures, Inc., d/b/a Premier Rental Purchase.

The Office of the Illinois Attorney General partnered with the FTC in this investigation.  Today General Lisa Madigan announced the filing of an action against one of the rent-to-own companies that used Detective Mode and that is located in Illinois, Watershed Development Corp.

The Commission vote to accept the consent agreement packages containing the proposed consent orders for public comment was 4-0-1, with Commissioner J. Thomas Rosch abstaining.

COPPA Rule Supplemental Comments Extended to Sept. 24th

In an earlier post, I discussed the significance of proposed changes to the Children’s Online Privacy Protection Rule (COPPA Rule) recommended by the FTC. The FTC has extended the comment period regarding the revisions to the COPPA Rule until September 24, 2012.

The COPPA Rule is designed to protect children under 13 from unwanted privacy intrusion by providing parents control over what information websites and online services may collect from these children.

The revised rule expands the websites covered by the COPPA Rule, makes clear that targeted or behavioral advertising geared at protected minors is covered, and expands the definition of personal information to include persistent identifiers.

Some comments have already been filed. They can be read online.

According to the FTC, the extension was “in response to requests from several organizations.” The FTC now anticipates that “public comments on the Supplemental Notice of Proposed Rulemaking will now be accepted until September 24, 2012.”

Significant revisions to Children’s Online Privacy Protection Rule trigger supplemental review

In 1998 Congress responded to the growing demand for protection from invasions of privacy and the potential for marketers or predators to target young children by passing the Children’s Online Privacy Protection Act (COPPA). The Children’s Online Privacy Protection Rule (16 CFR part 312) provides the rules governing the implementation of the law.

As described in the Federal Register, the COPPA Rule includes three key features:

Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children and prohibits them from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities. The Rule contains a ‘‘safe harbor’’ provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule’s protections.

In April 2010 the FTC began a process to update the Rule. A notice was sent out in September 2011, generating 350 comments regarding the proposed changes. After receiving the comments and reviewing its own proposal, the FTC substantially changed the proposed update to the Rule. As a result, the FTC has issued a Supplemental Notice of Proposed Rulemaking under which comments will be accepted until September 10, 2012.

Instructions for submitting comments are found in the Notice. Comments can be submitted electronically.

The FTC explains the changes as follows:

The proposed modifications to the definitions of “operator” and “website or online service directed to children” would allocate and clarify the responsibilities under COPPA when third parties such as advertising networks or downloadable software kits (“plug-ins”) collect personal information from users through child-directed websites or services. The Commission proposes to state within the definition of “operator” that personal information is “collected or maintained on behalf of” an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator. This change would make clear that an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered “operator” under the Rule.

The Commission also proposes to modify the definition of “website or online service directed to children” to:

  1. Clarify that a plug-in or ad network is covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service;
  2. Address the reality that some websites that contain child-oriented content are appealing to both young children and others, including parents. Under the current Rule, these sites must treat all visitors as under 13 years of age. The proposed definition would allow these mixed audience websites to age-screen all visitors in order to provide COPPA’s protections only to users under age 13; and,
  3. Clarify that those child-directed sites or services that knowingly target children under 13 as their primary audience or whose overall content is likely to attract children under age 13 as their primary audience must still treat all users as children.

Finally, the Commission proposes to modify the Rule’s definition of “personal information” to make clear that a persistent identifier will be considered personal information where it can be used to recognize a user over time, or across different sites or services, where it is used for purposes other than support for internal operations. In connection with this change, the Commission proposes to modify the definition of “support for internal operations” in order to explicitly state that activities such as: site maintenance and analysis, performing network communications, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual advertisements, and protecting against fraud and theft will not be considered collection of “personal information” as long as the information collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for any other purpose.

Taken together, these changes attempt to deal with the increasing use of cross-platform sign-ins and authentication. They do not, however, deal directly with social media or other websites that have no provisions for compliance with the Rule but instead encourage users under the age of 13 to mis-identify themselves to the benefit of the website operator.

As the Washington Post noted, “vague language … could allow companies supplying online ads — or even Facebook and Twitter which sometimes appear as little icons on Web sites — to avoid the parental consent process.”

Still, the update addresses at least some of the important changes to the structure of internet communications and the importance of mobile apps as a platform for communications.

September 10th is coming fast. Public comments will be critical in effectively shaping the update to the Rule.

New CRS Reports Highlight Legislation for Cybersecurity

As noted in Eric Fischer, Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, (June 29, 2012) (CRS Report R42114) (full-text), cybersecurity is a “somewhat fuzzy subject.” Yet it has become the focus of considerable regulatory and legislative attention.

Dr. Fischer, Senior Specialist in Science and Technology, has provided a comprehensive roadmap for CRS that gives some context for the competing legislative approaches to this important but under-reported topic.

As the report notes, “There is as yet no overarching framework legislation in place, but many enacted statutes address various aspects of cybersecurity.” The report reviews proposed changes to 28 separate laws from the Posse Comitatus Act of 1879 to the Intelligence Reform and Terrorism Prevention Act of 2004. He reports that “more than 50 statutes address various aspects of cybersecurity either directly or indirectly, but there is no overarching framework legislation in place.” So the report provides an important outline of the disparate efforts to address cybersecurity in Congress.

The report identifies ten broad areas for the legislative proposals:

  • national strategy and the role of government,
  • reform of the Federal Information Security Management Act (FISMA),
  • protection of critical infrastructure (including the electricity grid and the chemical industry),
  • information sharing and cross-sector coordination,
  • breaches resulting in theft or exposure of personal data such as financial information,
  • cybercrime,
  • privacy in the context of electronic commerce,
  • international efforts,
  • research and development, and
  • the cybersecurity workforce.

Not to be outdone, the companion report provides even more specific information regarding recent legislative efforts. Rita Tehan, Cybersecurity: Authoritative Reports and Resources (July 3, 2012) (CRS Report R42507) (full-text) provides a comprehensive overview. Together, the two reports provide a critical roadmap to the present legislative efforts. Tehan’s introduction provides a glimpse at the scale of the activity:

“Cybersecurity is a sprawling topic that includes national, international, government, and private industry dimensions. More than 40 bills and resolutions with provisions related to cybersecurity have been introduced in the first session of the 112th Congress, including several proposing revisions to current laws. In the 111th Congress, the total was more than 60. Several of those bills received committee or floor action, but none have become law. In fact, no comprehensive cybersecurity legislation has been enacted since 2002.”

Fischer notes the importance of these changes. As he notes, “for more than a decade, various experts have expressed increasing concerns about cybersecurity, in light of the growing frequency, impact, and sophistication of attacks on information systems in the United States and abroad. Consensus has also been building that the current legislative framework for cybersecurity might need to be revised.”

Additional coverage can be found at ITWiki, PrivacyLives, and Justice Information Sharing.

CFAA only for hacking – at least in the West

In U.S. v. Nosal __ F.3d __ (2012), the Ninth Circuit made clear that it considers the scope of the Computer Fraud and Abuse Act to be focused specifically on computer hacking rather than more broadly related to violations of corporate policies and terms of service agreements.

The case arose out of a minor bit of corporate espionage – and the hubris and stupidity that often accompany such activities. David Nosal, a former employee at the executive search firm of Korn/Ferry, “convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business.” The Korn/Ferry employees used their access to the system to download confidential information, including source lists, names and contact information, which they emailed to Nosal. They were all caught. The government indicted Nosal on twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA.

Although Nosal did not himself violate the CFAA, he was charged with aiding and abetting those former colleagues who did. The aiding and abetting count rests on whether Nosal’s former colleagues violated the CFAA when they used their authorized access to the confidential database in breach of their confidentiality obligations and in furtherance of the theft of trade secrets.

Writing a clear, rather stinging rebuke of the government’s position, Judge Kozinski explained that the relevant section of the CFAA is limited to computer hacking, not every violation of a use restriction.

The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).

This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who’s authorized to access only certain data or files but accesses unauthorized data or files—what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would “exceed[] authorized access” if he looks at the customer lists.

Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.

… The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. … The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.

… Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. … Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.

There are a number of subsections of the CFAA, and the government takes the position that the broad interpretation of this provision is limited by the need to prove an intent to defraud. In those other sections of the CFAA where intent to defraud is not required, the statute’s scope can still be more limited. But the Ninth Circuit points out that the language of the offense is the same, so that giving the same phrase a different scope within the same statute is unworkable.

The Ninth Circuit remains at odds with decisions in other circuits. Eventually either Congress or the Supreme Court will need to reconcile this increasingly important tension in the CFAA. For now, one’s exposure to federal criminal prosecution depends, at least in part, on where one accesses the computer.

FTC Report on Protecting Consumer Privacy released

The FTC has issued its final report setting forth best practices for businesses to protect consumers’ personal data. The report emphasizes “privacy by design” which, among other things, requires more opt-in approaches to information sharing, setting defaults as private, and recognizing that there is a range between confidential and public, such as limited to family, to friends and family, to colleagues, or others. While called the final report, it undoubtedly will not be. Legislation is likely in this area as technology and public demands continue to shift. The FTC recognizes as much.


In the report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” the FTC also recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.

Some proposals, such as Do Not Track, will have much stronger support among all interests in the privacy debate and should see broad legislative support.

“If companies adopt our final recommendations for best practices – and many of them already have – they will be able to innovate and deliver creative new services that consumers can enjoy without sacrificing their privacy,” said Jon Leibowitz, Chairman of the FTC. “We are confident that consumers will have an easy to use and effective Do Not Track option by the end of the year because companies are moving forward expeditiously to make it happen and because lawmakers will want to enact legislation if they don’t.”

Concerns for tracking of mobile devices are adding to public interest in privacy legislation. Moreover, concern about the power of police and security forces may further the discussion for appropriate U.S. legislation.

At the same time, policy changes in Europe mean that it is likely the U.S. and Europe will move farther apart even as the U.S. tries to improve its protections of individual privacy.

Two days until NKU Law Review Symposium on Law & Informatics

The Northern Kentucky Law Review will host the inaugural Law & Informatics Symposium on March 1-2, 2012, presented in association with the NKU Chase Law & Informatics. Offering cutting-edge presentations and 10.5 hours of CLE, the symposium is sure to provide an important addition to the growing understanding of the intersection between law and information systems around the globe.

Limited seating is still available. See https://supportnku.nku.edu/ChaseLII for details.

Your registration fee includes the general and special sessions, breakfast and lunch, as well as all published materials.

This two-day conference will gather academics, lawyers, and industry leaders from throughout the United States, Europe, and Asia to focus on cutting-edge issues involving data privacy, cyber-security, international trade, and internet regulation.

The first day’s topics will include criminal justice and the media, antitrust, HIPAA/HITECH Act compliance, GLBA reporting, social media marketing, and international internet regulations. The second day will include international cyber-crime, cross-border transactions, international publicity, cyber currency, privacy legislation, and many related topics.

The Symposium is an opportunity for academics, practitioners, and students to exchange ideas and explore emerging issues in informatics law, disruptive innovation, and the increasingly interconnected information environment. The agenda is available online at http://chaseinformatics.org/symposium/.

Speakers:

  • P.J. Blount, National Center for Remote Sensing, Air, and Space Law, University of Mississippi School of Law
  • Galina Borisevich, Perm State University, Russian Federation
  • Eric Chaffee, University of Dayton School of Law
  • Natalya Chernyadyeva, Perm State University, Russian Federation
  • Jorge Contreras, American University Washington College of Law
  • Evelina Frolovich, Perm State University, Russian Federation
  • Vaibhav Garg, Indiana University School of Informatics and Computing
  • Anne Gilliland, The Ohio State University College of Medicine SBS-Biomedical Informatics
  • David Harris, Harvard Law School Charles Hamilton Houston Institute for Race and Justice
  • Henry Judy, K&L Gates
  • Kalyan C. Kankanala, Brain League IP Services Ltd. (India)
  • Deborah Keeling, University of Louisville College of Justice Administration
  • Michael Losavio, University of Louisville College of Justice Administration
  • Rachel Lyon, Northern Kentucky University College of Informatics
  • Jasmine McNealy, Syracuse University S.I. Newhouse School of Public Communication
  • Mark McPhail, University of Wisconsin-Whitewater College of Arts and Communication
  • Svetlana Polyaskya, Perm State University, Russian Federation
  • David Satola, The World Bank
  • Susan Stephan, Kretsch & Gust PLLC
  • Lauren Solberg, Meharry Medical College
  • Judith Wiener, The Ohio State University College of Medicine SBS-Biomedical Informatics
  • Peter Yu, Drake University School of Law

For details, registration, and additional restrictions please see http://chaseinformatics.org/symposium/ or call 859.572.7577.

  • General Pricing: $395 – Same Day Rush: $200
  • Alumni Pricing: $295 – Same Day Rush: $200
  • Academics & Students not affiliated with NKU: $50 – Same Day Rush: $10

Cybersecurity Act of 2012 Puts Focus on the Shadow Wars

On February 14, 2012, a 205 page comprehensive new Cybersecurity Act of 2012 was introduced in the Senate to address the growing concerns about cyber-warfare, cybersecurity, and cyber-terrorism. The bipartisan Cybersecurity Act of 2012 is co-sponsored by Senators Joe Lieberman (I-Ct), Susan Collins (R-Maine), Jay Rockefeller (D-WV) and Diane Feinstein (D-Cal) to address the potential gaps in the critical U.S. infrastructure. As defined in the USA Patriot Act,

[T]he term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

The proposed law expands on the USA Patriot Act and existing presidential directives to provide sector-by-sector assessment, standards and regulations to improve these assets. Presently, the DHS provides utterly circular guidance on the existing directives. Hopefully, the new proposal will at least increase the awareness within these sectors for comprehensive security.

The proposed legislation defines ‘‘cyber risk’’ as “any risk to information infrastructure, including physical or personnel risks and security vulnerabilities, that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure.” The information infrastructure is the privately owned communications systems located in the U.S., presumably including everything from telephones and cable to Facebook and Google.

Howard Waltzman suggests that a critical infrastructure system or asset may be deemed “covered” only if damage or unauthorized access to the infrastructure could lead to:

  • The interruption of life-sustaining services (e.g. food, energy, or emergency services) sufficient to cause a mass casualty event or mass evacuations;
  • Catastrophic economic damage to the United States, including failure or disruption of a US financial market or sustained disruption of a transportation system; or
  • Severe degradation of national security capabilities.

Ninety days following the passing of the legislation, a sector-by-sector review of the critical infrastructure will provide a prioritized list of the most at-risk systems.

There are significant exemptions in the law to protect private vendors (perhaps security software companies, search engine providers, and social media networks) so that particular products cannot be singled out. Similarly, there is a weak attempt to provide free speech protections to the system and to protect technologies based solely on their ability to be used in critical infrastructure.

The timing of the legislation is particularly interesting in light of the recent cyber attack in Israel by a Saudi Arabian hacker and retaliatory credit card hacking by an Israeli against the Saudi banks. Attacks against Google and US defense contractors allegedly by Chinese-sponsored hackers raised similar concerns.

Moreover, a stealth war with Iran appears to be heating up, including the assassinations of government scientists and public officials, increased sponsorship of terrorism targeting soft targets, and heightened war rhetoric.

As with the SOPA and PROTECT IP Act, the critical issue will be to focus on the primary risks rather than on political maneuvering by legislators to prove who is the toughest on the perceived threat. The costs for upgrading critical infrastructure will likely be immense; the complexity will be monumental; and the challenges significant. Where our nation is at risk, these steps must be taken. But the process must include some caution and common sense so that it is moderated and proportional to the outstanding threats.

Facebook IPO raises interesting legal disclosures

Companies engaging in public markets are under tremendous scrutiny as well as legal obligations to provide all material information related to the sale of those securities. In addition, beginning October 13, 2011, the SEC provided specific guidance on the types of cyber-security issues that must be disclosed to the public markets in various statements and offerings.

So it should come as no surprise that Facebook has provided the public a comprehensive blueprint for disclosure of all possible risks that might befall a publicly traded social media enterprise in its initial IPO filing (its S-1 Registration).

In his Internet Cases blog, attorney Evan Brown noted that Facebook lists 40 risk factors. His informative blog describes six of the more interesting legal disclosures in the Facebook IPO regarding the intellectual property issues the company faces.

Among the risk factors of note were the reliance on Zynga – which accounts for 12% of company revenue, challenges of scalability, and the risk associated with the development of Facebook’s own technology.

  • We recently began to own and build key portions of our technical infrastructure, and, because of our limited experience in this area, we could experience unforeseen difficulties.

In 2011, we began serving our products from data centers owned by Facebook using servers specifically designed for us. We plan to continue to significantly expand the size of our infrastructure, primarily through data centers that we design and own.

Facebook also recognized the significant challenges created by intellectual property ownership – both as an owner of those assets trying to protect them – and as a target for others trying to cash in (since those others could not justifiably be defending their own rights).

  • We are currently, and expect to be in the future, party to patent lawsuits and other intellectual property rights claims that are expensive and time consuming, and, if resolved adversely, could have a significant impact on our business, financial condition, or results of operations.

Companies in the Internet, technology, and media industries own large numbers of patents, copyrights, trademarks, and trade secrets, and frequently enter into litigation based on allegations of infringement, misappropriation, or other violations of intellectual property or other rights. In addition, various “non-practicing entities” that own patents and other intellectual property rights often attempt to aggressively assert their rights in order to extract value from technology companies.

Perhaps the most interesting disclosure is the attitude exhibited for rights of privacy and publicity.

  • Our business is subject to complex and evolving U.S. and foreign laws and regulations regarding privacy, data protection, and other matters. Many of these laws and regulations are subject to change and uncertain interpretation, and could result in claims, changes to our business practices, increased cost of operations, or declines in user growth or engagement, or otherwise harm our business.

Certainly one can understand the pressure Facebook feels to comply with privacy laws and keep up with the FTC practices that require privacy policies be respected and changes to those policies be enacted only after adequate notice.

Is it then at odds with the company to value itself at $100 billion if the value of its assets is so uncertain and complex? The risk does not seem to be deterring the company from seeking the reward. So perhaps the risk factor serves another purpose – to suggest that any changes resulting in increased privacy protections are harmful to the economy and the country.

Either way: Buyer beware.