Category Archives: Social Media

W. Bruce Lunsford contribution to create Academy for Law, Business + Technology

Posted on by

With apologies for posting a press release as a blog post, the news that W. Bruce Lunsford has pledged $1 million to Chase under the direction of the Law + Informatics Institute for the creation of the the W. Bruce Lunsford Academy for Law, Business + Technology is exciting enough for us to share our news.

HIGHLAND HEIGHTS, Ky. (May 15, 2013) — The Northern Kentucky University Chase College of Law has received a $1 million gift from W. Bruce Lunsford to establish and support the W. Bruce Lunsford Academy for Law, Business + Technology.

Lunsford, a 1974 graduate of Chase College of Law, is chairman and CEO of Lunsford Capital, LLC, a private investment company headquartered in Louisville, Ky.

The W. Bruce Lunsford Academy for Law, Business + Technology will be an honors immersion program operated by the NKU Chase Law + Informatics Institute. The focus of the program will be to develop “renaissance lawyers” for the Information Age. The Lunsford Academy will provide students with the technological, financial and professional skill sets essential to the modern practice of law.  Through the program’s technology-driven, skills-based curriculum, students will acquire the fundamental skills that will make them more productive for their clients, more attractive to employers and better prepared to practice law upon graduation.

For those interested in learning more about the details of the program, the most comprehensive vision is provided in my forthcoming article from Connecticut Law Review. An working draft of the paper may be found here: Jon M.Garon, Legal Education in Disruption: The Headwinds and Tailwinds of Technology, (Conn. L. Rev. forthcoming) at SSRN: http://ssrn.com/abstract=2040560.

In addition to taking the program’s required and elective law and informatics courses, Chase students participating in the Lunsford Academy will have the opportunity to participate in technology-focused semester-in-practice placements and study abroad programs; they will also be able to seek joint degrees.

Chase College of Law partners with the NKU College of Informatics to offer a Juris Doctor/Master of Business Informatics and Juris Doctor/Master of Health Informatics and with the NKU Haile/US Bank College of Business to offer a Juris Doctor/Master of Business Administration.

Professor Jon Garon, director of the Law + Informatics Institute, said the development of the Lunsford Academy is the next step in the evolution of legal education. “In addition to a solid foundation in legal doctrine, theory and practice, law students need business education, information technology and intellectual property knowledge, and law practice management experience,” he said. “These skills will enable students to compete in today’s highly networked, efficient and global business community. The generous donation by Bruce Lunsford enables Chase to meet this challenge and redefine the scope of legal education.”

In recognition of Lunsford’s gift, the academy will be named the W. Bruce Lunsford Academy for Law, Business + Technology, upon approval by the NKU Board of Regents.

“We are extremely honored and pleased that Bruce has made this significant investment in our Law + Informatics Institute,” said Dennis R. Honabach, dean of the College of Law. “The Lunsford Academy will provide our law students with invaluable opportunities to become uniquely prepared for the modern practice of law.”

Comprehensive Copyright Review – The First Steps of a Very Long Journey

Posted on by

House Judiciary Committee Chairman Bob Goodlatte has announced that the Judiciary Committee will conduct a comprehensive review of U.S. copyright law over the coming months. The comprehensive review is not any particular legislative agenda, but it will serve as an open invitation to content industries, technology industries, and the public in a way that likely never occurred in any of the Copyright Act’s prior legislative reforms.

Chairman Goodlatte emphasized the evolution of technology and media in his remarks:

The discussions during the early 1900’s over the need to update American copyright laws to respond to new technology were not the first time such discussions occurred and they will certainly not be the last. Formats such as photographs, sound recordings, and software along with ways to access such formats including radio, television, and the Internet did not exist when the Constitution recognized intellectual property. My Committee has repeatedly held similar discussions about new forms of intellectual property as they arose and enacted laws as appropriate. Driven by new technologies and business models, a number of changes to copyright law went into effect in 1976.

copyright officeNo one should expect immediate legislation. As Register of Copyrights, Maria Pallante noted in her recent congressional testimony “a major portion of the current copyright statute was enacted in 1976. It took over two decades to negotiate, and was drafted to address analog issues and to bring the United States into better harmony with international standards, namely the Berne Convention.” Even there, the effective date for U.S. adherence to the Berne Convention took until March 1, 1989.

In the decades of negotiation over copyright reform in the past, the tension was primarily between commercial interests of the content industries – film, television, music, and publishing industries with the trade unions, authors, and creative interests. But that focus has shifted dramatically with the rise of the information age.

The defeat of SOPA highlighted the tension between the technology industries – led by the ISPs, Google, Apple, Microsoft, eBay, Facebook, and Wikipedia with the content industries. In this fight, the content industries continue to lose. They could not push ACTA and they have lost in the courts over first sale in Kirtsaeng v. John Wiley & Sons, secondary liability in Viacom Int’l v. YouTube Inc. and Tiffany v. eBay, Inc., and many others.

Even more importantly, the rise of social media and the role copyright now plays – or interferes – in the daily lives of ordinary citizens means that the public’s interest in this debate will be higher than ever. Organized by social media companies like Facebook, LinkedIn, Twitter, Google and hundreds of others, the public will be exhorted to be heard every time they log on or check in. This is a great change for democracy. But we shouldn’t forget that those intermediaries are also the very technology companies that have their own stake in the outcomes.

Register Pallante has indicated some of the critical issues before the Judiciary Committee (though the explanation and approach is mine, not Register Pallente’s):

  • First sale doctrine – which could include both (i) a review of Kirtsaeng (2013) which internationalized first sale, and (ii) technologies that allow for a digital forward-and-delete that mimics first sale in the online environment;
  • Orphan works – questions about how to handle works for which the ownership information or the transfers of ownership have been lost;
  • Library exceptions – addressing digital collections and the ability to gain far greater usage out of far fewer copies;
  • Statutory licensing reform – on rate setting and rates;
  • Federalization of pre-72 sound recordings – resolving the issues involving retroactive pseudo-copyright protection for these works and the implications on the public domain;
  • Resale royalties for visual artists – addressing the conflict with those states which provide these rights and potentially creating national legislation;
  • Copyright small claims procedure or courts – adding a mechanism for copyright to be enforceable for small scale claims; and
  • Mass digitization of books – addressing the myriad of problems triggered by the intermediate copyright violations of works, the fair use of showing snippets, the procedural issues in the project, and many other concerns.

This list does not include many other potential areas for reform, including some of my preferred topics:

  • Explicit free speech and human rights accommodations for the statute, since copyright and First Amendment issues increasingly intersect;
  • Expanded fair use or copyright exemptions codified under Section 110 for digitization, reverse engineering, comparative advertising, and others;
  • Anti-circumvention (DMCA) reform to prohibit its use for use in commercial products – such as cars, printers, garage doors, and other goods;
  • Expanded registration requirements so that most of the economically insignificant works people create daily are outside of the copyright regime;
  • Statutory Damage Reform to tie statutory damages more closely to actual damages and separate commercial infringers from consumers;
  • Mandatory cease-and-desist system so that no one can be sued for copyright damages unless they have been notified directly the conduct is infringing and continue, after a reasonable opportunity to cure has been provided; and
  • Broader non-commercial exceptions to copyright analogous to the public/private distinction of the 1909 Act.

Copyright needs to continue to adjust to address these issues. While the system is not broken, there are many strains. Again, from Chairman Goodlatte:

There is little doubt that our copyright system faces new challenges today. The Internet has enabled copyright owners to make available their works to consumers around the world, but has also enabled others to do so without any compensation for copyright owners. Efforts to digitize our history so that all have access to it face questions about copyright ownership by those who are hard, if not impossible, to locate. There are concerns about statutory license and damage mechanisms. Federal judges are forced to make decisions using laws that are difficult to apply today. Even the Copyright Office itself faces challenges in meeting the growing needs of its customers – the American public.

It will be important to be heard on these issues and to think carefully about a system that is good for today’s issues, tomorrow’s challenges and the decades of unanticipated changes the new law will cover.

Cyber Defense Strategies and Responsibilities for Industry Call for Papers Now Open

Posted on by

The Northern Kentucky Law Review and Salmon P. Chase College of Law seek submissions for the third annual Law + Informatics Symposium on February 27-28, 2014.

2014 Law + Informatics Symposium on

Cyber Defense Strategies and Responsibilities for Industry

 The focus of the conference is to provide an interdisciplinary review of issues involving business and industry responses to cyber threats from foreign governments, terrorists, and corporate espionage. The symposium will emphasize the role of the NIST Cybersecurity Framework and industries providing critical infrastructure.

The symposium is an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues cybersecurity and informatics law as it applies to corporate strategies and the obligations of business leaders. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics relating to the theme, such as the following:

Cyber Warfare

  • Rules of Engagement
  • Offensive and defensive approaches
  • Responses to state actors
  • Engagement of non-state actors
  • Distinguishing corporate espionage from national defense
  • Proportionality and critical infrastructure
  • Cyber diplomacy
  • Cold War footing and concerns of human rights implications

Front Lines for Industry

  • Role of regulators such as FERC
  • Legacy systems and modern threats
  • NIST guidelines
  • NIST Cybersecurity Framework
  • Engaging Dept. of Homeland Security
  • Implications on various industries (electric power,  telecommunications and transportation systems, chemical facilities)
  • Health and safety issues
 Global Perspectives

  • Concepts of cyber engagement in Europe
  • Perception of Internet and social media as threat to national soverignty
  • Rules of engagement outside U.S. and NATO
  • Implications for privacy and human rights
  • Stuxnet, Duqu, Gauss, Mahdi, Flame, Wiper, and Shamoon
  • Cyber engagement in lieu of kinetic attacks or as a component of kinetic engagement

 

Corporate Governance

  • Confidentiality and disclosure obligations
  • Responsibilities of the board of directors
  • Staffing, structures and responses
  • Data protection & obligations regarding data breaches
  • Corporate duty to stop phishing and other attacks for non-critical industries
  • Investment and threat assessment
  • Litigation and third party liability

 

Other Issues

  • Executive orders and legislative process
  • Lawyer responsibility in the face of potential threats
  • Practical implications of government notices
  • Perspective on the true nature of the threat

Submissions & Important Dates: 

  • Please submit materials to Nkylrsymposium@nku.edu
  • Submission Deadline for Abstracts: September 1, 2013
  • Submission Deadline for First Draft of Manuscripts: January 1, 2014
  • Submission Deadline for Completed Articles: February 1, 2014
  • Symposium Date: February 27-28, 2014

Law Review Published Article:  The Northern Kentucky Law Review will review, edit and publish papers from the symposium in the 2014 spring symposium issue.  Papers are invited from scholars and practitioners across all disciplines related to the program. Please submit a title and abstract (of 500-100 words) or draft paper for works in progress. Abstracts or drafts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Presentations (without publication) based on Abstracts:  For speakers interested in presenting without submitting a publishable article, please submit an abstract of the proposed presentation. Abstracts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Publication of Corporate Handbook on Cyber Defense: The Law + Informatics Institute may edit and publish a handbook for corporate counsel related to the topics addressed at the symposium. Scholars and practitioners interested in authoring book chapters are invited to submit their interest by September 1, 2013 which may be in addition to (or as an adaptation of) a submitted abstract for The Northern Kentucky Law Review. Submissions may be accepted on a rolling basis after that time until all chapter topics are filled.

About the Law and Informatics Institute:  The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law.

Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

  • Professor Jon M. Garon, symposium faculty sponsor and book editor: garonj1@nku.edu or 859.572.5815
  • Lindsey Jaeger, executive director: JaegerL1@nku.edu or 859.572.7853
  • Aaren Meehan, symposium editor, meehana2@mymail.nku.edu or 859-912-1551

Beyond Google’s Looking Glass – The Internet of Things is Already Here

Posted on by
Seal of the United States Federal Trade Commis...

(photo: Wikipedia)

Perhaps triggered by the New York Times coverage of Google Glass, The FTC announced both a call for submissions and a workshop related to the Internet of Things and its implications on privacy, fair trade practice, and security implications for both data and people. The FTC announcement highlights both the benefits and risks of device connectivity.

Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, healthcare providers, or even other consumers, who can measure how their product usage compares with that of their neighbors.  The devices can provide important benefits to consumers:  they can handle tasks on a consumer’s behalf, improve efficiency, and enable consumers to control elements of their home or work environment from a distance. At the same time, the data collection and sharing that smart devices and greater connectivity enable, pose privacy and security risks.

The issue is not new. The ITU released a 2005 study discussing the implications of the Internet of Things. The ITU described a near, technological future in which “industrial products and everyday objects will take on smart characteristics and capabilities. … Such developments will turn the merely static objects of today into newly dynamic things, embedding intelligence in our environment, and stimulating the creation of innovative products and entirely new services.”

I have previously described some of these concerns in an article, Mortgaging the Meme.[1]

In each of these situations, an automated and consumer-defined relationship will replace the pre-existing activities. In many situations, this will create efficiency and convenience for the consumer, but it will also reduce the opportunities for human interaction and subtly rewrite the engagement between customer and company. Those that understand this change will adjust their technologies to improve the service and increase the customer‘s reliance on its systems. Companies that do not understand how this engagement will occur, risk alienating customers and losing markets quickly.

Beyond consumer interactions, other uses may arise. Ethical and privacy concerns regarding misuse tend to focus on government, business and organized crime. These include unwarranted surveillance, profiling, behavioral advertising and target pricing campaigns. As a result, as companies increasingly rely on these tools, they also bear a responsibility to do so in a socially positive manner that increases the public‘s estimation of the company.

Timing for the FTC submissions and workshop are overdue. Reading the New York Times quote regarding app developers, there is a sense that unlike the technology giants such as Microsoft and Google, the developers are thinking more about the technology’s potential than its potential impact. One such example from the Times: “‘You don’t carry your laptop in the bathroom, but with Glass, you’re wearing it,’ said Chad Sahlhoff, a freelance software developer in San Francisco. ‘That’s a funny issue we haven’t dealt with as software developers.’”

Many fields will benefit from increased device connectivity. Just a few:

  • Public transportation systems designed around real-time usage and traffic patterns.
  • Prescription monitoring to help patients take the right medications at the correct time.
  • Fresher, healthier produce.
  • Protection of pets and children.
  • Social connectivity, with photo-tagging and group-meeting moving into the real world.
  • Interactive games played on a real-world landscape.

There are also law enforcement uses that must be carefully considered. After the Boston Marathon attack, for example, calls for public surveillance will undoubtedly increase, including calls for adding seismic devices and real-time echo-location. Gunshots, explosions, and even loud arguments could become self-reporting.

Common household products sometimes become deadly in large quantities. RFID technology could be used to monitor quantity concentration of potentially lethal materials and provide that data to the authorities.

The consumer use, public use, and law enforcement use must be thoughtfully reviewed to balance the benefits of the technology with the intrusions into privacy and the legacy of retrievable information that such technology creates.

FTC staff will accept submissions through June 1, 2013, electronically through iot@ftc.gov or in written form. The workshop will be held on November 21st. These are the questions posed by the FTC thus far:

  • What are the significant developments in services and products that make use of this connectivity (including prevalence and predictions)?
  • What are the various technologies that enable this connectivity (e.g., RFID, barcodes, wired and wireless connections)?
  • What types of companies make up the smart ecosystem?
  • What are the current and future uses of smart technology?
  • How can consumers benefit from the technology?
  • What are the unique privacy and security concerns associated with smart technology and its data?  For example, how can companies implement security patching for smart devices?  What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
  • How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve healthcare decision making or to promote energy efficiency?
  • Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

While the FTC has asked some good questions, they are only the beginning. Please submit your thoughts and join the FTC conversation.

[1] Jon M. Garon, Mortgaging the Meme: Financing and Managing Disruptive Innovation, 10 NW. J. TECH. & INTELL. PROP. 441 (2012).

NYPD Issues social media policy to stop embarrassment from private comments

Posted on by

Facing increased criticism over the conduct of police officials and firemen, New York City has issued strict social media policies focused on tamping down the offending comments of its officers. New York City Police Commissioner Raymond W. Kelly ordered the distribution of the new guidelines to regulate the comments and impact of the offers’ social media activities. The policy does not cover firefighters, though reports suggest a similar policy is under development.

As the New York Times reports, “police officers across the city checked their accounts to see if anything they had posted might run afoul of the new rules. Some edited their personal accounts to remove references to the department.” The Times quoted Roy T. Richter, president of the Captains Endowment Association. “Such an order is not unexpected. The only surprise is that the order was not put out before now.”

The new policy comes on the heels of incidents in which very public incidents involving social media, including racially inappropriate tweets that led to the resignation of the fire commissioner’s son. Kelly denied the policy was a direct result of the incident, saying the order’s development predated this latest incident.

Robert Gonzelez, a police training expert at John Jay College, has been quoted as saying the guidelines constitute “unauthorized censorship. Members of the NYPD are proud public officials and should be authorized to express that right on social media sites without retribution.

The NLRB has been very aggressive in voiding social media policies that interfere with the rights of workers to organize. The Operations Management Memo has found most social media policies overbroad. Among the limitations on social media policies, employees have the right to wear company logos even when protesting working conditions. Policies that prohibit their right to self-identify as employees or to wear uniforms outside of work are a violation of these rights.

Compare those policies to the NYPD guidelines as reported by the New York Times:

The policy restricts posting photos of other officers, tagging them in photos or putting photos of themselves in uniform — except at police ceremonies — on any social media site.

Employees are “urged not to disclose or allude to their status” online. Disclosing one’s employment could result in that person being ineligible for certain sensitive roles.

The New York Times correct lists other aspects of the policy as good practice and appropriate: “Do not post images of crime scenes, witness statements or other nonpublic information gained through work as a police officer; do not engage with witnesses, victims or defense lawyers; do not “friend” or “follow” minors encountered on the job.”

Once the initial bad press of online misuse fades, the issues of government limitations on employee’s social media will again rise to the surface as a significant issue for employment in the public sector. The NYPD guidelines provide fuel rather than direction for this debate.

Journalism audience, revenue, and depth all in decline suggests Pew Center study

Posted on by

The Pew Research Center’s Project for Excellence in Journalism paints a dismal picture regarding the transformation of American news media. The Center describes “a news industry that is more undermanned and unprepared to uncover stories, dig deep into emerging ones or to question information put into its hands” than any time in recent history. Among the findings:

  • Sports, weather and traffic now account on average for 40% of content
  • Newsroom cutbacks in 2012 put the industry down 30% since its peak in 2000
  • Some media outlets, such as Forbes magazine, use technology by a company called Narrative Science to produce content by way of algorithm
  • Media campaign reports were primarily megaphones, rather than investigative journalism

In response to the declines, the Center reports, “nearly a third of U.S. adults, 31%, have stopped turning to a news outlet because it no longer provided them with the news they were accustomed to getting.”

Pew InfographicThere is some financial restructuring of the industry as well. In most cases, however, the restructuring moves revenue away from news media and towards aggregators such as Google and Facebook. Economically this is another situation where the company providing the conduit for content receives the revenue rather than the individuals and companies providing the actual content. The other good news is the slight increase in Sunday newspaper subscriptions and the end to the decline in overall newspaper sales.

In total, however, the report makes clear that while there is more information than ever before, there is less in-depth news coverage.

In a report published last year, the Pew Center reported found that “for every $1 newspapers were gaining in digital ad revenue, they were losing $7 in print advertising” and the gap grew to $16 in print losses for every digital dollar gained by the end of the 2012. Some papers are returning to pay walls to offset the losses; others are accelerating their cost-cutting in print and reporting expenses to pay the gap.

While digital revenues continue to grow, the income is not fueling journalism. Instead, it pays for mobile devices, social media and search. While each of these has benefits, journalism has a uniquely important role in society – unfortunately that role will continue to shrink as budgets wane, reports become more superficial, audiences erode, budgets shrink in response – and the cycle goes inexorably downward.

iPad Newsstand provides some revenue to the publishers, but at a steep price to the Apple newsstand vendor. Zinio and Kindle are also out there.

Perhaps it is time to rethink what we pay for with our home entertainment dollars. Maybe the bundle of services will cover a few dozen fewer unwatched cable channels and put a few cents into the digital edition of the local paper. Certainly it is time to rethink media ownership and financing rules for the digital market.

New FTC Dot Com guide reminds firms to keep disclosures close – and disclaimers even closer

Posted on by

On March 12, 2013, The Federal Trade Commission released new guidance for mobile and other online advertisers that explains “how to make disclosures clear and conspicuous to avoid deception.” The announcement contains the this introduction:

Updating guidance known as Dot Com Disclosures, which was released in 2000, the new FTC staff guidance, .com Disclosures: How to Make Effective Disclosures in Digital Advertising, takes into account the expanding use of smartphones with small screens and the rise of social media marketing.  It also contains mock ads that illustrate the updated principles.

Like the original, the updated guidance emphasizes that consumer protection laws apply equally to marketers across all mediums, whether delivered on a desktop computer, a mobile device, or more traditional media such as television, radio, or print.

dotcom dislosuresFTC Guidance on online advertising, like that for the Endorsement Guides affecting testimonials, blogs, social media marketing and celebrity endorsements, remains premised on the ability of the FTC to identify those specific steps that are likely to violate Section 5 of the FTC Act. Section 5 (15 USC 45) prohibits “unfair or deceptive acts or practices in or affecting commerce.” The Federal Reserve summary of the rule and compliance evaluation is a very helpful tool for all advertisers, not just banks. Violations of the guidelines are not illegal, merely indicators that Section 5 has been violated. In reality, however, most enforcement actions never go to trial. The FTC enters into determinations, levies fines and establishes injunctive relief and specific performance which may significantly intrude on business practices. Most companies agree to these terms rather than facing potentially harsher and more costly litigation. As such, the guidelines are much more than mere advisory guidelines.

The new guidelines attempt to remind advertisers that disclaimers and additional terms must be near claims and specific even in the constrained space of mobile advertising:

If a disclosure is needed to prevent an online ad claim from being deceptive or unfair, it must be clear and conspicuous.  Under the new guidance, this means advertisers should ensure that the disclosure is clear and conspicuous on all devices and platforms that consumers may use to view the ad.  The new guidance also explains that if an advertisement without a disclosure would be deceptive or unfair, or would otherwise violate a Commission rule, and the disclosure cannot be made clearly and conspicuously on a device or platform, then that device or platform should not be used. …

The new guidance points out that advertisers using space-constrained ads, such as on some social media platforms, must still provide disclosures necessary to prevent an ad from being deceptive, and it advises marketers to avoid conveying such disclosures through pop-ups, because they are often blocked.

The guide is long and full of detailed examples. But the list of rules is actually quite intuitive. These are probably the most important:

1.         To make a disclosure clear and conspicuous, advertisers should:

  • Place the disclosure as close as possible to the triggering claim.
  • Take account of the various devices and platforms consumers may use to view advertising and any corresponding disclosure.  If an ad is viewable on a particular device or platform, any necessary disclosures should be sufficient to prevent the ad from being misleading when viewed on that device or platform.
  • When a space-constrained ad requires a disclosure, incorporate the disclosure into the ad whenever possible.  However, when it is not possible to make a disclosure in a space-constrained ad, it may, under some circumstances, be acceptable to make the disclosure clearly and conspicuously on the page to which the ad links.
  • When using a hyperlink to lead to a disclosure,
  • make the link obvious;
  • label the hyperlink appropriately to convey the importance, nature, and relevance of the information it leads to;
  • use hyperlink styles consistently, so consumers know when a link is available;
  • place the hyperlink as close as possible to the relevant information it qualifies and make it noticeable;
  • take consumers directly to the disclosure on the click-through page;
  • assess the effectiveness of the hyperlink by monitoring click-through rates and other information about consumer use and make changes accordingly.
  • Preferably, design advertisements so that “scrolling” is not necessary in order to find a disclosure. When scrolling is necessary, use text or visual cues to encourage consumers to scroll to view the disclosure.
  • Keep abreast of empirical research about where consumers do and do not look on a screen.
  • Recognize and respond to any technological limitations or unique characteristics of a communication method when making disclosures.
  • Display disclosures before consumers make a decision to buy — e.g., before they “add to shopping cart.” Also recognize that disclosures may have to be repeated before purchase to ensure that they are adequately presented to consumers.
  • Repeat disclosures, as needed, on lengthy websites and in connection with repeated claims. Disclosures may also have to be repeated if consumers have multiple routes through a website.
  • If a product or service promoted online is intended to be (or can be) purchased from “brick and mortar” stores or from online retailers other than the advertiser itself, then any disclosure necessary to prevent deception or unfair injury should be presented in the ad itself — that is, before consumers head to a store or some other online retailer.
  • Necessary disclosures should not be relegated to “terms of use” and similar contractual agreements.
  • Prominently display disclosures so they are noticeable to consumers, and evaluate the size, color, and graphic treatment of the disclosure in relation to other parts of the webpage.
  • Review the entire ad to assess whether the disclosure is effective in light of other elements — text, graphics, hyperlinks, or sound — that might distract consumers’ attention from the disclosure.
  • Use audio disclosures when making audio claims, and present them in a volume and cadence so that consumers can hear and understand them.
  • Display visual disclosures for a duration sufficient for consumers to notice, read, and understand them.
  • Use plain language and syntax so that consumers understand the disclosures.

2.         If a disclosure is necessary to prevent an advertisement from being deceptive, unfair, or otherwise violative of a Commission rule, and it is not possible to make the disclosure clearly and conspicuously, then that ad should not be disseminated. This means that if a particular platform does not provide an opportunity to make clear and conspicuous disclosures, then that platform should not be used to disseminate advertisements that require disclosures.

State of the Cyber Union: Policy Directive + Executive Order = Expansive Regulatory Efforts

Posted on by

In President Obama’s 2013 State of the Union Address, the president included announcement of a long-expected Executive Order as well as a Presidential Policy Directive focusing on the need for better cybersecurity coordination and defense. This comes on the heels of a classified National Intelligence Estimate reported first by The Washington Post which “identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.” The report ties directly into the focus of the Executive Order, emphasizing the risk both to critical infrastructure and to industry.

At the heart of the Executive Order are voluntary efforts on the part of industry and the role of the Federal Government in increasing coordination. “The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.” NIST is authorized to create a preliminary Cybersecurity Framework within 240 days. Compliance incentives will be developed to encourage voluntary compliance. As these standards gain adoption, they will set a new reasonableness standard, pulling the more reluctant companies up because of the risk of negligence and loss.

But the real action of the Executive Order is Section 10 which provides that each regulatory agency must report if the agency has the regulatory scope to implement the Cybersecurity Framework. If it does, presumably it will use those regulatory powers to transform the voluntary program into a regulatory one; if it does not, the agency will be expected to engage in the necessary rulemaking to do so.

The Executive Order  defines critical infrastructure very broadly to mean “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The Policy Directive provides specific guidance to the Office of Homeland Security and to the other federal agencies targeted with enforcing protections of critical infrastructure and regulatory compliance.

Neither order is overwhelming on its face, but the message is clear. The Federal Government will take an aggressive approach to cybersecurity and will use the broader regulatory authority at its disposal to do so. Though it has been invited to pass legislation, Congress does not need to act because every industry sector has some regulatory oversight and cybersecurity will soon be layered on top of the existing regulations. An excerpt from the Policy Directive highlights the expansionist approach:

Additional roles and responsibilities for the Secretary of Homeland Security include:

  1. Identify and prioritize critical infrastructure, considering physical and cyber threats, vulnerabilities, and consequences, in coordination with SSAs and other Federal departments and agencies;

  2. Maintain national critical infrastructure centers that shall provide a situational awareness capability that includes integrated, actionable information about emerging trends, imminent threats, and the status of incidents that may impact critical infrastructure;

  3. In coordination with SSAs and other Federal departments and agencies, provide analysis, expertise, and other technical assistance to critical infrastructure owners and operators and facilitate access to and exchange of information and intelligence necessary to strengthen the security and resilience of critical infrastructure;

  4. Conduct comprehensive assessments of the vulnerabilities of the Nation’s critical infrastructure in coordination with the SSAs and in collaboration with SLTT entities and critical infrastructure owners and operators;

  5. Coordinate Federal Government responses to significant cyber or physical incidents affecting critical infrastructure consistent with statutory authorities;

  6. Support the Attorney General and law enforcement agencies with their responsibilities to investigate and prosecute threats to and attacks against critical infrastructure;

  7. Coordinate with and utilize the expertise of SSAs and other appropriate Federal departments and agencies to map geospatially, image, analyze, and sort critical infrastructure by employing commercial satellite and airborne systems, as well as existing capabilities within other departments and agencies; and

  8. Report annually on the status of national critical infrastructure efforts as required by statute.

When combined with the additional power of regulation across the spectrum of energy, finance, communications, health, agriculture, information technology and other sectors, the reach is broad enough to rewrite the regulatory landscape much as the USA Patriot Act did in the wake of 9/11.

Privacy may well be another of the casualties of this war. The Executive Order adds that “[a]gencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities,” but asks for little more than an annual report. In contrast, corporate reporting is singled out. “Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.” This has been the case with the Patriot Act and the President’s policies give little comfort.

Confidentiality, rather than privacy, is part of the new regime. Paul Rosenzweig, writing the Lawfare blog from Brookings highlights the importance of the short-list: a subset of critical infrastructure organizations within the identified industry which make up the heart of each industry and will be singled out for heightened cybersecurity engagement.

Confidential Identification – The EO has one true innovation in it – a confidential naming program that will identify the critical cyber infrastructure “where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”  This is a subset, of course, of the earlier broader definition.

Being an identified company may bring greater security obligations or improved resources or no change at all. Only time will tell. The impact will vary tremendously depending of the existing preparedness of each company.

The National Intelligence Estimate on cybersecurity risk makes clear that the threat must be addressed.

 The report, which represents the consensus view of the U.S. intelligence community, describes a wide range of sectors that have been the focus of hacking over the past five years, including energy, finance, information technology, aerospace and automotives, according to the individuals familiar with the report, who spoke on the condition of anonymity about the classified document.

-          The Washington Post

The only question is the cost of the response. China, Russia, Iran, Israel, North Korea and other countries are known for releasing global cyber-attacks, some focused on military and political topics, while others highlight corporate espionage. Moreover, as I mentioned in an earlier post, the intruders use directed attacks on employees and independent contractors who open links, photos or already infected USB devices. Already behind firewalls, these tools install malignant code to glean passwords, open files and glean information which is sent back to the intruder. Some of these attacks are directly at U.S. infrastructure, others at economic targets, while many others affect U.S. interests only as collateral damage to regional conflicts which do not involve U.S. participants.

Nonetheless, the risks are increasing. After the President’s speech one thing is clear. Using the State of the Union as the basis for the announcement of the Cybersecurity Executive Order and Policy Directive has placed this topic near the top of the national agenda.

Photo:

President Barack Obama delivers the State of the Union address in the House Chamber at the U.S. Capitol in Washington, D.C., Feb. 12, 2013. (Official White House Photo by Chuck Kennedy)

When to shred your Facebook page

Posted on by

Two recent cases (both analyzed quite thoughtfully in Eric Goldman’s blog) highlight the importance of anticipating the unintended audiences. These situations are not unique, but they provide stark reminders of why each person should be diligent about social media and its impact. The first lesson provides a stark reminder that broad complaints lose their context online. As report in the Matter of the Tenure Hearing of Jennifer O’Brien, State Operated School District of the City of Patterson, Passaic County, 2013 WL 132508 (Jan. 11, 2013), a2452-11, Ms. O’Brien was a tenured, certified elementary school teacher in the Patterson, NJ schools. O’Brien had been assigned a technology coordinator at School No. 29. The next year she found herself at School No. 21. assigned to teach the first grade, with 23 students, “[a]lmost all [of whom] were six years old. All were either Latino or African-American.” The court reports the posts:

On March 28, 2011, O’Brien posted two statements on Facebook, an internet social-networking site. The first statement was, “I’m not a teacher — I’m a warden for future criminals!” The second statement was, “They had a scared straight program in school — why couldn’t [I] bring [first] graders?”

Perhaps Ms. O’Brien was frustrated at her reassignment; perhaps this was dark humor. It was insensitive, disparaging of these six year olds, and found to constitute conduct unbecoming a teacher. Her defense that six or seven of the student were disciplinary problems or had stolen from her seems a bit non-responsive. Posting to her friends, which numbered above 300, amounted to a broadcast and resulted in her termination. She never should have made such a post. But how does she rectify it? The answer to that leads to the second incident listed on the Goldman blog. In Allied Concrete v. Lester, 2013 Va. LEXIS 8 (Jan. 10, 2013), Venkat Balasubramani writes of a dispute in which the survivor in a wrongful death action is told by her attorney’s paralegal to “to “clean up” his Facebook page because he didn’t “want any blow-ups of this stuff at trial.” While the Facebook page was subject to discovery, at least in part because the plaintiff sent a Facebook message to an attorney for the defendant. Having failed to exclude the Facebook page, the lawyer was concerned that embarrassing pictures would negatively influence the jury and affect the damage award. He should have been worried that instructing the paralegal to advise the client to destroy documents could lead to sanctions and affect the trial. In this case the sanctions were levied at $542,000 and an additional $180,000 was ordered paid to cover costs of the defendants. (Admittedly, the plaintiff made matters worse by lying about the deletion and evading the discovery requests.) While sanctions of this size should highlight the need to be cautious about what to post and when to remove the posts, matters involving federal investigations are even riskier. The Sarbanes-Oxley anti-shredding laws extend to any destruction of material related to an ongoing federal investigation. The law is extremely broad:

18 USC § 1519 – Destruction, alteration, or falsification of records in Federal investigations and bankruptcy Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.

Although enacted as part of Sarbanes-Oxley, the law does not have any limitations regarding publicly traded companies, corporate fraud – or seemingly any limitations at all. If the eventual investigation includes a federal agency or inquiry, then the knowing destruction of a record constitutes a violation. And records aren’t pressed in vinyl or lacquer. Tweets, posts, photos, and video will all be covered under the statute. A quick collection of examples serves to illustrate the point:

Individuals prosecuted under Section 1519 include: an employee of a private community corrections center, for providing an inmate with a clean urine sample and falsely completing official paperwork regarding the sample, United States v. Jensen, 248 Fed. Appx. 849 (10th Cir. 2007); a woman who destroyed a CD containing child pornography that belonged to her boyfriend after learning that he was under investigation by the FBI, United States v. Wortman, 488 F.3d 752 (7th Cir. 2007); a Pennsylvania state senator, for destroying e-mails pertaining to matters under federal investigation, United States v. Fumo, 2007 U.S. Dist. LEXIS 79454 (E.D. Pa 2007); and an ophthalmologist, for falsifying and creating false medical records in order to defraud Medicare and Medicaid, United States v. Mermelstein, 487 F.Supp.2d 242 (E.D.N.Y. 2007). — Obstruction of Justice under Sarbanes-Oxley: A Broad Reach by Michael G. Considine and Caroline Bersak Hyde

As a result, removals of Facebook pages, Tumblr photographs or other online content could result in a 20-year federal prison sentence if the content is removed after the owner of the account becomes aware that a federal agency is taking an interest in a matter relating to the post. Since the crime is committed if the removal is done pursuant to an indictment, investigation, or “in relation to or contemplation of” such a matter, once a federal inquiry could be triggered, it is potentially too late to remove the content. The obvious lesson is not to post harmful comments or embarrassing statements. The second best step is to remove harmful content to reduce ongoing embarrassment and damage while preserving the removed content for investigators. After all, nothing in the law requires a person continue an ongoing harm; the duty is to disclose to investigators and that goal can be accomplished without continuing the public disclosure. If the situation in Patterson had created interest in pursuing a federal civil rights claim on behalf of the first grade students, then suddenly the question of social media decorum easily escalates to a federal investigation. In such a case, the comments can only be removed if they are fully archived so that there is no spoliation of the evidence. If a teacher in Ms. O’Brien’s position tried to delete the Facebook account to make the situation go away, that teacher could be facing federal prison rather than merely a tenure hearing. This raises not a lesson but a warning. The overbreadth of these statutes grants far to much prosecutorial discretion and the ability to layer multiple criminal sanctions on, one-atop-another. Trivial acts may suddenly result in prosecutions for decades of potential jail time. Strong laws require predictable outcomes and equal treatment. Selective enforcement of overly broad provisions achieve no social goals. The final lesson is for employers to develop, enforce and train their staff members on the importance of both social media policies and document retention policies. Companies face challenges enforcing either policy, but when they come in conflict, employees and their supervisors can land in jail. Maybe the best time to shred that social media account is right this minute – unless, of course, there is any federal interest in investigating the content.